Every year, mainstream and tech media will report on the latest list of the “worst” passwords choices that everyday users make. And every year, I.T. Techs around the world cringe when they read them. As front-line technical support for many of our clients, an important part of our job consists of educating users about the importance of a strong and secure password. Business-critical data is just as important to the business you work for as your financial information is to you. What if anyone could access your bank account and make transactions? The same applies to business-critical data.
Why are bad passwords such bad news for I.T. techs and your business? Simple. As I.T. experts, it is our job to ensure the security of any business-related data held on your networks. One of the most common ways that attackers gain access to data is by guessing passwords, so a strong password is critical in providing essential protection from fraud and identity theft. The harder a password is to guess, the lower the likelihood that a computer will fall victim to an unwanted intrusion. That’s why we’re always harping on about password best practices!
These “worst password” lists are usually based on how often a password appears in leaked or stolen databases of account passwords. It isn’t the fact that a password appears in such a list that makes it the “worst”; it’s that the passwords used most often are the most obvious and predictable guesses for attackers, and thus a terrible choice.
A password consisting of a single word is about as bad as it gets. An attacker’s first attempt to gain access will often involve trying a list of common words or pass phrases – this is called a “Dictionary Attack”. A Dictionary Attack often involves a bot spamming login pages with millions of attempts using known common passwords or the most common words in a particular language. Though most current sites will lock an account after a set number of failed login attempts, attacks of this scale usually either bypass the attempt limit or run offline against a stolen database of encrypted passwords, where no lockout applies.
This won’t usually be the only tactic an attacker employs, but using a “real” word as your password puts you at much greater risk.
A brute force attack involves trying every possible combination of characters, which makes longer passwords exponentially more secure. There are only 26 letters in the English alphabet, so a single letter is guaranteed to be guessed correctly within 26 attempts. To guess two letters correctly you’d need up to 26 x 26, or 676, attempts. Including eight characters in your password makes for five trillion possibilities. Hence, the more letters in a password, the more combinations are possible – better yet, throw in some numbers and punctuation marks!
It only takes a few extra characters to increase the average time to crack a password from a few hours to thousands of years.
Using only letters in your password greatly decreases its security, for the same reason that the length of your password matters. For any single character position in your password, allowing numbers takes the number of possibilities from 26 to 36. Adding punctuation marks increases that number by another 26 options. Using capital letters in addition to lower case letters doubles the alphabet! Even with a (very much not recommended) four-character password, you’re talking about the difference between 11 million possibilities and nearly 6 billion.
While length and character variety are important, the worst possible password is one you reuse across multiple websites. If an unencrypted database of usernames and passwords gets leaked, attackers almost always try those same login credentials on other websites, particularly websites that may grant access to sensitive personal data. So if you are reusing the same password across multiple platforms and accounts, you are effectively placing all of those accounts at the same level of risk.
The most secure password is one that is:
Sounds impossible to remember, right? Don’t let your memory be a limit to your security. The best way to generate and employ secure passwords is by using a password manager. DO NOT store your list of passwords in a plain text file on your computer or a Post-It note on your monitor.
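To make the arithmetic in the sections above concrete, here is an added Python example (written for this article, not code from the original post) that does what a password manager or a login-policy check does in the background: it flags a password that appears in a common-password list (the “dictionary” case), computes the brute-force keyspace as alphabet size raised to the length, turns that into a time estimate, and generates a random replacement with the `secrets` module. The `COMMON_PASSWORDS` set is a constructed stand-in for a real leaked-password corpus, and the 10 billion guesses-per-second rate is an assumed attacker speed, not a figure from the article; the punctuation class uses Python’s `string.punctuation` (32 symbols) rather than the article’s 26.

```python
import math
import secrets
import string

# Constructed stand-in for a "worst passwords" list; a real check would load a
# large corpus of leaked/common passwords instead.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "iloveyou", "admin",
}

# Character classes an attacker must enumerate once a class is in play.
# The article counts 26 lowercase, 26 uppercase and 10 digits; for punctuation
# it uses 26, whereas string.punctuation has 32 symbols.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed attacker guess rate for the time estimates (offline cracking of a fast,
# unsalted hash on commodity GPUs is in this range). Assumption, not from the article.
ASSUMED_GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Size of the smallest charset covering every character class present."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Candidates a brute-force attacker must try: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password: str,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to run through the whole keyspace (average is half this)."""
    return keyspace(password) / guesses_per_second / (365.25 * 86400)


def assess(password: str, common=COMMON_PASSWORDS) -> dict:
    """Combine the dictionary check with the brute-force estimate."""
    in_list = password.lower() in common
    space = keyspace(password)
    return {
        "in_common_list": in_list,
        "alphabet": alphabet_size(password),
        "keyspace": space,
        "entropy_bits": 0.0 if in_list or space == 0 else math.log2(space),
        # A listed password is among the first guesses tried, so its
        # brute-force size is irrelevant: effective cost is zero.
        "years_to_exhaust": 0.0 if in_list else years_to_exhaust(password),
    }


def generate_password(length: int = 16) -> str:
    """Password-manager style generator: uses secrets (CSPRNG), never random."""
    alphabet = "".join(CHARACTER_CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password", "dragon12", "Tr0ub4dor&3", generate_password(20)):
        r = assess(pw)
        print(f"{pw!r:24} listed={r['in_common_list']!s:5} "
              f"alphabet={r['alphabet']:3} bits={r['entropy_bits']:6.1f} "
              f"years={r['years_to_exhaust']:.3g}")
```

Running it shows the two effects the article describes side by side: eight lowercase letters (26^8 candidates) fall in about twenty seconds at the assumed rate, while twelve characters drawn from all four classes take on the order of a million years, and anything on the common list is effectively free regardless of its length.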