We all use passwords every day, but many of us rarely stop to think about how secure they are. In fact, most of us probably still use passwords we picked out 5 or 6 years ago, maybe even longer. As we all know, technology moves very quickly, and as computers get faster and more advanced, so do hackers. So it's always important to make sure you are doing the most you can to keep yourself safe on the web.
Common misconceptions - Capitals and punctuation marks make your password secure
When you sign up to a new website, many of them will ask you to make sure your password contains certain characters, e.g. at least one number or capital letter, which leads most people to think that is what makes a password secure. Unfortunately, it isn't, and to prove this I'm going to provide two different passwords: one that follows the rules most sites recommend (at least one capital, number and punctuation mark) and one that doesn't.
Password 1: $rt56tYp
Password 2: anything
Now, straight away most people would assume that password 1 is an example of a secure password, whilst password 2 is the complete opposite. However, if we check both passwords on https://howsecureismypassword.net/ we find, surprisingly, that password 1 would take only 9 hours to crack, whilst password 2 would take 6 years.
Password length is key!
9 hours compared to 6 years is a substantial difference, but to properly explain why, I'm going to describe a common method of password cracking known as a brute force attack. A brute force attack is about as straightforward as it sounds: it simply involves writing a script that tries every combination of characters until it finds one that matches your password, or at least it sort of does.
The problem with brute force attacks is time. Trying every possible password would take an unimaginable amount of time, so instead hackers shorten this by only trying certain combinations. For example, they might limit their script to checking passwords of 8-10 characters containing lowercase letters, uppercase letters and numbers. This is why you are advised to have a variety of different characters in your password: more characters mean more combinations, and more combinations take longer to crack.
However, the biggest misconception today is that numbers and punctuation marks instantly make your password secure. They certainly do make it more secure, but length is a much more important factor. That is why password 2 was so much more secure than password 1. Those extra 3 characters create far more possible combinations of passwords than simply adding numbers and punctuation marks.
Most websites today will allow you to create a password that is only 8 characters long, but you absolutely should not do that. Such passwords are very easily cracked no matter what combination of characters you use. The advised length from companies such as Google and Microsoft is currently at least 12-14 characters.
You should still include capitals and numbers to be safe when making your password; it's just important to remember that short passwords are insecure no matter what you put in them. Another common pitfall is doing something like replacing the letter o with the number 0. Brute force attacks are very simplistic, but there are more clever attacks out there, referred to as dictionary attacks, that use common words and patterns to speed up the cracking process, and most of these will predict common patterns such as replacing letters with similar-looking numbers or punctuation marks. So, to be extra secure, if you are placing numbers in your password make sure their placement is random.
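To make the two points above concrete (combinations grow with length and alphabet size, and look-alike substitutions do not defeat a dictionary rule), here is an added example, not code from the original post, that evaluates a candidate password the way a registration check might. The guess rate, the minimum length and the tiny word list are constructed assumptions.

```python
import string

# Constructed mini word list standing in for a real cracking dictionary (assumption).
COMMON_WORDS = {"password", "anything", "qwerty", "azerty", "letmein", "welcome"}

# Look-alike substitutions that dictionary rules undo, e.g. the "o -> 0" trick.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Character classes a brute-force script would enumerate, with their sizes.
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32)]


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover to include every class in pw."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in pw))


def keyspace(pw: str) -> int:
    """Number of candidates of this length over that alphabet (the 'combinations')."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force run at an assumed guess rate."""
    return keyspace(pw) / guesses_per_second


def looks_like_dictionary_word(pw: str) -> bool:
    """Strip trailing digits/symbols, undo look-alike substitutions, then check the list."""
    base = pw.rstrip(string.digits + string.punctuation).lower().translate(LEET_MAP)
    return base in COMMON_WORDS


def check_password(pw: str, min_length: int = 12, guesses_per_second: float = 1e10) -> dict:
    """Summarise the checks described above: length, alphabet and dictionary patterns."""
    return {
        "length_ok": len(pw) >= min_length,
        "charset_size": charset_size(pw),
        "keyspace": keyspace(pw),
        "brute_force_years": seconds_to_exhaust(pw, guesses_per_second) / (365 * 24 * 3600),
        "dictionary_pattern": looks_like_dictionary_word(pw),
    }
```

Running it on the two passwords from the post shows that a 12-character lowercase string already has a larger keyspace than an 8-character string drawn from all four classes, and that "anything", "P@ssw0rd!" and "azerty12345" all collapse to a listed word.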
So, is my password safe now?
Well, unfortunately not. You can do as much as you can to make your password secure, but keeping it safe is ultimately also up to the website you sign up to.
Database breaches of large websites do happen, and companies like Yahoo and Adobe have recently lost passwords to hackers. The Yahoo story, in particular, was very disappointing from a security standpoint.
One of the first things you're taught as a developer is not to store someone's password directly in a database, so that if your database is ever breached, hackers don't have direct access to your users' passwords. Instead, passwords should be hashed, which is similar to encryption except that encryption is designed to be reversible whilst hashing is not. Now, although Yahoo had hashed all their users' passwords, they had done it using a method well known to have vulnerabilities. So bad, in fact, that they may as well not have bothered hashing the passwords at all.
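As an added illustration of the difference between a hash that "may as well not have bothered" and one done properly (this is example code, not anything from the post or from Yahoo), the block below stores a password first as a single fast, unsalted digest and then as a salted, deliberately slow PBKDF2-HMAC-SHA256 record. The iteration count and salt length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; a deployment tunes the cost to its own hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """The 'may as well not have bothered' approach: one fast, unsalted digest.
    Equal passwords give equal digests, so one cracked hash unlocks every account
    sharing that password, and precomputed lookup tables apply directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store(password: str) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. The record carries the algorithm,
    cost and salt so that verification can reproduce exactly the same computation."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Two users who both chose "anything" get identical rows under weak_store, but different, individually verifiable rows under store, and each verification costs the attacker the same 600,000 iterations it costs the site.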
Is there anything I can do?
The most important thing to do is to avoid using the same password across different websites. When hackers get hold of passwords from a site like Yahoo, they will try using the email and password combinations they've got to log in to websites containing valuable personal information, like Amazon. Since shorter passwords are easier to crack, people with weak passwords are more likely to be targeted after these large-scale breaches, so if you have a secure password you will certainly be safer than others, but still not 100%.
Of course, asking people to use a different password for every single website they visit isn't realistic advice. You can look into using password managers, but if not, I would personally recommend having one or two really good passwords and using a pattern to change them for each website you visit. So, for example, you might replace the second-to-last letter of your password with the second-to-last letter of the name of the site you're using. Really, asking people to use a different password for every site they visit would lead to one of two things: either you forget most of your passwords or you start writing them down somewhere, which is also a really dangerous habit.
Make your password memorable!
Being able to remember your password is very important. One of the worst things you can do is write your password down somewhere, and only recently a French TV station named TV5Monde found this out first hand.
Around April 2015, TV5Monde was hit by hackers who took several of their stations offline for a couple of hours. Then, only the following day, a journalist for TV5Monde was interviewed inside their offices about the company's frustration over these attacks, whilst in the background of this interview a few keen eyes spotted a sticky note which read "Le mot de passe de YouTube", which, if you haven't already guessed, is French for "The YouTube password".
In fact, several passwords for different social media accounts were visible, but fortunately for TV5Monde they haven't reported any serious damage done to those accounts. It has, however, been widely reported that poor password security was also responsible for the attacks the day before, with high-level accounts within the station using the password "azerty12345" (the French equivalent of "qwerty12345").
If you're starting to worry about how secure your password is, please do use a service like https://howsecureismypassword.... to create one that you are comfortable with. If you are also worried that one of your passwords may have been compromised at some point, there are services like https://haveibeenpwned.com/Pas... that allow you to check whether it has.
Also, as important as it is to keep yourself secure on the web, we also believe it's important to keep our users informed and their information as secure as possible.