Time is money, even in cybercrime. The easier your password, the easier and faster it is to crack. Criminals crack passwords in bulk, so when they crack enough easy ones, they move on to the next phase of their crime and dump the uncracked passwords.
Use the following guidelines to create more complex passwords.
- Combine upper and lower case letters
- Use no fewer than eight characters; passphrases are best
- Include at least one number and one special character; more is better
- Make them easy to remember, but difficult to guess. For example, choose characters that trace a pattern on the keyboard
Many techniques for obtaining passwords have become more sophisticated over the years. The top methods, in no particular order, for cracking passwords are rainbow tables, brute force attacks, social engineering, phishing, malware, and the completely unsophisticated method of guessing.
At a high level, rainbow tables are long precomputed lists of candidate passwords paired with the hashed forms used to verify your account. Attackers feed these into password cracking software in large quantities at a time. This is why security experts recommend using longer passwords and phrases: the longer they are, the more time it takes for them to be found on these lists.
Brute force attacks start from dictionary words and then work through all possible combinations of alphanumeric characters (every combination of the letters and numerals in a given language). The longer the password, the longer it takes to figure out. Passwords of six characters or fewer can be cracked in a matter of seconds, whereas passwords of 10 characters or longer may take a day or more.
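To make the guideline list above and the brute-force paragraph concrete, here is an added example (not code from the original article) that checks a candidate password against the four listed guidelines and then computes the number of combinations an exhaustive search would have to try, based on which character classes the password actually uses. The class definitions, the `MIN_LENGTH` of 8, the use of `string.punctuation` as the "special character" set, and the guess rate of 10 billion guesses per second are assumptions made for the illustration; characters outside the four classes (for example, spaces) are not counted, so keep passphrase samples to the classes shown.

```python
import string

# Assumed character classes for the four guidelines: upper/lower case,
# digits and "special characters" (taken here to be string.punctuation).
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)
MIN_LENGTH = 8  # "no fewer than eight characters"


def check_guidelines(password: str) -> list[str]:
    """Return the guideline violations for a candidate; an empty list means it passes."""
    chars = set(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (chars & UPPER and chars & LOWER):
        problems.append("does not combine upper and lower case letters")
    if not chars & DIGITS:
        problems.append("contains no number")
    if not chars & SPECIAL:
        problems.append("contains no special character")
    return problems


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must enumerate to cover this password.

    Only the four classes above are counted; a character from a class the
    password uses forces the attacker to include the whole class.
    """
    chars = set(password)
    return sum(len(cls) for cls in CLASSES if chars & cls)


def search_space(password: str) -> int:
    """Number of strings of this length drawn from the password's alphabet."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst-case time to try every string in the search space at a given rate."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 10**10  # constructed figure: 10 billion guesses per second
    # Constructed sample candidates: a short dictionary word, a mixed-class
    # 10-character password, and a long lower-case passphrase.
    for candidate in ("password", "Tr0ub4d0r!", "correcthorsebatterystaple"):
        problems = check_guidelines(candidate)
        print(f"{candidate!r}: {len(candidate)} chars, alphabet {charset_size(candidate)}, "
              f"search space {search_space(candidate):.2e}, "
              f"~{seconds_to_exhaust(candidate, ASSUMED_RATE):.1e} s to exhaust")
        for p in problems:
            print(f"   - {p}")
```

Running the script shows the point the article makes about length: the 10-character mixed-class password has a search space near 5e19, while the 25-character lower-case passphrase, which fails three of the four guidelines, is around 2e35, because length is the exponent and alphabet size only the base.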
Social engineering is the foundation of many security-related breaches, whether they are intrusions into a network or theft of a password to get into an account. It involves getting users to give up passwords. Hackers are amazingly successful at getting information by pretending to be someone else and gaining victims' confidence. A favorite ploy of the social engineer is to call an office posing as the IT person. They simply ask for passwords and are given them.
Phishing is everywhere. On an average day, more than 156 million phishing email messages are sent. While many get caught in spam filters, some don't. Of the eight to nine million that make it to users' inboxes, about half are opened. Roughly 10 percent of those are acted upon. These messages try to coax information out of the user, and often it is a password to an account that will net the thief something of value.
Malware is software loaded onto a computer or device that can be used to commit various cybercrimes, from logging keystrokes to redirecting a web browser to fake websites.
Guessing still works. People often create passwords based on information that is not hard to find out, such as kids' names, birthdates, or pets' names. Then they post their kids' names, birthdates, pets' names, and more on their social media profiles. A savvy hacker may use the aforementioned social engineering techniques to befriend victims and simply guess passwords.
There are many more strategies for stealing passwords. No matter what you come up with for your password creations, they need to make sense to you and no one else. If you must write them down, do it. Just keep the list separate from your computer and mobile device and out of plain sight.