Each week, security researchers round up the latest news in the field and post it on blogs like this one. If you have been following along, you may have noticed a disturbing trend: data breaches at Carnival Cruises, ProctorU, and Garmin in the last two months alone, and those are only a few examples.
You are probably wondering how to create a secure password that keeps your accounts out of these criminals' hands. If any of your passwords were exposed in a breach, change them as soon as possible.
So what is the solution? Passwords that can't be cracked. Before we get to that, let's look at the most common ways passwords are compromised today.
A password can be compromised in several ways.
Attackers have a number of options, and the easiest is to buy passwords on the dark web. If you have reused the same password for years, there is a good chance it already appears in a breach dump for sale there.
If your passwords are not in those aggregated databases, criminals have to crack or steal them, using one of the approaches below. Two situations matter: an online attack directly against your accounts, where the service can rate-limit or lock out repeated guesses, and an offline attack against a leaked database of hashed passwords, where nothing limits the attacker but hardware and the hash algorithm the site chose.
Brute force attacks
A brute force attack tries every possible combination until it hits yours. Attackers have automated this with software that tries as many candidates as possible in the shortest time. In 2012 one researcher built a 25-GPU cluster that could crack any 8-character Windows (NTLM) password, whatever mix of upper- and lower-case letters, digits, and symbols it used, in under six hours; it could attempt 350 billion guesses per second. Two caveats matter: that rate applies to fast, unsalted hashes such as NTLM, and slow password hashes such as bcrypt or Argon2 cut it by several orders of magnitude; and hardware has only gotten faster since 2012. As a rule of thumb, anything under 12 characters should be considered crackable. The lesson of brute force attacks is that length is critical: the longer, the better.
Dictionary Attack
As the name suggests, the attacker runs through a dictionary. In contrast to a brute force attack, a dictionary attack works from a prepared list of candidates: ordinary words and, in practice, the most common passwords from previous breaches, each tried along with standard variations (a capitalised first letter, a digit or two appended, letters swapped for look-alike symbols).
You can withstand a dictionary attack only if your password is not in such a list: an unusual word, or better, several words combined, like LaundryZebraTowelBlue. As the Computerphile video "How to Choose a Password" shows, a dictionary attack is bounded by the number of words in the list, so a multi-word phrase multiplies the attacker's work by that number for every word you add.
Phishing
Phishing is the nastiest tactic: the attacker uses social engineering to trick, intimidate, or pressure you into handing over your password yourself. A phishing email may claim that your credit card account has been compromised. If you click the link, you land on a fake site that looks like your card provider's. The scammers then simply wait for you to enter your password. Once you do, they have it.
Scammers also phish over the phone. Treat any robocall claiming to be from your credit card company with suspicion; notice that the recorded greeting never says which card it is about. If you don't hang up immediately, they know they have you "hooked," and the person who comes on the line will try to extract as much personal information as possible, including your passwords, for as long as you stay on the call.
The structure of a secure password
Now that we know how passwords are cracked, we are better equipped to create secure ones (though the only defence against phishing is not to fall for it). Follow these guidelines and your password will be far harder to crack.
Avoid the obvious choices. Never use sequential numbers or letters, and never use "password" as your password. Leave out your name, birthday, and anything else an attacker could find out about you: if you have been specifically targeted, the attacker will try guesses built from everything they know about you.
A brute force attack can't be prevented, but it can be made impractical:
- Make it long. This is by far the most important factor. Use at least 15 characters, and more if you can.
- Mix character types. Passwords that combine upper- and lower-case letters, digits, and symbols enlarge the set an attacker has to search.
- Don't rely on the substitutions everyone else uses. Password crackers have rules for the standard replacements, so D00R8377 falls about as fast as DOORBELL. Placing random characters is more effective than leetspeak* substitutions today. *Leetspeak is an informal Internet code in which ordinary letters are replaced with digits or unusual characters.
- Avoid keyboard patterns. Just as you avoid sequential letters and numbers, avoid sequential keys (like qwerty); they are among the first things guessed.
Defeating a dictionary attack
A dictionary attack is defeated by using more than one word. As the XKCD comic on this subject explains, the number of guesses needed is the size of the word list raised to the power of the number of words you use, so a few ordinary words chained together quickly outgrow what an attacker can try.
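To make the numbers in the brute force and dictionary sections concrete, here is an added worked example (not code from the original post) that computes how many guesses exhaust a password's keyspace and how long that takes at the 350 billion guesses per second quoted above. The 350e9 figure is the post's; the slow-hash rate of 100,000 guesses per second is an assumed order of magnitude for a deliberately slow algorithm such as bcrypt, used only for comparison.

```python
import math

# Added example, not from the original post: size of the search space an
# attacker must cover, and the time that takes at a given guessing rate.

# Character-class sizes for a US keyboard (26 + 26 + 10 + 33 = 95 printable ASCII).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
GPU_RATE_FAST_HASH = 350e9   # guesses/s: the 2012 25-GPU figure for unsalted NTLM
GPU_RATE_SLOW_HASH = 100e3   # guesses/s: ASSUMED order of magnitude for bcrypt-class hashes


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Guesses needed against a passphrase of `words` words from a wordlist.
    A dictionary attack is bounded by dictionary_size ** words, regardless of
    how many characters the phrase contains."""
    return dictionary_size ** words


def seconds_to_exhaust(n_guesses: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return n_guesses / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    full = LOWER + UPPER + DIGITS + SYMBOLS
    for length in (8, 10, 12, 15):
        n = keyspace(full, length)
        print(f"{length:2d} chars from {full}: {n:.3g} guesses -> "
              f"{human(seconds_to_exhaust(n, GPU_RATE_FAST_HASH))} (fast hash), "
              f"{human(seconds_to_exhaust(n, GPU_RATE_SLOW_HASH))} (slow hash)")
    # Four words from a 2048-word list, the case the XKCD comic uses:
    n = passphrase_keyspace(2048, 4)
    print(f"4 words from 2048: 2^{math.log2(n):.0f} guesses -> "
          f"{human(seconds_to_exhaust(n, GPU_RATE_FAST_HASH))} (fast hash)")
```

Running it shows why the 8-character figure lines up with "under six hours" (about 5.3 hours at 350 billion per second), that each extra character multiplies the work by 95, and that the same 8-character password behind a slow hash would take roughly two thousand years at the assumed rate, which is why the algorithm the site uses matters as much as your password.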
Best Password Methods
The methods below help you come up with passwords that are both secure and memorable. Using either of them will make your digital life considerably safer.
Paraphrase Method
This is a variation on the multiple-word phrase strategy. Consider using proper nouns, local landmarks, the names of historical figures, and any foreign words you know. An attacker might crack "mountain", but would have a much harder time with a password like this:
MountainVeryEverestBig
Try to form a mental image of the words you choose; it helps you remember them.
Random characters inserted in the middle of words or between them make it harder still. As a general rule, don't join words with underscores or apply other common leetspeak* substitutions; crackers try those too.
Sentence Method
This method is also known as the "Bruce Schneier Method." Think of a sentence and turn it into a password with a fixed rule you can reproduce, such as keeping the first two or three letters of each word. Applied to "The Zy Shop Is My Favorite", that could give you:
TheZyShIsMyFav
To anyone else it is gobbledygook, but to you it makes perfect sense. Pick a sentence that is as personal and unguessable as possible, not a quotation or song lyric that might appear in an attacker's phrase list.
Tips for increasing password security
The average person has dozens of passwords, so remembering a strong, unique one for every account isn't practical on its own. Three things help: a password manager, an authenticator app on your smartphone, and a hardware security key. Each improves the security of your logins in a different way.
Password Manager
With a password manager you no longer need to remember your passwords; it keeps track of them for you. Save the tips above for the one password that matters most, the master password that unlocks the manager. The generator built into the software produces random passwords that are incomparably harder to crack than anything a person could come up with, and a different one for every site.
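As an added example (not code from the original post, nor from any password manager), this is the essence of what a manager's generator does: it draws every character, or every word, from the operating system's cryptographic random source. The word list below is a constructed sixteen-word stand-in; a real generator would load a large published list such as the EFF long list of 7,776 words.

```python
import math
import secrets
import string

# Added example, not from the original post or any password manager.
# 94 printable ASCII characters (letters, digits, punctuation; no space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list (an assumption for this example).
SAMPLE_WORDLIST = ["mountain", "everest", "zebra", "towel", "laundry", "blue",
                   "harbor", "shop", "river", "candle", "velvet", "marble",
                   "falcon", "ginger", "lantern", "copper"]


def entropy_bits(alphabet_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from an
    alphabet of `alphabet_size` symbols: picks * log2(alphabet_size)."""
    return picks * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random character password. secrets.choice uses the OS CSPRNG; the
    `random` module is predictable and must never be used for credentials."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Random passphrase: each word is an independent uniform pick, so the
    strength depends on the list size and word count, not on the words."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = random_password(16)
    print(pw, f"-> {entropy_bits(len(PRINTABLE), 16):.1f} bits")
    ph = random_passphrase(5)
    print(ph, f"-> {entropy_bits(len(SAMPLE_WORDLIST), 5):.1f} bits from this tiny list, "
              f"{entropy_bits(7776, 5):.1f} bits from a 7,776-word list")
```

Sixteen random printable characters carry about 105 bits of entropy, far beyond the 12-character rule of thumb; five words from a 7,776-word list carry about 65 bits, which is still out of reach of the guessing rates discussed above, while the same five words from the sixteen-word demo list carry only 20 bits, which is why the list size matters.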
Trustworthy websites
Security-conscious websites store only a salted, slow hash of each password, so that even if their database leaks, the passwords themselves are not exposed; others don't bother and store them in plaintext or with a single fast hash. Be cautious before registering, choosing a password, and entrusting a site with personal information. "https" in the address bar is the bare minimum, not proof of safety, and you cannot see how a site stores passwords, which is one more reason never to reuse one. Does the site look like it keeps up with current security practice? If not, think hard before handing over any personal information.
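What "hashing" should and should not look like on the server, as an added example (not the original post's code or any particular site's). The weak version is one fast, unsalted SHA-256 of the password; the proper version is PBKDF2-HMAC-SHA256 from Python's standard library with a random 16-byte salt and a high iteration count, with the parameters stored alongside the hash so they can be raised later. The iteration count of 600,000 follows current OWASP guidance for PBKDF2-HMAC-SHA256; Argon2id or bcrypt would do equally well but need a third-party package.

```python
import hashlib
import hmac
import os

# Added example, not from the original post or any specific website.
PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256


def weak_store(password: str) -> str:
    """What a careless site does: a single fast, unsalted hash. Every user with
    the same password gets the same value, precomputed tables work, and a GPU
    rig tries billions of candidates per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "MountainVeryEverestBig"
    print("weak  :", weak_store(pw) == weak_store(pw))   # True: identical for identical passwords
    a, b = hash_password(pw), hash_password(pw)
    print("proper:", a)
    print("       ", b)                                   # different salt, different record
    print("verify:", verify_password(pw, a), verify_password("mountainveryeverestbig", a))
```

The two records for the same password differ because each carries its own salt, so a leaked database gives the attacker no way to spot shared passwords or reuse precomputed tables, and every guess costs 600,000 HMAC operations instead of one.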
Multi-factor Authentication
Multi-factor authentication (MFA) adds a layer of security, and it becomes your main line of defence if your password is ever leaked. It is now the industry standard for effective security (a separate post explains how to turn on MFA on social media sites like Twitter and Facebook). Besides the password, logging in requires something you have (an authenticator app or a physical token) or something you are (a fingerprint or eye scan). That way, whether your password is simple or complex, it is only half of what an attacker needs.
Authenticator Smartphone App
Using a smartphone app for MFA is the most common strong method. Free examples include Google Authenticator and Authy, both available for iOS and Android. The app generates a one-time code, usually six digits, that you enter during login as an additional step; the codes change automatically every 30 seconds, so a code an attacker captures is useless almost immediately. Follow the instructions provided by the service to set up MFA. Not every service supports this method yet.
A security key takes protection to another level. The YubiKey (the name comes from "ubiquitous key") offers some of the strongest protection currently available: you can only log in if you have the key in your hand. A security key is the size of a thumb drive and comes in USB, NFC, and Bluetooth variants. Google required all of its roughly 88,000 employees to use security keys in 2017 and has reported no breaches of employee accounts since. Guarding users against phishing is one of the primary functions of Google's Titan Security Key: the key only answers the site it was registered with, so a look-alike phishing page cannot collect a usable response.
Look into the FIDO Alliance, which develops strong authentication standards for desktop and mobile apps. Using FIDO-compliant services, such as those offered by Microsoft, Google, PayPal, Bank of America, NTT Docomo and Dropbox, is one of the most effective ways to protect your accounts. A security key, website, or mobile app that is "FIDO® Certified" has been tested against the alliance's authentication and security standards.
Additional advice for password security
These common-sense measures protect your login credentials even further.
- On public Wi-Fi, use a VPN. It keeps anyone sharing the network from seeing your traffic, including where you log in, and protects you if a site's connection isn't properly encrypted.
- Never share your password with anyone by text or email.
- When setting up security questions for a new account, choose answers only you know. Be wary of what you share on social media, since many such questions can be answered with a simple search.
- Remind your loved ones to protect themselves, too. As long as breaches keep happening, you can help friends and family stay safe by forwarding this post to them.
- Keep your anti-virus up to date. If malware gets past your firewall and onto your computer, a good antivirus can identify and remove it, and malware is itself a common way passwords are stolen.