One of my kids has a favorite online computer game and invests quite a bit of time playing it. The end of April, someone decided to take over this beloved account by changing the login credentials, and they were pretty determined to do it. I’m not sure what approach they were using to hack into the account, but the game started generating password reset request emails to my inbox like clockwork. The first day of this targeted effort, I received 103 emails!

I submitted a customer support ticket and asked if they would block the IP address of this unknown hacker. (And save me from all these emails!) Their response was intended to reassure me, that I could delete all the emails, and that the 2-step authentication that we’d previously set up on the account was working as intended. It wasn’t all that reassuring since I received 148 additional emails over the next few days to remind me of the on-going hacking effort.

The hacker never gained access, thanks to the security configurations on the account, and the generated emails mysteriously stopped. The name for this attempted account take-over is called a brute-force attack, and it can happen to any account. There are many ways to hack technology, but access using credentials continues to be the easiest and preferred approach of hackers. The reason for this seems to be that if they can walk in the front door, it’s better than climbing over the fence. So why are hackers walking in the front door? Aren’t passwords supposed to be the lock that secures your account?

The answer to this question is complicated. Passwords have never been a perfect solution, but they would have been stronger than they are now if it hadn’t been for the human element. For example, businesses wanting to comply with security recommendations, create protocols to make sure everyone changes their passwords every month. Inevitably, this leads to forgotten passwords, and people soon discover how to cheat the system.

Instead of changing the entire password each time, the system would accept a change of one character as though the whole password was new. So what was “password” last month became “password1” this month, and then would become “password2” next month and so on. This quirk of human nature soon became known to hackers as well, and they started creating lists. Today, files containing thousands of these common passwords are bought and sold online. When a hacker wants to break in, they start with those first.

As superior technology develops, the time it takes for a program to run through these password lists gets shorter and shorter. Processing power now has the capability of cracking even relatively complex passwords in a matter of hours. This increasing hacking ability is why “strong password” recommendations continue to change, and why other forms of identity authentication, such as 2-step authentication and one-time-use codes have become necessary as an extra layer of security.

Experts continue to debate the validity of frequent password changes and whether the future will have passwords at all. Until they decide, we still need passwords in our daily lives. So how do we create strong passwords that will hold up against current hacking capabilities?

The best solution for most people is to use a password manager service and circumvent a lot of the human-related issues with passwords. A password manager will generate long, complex, unique passwords for each account, and the only password to memorize is the one for the password manager service. Most of them sync with multiple devices, and it makes them easy to use.

However, even password managers don’t eliminate the need for humans to understand how to create strong passwords, how to remember them, and the best practices for passwords as a whole.

So how do we create a strong password these days? Here’s a list of the characteristics:

• Create long passwords, using 12-16 characters or more if the account allows it. Length is the most critical feature.
• Use a mixture of upper and lowercase letters, numbers, special characters, and uncommon words. Some systems even allow spaces.
• Avoid creating passwords using the details of your life, such as the name of your pets, mother’s maiden name, or your favorite band. These details make passwords easier to remember, but it’s also information that’s readily available from your social media accounts.
• Make passwords that are easy to remember. Advice that may seem a little ironic, given that everything on the list so far, makes this part impossible.

So how are we supposed to remember strong passwords? There are several password creation tricks to help with this problem. The first is to use a passphrase, rather than a password. To do this, you need a lengthy collection of words: a quote from your favorite book, the punch-line of a good joke, or a quirky sentence that you’ll remember. The differing length of the words increases the difficulty to hack it. If you use punctuation and find a way to include numbers, such as swapping “to” for “2”, this memory trick should fulfill the requirements. The second approach is to take another lengthy collection of words like before, but only use the first character of each one. This method creates an entirely random collection of characters that should fulfill password requirements but will be significantly easier to remember.

There are still human behaviors that can undermine strong passwords. Let’s say you did the steps above, created a truly brilliant, and strong password, wrote it down on a sticky note and then stuck it to the side of your computer monitor, or underneath your keyboard. These are common locations to check, and it’s easy to gain access to accounts this way.

Perhaps you were in a hurry while signing up for a new account and decided to use the same brilliant, strong password again. This approach doesn’t seem too dangerous until you consider that when companies experience data breaches, it’s usually the data with the account information in it that gets stolen. So if you’re using the same password over and over, it becomes part of the stolen data that hackers will use to break into your other accounts.

Both of these common human behaviors weaken the security potential of strong passwords. So if you must write a password down, store your sticky notes securely out-of-sight! Use a unique password for each of your accounts. Also, add Multi-Factor authentication and device authentication steps to your accounts whenever possible. While it’s essential to create unique, strong passwords, it’s also a good idea to add more layers of security to your accounts whenever you can, even when it’s just an online game for one of your kids.

Are you already using a password manager? Which one do you recommend? Let us know in comments, and help our Vivio community decide which one to use!

References:

Barrett, Brian. (2017, December 9). TAKE THESE 7 STEPS NOW TO REACH PASSWORD PERFECTION. Retrieved from https://www.wired.com/story/7-steps-to-password-perfection/

Bradley, Tony. (2019, May 2). Cybersecurity Experts Share Tips And Insights For World Password Day. Retrieved from https://www.forbes.com/sites/tonybradley/2019/05/02/cybersecurity-experts-share-tips-and-insights-for-world-password-day/#578ccc65c2ef

Creating and Managing Strong Passwords. (2018, March 27). Retrieved from https://www.us-cert.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords

Drozhzhin, Alex. (2019, February 1). Change Your Password Day Strong Password Day. Retrieved from https://usa.kaspersky.com/blog/strong-password-day/17094/

Goodin, Dan. (2013, May 27). Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”. Retrieved from https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Hoffman, Chris. 2018, May 9). How to Create a Strong Password (and Remember It). Retrieved from https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/

Password Best Practices. (2018, September 30). Retrieved from https://security.ucsb.edu/news/password-best-practices

Password Do’s and Don’ts. Retrieved from https://krebsonsecurity.com/password-dos-and-donts/