A password is one of the simplest security measures, but it is also one of the most crucial. Oftentimes a password is all that stands between hackers and your private information. It’s for these reasons that it is critical to have strong, easy-to-remember passwords for all of your accounts.
To help you understand how to make an unbreakable password, we first need to consider the methods attackers use to try to crack your passwords. Here are some of the most common strategies.
How do hackers get your passwords?
There are several methods at hackers’ disposal, and not all of them involve actually cracking the password. Attackers can use passwords leaked in data breaches or passwords sold by other hackers on the dark web. This is part of the reason it’s important to use different passwords for all of your accounts.
Brute force attack
Put simply, this is when attackers use specialized software to try every password combination they can until the software guesses the correct one. The most industrious password cracking setups can crack any password under 8 characters in a matter of hours, guessing up to 350 billion combinations a second. Generally, any password under 12 characters is potentially vulnerable to brute force attacks. The longer the password, the better.
Dictionary attack
While a brute force attack tries every possible combination of letters, numbers, and symbols, a dictionary attack uses a prearranged list (or “dictionary”) of commonly used passwords and phrases. This means that simple one-word passwords are exceptionally vulnerable, unless you use a multi-word phrase or exceptionally uncommon words. Many hackers create and sell dictionaries of passwords exposed in previous data breaches. This means that if you use the same password for multiple accounts, a hacker with your password in their dictionary could gain access to every account that uses that password.
Phishing
Phishing is when cybercriminals try to trick, pressure, or intimidate you into doing something they want. These attacks come in a variety of forms, including fake emails or phone calls imitating credit card companies, government agencies, banks, subscription services, and other trusted entities.
The attacker’s aim is to get as much valuable information out of you as possible. This type of attack can be especially dangerous, as it targets the one weak point that no company can fully secure – the user. Never give your password or other sensitive information to suspicious individuals.
What makes a strong password?
For starters, stay away from the obvious. Never use sequential letters or numbers, and never use “password”. Passwords such as 12345, abc123, qwerty, etc. are exceptionally common and easy to guess. Also avoid using personal information such as your name or your birthday. If the attack is targeting you specifically, the hacker will likely have access to that information and will include it in password attempts.
Can it survive a brute force attack?
- Make the password long. This is the easiest and most critical way to protect your password from brute force attacks. Use 15 characters or more.
- Use a mix of characters. The more diverse your characters are (including upper-case and lower-case letters, numbers, and symbols), the stronger your password will be.
- Avoid common character substitutions. Simply replacing a letter with a similar-looking number or symbol (p@ssw0rd instead of password, for example) is not enough to protect your password. These can be cracked just as easily.
- Stay away from common keyboard paths. Similar to the advice not to use sequential letters/numbers, avoid using common keyboard paths (such as qwerty or asdfg). These are common and easy to guess.
Can it survive a dictionary attack?
Avoiding this kind of attack is fairly simple. Do not use a single word as your password; include at least two words. Passwords become exponentially stronger with every word you include. Using a new password for each of your accounts also guards against dictionary attacks based on passwords exposed in a prior data breach. If the password for each of your accounts is unique, it is much less likely to be included in a dictionary available to hackers.
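As an added example (not part of the original article), here is a small Python checker that tests a candidate password against the rules above and estimates the worst-case brute force time at the 350 billion guesses per second rate quoted earlier. The common-password list and keyboard paths are constructed stand-ins for the breach-derived dictionaries the article describes; a real deployment would use a full list.

```python
import re

# Guess rate the article quotes for the fastest cracking setups (guesses per second).
GUESSES_PER_SECOND = 350_000_000_000

# Character classes: the regex that detects each one and the size it adds to the keyspace
# (33 printable ASCII symbols).
CLASSES = {"lower": (r"[a-z]", 26), "upper": (r"[A-Z]", 26),
           "digit": (r"[0-9]", 10), "symbol": (r"[^A-Za-z0-9]", 33)}
# Constructed stand-in for a breach-derived dictionary; real lists run to many millions.
COMMON_PASSWORDS = {"password", "12345", "abc123", "qwerty", "letmein", "welcome"}
KEYBOARD_PATHS = ("qwerty", "asdfg", "zxcvb", "12345")
# Undo the usual look-alike substitutions so "p@ssw0rd" is judged as "password".
SUBSTITUTIONS = str.maketrans("@$0!1|3", "asoiile")

def present_classes(pw):
    return [name for name, (pattern, _) in CLASSES.items() if re.search(pattern, pw)]

def brute_force_seconds(pw):
    """Worst-case seconds to exhaust the keyspace of this length and character mix."""
    keyspace = sum(CLASSES[name][1] for name in present_classes(pw)) ** len(pw)
    return keyspace / GUESSES_PER_SECOND

def is_sequential(pw):
    """True if three adjacent characters each step by exactly +1 (abc, 123, xyz)."""
    codes = [ord(c) for c in pw.lower()]
    return any(codes[i + 1] - codes[i] == 1 and codes[i + 2] - codes[i + 1] == 1
               for i in range(len(codes) - 2))

def check_password(pw, personal_info=()):
    """Return the article's rules that the password violates; an empty list means it passes."""
    lowered = pw.lower()
    normalised = lowered.translate(SUBSTITUTIONS)
    problems = []
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    if len(present_classes(pw)) < 3:
        problems.append("fewer than three character classes")
    if lowered in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        problems.append("in a common-password dictionary (after undoing substitutions)")
    if is_sequential(pw):
        problems.append("contains sequential letters or numbers")
    if any(path in lowered for path in KEYBOARD_PATHS):
        problems.append("contains a keyboard path")
    if any(len(info) >= 3 and info.lower() in lowered for info in personal_info):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "abc123", "Correct-Horse-Battery-Staple9"):
        print(candidate, check_password(candidate, ["Jane", "1990"]),
              f"{brute_force_seconds(candidate):.3g} s")
```

The estimate is an upper bound: a dictionary or rule-based attack finds a password like P@ssw0rd long before the keyspace is exhausted, which is why the checker flags it despite its four character classes.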
How to improve your password portfolio
Now that we know what not to do with our passwords, let’s consider what we should do when making passwords.
- Have a system for making passwords. Have a set of guidelines to follow when making a new password so that you end up with unique but easy-to-remember passwords. A password is most useful if you can remember it.
- Use a password manager. A password manager will do the legwork for you when it comes to remembering passwords – some even come with random password generators to take the guesswork out of new passwords. Just make certain you can remember the master password; you won’t be able to access your accounts without it.
- Be discerning with who you trust. Even the strongest password is useless if you give it away to everybody. Use common sense and never give your password away unnecessarily.