Having a strong password might sound like common sense, yet not everyone puts much thought into this key aspect of cybersecurity. Many believe they simply aren’t a target for cybercriminals; others believe their passwords are already strong enough.
Before we dive into what makes a strong password, let us examine a couple of notable breaches which revealed that people did not use their best judgement in selecting a secure password.
In July of 2015, a hacktivist group breached the website Ashley Madison and leaked its user database. The passwords were stored as bcrypt hashes, which should have made large-scale cracking impractical, but a programming error (a separate login token derived from the username and password with fast, unsalted MD5) allowed password crackers to recover 11.7 million of them. What does this have to do with strong passwords? After all, the passwords were hashed, right? Well, the list of recovered passwords revealed the top five to be “123456”, “12345”, “password”, “DEFAULT”, and “12345678”. Of those, 120,511 accounts used “123456”, illustrating that many of these accounts could have been opened without any cracking at all, simply by trying a short list of common passwords against the login page (a dictionary attack, the cheap cousin of exhaustive brute force).
SplashData, a software supplier of security applications that publishes an annual “Worst Passwords” list, found the same pattern in its 2014 list of the most common passwords found on the internet: short numeric sequences and plain dictionary words.
Another noteworthy password incident involved Mark Zuckerberg’s Twitter and Pinterest accounts. After the breach of LinkedIn, in which millions of user account details were leaked online, attackers found Zuckerberg’s LinkedIn credentials in the dump and used them to log in to some of his other social media accounts, a technique now known as credential stuffing. He had not only used a weak password, but had also reused the same weak credentials across multiple accounts, so a single breach elsewhere was enough to take them over.
Both examples clearly illustrate how a weak password, or one password shared across accounts, can prove devastating to a small business once cybercriminals get hold of it.
How to create strong passwords
Here are some great best practices to make your passwords strong and as secure as possible:
Make it unique and memorable
Too often, people create a password that is easy to remember but fail to make it unique. Many build passwords from personal information, such as a family member’s or a pet’s name or birthday. A password should also not contain any recognizable number such as a phone number, social security number, or street address. While these make the password easier to remember, they also make it much easier for a cybercriminal to guess, because that information is often public or can be found on social media.
Length, width, and depth
Strong passwords require a certain degree of complexity. Length, width, and depth are factors that can assist in creating the necessary level of complexity.
Length: Length denotes the number of characters in the password. A password should be a minimum of 10 characters long, and longer is better: each additional character multiplies the number of possible passwords by the size of the character set (95 for printable ASCII), so the search space grows exponentially with length. According to a 2010 Georgia Tech study, passwords of 12 random characters were the minimum length needed to defeat the password-cracking software of the day; anything shorter could be vulnerable.
The same study assumed a sophisticated attacker trying 1 trillion guesses per second and calculated that exhausting every 11-character password would take about 180 years; adding one more character raises that to 17,134 years. An 11-character password therefore sounds impossible to break, but two caveats apply. First, the guess rate depends on how the password is stored: a current GPU is rated at up to 11 teraflops (11 trillion floating-point operations per second), and while one guess costs far more than one operation, a single card can still test tens of billions of guesses per second against fast, unsalted hashes such as MD5 or NTLM, and cybercriminals chain multiple cards together with the right software, so the 180-year figure shrinks significantly. Second, and more important, the figure assumes every character was chosen at random; a password built from words, names, dates or keyboard patterns falls to a dictionary-and-rules attack long before any exhaustive search is needed.
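The arithmetic behind the 180-year and 17,134-year figures, as an added Python example (not code from the original article): it computes the keyspace and entropy of a random password over the 95 printable ASCII characters and the time to exhaust it at a given guess rate. The per-hash guess rates in GUESSES_PER_SECOND are rough order-of-magnitude assumptions for a single modern GPU, added here for comparison, not figures from the page.

```python
import math

# Character-set sizes. 95 is the number of printable ASCII characters, which
# is the alphabet the article's 180-year / 17,134-year figures are based on.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}

SECONDS_PER_YEAR = 365 * 24 * 3600

# ASSUMPTION: rough order-of-magnitude guess rates for ONE modern GPU, in
# guesses per second. Real numbers vary by card, cost factor and tooling; the
# point is the ratio between a fast unsalted hash and a slow adaptive one.
GUESSES_PER_SECOND = {
    "md5": 30_000_000_000,       # fast, unsalted: tens of billions per second
    "sha256": 5_000_000_000,     # slower, but still billions per second
    "bcrypt_cost12": 1_000,      # adaptive hash: thousands per second
}


def keyspace(length, alphabet=95):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(length, alphabet=95):
    """Entropy in bits of a password whose characters are chosen uniformly
    at random; log2(95) is about 6.57 bits per character."""
    return length * math.log2(alphabet)


def years_to_exhaust(length, alphabet=95, rate=1e12):
    """Years needed to try every password of this length at `rate`
    guesses per second (the expected time to hit one is half of this)."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR


def years_by_hash(length, alphabet=95):
    """Same password length under each assumed per-GPU guess rate."""
    return {name: years_to_exhaust(length, alphabet, rate)
            for name, rate in GUESSES_PER_SECOND.items()}


if __name__ == "__main__":
    for n in (8, 10, 11, 12, 16):
        print(f"{n:2d} chars: {entropy_bits(n):5.1f} bits, "
              f"{years_to_exhaust(n):.3g} years at 1e12 guesses/s")
    print("11 chars per hash type:", years_by_hash(11))
```

Running this reproduces the article's numbers (about 180 years for 11 characters and about 17,135 for 12 at one trillion guesses per second) and shows why storage matters: with the assumed rates, an 8-character random password stored as MD5 falls in days on one card, while an 11-character one stored as bcrypt would take longer than the age of the universe. None of this helps a password that is not random, which is what the dictionary attacks in the breaches above exploit.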
Width: Width refers to mixing different types of characters: upper and lowercase letters, numbers, and symbols or punctuation. Each password should contain at least one of each. Width only helps if the characters are placed unpredictably, however; capitalising the first letter and appending “1!” satisfies the rule but is among the first patterns cracking tools try.
Depth: Depth means that a password has meaning to you but is still difficult to guess. To give a password depth, think in terms of phrases and mnemonics rather than actual words. An example would be “You miss 100 percent of the shots you don’t take” – Wayne Gretzky, which translates into the password “Ym100%otsydtWG”. Just how secure is this password? A website called HOW SECURE IS MY PASSWORD?, which estimates password strength, reports that it would take approximately 204 million years to crack it. Treat such estimates with caution: they assume every character was chosen at random and a fixed guess rate, whereas a mnemonic built from a famous quotation can be guessed by an attacker who runs lists of well-known quotes through the same first-letter transformation. A phrase that is personal rather than famous keeps the memorability without that weakness.
Do your passwords pass the length, width, & depth test?
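A small checker for the length, width and depth test, as an added Python example that is not part of the original article. The common-password list is a constructed sample containing only the five entries quoted from the Ashley Madison analysis above (a real check should screen against a full breach corpus); the word-to-symbol substitutions beyond “percent” and the function names are assumptions made here.

```python
import secrets
import string

# Constructed sample: the five most common Ashley Madison passwords quoted
# above, lowercased. A real deployment screens against a full breach corpus.
COMMON_PASSWORDS = {"123456", "12345", "password", "default", "12345678"}

# ASSUMPTION: substitutions used when turning a phrase into a mnemonic. The
# article maps "percent" to "%"; "and" and "at" are added here.
WORD_SUBSTITUTIONS = {"percent": "%", "and": "&", "at": "@"}


def character_classes(password):
    """Which of the four 'width' classes the password contains."""
    return {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_password(password, min_length=10):
    """Return a list of problems; an empty list means the password passes
    the common-password, length and width checks."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, present in character_classes(password).items()
               if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def mnemonic(phrase):
    """Depth: derive a password from a phrase by keeping the first letter of
    each word (case preserved), whole numbers, and substituted symbols."""
    out = []
    for token in phrase.split():
        word = token.strip(string.punctuation + "\u201c\u201d\u2018\u2019")
        if not word:                      # a lone dash or quote mark
            continue
        if word.isdigit():
            out.append(word)
        elif word.lower() in WORD_SUBSTITUTIONS:
            out.append(WORD_SUBSTITUTIONS[word.lower()])
        else:
            out.append(word[0])
    return "".join(out)


def generate_password(length=16):
    """Random password from the `secrets` module (never `random`, whose
    output is predictable), resampled until every width class is present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(character_classes(candidate).values()):
            return candidate


if __name__ == "__main__":
    quote = "You miss 100 percent of the shots you don't take - Wayne Gretzky"
    derived = mnemonic(quote)
    print(derived, check_password(derived) or "passes")
    print("123456", check_password("123456"))
    print("generated:", generate_password())
```

The mnemonic function turns the Gretzky quote into exactly the “Ym100%otsydtWG” shown above, and that string passes every check. Note what the checker cannot catch: “Password1!” also passes the length and width rules, which is why the common-password screen and sheer length matter more than composition rules, and why a generated random password is the safest option when a password manager is there to remember it.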
No password reuse
As illustrated by the Zuckerberg example, reusing passwords is a bad idea: one breach exposes every account that shares the password. Creating a secure password is not always easy, and remembering many different ones is harder still. Password managers such as Dashlane provide free software that generates a unique random password for each site and stores them behind a single master password, which resolves this dilemma.
Use Multi-Factor Authentication when available
Using more than one piece of evidence to verify identity is becoming more common. Even if your password has been compromised, an attacker who holds only the password may still be unable to access your account. The idea is simple: once you enter your password, a second factor is required. Factors fall into three categories: something you know (a password or a pre-established answer to a question), something you have (a one-time code from an authenticator app, a code sent to your phone, or a hardware token), and something you are (a biometric such as a fingerprint, voice recognition, or a retinal scan). A security question is the same kind of factor as the password and is often guessable from public information, so it is the weakest choice; codes sent by SMS can be intercepted through SIM-swap attacks; an authenticator app or hardware token is the stronger option where the service offers it.
Never write your passwords down
Many people violate this best practice, which makes even a strong password useless if someone finds the note. If you must write one down, never keep it somewhere easily accessible such as taped to your monitor, under your keyboard, or in your wallet or purse. Again, it is far better to use a password manager that stores and retrieves them instantly without exposing them to the prying eyes of criminals.
Strong passwords are necessary to help keep your data secure. Ideally, a good password is so complex that it is impossible for you to remember; that is not practical on its own, which is why the readily available tools, such as password managers, are worth using.
People and companies every day fall victim to cyber theft and a clear-headed approach to password security is a big step in stemming the tide of these crimes. At the very least, you’re making it more difficult for criminals to crack your passwords and gain access to your valuable data.
Ron Smith is an Infusionsoft Sr. Quality/Security Engineer. Having served in the USAF as a security specialist, he became passionate about security. During his 20 year career, he has worked for very large companies such as Microsoft, Intel, and Pearson, but his love for small business carried him to Infusionsoft. He is also the father of five boys and an avid Harley Davidson rider and home brewer.