The first thing people say when they hear that you work in information security is almost always something about their passwords.
“Is it really that bad that my password is the same on every account?!”
“It’s so hard to remember my password, how could I possibly use more than one or two?”
“My password is just my kid’s name and birthday. That’s ok, right?”
“I’m nobody. Why would a hacker even bother to try to get my password?”
“I write my passwords on this little notepad I keep in my wallet…”
Try not to run screaming from the cocktail party when you hear those same comments…again…and again. When you work in security, you know how much passwords really do matter. And you know that there’s a super simple solution to staying password safe that is both cost effective and user friendly. It might not be fun to talk about at cocktail parties, so read on here instead.
Bad Passwords Put You at Risk, Really
Hackers have multiple tools in their arsenal to crack your password. Yes, yours. They don’t care that you’re “nobody.” Everybody online is somebody, with a rich trove of data that can be exploited in ways you might not even be able to imagine. If you do anything online–communicate with friends, schedule appointments, pay utility or medical bills, keep a calendar–you are a target.
Google spent a year from March 2016 to March 2017 researching how hackers steal passwords. In that time they found that 12 million credentials were stolen through phishing and another 3.3 billion were obtained from third-party breaches (like the Equifax breach). Everyone online is at risk.
A brute force attack is one method employed by hackers to gain access to password-protected accounts. A script or a bot is used to “guess” the required password. Way back in 2012, a password-cracking expert revealed a machine that could make 350 billion password guesses per second. That means that any typical 8-digit password would be cracked in less than 6 hours.
In a password spraying attempt, a hacker uses a program to attempt to log in to a large number of accounts with a common or dictionary password. Hackers avoid detection and save themselves the trouble of password lock-out policies by “spraying” a common password at many accounts.
Once a hacker has your password, they’ll start poking around in any account that uses the same password looking for interesting data. Maybe they’ll log in to your Google Drive and see what’s useful. Maybe you’re storing a file with your family’s bank account or social security numbers or other account passwords. Maybe the password they hacked was used for PayPal or Venmo–they might start sending themselves money. If a hacker has accessed a patient portal or health insurance provider account, your medical data and associated payment accounts are now exposed. And your exposure might spill over on to other members of your family or business organization.
So What Makes a Good Password?
The best passwords are not words. They are long passphrases that contain both symbols and numbers. Using the longest permissible password or passphrase for each of your accounts is one of the easiest ways to protect yourself online. And it’s a best practice to use each passphrase only once. That’s right: one password per account. Most connected Americans have hundreds online of accounts, which means they should have hundreds of passwords.
Let’s go back to the cocktail party with the bad password users. They have a sense that they’re doing something wrong. They want to laugh it off. They act like it’s such a hard problem that it’s best ignored. But the problem is actually solved easily with a password manager.
Password managers are software programs that both generate strong passwords and save them for future use. These programs are encrypted and accessed by users with a long, complex master passphrase.
Using a password manager is simple and straightforward. The first step is to download the software to your computer and/or install the app on your mobile device. Most password managers also offer browser extensions that should be installed too.
Next, simply start adding your usernames and passwords. You can also add credit card information and notes that contain information that’s private but useful to have handy. Think of your kids’ and spouse’s social security numbers; your frequent flier account numbers; library card number; etc. All of this valuable information is encrypted and is only accessible when the master passphrase is entered.
The only responsibility you have is to remember that one master passphrase. Now you are free to have hundreds of unique passwords for your hundreds of accounts. You will never forget them and your likelihood of being hacked has plummeted.
Once your password manager is set up, you can log in and copy/paste your passwords as needed. You’ll also have fast access to credit card and bank account numbers as well as other hard-to-remember information. Most password managers offer an auto-fill option, but these tools should be used with caution. Make sure you are asked to enter your master password before every auto-fill occurrence!
Popular password managers include 1Password, LastPass, KeePass, Dashlane, and BitWarden. Almost all password managers are subscription services. They often offer a higher price tag lifetime subscription, but if you’re unwilling to make that level of commitment to one service, annual fees range from $20 – 60.
Bear in mind that using a password manager is a great choice for individual consumers and families. If you are considering installing a password manager (or any other software) on an employer-owned device, you should check with your IT department first. They–hopefully–have a policy in place and you should comply!
Does your company have a strong password policy? If you need guidance on developing and implementing high quality information security practices, Asylas can help. Email us at firstname.lastname@example.org or call 615-622-4591.