March 21, 2017

Is your password 1234? Twelve ways to protect your online passwords.

Think of a password. Okay stop. If your password does not look something like this: &*F3110w5hp1*& or this ##D0nTuF0rg3tIT## Then you are just begging to get hacked. Now I know what most of you are thinking, no one will ever guess partygirl99 or sailboat50 but passwords without any capital letters based on a common name with no special characters can be cracked in seconds with a  brute force attack and are common to find in hacker made dictionaries of passwords. Hackers have dictionaries of most commonly used songs, passwords, bible veses, koran verses, pop culture, names, memes, etc…With a few clicks they can load the dictionary files into their cracking engine and go grab a coffee while their computer does a brute force attack.

The best passwords are long, like over 16 characters long, have many numbers special characters and letters and have no obvious pattern. Since weak passwords are easy to remember we often times don’t bother with long complicated passwords for fear of forgetting them, but you should. However, you can choose something in between.

Lets take our example (partygirl99)

  1.  You could interleave the same password like this  9pgairtry9 , that makes it a lot tougher to crack since there is no word that looks like it, the crack dictionaries used by hackers are likely not to have it. Another strategy is to use a small phrase with spaces or underscores or purposefully misspelled words in the password.
  2. Add symbols in a pattern that you will recognize -=9pgai!rtry9=-. In this example, we added the same special characters at the end but used the last character first at the end, plus we added one special character to the middle.
  3. Throw some capital letters in there for good measure -=9pgAi!rtRy9=- . Putting the capitals at the beginning and the ends is not recommended since so many people already do it.
  4. Make it long, the longer the password becomes the longer exponentially longer it will take to guess or crack.
  5.  Add 2-factor authorization and use your cell phone number, do not choose email. Since email address are usually first compromised your attacker may be able to exploit the advantage of having email set up for 2nd authorization method. Plus having your phone send you a text out of nowhere saying that you are attempting to log in serves as a detection method to alert you of attack.
  6. Use an authenticator if available. Authenticators are apps like google authenticator that you can put on your smartphone, the password shown on the authenticator changes every few seconds. This makes it very hard for an attacker to gain entry without the app that is synced to your phone and user account.
  7. Password apps are good but can be a double edge sword since all the passwords are stored in a central location and make it a much more tempting target for attackers.
  8. Don’t use obvious usernames like, user, admin, or names like john, mary, etc… Take a moment to be creative and give yourself a unique username that may have a discernable pattern to you but no one else, in this way each account you secure with your username can be unique but not obvious to an attacker.
  9. Don’t use your password on all your sites, this is just begging to get your entire digital life hacked. You could have the same password but make at least two or three changes to the original password to make it still formidably difficult to crack. The original password -=9pgAi!rtRy9=- could be made into mybank-=9pgAi!rtRy9=- or use any other easy to remember scheme that will make it easy to make as many different passwords as the original but still different and unique enough that it would very long to figure out.
  10. Check the strength of your password. Kaspersky Labs offers a free tester, but if you use another tester, make sure it is safe since hackers know that these could be used at some point and may try to exploit this vulnerability. Our original sample password partygirl99 takes only 13 days on a desktop computer if the attacker has no clue what it could be, but if they have a good idea, it may be seconds or minutes. The sample strong password we created (-=9pgAi!rtRy9=-)on the other hand would take 3261 CENTURIES!
  11. Either rotate or completely change your passwords often (every 90 days is good for most users).
  12. If you have decided that this is too complex and want to save your passwords on a cheat sheet, you can make a secret file on your computer where to store them safely by using WinRAR(a zip utility) for free. This program will allow you to encrypt the file inside its compressed zip and put a password on it. Also naming the password text something bland like greentea.txt vs the obvious (passwordfile.txt). In addition, you can make your file disappear with the hidden attribute in the properties. Believe it or not, your encrypted password text file is safer here than it is in a company that stores passwords because no one knows you are saving it and everyone knows that other sites have thousands or millions of accounts.



The big takeaway here is, accounts will always be vulnerable, so whatever combination of the methods outlined here you decide to use, always try to add as many layers to your security as you can. Don’t put all your eggs in the same basket and follow this Pro Tip:Stay Safe and keep an up to date antivirus program to catch any viruses that may be used as a keylogger or fake phishing scam sites that are trying to get you to log in.