What’s in a Password: A Guide for Laymen

Secure Passwords

Last week I spoke to a diverse group of college students about secure passwords. Although most students today are fairly tech-savvy, some seemed amazed to data protectionlearn that their passwords could be hacked within seconds. Quite a few hands went up when I asked the students if they had ever had their email or social media account hijacked. Has that happened to you?

According to NBC News Online, the U.S. Government, Office of Personnel Management database system was hacked and 5.6 million health records, fingerprints and social security numbers of federal employees were stolen by hackers. I’m sure you’ve heard the scuttlebutt surrounding the embarrassing photos of Kim Kardashian and other celebrities that were made public as a result of hacked Snapchat accounts. Don’t think that just because you’re not a celebrity or don’t have millions of dollars that you are not a target for hackers.

Today I’m going to share with you why it’s important to have a secure password, how hackers gain access to your password and how to set a secure password. So, why are passwords important? The answer may seem obvious — that they are the “combination lock” used to secure your data. Passwords protect your financial and personal information and protect you from identity theft that exposes you to debts you did not incur, crimes that you did not commit and sensitive and personal information that you intended to be private.

Now that we know what passwords do and why they are important let’s talk about how hackers gain access to your password. Although there are a multitude of methodologies that hackers use, today I’m going to talk about two prevalent methods: Brute Force Attacks and Social Engineering.

Just as criminals can pick a combination lock by trying every possible combination of letters until the hasp opens, hackers use computers with very fast processing speeds and software designed to apply algorithms that try combinations of dictionary words, frequently used passwords, letters (both uppercase and lowercase) and special characters (*&!, etc) until they successfully gain access to your account. This software is frequently deployed on the internet, crawling through domain after domain using combinations of userids and passwords.  These are Brute Force Attacks and are so widespread that if you were to check your Google Analytics, you would find multiple attacks per day.

Depending on the complexity of your password and the speed of the hacker’s computer, it may be deciphered in a matter of seconds or could take a millennium to finally hit that correct combination.  A good web developer is not only aware of these popular attacks, but implements secure techniques in any coding to thwart these kinds of attacks as well as others.

Another interesting technique used to gain access to your password is called Social Engineering.  Joan Goodchild, CEO and Senior Editor of CSO online defined social engineering as:

“The art of gaining access to buildings, systems or data by exploiting human psychology”.

For the sake of simplicity and brevity, I will only mention two social engineering techniques – keystroke logging and phishing scams.

Keystroke logging is the actual capturing of every keystroke that you make on your computer.  This is accomplished by a very small program that gets installed on your computer without your knowledge — whether by inserting a flash drive that contains the program or as a “bundled” package from downloaded software that not only installs your intended program but also installs the keylogger without your knowledge.  Not only does this program log every keystroke, but after a period of time, that information is invisibly emailed to the hacker which gives him the information about the websites that you visit, userids and passwords.

An extremely common tactic of hackers is phishing.  The goal of phishing whether deployed by a phone call, email or website is to trick you into giving them sensitive information such as userids, passwords, and social security numbers, thinking that you are communicating with a legitimate service provider with whom you may have an account.  Below is an actual phishing email that I recently received.  The URL link has been partially blotted out for your safety — don’t go there!  Firstly, no bank is going to contact you via email requesting this information — they already have it!  Secondly, I do not even have an account with this establishment, so this could not apply to me.

Many times, emails like these misspell words or the grammar does not even make sense.  These emails almost always contain a link for you to click to go to the website to “verify” your information by logging in.  I cannot emphasize enough to never click on these links.  If you suspect that you may indeed have a problem with a legitimate account, either make a phone call to the establishment or type in their website address that you know directly into your web browser and log in as you normally would.  The links in these emails are designed to take you to a website that looks exactly like your account provider’s website.  When you visit the link from the email even if you don’t enter a userid or password, you have told a hacker that the email that you clicked from is a legitimate email address and you are likely to have that email address sold to marketers.

Now that we know a few tactics that hackers use to gain access to your password, let’s learn how to set a really secure password.  The rules are easy:

  1. Never use a dictionary word as a password — these are words tested against in a brute force attack.
  2. The minimum length of a password is 8 characters long.  Make sure you use both upper and lowercase letters.
  3. Strengthen your password with at least one special character (ie – !, #, &, *, @).
  4. Use a memorable phrase to help you remember your password.  You might use:  Mary had a little lamb, but make sure you do something like this:  MrYhadALillAmB.  Then add a special character to it for further strength.
  5. Don’t use the same password for every account.  Yeah, I know — that means you have to remember too many.  Instead – use a good password vault software where you can save all your passwords in one secure place without memorizing them all.
  6. Don’t write your password down.  People really do some really wild things sometimes and tape their userids and passwords on a sticky note to their monitors.  With some easy social engineering (peering over your shoulder) your password is no longer safe.
  7. You may not want to answer your password security questions honestly.  That ex-spouse knows your mother’s maiden name, the color of your first house, the street name of your first house, etc.  Write down bogus answers to your questions, then save them in your password vault software.

Here’s a fantastic source for learning just how secure a password is.  www.howsecureismypassword.net.  This is a great way to find out how long it takes a hacker to brute force your password.  Dictionary words are deciphered almost instantly.  An eight character password without a special character can be deciphered in minutes.  Adding a special character to that password increases the time to hours.  A password containing 9 characters with both upper and lowercase letters and a special character may increase your decipher rate to years instead of months.  Adding further length can increase that to a millennium!

Today, we learned about why it’s important to have a password and how it is the combination lock that protects your personal and financial information.  We also talked about a few hacking techniques used to decipher your password such as Brute Force attacks and social engineering attempts such as keystroke loggers and phishing.  Lastly, we discussed the rules to setting a secure password and a tool to show you how secure your password is and how long it would take a hacker to discover your password.

Now that you know the importance of a password and have the necessary rules and tools to set a secure password, we hope you will use this information to better secure your financial and personal information from hackers.  As a web developing business, we do our part in securing servers as well as closing holes in software that allow hackers to gain access to account information through use of websites.

We hope that this information and the linked resources have been helpful to you!  Leave a comment below and let us know your experiences with having had a password hacked or techniques that you have discovered that were used against you or your website.

1 thought on “What’s in a Password: A Guide for Laymen

Leave a Reply

Your email address will not be published. Required fields are marked *