Passwords Guide

Do you use simple passwords that can be easily guessed? Have you thought about the security of your online account passwords?

How many of us know that a poor password is the easiest way for anyone to get into our online accounts?

Who amongst us has the habit of re-using passwords across multiple accounts? Are we aware of current password security best practices?

Do we "change" a password by adding or altering just one character, so that the new password is almost identical to the old one?

Do we use similar passwords for all our online accounts: social media, email, online banking, utility bills?

If so, you are in the right place, and you will get to know more about useful password security practices.

What is password security?

"Password protection is a security process that protects information that needs to be protected."
https://www.techopedia.com/definition/8797/password-protection

A password is the basic, fundamental precaution protecting every online and offline account: online shopping (Amazon, Flipkart, Etsy, Shopify, etc.), social media (Facebook, Twitter, Instagram, Pinterest, etc.), banking and financial transactions, personal chats, and the many other websites that still rely on passwords.

Your password is the key to unlock all your accounts.

If you have valuable assets like cash or jewels at home, would you leave them lying around unprotected? Would you leave the key to your locker where anyone could find it?

The simple answer to that is NO.

Your accounts deserve the safety of a strong password, because that password is the key to your digital assets: your files and folders, chat conversations, photos and memories, family and friends' contact details, and more.

So what exactly is password security? You will get to see that in more detail shortly.

Top 100 passwords

Before we get into the details, a few key points to keep in mind on password security are :

  • Follow basic password hygiene
  • Create and store passwords safely
  • Always have a strong and long password
  • Ensure individual accounts have unique passwords
  • Try managing your passwords through a password manager
  • Avoid password sharing
  • Use 2FA or MFA (two-factor or multi-factor authentication)

Keep these best practices in mind and you will have far fewer unpleasant surprises.

Your accounts are worth protecting; secure them with strong passwords.

How secure is my password?

With current computing power, a password of 8 characters or fewer can be brute-forced in a very short time: where a site stores passwords with a fast hash, the entire 8-character space can be searched in hours to days on commodity GPU hardware.

It is no surprise that even high-profile accounts have been cracked open easily when they were protected by poor passwords.

Even large, well-tested online services see accounts taken over through password attacks such as credential stuffing, where passwords leaked from one site are tried against another.

We will look at these shortly.

You might have questions related to a password like the following :

1. How long does it take to crack my password?
2. Where to check your password compromise?
3. Is my password safe?

These are basic questions for any account owner, so let us go into them in more detail.

How long does it take to crack my password?

Passwords shorter than 12 characters are unsafe. Avoid them, and change any you still have to 12 characters or more.

How secure is my password
https://howsecureismypassword.net/

Is my password safe?

No password is safe once it has been breached. If your password is more than 12 characters long, unique to that account, and drawn from a mix of character sets, then you stand a reasonable chance.

Today the odds of a password being exposed are high, as we hear about data breaches on a regular basis.

There is no such thing as a 100% safe environment. It is up to us to minimise the risk by using a unique, strong password for every account and following sound password hygiene.

Given the risks involved, following the best practices described below is strongly recommended.

How to check if my password is exposed?

Various websites can tell you, and alert you, when your password has been exposed.

Let us run a simple check for the word "password123" on XposedOrNot.com. It checks passwords anonymously against a collection of approximately 850 million passwords exposed in previous breaches, which makes it a good choice.

XposedOrNot Passwords
XposedOrNot.com
The entire list of ~850 million passwords is stored as SHA-3 hashes rather than in plain text. The check itself is designed so that the password is never sent out: the password is hashed on your side, and only the first ten characters of that one-way hash are sent and checked against the repository. The technical architecture and the security controls involved are detailed in XposedOrNot: Want 850 Million Passwords For Free?
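To make the "only a hash prefix leaves your machine" idea concrete, here is an added example (my own code, not XposedOrNot's) of a k-anonymity style compromised-password check. The breach corpus and the service endpoint are simulated in-process, the prefix length of ten hex characters follows the description above, and the real API's request and response shape is an assumption; only the mechanism is illustrated.

```python
"""
Added example, not XposedOrNot's own code: a k-anonymity style password check.
The client hashes the password locally, sends only a short prefix of the hash,
and does the final comparison itself, so the password never leaves the machine.
The breach corpus and the service are simulated here (assumption: the real
service accepts a 10-hex-character SHA-3 prefix and returns matching digests).
"""
import hashlib

PREFIX_LEN = 10   # hex characters of the digest sent to the service (40 bits)

def sha3_hex(password):
    """SHA3-512 hex digest of the password, computed on the client side."""
    return hashlib.sha3_512(password.encode("utf-8")).hexdigest()

# Constructed stand-in for the breach corpus. Real services index hundreds of
# millions of entries; a handful is enough to show the mechanism.
_BREACHED_PLAINTEXTS = ["password123", "123456", "qwerty", "letmein"]

# Server side: an index from hash prefix to the full digests sharing it.
_SERVER_INDEX = {}
for _pw in _BREACHED_PLAINTEXTS:
    _digest = sha3_hex(_pw)
    _SERVER_INDEX.setdefault(_digest[:PREFIX_LEN], set()).add(_digest)

def server_lookup(prefix):
    """Simulated service: return every stored digest starting with `prefix`.
    The service learns the prefix and nothing else about the password."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789abcdef" for c in prefix):
        raise ValueError("prefix must be %d lowercase hex characters" % PREFIX_LEN)
    return set(_SERVER_INDEX.get(prefix, ()))

def is_exposed(password):
    """Client side: hash locally, query by prefix, then compare the full
    digest locally against the candidates the service returned."""
    digest = sha3_hex(password)
    return digest in server_lookup(digest[:PREFIX_LEN])

def what_server_saw(password):
    """For illustration: the only value that crosses the wire."""
    return sha3_hex(password)[:PREFIX_LEN]
```

One thing worth noticing: a 40-bit prefix over roughly 850 million entries means most queries return zero or one candidate, so the scheme's privacy rests on the hash being one-way and on the full digest never being sent, not on the candidate set being large. Either way, the plaintext password never leaves the client.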

Why would someone hack into my account?

The simple answer to this complex problem is that there are multiple reasons.

Let us start looking at each one of them in detail.

Curious people (people who already know you)

There are plenty of people who would happily peep into others' lives, and that applies to online accounts as much as to real life.

For example, you have a Facebook account, and people follow and interact with you. Among those followers there may be some who want to see the personal and private data hidden inside that account.

That includes your photos, the photos you have received, your private chats, your friends list, and so on.

This is an unavoidable issue with social media accounts, which are highly visible from outside. The good news is that Facebook, Twitter and similar companies typically detect and block such attempts based on user behaviour.

Most smaller websites, however, do not have the resources or funding to build such strong protections into their authentication (login) mechanisms.

Financial motive (online banking accounts)

People who steal or misappropriate others' money will always be on the prowl for easy targets.

If your password is weak, or has been exposed, the chances of such people misusing your funds are high.

Always make sure your online accounts with banks and financial institutions are kept safe from prying eyes.

If anything on the internet looks like easy money or too good a deal, treat it with a pinch of salt.

Account misuse (posting defamatory or unethical content)

The next group of people want to (ab)use your account to post content on your behalf. The primary aim is to bring negative attention to you or your account.

Sometimes this kind of attack is done simply to mask the real perpetrator and make it look as if you carried out the activity.

Social media accounts have to be safeguarded extremely well, or they can lead to some very unpleasant experiences.

Data breaches (account credentials exposed in website hacks)

Sites like Yahoo and Twitter have had their user accounts compromised. Any password you used on those sites should be treated as unsafe.

Data breaches happen in many ways. Most are attributable to unsafe practices, whether technical or human.

Some of the largest known breaches include Yahoo, LinkedIn, British Airways, Facebook, Reddit and Equifax.

The attackers hold those passwords, and they can be misused easily.

Lately, breaches have hit everything from common utility sites to government-run sites holding voter information.

In all likelihood, one or more of your accounts has been exposed in a data breach.

How to check if my account is compromised?

The internet is always ready to help those who look in the right place. A couple of helpful websites will check whether your email address or password has been compromised, and can alert you when it is.

Databreaches
Image Courtesy : https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

What should I do when my account is exposed?

  1. Change your password immediately to a new, unique one.
  2. Also change the password on every other site where you used the exposed one.
  3. Enable and use 2FA (two-factor authentication) or MFA (multi-factor authentication). In simple terms, this adds a further layer to the login, such as an SMS or app-generated OTP (one-time password) that is unique to that login. Most major online services offer 2FA/MFA; turn it on wherever it is available, and prefer an authenticator app or hardware key over SMS where you have the choice.
  4. Check with your immediate circle of friends and family and help them change their credentials. Looking out for each other is always good for relationships and business.
  5. Use a password manager, and protect it with a strong master password.

Nowadays almost all online accounts come under attack in one form or another. The primary motive is predominantly financial, although there are other reasons as well.

Credential Stuffing

Because people re-use passwords across accounts, one compromised password is often enough to log in to several of a victim's accounts. Doing this at scale, replaying leaked username and password pairs against other sites, is called credential stuffing.

A simple example: you have a Yahoo account with the password "password". If you used the same password elsewhere, it is easy for anyone holding the leaked Yahoo credentials to break into those other accounts too.

Various data breaches have exposed a huge trove of credentials that is easily available to anyone who goes looking for it. Such breaches and compilations include Collection #1-6, Yahoo, LinkedIn, Dropbox and Equifax.

Credential stuffing makes it easy for an attacker to get into your other accounts.

If you have changed the password to a unique one, your risk is lower. Given this risk, we have to be very careful never to re-use old passwords.
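Credential stuffing also leaves a recognisable trace on the receiving side. As an added example (my own code, not from the original article), the detector below runs over a few constructed login log lines: a stuffing run shows up as one client trying many different accounts in a short time and mostly failing, which looks nothing like a single user mistyping their own password. The log format and the sample lines are invented for the example.

```python
"""
Added example, not from the original article: spotting a credential-stuffing
run in login logs. Stuffing replays leaked username/password pairs, so one
client tries many *different* accounts and mostly fails. The log format and
the sample lines below are constructed for this example.
"""
from collections import defaultdict
import re

# Constructed sample lines: "<client_ip> <unix_ts> <username> <OK|FAIL>".
SAMPLE_LOG = """\
203.0.113.7 1700000001 alice FAIL
203.0.113.7 1700000002 bob FAIL
203.0.113.7 1700000002 carol FAIL
203.0.113.7 1700000003 dave FAIL
203.0.113.7 1700000004 erin OK
203.0.113.7 1700000005 frank FAIL
198.51.100.4 1700000010 alice FAIL
198.51.100.4 1700000031 alice FAIL
198.51.100.4 1700000052 alice OK
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (ip, ts, user, ok) tuples; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, ts, user, result = m.groups()
            yield ip, int(ts), user, result == "OK"

def find_stuffing(log_text, min_users=5, min_fail_ratio=0.6, window_s=60):
    """Flag client IPs that hit at least `min_users` distinct accounts within
    `window_s` seconds with a failure ratio of at least `min_fail_ratio`.
    Returns {ip: {"distinct_users", "attempts", "fail_ratio", "succeeded"}};
    `succeeded` lists the accounts the client got into, i.e. the ones to reset."""
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                  "attempts": 0, "fails": 0, "ts": []})
    for ip, ts, user, ok in parse(log_text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ts"].append(ts)
        if ok:
            s["ok_users"].add(user)
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        span = max(s["ts"]) - min(s["ts"])
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and span <= window_s and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "fail_ratio": round(ratio, 2), "succeeded": sorted(s["ok_users"])}
    return flagged
```

The span check here covers the whole log for simplicity; a real detector uses a sliding window and adds signals such as user agent and network, because stuffing tools spread their traffic across many proxy addresses to stay under per-IP thresholds. The useful output is the `succeeded` list: those accounts were opened with a leaked password and need a forced reset regardless of whether the source IP is blocked.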

With that said, let us look at ways to check how safe your password is.

There are multiple ways to check your password's safety. The easiest is to run through the checks described below.

Password Security Tips

Password Tips

Never Use Dictionary Words

Dictionary words are weak from a security standpoint: a dictionary attack, which simply tries every word in a wordlist, is trivial to automate and is usually the first thing an attacker runs.

Avoid using words from any dictionary, in English or in any other language.

Given that risk, never pick a password that is a known word from any dictionary.

That means words like life, love or money are high-risk passwords. See the top 100 most frequently used passwords shown above.

Avoid character repetition

Passwords built from repeated characters are also widely regarded as poor.

For example, aaaa or 1111 can be forced open easily by any determined attacker targeting your account.

Stay Off Personal Data

Using personal data in passwords is very common.

It is safer to avoid passwords built from your personal data.

If personal data is used as a password (your name, date of birth, a year, children's or pets' names, your spouse's name, etc.), a determined attacker can easily compile a short list of likely passwords for you. These are exactly the details we leak unknowingly, particularly on social media.

Avoid password re-use

Using the same password on multiple websites carries a high risk.

Let me explain with a simple example.

Suppose your Gmail password is "myPassword" and your username is "myName". You also have an account on Facebook.

You would naturally choose "myName" as your Facebook username too, since it is yours and you are already used to it. With just that basic information, an attacker can target your Facebook account with the leaked "myPassword".

Major sites like Facebook and Google have enough security precautions to limit this, but not all sites do.

So always avoid repeating passwords: a compromise of one website should never affect your other accounts.

How to set a good password easily?

Try these for your passwords :

  • Make every password at least 12 characters long, mixing letters, numbers and special characters.
  • Some security researchers recommend going considerably longer than 12.
  • Most current password rules place no major restriction on numbers, so use them freely.
  • Password managers are a helpful tool for keeping all your passwords in a controlled way.

Avoid using the below while creating passwords :

  • Never use the same password on more than one website or service. This limits the damage if one site is breached.
  • Avoid words found in any dictionary.
  • Do not use personal information such as children's names, your date of birth or your city as a password.
  • Avoid easily guessable words and sequences. 123456, love, abcde and password are already among the top 10 most frequently used (and abused) passwords, so avoid them at all costs.
  • Do not use your login or username in any form (as is, capitalised, reversed, etc.) as your password. These are among the first things attackers try when targeting a specific user.
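The rules above are easy to turn into code. Here is an added example (my own, not from the original article) of a checker that applies them: minimum length, the most common passwords, dictionary words even after the usual letter substitutions, repeated characters, keyboard-style sequences, personal details and username variants, plus a rough brute-force estimate. The common-password and dictionary lists are tiny constructed stand-ins for a full wordlist and a breach-derived list such as the top 100 shown earlier, and the guess rate in the estimate is an assumption for illustration.

```python
"""
Added example, not from the original article: a password checker that applies
the rules from the tips above. COMMON_PASSWORDS and DICTIONARY are constructed
stand-ins for real lists; username and personal details come from the caller;
the guess rate used for the brute-force estimate is an assumption.
"""
import re
import string

COMMON_PASSWORDS = {"123456", "password", "love", "abcde", "qwerty", "password123"}
DICTIONARY = {"life", "love", "money", "summer", "dragon", "welcome", "monkey"}

# The substitutions cracking tools apply as rules; undoing them lets the
# dictionary check judge "P4$$w0rd" the same way as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def letters_only(text):
    """Lower-case, drop trailing digits, undo leet substitutions, keep letters
    only, so 'P4ssw0rd2019' is reduced to 'password'."""
    base = re.sub(r"\d+$", "", text.lower())
    return re.sub(r"[^a-z]", "", base.translate(LEET))

def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def check_password(pw, username="", personal=()):
    """Return a list of problem codes for `pw`; an empty list means no rule hit.
    `personal` holds details an attacker could learn about you (names, dates)."""
    problems = []
    low, core = pw.lower(), letters_only(pw)
    if len(pw) < 12:
        problems.append("too_short")
    if low in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common")
    if core in DICTIONARY:
        problems.append("dictionary")
    if re.search(r"(.)\1{3,}", pw):          # four or more of the same char
        problems.append("repetition")
    if has_sequence(pw):
        problems.append("sequence")
    for item in personal:
        token = str(item).lower()
        if len(token) < 3:
            continue
        hit = token in low or (any(c.isalpha() for c in token) and letters_only(token) in core)
        if hit:
            problems.append("personal:" + token)
    u = username.lower()
    if len(u) >= 4 and any(c.isalpha() for c in u):
        # username as is, reversed, with case or leet tricks, or with digits appended
        if any(v in low or letters_only(v) in core for v in (u, u[::-1])):
            problems.append("username")
    return problems

def search_space(pw):
    """Size of the space a brute-force attacker must cover: charset ** length,
    with the charset taken as the union of the character classes actually used."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation):
        if any(c in cls for c in pw):
            size += len(cls)
    return size ** len(pw)

def brute_force_seconds(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the space at an assumed guess rate; 10^10/s is
    an illustrative figure for a GPU rig against a fast, unsalted hash."""
    return search_space(pw) / guesses_per_second
```

Two things the checker makes visible that the prose does not: the leet undo step means "L0ve2019" is caught as both a common and a dictionary password, and the search-space function shows why length dominates, since adding four characters to a mixed-charset password multiplies the brute-force work by roughly 94 to the fourth power.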

Suggestions for selecting your passwords :

Use Common Phrases

“Never ever use a single password in multiple sites !”
“I love my puppy Milky for he is my life :D”
“Do you think you can read my password so easily ???”

Feel free to make up your own statements and use them as passwords. Such phrases are safer because they are long, and easy to remember because they are unique to you.

Now add some numbers to make them harder still.

“Never ever use a 1 p4ssword in multiple sit3s !”
“I l0ve my puppy Milky for he is my lif3 :D”
“Do you think you can read my p4ssword so 3asily ???”

Letters and numbers are in; what about special characters?

“Never ever use a ! pa$$word in multiple s!tes !”
“I love my puppy M!lky for he !s my life :D”
“Do you think you c@n read my p@$$word so e@sily ^-^”

That still looks simple and easy, so let us spice it up further.

“Nevah evah use a 1 p4ssword in mltple sit3s !”
“I luv mie ppy Milky for hes mieeeh life :D”
“Do u thnk u cn rd mi paswd so 3sly ???”

Why not mix them all and see what happens?

“Nev@h ev@h use @ ! p@$$word !n mltple s!te$ !”
“I luv m!e ppy Milky f0r h3s m!eeeh l#f3 :D”
“D0 u thnk u cn rd m! p@$wd s0 esly ^-^”

With all that said, one caveat: cracking tools apply these substitutions (a to @, s to $, e to 3) automatically as rules, so they add far less strength than the length of the phrase does. Never use any of the example phrases printed here, and treat the most-used passwords shown on this page as off-limits for every account and transaction.

It is up to your imagination to create passwords that are simple for you to remember and extra difficult for others to guess.

Famous words of an infamous person:

"Passwords are like underwear: always keep them hidden and safe. Passwords are like underwear: not to be shared, unless you want to get their infections too."
Unknown Wise Yoda

Jokes apart, maintaining good password hygiene goes a long way towards avoiding unwanted trouble.

Password Manager

Beyond the traditional habit of keeping passwords in a file somewhere, do we have an alternative?

Of course we do!

The answer is: a password manager.

Password managers are small software utilities that keep track of your accounts and their passwords for you.

Today's password managers are user-friendly and intuitive. With their help you can make sure every one of your online accounts is protected by a strong, unique password.

The beauty of a good password manager is that it can give you a snapshot of your password hygiene (weak, re-used or breached passwords), so you can remediate quickly.

Accounts created long ago are mostly forgotten, and those forgotten accounts may still be using an old password that has since leaked. So make sure all your online accounts are managed through a good, well-tested password manager.

A simple, user-friendly interface is a good criterion when choosing a password manager.

There are lots of good password managers, commercial and free. The choice comes down to individual preferences and requirements; a few criteria for selecting one are shown below.

Password Generator

Looking at all the problems unsafe passwords cause, the next obvious question is: what is a safe password?

Any problem, for that matter, can be solved with a determined mind supported by the right technology.

Password managers include a password generator that produces strong, random passwords for your accounts.

They integrate easily with desktop PCs, laptops and smartphones.
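What such a generator does under the hood is simple, and it also answers the question raised in the passphrase section about how random phrases compare with random character strings. Here is an added example (my own code, not taken from any particular password manager) that generates both kinds with Python's `secrets` module and reports the entropy of each. The 16-word list is a constructed stand-in; a real generator uses a list of thousands of words.

```python
"""
Added example, not from any particular password manager: generating a random
password and a random passphrase with the `secrets` module (a cryptographically
secure source, unlike `random`), and comparing their entropy. WORDS is a
constructed 16-word stand-in for a real diceware-style list.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 86 characters
WORDS = ["anchor", "basil", "canyon", "dagger", "ember", "falcon", "glacier", "harbor",
         "ivory", "jungle", "kernel", "lantern", "meadow", "nebula", "orchid", "pepper"]

def random_password(length=16, alphabet=ALPHABET):
    """Pick each position uniformly at random, then re-draw until every class
    (lower, upper, digit, symbol) is present so typical site rules are met.
    The rejection step costs a little entropy but keeps the draw uniform
    over the accepted strings."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

def random_passphrase(words=6, wordlist=WORDS, sep="-"):
    """Diceware-style: each word drawn independently and uniformly."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(choices, positions):
    """log2(choices ** positions): bits of entropy of a uniform random pick."""
    return positions * math.log2(choices)

def compare():
    """Entropy of the two styles with these parameters (an upper bound for
    random_password because of the class-rejection step)."""
    return {
        "password16": entropy_bits(len(ALPHABET), 16),
        "passphrase6_small_list": entropy_bits(len(WORDS), 6),
        "passphrase6_diceware": entropy_bits(7776, 6),
    }

if __name__ == "__main__":
    print(random_password())
    print(random_passphrase())
    print(compare())
```

The comparison is the point: with only 16 words each word contributes 4 bits, so six of them give 24 bits, far too few, while a 7776-word diceware list gives about 12.9 bits per word and six words reach roughly 77 bits. A 16-character password from the 86-character alphabet gives about 103 bits. Strength comes from the size of the random choice, never from the cleverness of a substitution.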

Conclusion

Please make use of these recommendations and best practices to protect your accounts and stay safe.

Please also inform and educate your near and dear ones about the perils of poor password management.

A single password breach can mean a great deal to an individual who loses their files, or to someone who loses money to fraudsters using stolen passwords.


Thank you for your patience in reading this far. I sincerely hope it helps you improve your password security posture.

Please share your comments or feedback; I would be happy to interact with every one of you.

I would love to hear your thoughts on password security in the discussion area below.