There is a lot of guidance out there regarding best practice password policies, much of which can seem incredibly conflicting and confusing. When you come out of this 2-minute read, that confused password haze should be lifted (although we can’t make any promises).
To start with we’ll look at some ways in which potential attackers could breach your account.
You’re too obvious
It goes without saying that your password shouldn’t be something that can be guessed easily. Although I’m sure most of you reading this will argue that your passwords cannot be guessed because of their obviousness, all you need to do is look at a ‘top passwords’ list and I bet you will find at least one element of your password (if it is obvious that is). So the moral of this subheading – don’t be obvious. Password1234567899 is not a good choice, even if it is just to secure your laptop account.
You’ve been compromised without realising
Unfortunately I’m sure you have seen one of the many headlines that look something like this ‘500,000 customer records taken’, and you may have feared that your account was one of those affected. The likeliness that you were is probably very high, even if you haven’t seen any unusual activity…yet. If you are guilty of using the same password across many different devices and websites and you were indeed involved in one of the many breaches that we see on a daily basis, cyber criminals might use their plethora of known passwords to try and get into the accounts that you use on other sites. So, the moral of this one is that as tempting as it may seem, try not to recycle your passwords across multiple sites.
Key logs
Keylogging is the practice of logging every time you press a key on your keyboard. This comes about through a nasty piece of malware that gets installed on your device, and lets attackers literally watch you type your password in. Unfortunately, no matter how secure your password may be, if you are a victim of keylogging there is not much you can do. This just reiterates why keeping your software up to date is crucial in combatting attack methods like this one.
Hashing
It is common for most websites to ‘hash’ passwords before they store them – this is the process of storing your passwords in a sequence of jumbled characters and numbers etc. When you revisit the website and enter your password, it will once again get ‘hashed’. If this hash matches the hash on their records, you can access your account. If attackers managed to gain access to a website’s list of hashed passwords, they can then launch a dictionary attack. This is the practice of putting lists of known words through the same hashing process, and if they result in the same hash as the one on the list, then they know your password. Although this sounds like an arduous task, with the number of applications out there it can only take a few minutes for an attacker to work out your hash.
So where do the three random words come in to play?
Really long passwords that match website criteria and include a range of numbers and symbols aren’t necessarily the best option in securing your password-controlled accounts. Trying to remember loads of different complex passwords can seem like a huge task and may lead you to store your passwords in a notebook or even on your device, which definitely isn’t encouraged. And then there is the problem of intelligent hackers – they are becoming increasingly more aware of the coping mechanisms we have of generating and creating complex passwords.
Having a password made up of three random words and a few numbers can be memorable for the person creating them, but incredibly hard to compromise from an attackers point of view.
Toaster99Screen76Hedgehog – who would have guessed that?