Passwords. It seems like most people, when asked, will tell you that it’s important to use strong passwords. However, in my work experience, all too often I see people using fairly weak ones. When asked why, the answer I usually get is that it’s too hard to remember long random passwords. I get this. A password doesn’t do you much good if you can’t remember it.

The popular techie web comic xkcd made a good one about this:

Now, like a lot of stuff you come across online, this comic is a bit of a simplification. The length of a password directly affects how hard it is to brute force, but so does the size of the character set it draws from. For example, a five-character password made up only of lower-case letters has 11,881,376 possibilities. Take that same five-character password but allow upper-case letters and the digits zero through nine as well, and you're now looking at 916,132,832 possibilities. That is a very significant difference. Taking an easily memorized string of words and adding a couple of upper-case letters and numbers/symbols will go a long way towards 4SecuRing9THaT9PasswORd2.
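To make the two dimensions concrete, here is a small calculator I added for this post (it is not code from the original article). It reproduces the 26^5 and 62^5 figures above, then goes a step further than the paragraph by comparing those against longer passwords and against a word-based passphrase of the kind the comic suggests. The 2,048-word list size and the 10 billion guesses-per-second attacker rate are assumptions chosen for illustration, not figures from the post.

```python
import math

# Character-set sizes for the policies compared below (assumed for this example).
LOWER = 26                     # a-z
LOWER_UPPER_DIGITS = 62        # a-z, A-Z, 0-9
WORDLIST = 2048                # assumed size of a common-word list for passphrases
ASSUMED_GUESS_RATE = 1e10      # assumed offline guesses per second, illustrative only

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from a set of `charset_size`."""
    return charset_size ** length

def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Number of distinct passphrases of `words` words drawn uniformly from the list."""
    return wordlist_size ** words

def bits(space: int) -> float:
    """Guessing entropy in bits of a uniformly random choice from `space` options."""
    return math.log2(space)

def seconds_to_exhaust(space: int, guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time to try every possibility at the assumed guess rate."""
    return space / guesses_per_second

def compare_policies() -> list[tuple[str, int, float, float]]:
    """Return (label, keyspace, bits, seconds) rows, sorted from weakest to strongest."""
    rows = [
        ("5 chars, lower-case only", keyspace(LOWER, 5)),
        ("5 chars, upper+lower+digits", keyspace(LOWER_UPPER_DIGITS, 5)),
        ("8 chars, upper+lower+digits", keyspace(LOWER_UPPER_DIGITS, 8)),
        ("12 chars, lower-case only", keyspace(LOWER, 12)),
        ("4 random words (2048-word list)", passphrase_keyspace(WORDLIST, 4)),
        ("6 random words (2048-word list)", passphrase_keyspace(WORDLIST, 6)),
    ]
    return sorted(
        ((label, space, bits(space), seconds_to_exhaust(space)) for label, space in rows),
        key=lambda r: r[1],
    )

if __name__ == "__main__":
    print(f"{'policy':34} {'keyspace':>22} {'bits':>6} {'seconds @1e10/s':>18}")
    for label, space, b, secs in compare_policies():
        print(f"{label:34} {space:22,d} {b:6.1f} {secs:18.3e}")
```

Two things fall out of the table that the paragraph only hints at: adding upper case and digits to five characters multiplies the search space by roughly 77, but adding seven more lower-case characters multiplies it by far more, so a twelve-character all-lowercase password outranks an eight-character mixed one. The entropy figures also assume the password was chosen uniformly at random; a dictionary word with a capital letter and a trailing digit is guessed long before the calculator's worst case because attackers try those patterns first.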

However, having a long and complex password won't do you much good if you don't have secure practices to go with it. Here's another comic I like that sums this up well: "Movie hacking vs real hacking"

Don't give out your password. It sounds simple, but you'd be surprised how often this happens. If phishing attempts didn't work, you wouldn't see them used anymore. Nowadays, you shouldn't come across any organization that will ask you to verify your password over email. It just isn't done anymore. If you see a password verification request, it is either a phishing attempt, or it's legitimate, in which case you'll want to read that request as "Hey user, we as an organization have TERRIBLE security. Move your services elsewhere if you know what's good for you."

Another thing that can get people into hot water is using the same password for multiple accounts. Here's a hypothetical situation that unfortunately isn't all that hypothetical for some users. Let's say you've got a fantastic password that you've committed to memory, but you use it for pretty much everything. All is well and good until the site where you created an account to manage your Girl Scout troop's fantasy football league gets compromised. No big deal, right? What's a hacker going to do with your latest draft picks? Well, let's say you used that same password for your email account, the same email account that you used to sign up for the fantasy football league, which Mr. Hacker now also knows about. Now they can log into your email account and take a look at what other kinds of accounts are tied to this email address: online banking, mortgage, credit cards, etc.

Which brings us to my last point: a chain is only as strong as its weakest link. Having a fantastic password for your online banking account doesn't do you much good when the email address tied to that account has a weak password. Once they're into your email account, they can request a password reset from every other account tied to that address.