Passwords: Do You Know the Trick to Getting Them Right?
By Andrew Kemshall

Passwords. We all use them as the gateway to our personal information, emails, different websites—you name it. And the reality is that whether we admit it or not, most of us reuse passwords between different applications or sites.

While there is much that businesses can do (and many of them are doing it) to get away from the singular reliance on passwords to protect sensitive data, there’s much more each of us can do to prevent our virtual identities being abused.

Before I tell you how to create a virtually unbreakable password, let’s look at how they are cracked.

How are passwords broken?

In one scenario, a dedicated hacker researches a ‘target’ until they know a lot about them (often using social networking sites) and then tries to guess a password based on what they have found out. These sorts of attacks are very hard to prevent, but they aren’t common and are easily avoided if you don’t use your children’s or pets’ names as passwords. (And no, not your husband’s name either, even if you do combine it with his birthday to make it a bit more complex.)

It is more likely that they will use a brute force attack using automated programs, either by trying the most common terms in major languages or by going through every possible character combination. Crackers will also try common password lists, such as “123456”, “qwerty”, “abc123” and, of course, “password”—so don’t use them either.

How can I make my password stronger?

An invented phrase or word is harder to crack, especially if you add numbers and symbols. However, current hacker tools can try 100 million checks per second, so even a truly random password might not take long to break:

Password length    Tries per second    Time to break
4                  100 million         0.16 seconds
6                  100 million         11.4 minutes
8                  100 million         32 days
10                 100 million         365 years

Before you break into a cold sweat thinking you need ten-character random passwords for every site you visit (which of course you must not write down), don’t worry, I have a solution.

First of all, break your password down into at least two parts as this will make it easier to remember. It’s almost like having your own two-factor authentication: something you know, and something you own.

One part stays the same for every account you have. This part can be complex: as long as it is only four characters, people are generally able to remember it, so it might be something like M!7n. Think of this as “something I know.”

The second element should be relevant to the site you are logging into. So, for example, for an online clothes company you might use “lookingfab” alongside your complex four-character part, for a lottery site you might add “lucky8”, and so on, as long as it is different for each site. It wouldn’t hurt if you wrote these down secretly, perhaps in the notepad on your phone. This part becomes the “something I own” element.
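As an added example (not code from the article or from SecurEnvoy), here is the arithmetic behind the cracking-time table above, applied to the two-part passwords just described. It assumes an alphabet of 64 symbols, which the table’s own figures imply but the article never states, and a constructed list of the common passwords the article warns against.

```python
# Assumptions for this example: the article's table gives 0.16 seconds for
# four characters at 100 million tries/second, which implies an alphabet of
# about 64 symbols (64**4 / 1e8 = 0.17 s). The alphabet size is an assumption
# made here, not a figure from the article.
ALPHABET_SIZE = 64
TRIES_PER_SECOND = 100_000_000

# Constructed sample of the weak passwords the article says not to use.
COMMON_PASSWORDS = {"123456", "qwerty", "abc123", "password"}

UNITS = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
         ("hours", 3600), ("minutes", 60), ("seconds", 1)]


def exhaustive_search_seconds(length, alphabet=ALPHABET_SIZE,
                              rate=TRIES_PER_SECOND):
    """Worst-case seconds to try every string of `length` symbols."""
    return alphabet ** length / rate


def humanize(seconds):
    """Express a duration in the largest unit that gives a value >= 1,
    matching the units the article's table uses."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.2g} seconds"


def estimate(password):
    """Return (verdict, worst-case seconds) for one candidate password.

    A password on the common list is treated as cracked immediately: a
    wordlist attack never needs to enumerate the whole alphabet, so the
    table's figures do not apply to it, however long it is.
    """
    if password.lower() in COMMON_PASSWORDS:
        return "common password, found by wordlist attack", 0.0
    secs = exhaustive_search_seconds(len(password))
    return f"exhaustive search: {humanize(secs)}", secs


if __name__ == "__main__":
    for n in (4, 6, 8, 10):  # reproduces the article's table
        print(f"{n:2d} characters: {humanize(exhaustive_search_seconds(n))}")
    # The two-part scheme: fixed "M!7n" plus a site-specific part.
    for pw in ("password", "M!7n", "M!7nlookingfab", "M!7nlucky8"):
        print(f"{pw!r}: {estimate(pw)[0]}")
```

The figures it prints match the article’s table to within rounding; the combined fourteen-character password lands far beyond the table’s last row.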

While we’re waiting for the businesses to start making it harder for criminals to steal our online credentials, we can still do our best to protect ourselves. Using this simple technique for your password means it will take a “cracking” program at least a year to break your password, but you’ll always remember it. Did you know it would be that easy? So what’s stopping you?

Andrew Kemshall is the Co-Founder and Technical Director of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Andrew worked for RSA as one of their original technical experts in Europe, clocking up over fifteen years of experience in user authentication.