Security breaches happen so often nowadays, chances are you're sick of hearing about them and all the ways you should beef up your accounts. Even if you feel you've heard it all already, today's password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here's what has changed and what you should do about it.
Background: Passwords Are Easier To Crack Than Ever
Our passwords are much less secure than they were just a few years ago, thanks to faster hardware and new techniques used by password crackers. Ars Technica explains that inexpensive graphics processors enable password-cracking programs to try billions of password combinations in a second; what would have taken years to crack now may take only months or maybe days.
Making matters much worse is the fact that hackers know a lot more about our passwords than they used to. All the recent large-scale password leaks have helped hackers identify the patterns we use when creating passwords, so they can now use rules and algorithms to crack passwords more quickly than they could through simple common-word attacks.
Take the password "Sup3rThinkers" — a password which would pass most password strength tests because of its 13-character length and use of mixed case and a number. Website How Secure Is My Password? estimates it would take a desktop computer about a million years to crack, with a four billion calculations-per-second estimate. It would take a hacker just a couple of months now, Ars Technica notes:
Passwords such as "mustacheehcatsum" (that's "mustache" spelled forward and then backward) may give the appearance of strong security, but they're easily cracked by isolating their patterns, then writing rules that augment the words contained in the [2009 hack of online games service] RockYou [...]and similar lists. For [security penetration tester] Redman to crack "Sup3rThinkers", he employed rules that directed his software to try not just "super" but also "Super", "sup3r", "Sup3r", "super!!!" and similar modifications. It then tried each of those words in combination with "thinkers", "Thinkers", "think3rs", and "Think3rs".
In other words, hackers are totally on to us!
What You Can Do: Strengthen Your Passwords By Making Them Unique and Unpredictable
We've suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.
1. Avoid Predictable Password Formulas The biggest problem is we're all padding our passwords the same way (partly because most companies limit your password length and require certain types of characters). When required to use mix of uppercase and lowercase letters, numbers and symbols, most of us:
- Use a name, place or common word as the seed (women tend to use personal names and men tend to use hobbies)
- Capitalise the first letter
- Add a number, most likely 1 or 2, at the end
- Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end
Not only are these patterns obvious to professional password guessers, even substituting vowels for numbers or appending another word wouldn't help much, since hackers are using the patterns against us and appending words from the master crack lists together.
Other clever obfuscation techniques, such as shifting keys to the left or right or using other keyboard patterns are also now sniffed out by hacking tools. As one commenter wrote in the Ars Technica article, hackers use keyword walk generators to emulate millions of keyboard patterns.
The solution: Don't do what everyone else is doing. Avoid the patterns above and remember the basics: don't use a single dictionary word, names or dates in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for how you create memorable passwords, it's only secure if no one else is using that rule. (Check out IT security pro Mark Burnett's collection of the top 10,000 most common passwords, which he says represents 99.8 per cent of all user passwords from leaked databases, or this list of 500 most common passwords in one page.)
2. Use Truly Random Passwords Use multiple unrelated words for your strong, long password: Using a passphrase is more secure and more memorable than complicate, shorter passwords, as web comic Xkcd pointed last year. Longer and simpler passwords trump shorter and more complex ones — but only if the words you use are truly random. If you're using a common quote or saying for your passphrase, you're a target, because hackers' dictionaries include common quotes, phrases, titles and lyrics — and they can easily employ rules to use just the first letter of each word or other similar pattern. "To be or not to be" and "2b30rn0t2b3" and "tbontb" might all very well take just seconds to crack thanks to fast algorithms, so make your passphrase truly unique and random. (The Xkcd password generator can pick four random words for you.)
The best option is to use a password generator and manager: While the passphrase approach might be good for, say, your computer login or the few cases you need to remember your password, the best option is to generate a truly random, long and complex password. This avoids the problem of easily cracked patterns and word lists. LastPass, KeePass, or 1Password can all generate a random password for you. See how to build a nearly hack-proof password system with LastPass for detailed instructions. Remember, the only secure password is the one you can't remember.
3. Use a Unique Password for Each Site No matter what passwords you choose or create, this is the most important security strategy of all: Use a different password for each site. This limits the damage that can be done if/when there's a security breach — if your password is compromised on one site, at least all your other accounts are protected.