Think for a moment about how much your passwords protect. Facebook, bank account, e-mail… quite a bit, right? You don’t want hackers or other crooks getting in. Your password is your bulwark against the scum and villainy of the cyberworld.
Passwords, unfortunately, can be cracked. In fact, it is impossible to make a literally uncrackable password – with enough time and patience, any password can be broken.
Your passwords might be breakable, but they don’t have to break easily. With the right techniques, you can make your passwords so difficult to crack that many hackers will just give up and move on. To understand these techniques, let’s take a look at the two main flavors of password cracking: social engineering and software-driven cracking. Both are major threats, but both can be contained with safe password practices.
Social Engineering is an explicitly human-based attack on your password. The method involves using knowledge about the user as an avenue to gain unauthorized access. For instance, a hacker might use knowledge about your favorite hobbies to form guesses about your password. This could take some time, but it can work – especially if you use preset password hints. If you have a hint that says “My favorite thing to do!”, a look at your Facebook account will likely provide the answer.
More commonly, social engineering attackers use knowledge of your personal data to answer “Reset my Password” prompts. Common questions in these prompts ask for your date of birth, your mother’s maiden name, your high school mascot, etc. in an effort to prove your identity. Unless you’re very careful, much of that information can be dug up by inspecting your social media accounts. This is a common way that passwords are hacked.
The most effective protection against this is simple: Don’t use social media. Of course, that’s asking a bit much. Social media is useful. I don’t want to have to abandon it entirely.
Apart from abandoning social media, the next best thing is this: publicly share as little as possible. For anyone other than my approved friends, my Facebook reveals nothing other than my photograph and my name. I do not publicly share any updates, statuses, or other photos. I hide my family connections and personal details.
I even avoid sharing much with my approved friends – for instance, my birth date is hidden from everyone. If you’re the kind of person who loves birthday wishes, this is too much to ask. But I’m happy as long as my wife bakes me a cake on my birthday, so I can endure not getting birthday well-wishes on Facebook.
In addition to all this, control public access to your profiles. Unless you’re using your social media accounts for your job, business, or marketing, I recommend locking them down entirely from the public. The information that a hacker can glean from your account simply brings them that much closer to cracking your password security.
Program or script-driven hacking, on the other hand, is explicitly computer-based: using a program to crack your password. From the standpoint of the hacker, this takes much less effort – just set it and forget it.
The tools out there used for password cracking are very powerful and very efficient. The most modern are able to target commonly used words, characters, and conventions, allowing for even quicker cracking time. In 2013, Ars Technica gave 16,000 encrypted passwords to three competing hackers using highly modern cracking software in a contest to see who could break the most passwords. The winner? One expert broke a whopping 90% of the passwords in only 20 hours. The loser broke *ahem* only 62% – still well over half – within the same time frame.
For a while, the xkcd method was popular: choose four distinct words memorable to you and string them together. The example was “CorrectHorseBatteryStaple”. While such a password technically would require a long time to crack in a pure brute-force attack, cracking techniques have developed to negate this advantage. Crackers now run their software with dictionaries that also account for popular password conventions, such as using 1 or ! for the letter i, and blow through word-based passwords in a jiffy.
The bottom line is this: almost any password that’s constructed in such a way as to be memorable is more easily cracked, because hackers use the conventions of memorability to their advantage. It’s a hard-knock life!
Bruce Schneier puts it this way:
“…So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m’. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.”
Some of his examples:
- WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow…doestcst = Wow, does that couch smell terrible.
- Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
- uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
I agree with his method. The result is difficult to guess from a human standpoint, difficult to guess from a computer standpoint, and still retains an aspect of memorability. It’s not as easy to enter, but you have to weigh the pros and cons of password security in each individual case.
In addition to what’s mentioned above, Schneier lists a few simple practices that can do wonders to protect your password security over the long run:
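As an added example (not code from the original post or from Schneier), here is a server-side password policy check in the spirit of the two passages above: it undoes the popular substitutions that cracking dictionaries account for and rejects a candidate that is nothing but dictionary words glued together, so “CorrectHorseBatteryStaple” is flagged while a sentence-derived password like “tlpWENT2m” passes. The word list and substitution table are constructed stand-ins for the far larger ones real tools use.

```python
"""Policy check: reject passwords that are just dictionary words with leet tweaks.

Assumptions (not from the original post): WORDLIST is a tiny constructed
stand-in for a cracking dictionary, and LEET lists a few popular conventions.
"""
from itertools import product

# Constructed stand-in for a cracking dictionary; real ones hold millions of entries.
WORDLIST = {"correct", "horse", "battery", "staple", "password", "welcome",
            "dragon", "monkey", "letmein", "sunshine", "piggy", "market"}

# Substitutions that mangling rules apply (or undo). "1" is ambiguous: i or l.
LEET = {"1": "il", "!": "i", "0": "o", "3": "e", "@": "a",
        "$": "s", "5": "s", "4": "a", "7": "t"}


def normalize(pw):
    """Yield every plain-letter reading of pw, branching on ambiguous symbols."""
    choices = [LEET.get(c, c) for c in pw.lower()]
    for combo in product(*choices):
        yield "".join(combo)


def splits_into_words(s, words=WORDLIST, min_len=3, max_len=20):
    """True if s is a concatenation of dictionary words (prefix DP)."""
    n = len(s)
    ok = [False] * (n + 1)
    ok[0] = True
    for i in range(1, n + 1):
        for j in range(max(0, i - max_len), i - min_len + 1):
            if ok[j] and s[j:i] in words:
                ok[i] = True
                break
    return ok[n]


def is_dictionary_based(pw):
    """Flag a password if any de-leeted reading is purely dictionary words."""
    return any(splits_into_words(cand) for cand in normalize(pw))


if __name__ == "__main__":
    for candidate in ("CorrectHorseBatteryStaple", "C0rrectH0rseBatteryStap1e",
                      "tlpWENT2m", "Ltime@go-inag~faaa!"):
        verdict = "REJECT (dictionary words)" if is_dictionary_based(candidate) else "ok"
        print(f"{candidate:28s} {verdict}")
```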
Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.
Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.
No password is impossible to hack. With enough time and the right techniques, your password will get hacked whether you like it or not. But you can exercise control over how difficult that process will be by practicing the techniques described above. For an average user with an account of average value or importance, hackers will probably lose patience before they can break into your accounts, and will move on. Time is money.
Gauge the importance of your passwords effectively. The more important and sensitive the account, the more difficult and strong the password should be.