Strategies for Smart Password Security

So much of our life is now conducted online: online banking, online shopping, online socializing, etc. The internet has helped streamline the way we manage our personal business, but it has also presented new opportunities for hackers and cyber-criminals to gain access to our personal data. As their techniques become more refined, the need for strong password security to guard information becomes critical.

Hackers have multiple ways to get to your accounts and data. Some of the most popular include:

Brute-force attacks

The hacker uses a computer program to run every possible combination of characters to find the correct one. Brute force computers are often very fast, processing millions of passwords every second. But even with this speed, it can take a long time to crack the password, depending on its length and complexity.

Dictionary attacks

This is more common and successful than a brute-force attack. It exploits passwords with common “dictionary” words, including popular phrases, song lyrics, nursery rhymes, etc. A dictionary attack will also pair up these common words with numbers and symbols to cover the most likely combinations, including combinations that use a similar number or symbol to replace a letter, i.e., P@$$w0rd.

Data breaches

A type of cyber-attack usually made against large corporations, where the hacker finds “backdoor” access into a website database to obtain the file with all the user logins and passwords.

Passwords are just the first line of defense against hackers. A good website also has encryptions and hash functions in place to protect the data itself. But for every security advancement, there’s always a cyber-criminal working on a way to break it.

There are varying opinions about the best way to have optimum password security. Many websites place requirements for your password to include a symbol, number, capital letter, or any combination thereof.

While these characters are not a bad choice for passwords (and even encouraged), some experts feel having them as posted requirements on a website 1) gives the hackers knowledge of what parameters the password will have and 2) could limit the possible complexity of a password, since an alpha character has 26 different possibilities, while a numeric one only offers 10. However, there are several tips most experts agree on:

  • Size matters! Every character you use for a password multiplies the number of possible combinations. The longer the password, the more secure it is. A general suggested guideline is at least 12-16 characters.
  • No personal information! Don’t use birthdays, anniversaries, pet names, phone numbers, etc. as part of your password. Also, avoid using favorite TV shows, sports teams, or other information that a hacker might know or easily obtain.
  • Gibberish is encouraged! Made-up words that can’t be found in a dictionary will be much tougher to crack than a common word.
  • Diversity is key to password security! Never use the same password for all your accounts. If it’s difficult to keep track of them, utilize a password manager.
  • Choose safe websites! A website should never have your password stored. If you forget your password and request it from the site, you should only be directed to create a new one. Any website that can send you your existing password in plaintext is not secure enough.

Need a strategy for choosing your passwords? One recommended practice is to take a phrase of your choice, such as “In 2016 my son will graduate from San Jose State University.” Then compress it down by just using the initials, numbers, and symbols: I2016mswgfSJSU.

If you choose to use common words, keep in mind that the dictionary method of hacking, as mentioned above, has proven successful for hackers. Use multiple words to create a complex, nonsensical phrase, such as: The bicycle twists, but the agile horse knows to hide Pepsi underneath.

The PAO (Person-Action-Object) method helps you create a set of stories and use “image pairs” to generate passwords from those stories.

Unfortunately, no password can be absolutely hacker-proof, but by using these smart strategies, you can have optimum password security and make your data a much harder target.