Sunday, March 27, 2011
Can a Hacker Guess Your Passwords?
We use passwords so often that it's easy to lose sight of just how critical a password really is: one of the best defenses we have against cybercrime is often the one we take the least seriously.
After a hacking incident in 2009, InformationWeek analyzed the login information of the site's 20,000 users and found that most passwords were ones a hacker could guess in seconds. The most common passwords? 123456 and password.
Don't make it this easy for the cyber criminals—create strong passwords that are easy for you to remember but hard for others to guess.
Why you need strong passwords
It can be tempting to use an easy-to-remember sequence like a birth date or cell phone number as a password. But don't. Many systems have been broken into due to weak passwords, which are passwords that can be easily guessed or can be quickly decoded by a cracking program.
A password cracking program is a tool that runs through a list of possible passwords, one-by-one, until it hits on the right combination; it can process tens of thousands of different passwords in one second. The list of possible passwords the program uses can include commonly used passwords, dictionary words, and information specific to you, such as your birth date.
Once your password is known, a hacker can tap into your private information and do all sorts of damage, ranging from reading your personal emails and creating fake postings on your profile page to robbing your bank accounts and stealing your identity.
Tips for creating a strong password
4 Password Dos
Use long passwords. The longer your password is, the better. Use a password that has at least 8 characters, and for your high-security accounts, security experts recommend even longer passwords: at least 14 characters. (How can you remember 14 characters? See "Consider building passwords based on phrases" below for some ideas.)
Mix it up. Use a mix of uppercase letters, lowercase letters, numbers, and symbols—the more types of characters you use in your password, the harder it is to guess.
To illustrate: For an 8-character password with all lowercase letters, a cracking tool would be able to run through every possible combination in 2.42 days. By mixing in uppercase letters, numbers, and symbols, the tool would take 210 years to run through every combination.
Use text that's not in a dictionary. A password cracking program can check millions of dictionary words in seconds. Avoid "real" words that can be found in a dictionary.
Change passwords regularly. Change your passwords on a regular basis. Every 60-90 days is the recommendation of most security advisors; you may want to change them more or less often depending on the security of the information the password is protecting.
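The figures in the "Mix it up" illustration follow from simple arithmetic: the number of candidate passwords is the alphabet size raised to the password length, and an exhaustive cracker needs (at worst) that many guesses. The example below is added here and is not code from the original article. It assumes a 26-letter lowercase alphabet, a 95-symbol mixed alphabet (lowercase, uppercase, digits and the 33 printable ASCII symbols), and a guess rate of one million per second; that rate is an assumption chosen because it reproduces the article's "2.42 days" and "210 years". It also goes a little beyond the article by comparing a longer lowercase password with a shorter mixed one.

```python
# Added example (not from the original article): brute-force search space and
# the time an exhaustive cracker needs at a fixed guess rate.

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Alphabet sizes (assumptions matching the article's two cases).
LOWER = 26                      # a-z only
MIXED = 26 + 26 + 10 + 33       # lower + upper + digits + printable ASCII symbols = 95

# One million guesses per second: an assumed rate that reproduces the article's
# figures. Real rates depend on the hash the site uses and on the attacker's
# hardware, and the results below scale linearly with the rate.
ASSUMED_RATE = 1_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this shape (on average it is found halfway)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def days_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_DAY


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def compare_shapes(guesses_per_second: float = ASSUMED_RATE):
    """Return (label, keyspace, years) for several password shapes, smallest keyspace first."""
    shapes = [
        ("8 chars, lowercase only", LOWER, 8),
        ("8 chars, mixed classes", MIXED, 8),
        ("14 chars, lowercase only", LOWER, 14),
        ("14 chars, mixed classes", MIXED, 14),
    ]
    rows = [(label, keyspace(a, n), years_to_exhaust(a, n, guesses_per_second))
            for label, a, n in shapes]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    print(f"8 lowercase: {days_to_exhaust(LOWER, 8, ASSUMED_RATE):.2f} days")
    print(f"8 mixed:     {years_to_exhaust(MIXED, 8, ASSUMED_RATE):.0f} years")
    for label, space, years in compare_shapes():
        print(f"{label:28s} {space:>30,d} candidates  ~{years:,.0f} years")
```

Running it shows the point the article makes (about 2.4 days versus 210 years for 8 characters) and one it does not: 14 lowercase letters have a larger search space than 8 mixed characters, so length is the cheaper way to buy strength, which is why the article's 14-character recommendation matters more than any single symbol.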
4 Password Don'ts
Don't use 'password'. The word password and variations such as password1, passwd, p@$$w0rd, and drowssap (password spelled backwards) are so common that many hackers start with these.
Don't use easy-to-guess patterns. Don't use a sequence of characters (like 123456 or abc123), repeated characters (ioioio), or patterns that use characters that are close together on the keyboard (qwerty).
Don't use your name or other personal characteristics. Don't use your first or last name, and don't use terms associated with your personal life that others may know, like the name of your spouse or children, names of pets, license plate numbers, and phone numbers.
Don't use the same passwords for every account. The risk in using the same password for multiple accounts is that if someone figures out one password, that person now has access to everything else. For the utmost in security, use a different password for every password-protected program, web site, and account that you use. It's particularly critical that you not re-use your email account password on web sites because once it’s compromised, the door is opened to all your accounts that have your email address on file.
Consider building passwords based on phrases
The truth is that a long string of random characters can be hard to remember, especially when you have a lot of different passwords to keep track of.
One strategy is to use passwords that are built from easily remembered phrases. You take the first letters from each of the words in the phrase, and you also mix in some symbols and numbers in place of certain words, like using & to replace "and."
Here are a few examples of strong passwords built on phrases:
M2010nyri2l15# ("My 2010 new year's resolution is to lose 15 pounds")
Lmu?i:Wayd4o? ("Life's most urgent question is: What are you doing for others?")
Iw2Tls&cw2gb! ("I went to Texas last summer and can't wait to go back!")
TIP: A number of online password checkers like The Password Meter can be used to check the strength of your password.
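The phrase method above and the tip about password checkers can both be shown in a few lines. The example below is added here and is not code from the original article or from The Password Meter. It turns a phrase into a password by the article's rule (first letter of each word, numbers kept whole, a few words swapped for a symbol or digit, trailing punctuation kept) and then reports the password's length and which character classes it contains. The substitution table is an assumption chosen so that the three phrases from the article come out exactly as printed; extend it for your own phrases.

```python
# Added example (not from the original article): build a password from a
# memorable phrase and run a simple length/character-class check on it.
import string

# Words swapped for a symbol or digit. The article suggests "&" for "and";
# the other entries are assumptions that reproduce its three examples.
SUBSTITUTIONS = {"and": "&", "to": "2", "for": "4", "question": "?", "pounds": "#"}
TRAILING_PUNCT = "!?:;,."


def phrase_to_password(phrase: str) -> str:
    """First letter of each word (case kept), whole numbers kept, substitutions applied,
    and punctuation that ends a word carried over."""
    pieces = []
    for token in phrase.split():
        core = token.rstrip(TRAILING_PUNCT)
        tail = token[len(core):]            # e.g. ":" from "is:" or "?" from "others?"
        if not core:                        # token was punctuation only
            piece = ""
        elif core.lower() in SUBSTITUTIONS:
            piece = SUBSTITUTIONS[core.lower()]
        elif core.isdigit():
            piece = core                    # "2010" and "15" stay as they are
        else:
            piece = core[0]                 # "year's" -> "y", "Texas" -> "T"
        pieces.append(piece + tail)
    return "".join(pieces)


def character_classes(password: str) -> dict:
    """Which of the four classes the article asks you to mix are present."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def strength_report(password: str) -> dict:
    """Length and class count against the article's thresholds (8 chars, 14 for high-security).
    Like any online meter this cannot tell whether the password is already in a cracking
    wordlist, which is exactly where dictionary words and published examples end up."""
    classes = character_classes(password)
    count = sum(classes.values())
    return {
        "length": len(password),
        "classes": count,
        "meets_basic": len(password) >= 8 and count >= 3,
        "meets_high_security": len(password) >= 14 and count >= 3,
    }


if __name__ == "__main__":
    for phrase in [
        "My 2010 new year's resolution is to lose 15 pounds",
        "Life's most urgent question is: What are you doing for others?",
        "I went to Texas last summer and can't wait to go back!",
    ]:
        pw = phrase_to_password(phrase)
        print(f"{pw:16s} <- {phrase}")
        print("   ", strength_report(pw))
```

Treat the three phrases as illustrations only: anything printed in an article like this one ends up in cracking wordlists, so the value of the method lies in a phrase that is yours alone.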
Make any security questions strong, too
Automated password resetting lets you reset your password if you ever forget your current one. It is typically implemented by having you set up one or more security questions that you must answer in order to regain access to your account. But if these questions are too simple, someone else may be able to guess the answers easily.
One example of this technique happened in 2008 when the email account of Sarah Palin, a nominee for Vice President of the United States, was broken into. The hacker was able to answer three security questions and illegally access Palin's email simply by researching her zip code, her birthday, and where she met her husband.
For any account that offers password resetting, be sure to set up strong questions as well.
And remember–keep your passwords secret
The strongest of passwords won't protect you if others can readily access it. Have you ever seen someone's password written on a sticky note taped to their monitor? This is a bit like taping your car keys to the windshield—you can easily find your keys, but so can anyone else.
Here are a few tips on safeguarding your passwords:
Don't respond to any email that asks for your password or asks you to verify your password by sending it in. Reputable companies don't use email to ask their customers for this information.
When using public computers such as in airport lounges, internet cafes, and libraries, don't access any sites that require a password. In these insecure locations, hackers can easily capture everything you type using keylogging devices.
The old advice was to never write down your passwords, but today you can end up with dozens of different passwords, and it's better to use many different passwords than to rely on the one or two you can memorize. So it's OK to write down your passwords: just be sure to keep the list in a secure place that others can't access, such as a locked drawer or a safe deposit box.