During our Phishing Education and Training sessions, we cover off passwords. Far too many people have simple passwords, or just change the number at the end of ‘Mary123’ to become ‘Mary124’. A question we are often asked is, “How do I make a decent password?”
I hate to think how many times I’ve been in an organisation where you can work out how long someone has been working there by the number at the end of their password. Generally, in a larger company, passwords are required to be changed every 3 months, and so Joe over in Accounts is now up to ‘Brook12’ as his password. Brook is his daughter’s name and 12 is the number of times he’s changed his password.
It’s all bad.
No person’s name should ever be used in a password. There are companies out there trolling social media channels, looking for exactly this information. For example, you see some random Facebook post that says something along the lines of, “Enter your first child’s name and your favourite dessert to see what your porn star name would be”.
For a bit of fun, you enter ‘Brooktiramisu’ and share it with your friends. That scam Facebook page now has some valuable info about you, with potentially two things you might use in a password. If Brook is an only child then it’s even easier to have a go at any passwords you might have.
So never, ever use anyone’s name in a password: that’s the first rule. You should also never use any year: that’s Golden Rule 2. Using any year in a password makes it far too easy to crack.
Of course, it goes without saying to never use the word ‘password’ in a password – and yet people still do. When statistics are shown for the most common passwords, ‘password’ is always right up there, if not at the top of the list. That’s along with 123456. You might as well just give the scammer your money and data right now.
Other password advice
Never share your passwords between accounts. By this we mean don’t use the same password for all your accounts. You are simply asking to be hacked if you do this. Once a hacker/scammer has your password, they can use it to access all your accounts. Do you want that?
But realistically we know people will do this, or will have a pool of 2 or 3 passwords they use to access any websites, email or other applications. If you simply can’t cope with different passwords, at the very least have a different password for your email and bank logins. This means that if a hacker gets hold of your password, you can go to any website you’d normally log in to, click on the ‘forgot my password’ link, and an email will be sent to you so you can change it to something else, locking the hacker out. Of course, if it’s your email password that’s been hacked, you’re in a bit more trouble. In this case, check out our blog post, “My email has been hacked. What do I do now?”
How do I make a decent password?
Popular current ways of creating a password are keyboard patterns and password phrases. There are also password safes or vaults, which we’ll cover off in another blog post.
On top of keyboard patterns and password phrases is the length of your password. Longer is ALWAYS better. Just adding a few extra characters to your password can make it exponentially more difficult to crack. Keep that in mind at all times. Ideally, your password should be at least 8 characters long, and preferably over 10.
The problem with giving someone a password that’s not words or names or years is that they can’t remember it, and this is where keyboard patterns come in.
Let’s look at this made-up password (keyboard pattern): UJNwsx45!@#
That looks horrendous to remember, and if you were trying to tell someone your password (of course, you never would) you’d struggle to say it out loud. But here’s the thing: it’s simply a bunch of keyboard patterns.
UJN are three letters in a row, all in caps.
wsx are three letters down, all in lower case.
Then we have two numbers, and three special characters. Those special characters are in a row on the keyboard too. So now you have a password that’s 11 characters long and is extremely hard to crack. In fact, it would take 13 years to crack that password.
How long do you think a password like Mary2020 would take to crack? It’s 0.15 seconds. That’s a huge difference!
You can check your own password strength by visiting https://www.my1login.com/resources/password-strength-test/
You can do anything you want with keyboard patterns to make it easier for you to remember, but harder to crack. Always remember, longer is better.
Password phrases are also called passphrases, but they mean the same thing: using a phrase as your password. Generally, this will mean that the password (phrase) is longer, and as we say, longer = better/stronger.
Passphrases don’t have to be a well-known saying, as some people think. It’s better to have a collection of seemingly unrelated words as your passphrase.
So an example of a passphrase might be ‘brown dog hairy barber stripes’. These are words I’ve picked to actually make sense. So my brain has picked brown to be related to dog which relates to hairy which relates to barber which relates to stripes (as in red and white stripes).
The above passphrase is 30 characters, which is great for being almost impossible to crack – it would take 204 million years to crack it – but that does make it very long, and you may be prone to hitting the wrong keys now and then. You could remove the spaces or drop one of the words. Even ‘brown dog hairy barber’ would still take 543 years to crack, which is more than acceptable.
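To make the “longer is better” point concrete for both the keyboard-pattern and the passphrase examples above, here is a small strength estimator. It is added here as an illustration and is not code from the post or from the strength tester linked above; the guess rate it assumes (10 billion guesses per second, a rough figure for an offline attack on a fast hash) is an assumption, so its year counts will not match the figures quoted in the post. It estimates strength two ways: as a brute-force search over the character classes it finds (the optimistic figure a strength tester shows), and, for passphrases, as a search over whole dictionary words (what an attacker who knows you used common words actually faces). Every extra character multiplies the search space, which is the point the post makes.

```python
import math
import string

# Constructed inputs, taken from the examples used in this post.
SIMPLE = "Mary2020"
KEYBOARD_PATTERN = "UJNwsx45!@#"
PASSPHRASE = "brown dog hairy barber stripes"
SHORT_PASSPHRASE = "brown dog hairy barber"

# Assumed attacker speed: an assumption for illustration, not a figure from the post.
GUESSES_PER_SECOND = 10_000_000_000

# Size of a common-word dictionary; 7776 is the size of a standard diceware list.
DICTIONARY_WORDS = 7776


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover if they only know which character classes appear."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound on strength: bits of search space for an exhaustive character-by-character search."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(phrase: str, dictionary_words: int = DICTIONARY_WORDS) -> float:
    """Strength if the attacker guesses whole words from a dictionary instead of single characters."""
    return len(phrase.split()) * math.log2(dictionary_words)


def years_to_exhaust(bits: float, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate in a search space of the given size at the assumed rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def bits_added_per_character(password: str) -> float:
    """How much each extra character of the same mix adds: the search space is multiplied, not added to."""
    return math.log2(charset_size(password))


if __name__ == "__main__":
    for label, pw in [("simple", SIMPLE), ("keyboard pattern", KEYBOARD_PATTERN),
                      ("passphrase", PASSPHRASE), ("shorter passphrase", SHORT_PASSPHRASE)]:
        bits = brute_force_bits(pw)
        print(f"{label:18} len={len(pw):2} charset={charset_size(pw):2} "
              f"bits={bits:6.1f} years={years_to_exhaust(bits):.3g}")
    for phrase in (PASSPHRASE, SHORT_PASSPHRASE):
        wb = passphrase_bits(phrase)
        print(f"word-guessing '{phrase}': bits={wb:.1f} years={years_to_exhaust(wb):.3g}")
```

The character-class figure for the 30-character passphrase is enormous, but the word-guessing figure (five words from a 7776-word list) is far lower and still well beyond an attacker’s reach; dropping one word costs about 13 bits, which is why the four-word version is still fine. The same optimism applies to keyboard patterns: the character-class estimate assumes the attacker has no idea the password is built from adjacent keys, so treat it as an upper bound.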
The reason behind it all
I’ve lost track of how many times people have said something along the lines of, “I don’t have anything worth taking,” or “Why would someone want my email address?” Hackers are out there and they want a lot of things. Some want your email password so they can send emails as you to everyone you know, with a scam link inside the email or a virus attached.
Other times they want access to your information. Of course, if they can get your email password that might be the same as your bank password, and then they’re in. Hackers can do a lot with your information/passwords, so please don’t make it easy for them.