How many attempts would a hacker need to guess your password?
Password Day is apparently a day to celebrate the power passwords hold, but before we get there: is your password “Password”, or maybe the more strategic “Password123”? If so, you might want to consider the importance of passwords, since they are the key to safeguarding your digital world. India has the second largest internet-savvy population in the world, which also increases its exposure to increasingly sophisticated cyber threats and frauds. And given the current explosion of devices, there is a strong need for security that spans all of them.
So, we may not have any traditions for Password Day yet, but that’s OK: every tradition starts out as a new idea, and if anything in computer security deserves a bit of attention, it’s your password.
Today, in the spirit of better understanding digital security, we’re celebrating Password Day with a simple guide to upgrading your password habits and reflecting on ways to give cyber criminals a tough time:
1. Have unique passwords for all your accounts and do not reuse them: First things first! You should have a unique, dedicated password for each of your online accounts. For example, if you have 10 accounts on the internet, including social networking, email, online payments or apps, then every one of them should have a different, distinct password. Reusing passwords can reward anyone who steals one of them with the key to a number of other sites as well, making the damage far worse.
2. It’s complicated and should always be: Not your relationship status on Facebook, but maybe your login password for it. It’s an interesting way to think about how we choose our passwords. I’ve noticed that guidelines for creating strong passwords, such as “use a long, random collection of numbers, upper- and lower-case letters and wacky characters,” are often turned into arbitrary rules that make passwords easier to guess, like “your password MUST be between eight and twelve characters long and contain at least one uppercase character and one number!” So instead of thinking about what makes a password strong, think about avoiding these common pitfalls: don’t pick one of the 10,000 most common passwords; don’t use personal information, an animal, a sports team, a business name, a nickname, a quotation, a family member, a phrase, a collection of related words or a pet name; avoid dictionary words; and don’t expect to fool anyone by using common misspellings, $ubst1tuti0ns or by adding numbers53 on the end.
3. Shhh… it’s a secret!: Your password is a secret and it should be kept a secret. If you share a password, it’s not a declaration of true love, and it’s not a secret any more either. It has often been observed that sharing passwords leads to a domino effect of further sharing: once you share a password, you lose control of it, because you don’t know who else the person you shared it with passed it on to, who they emailed it to or where they wrote it down.
The trouble is that many of us just don’t think of passwords like that. A survey conducted by the purveyors of password management software, LastPass, found that 95% of us share up to six of our passwords with each other. And it’s not just a bad habit of end users; it’s a bad habit practised by IT professionals, who should know better, too. So please refrain from sharing your password with anyone.
4. Don’t trust password strength meters: You might feel that the judgement of these password strength meters can be trusted, but unfortunately many of them flatter to deceive, with vague wording, fancy graphics and arbitrary rules that look important but may actually make your password weaker. Others have been shown to send passwords unencrypted across the internet, store them in unknown Google spreadsheets and accidentally leak them to third-party marketing companies (that was the CNBC password testing tool, in case you’re wondering).
There are some excellent password strength meters out there, such as the rigorously tested zxcvbn used by WordPress and Dropbox, so some password strength meters are trustworthy. Unfortunately, you can’t tell them apart from the ones that aren’t.
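As an added example (not the article’s own code, and not zxcvbn itself), here is a tiny guess-count estimator in the spirit of zxcvbn. It checks a password against the pitfalls in point 2 (a top-N common password, a dictionary word, $ubst1tuti0ns, numbers on the end) and sets the result beside the arbitrary-rule meter that point 4 warns about; the word lists are constructed samples standing in for the full 10,000-entry list.

```python
import re

# Constructed sample lists standing in for the full top-10,000 common-password
# list and a real dictionary; the order is the order a cracker would try them.
COMMON = ["password", "123456", "qwerty", "letmein", "iloveyou", "dragon", "monkey", "football"]
DICTIONARY = COMMON + ["sunshine", "welcome", "summer", "tiger"]
# The $ubst1tuti0ns the article mentions, mapped back to plain letters.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def naive_meter(password):
    """The arbitrary-rule meter the article warns about: 8-12 characters, at least
    one uppercase letter and one digit, and it calls the password 'strong'."""
    ok = (8 <= len(password) <= 12 and re.search(r"[A-Z]", password)
          and re.search(r"\d", password))
    return "strong" if ok else "weak"


def estimate_guesses(password):
    """Return (guesses, reason): roughly how many attempts a cracker working through
    the pitfalls in order (common list, de-leeted dictionary word plus appended
    digits, then brute force) would need before reaching this password."""
    lower = password.lower()
    if lower in COMMON:                            # pitfall: a top-N password
        return COMMON.index(lower) + 1, "common password"
    core, digits = re.fullmatch(r"(.*?)(\d*)", lower).groups()
    base = core.translate(LEET)                    # undo the substitutions
    if base in DICTIONARY:                         # pitfall: a dressed-up dictionary word
        guesses = DICTIONARY.index(base) + 1
        guesses *= 2 ** sum(a != b for a, b in zip(core, base))  # each substituted letter doubles the work
        guesses *= 2 ** sum(c.isupper() for c in password)       # so does each capital letter
        guesses *= 10 ** len(digits)                             # numbers on the end: 10 per digit
        return guesses, "dictionary word with substitutions/digits"
    # Anything else: brute force over the character classes actually present.
    charset = sum(size for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                             (r"\d", 10), (r"[^A-Za-z0-9]", 33))
                  if re.search(pattern, password))
    return charset ** len(password), "brute force"


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1", "l3tm31n", "Tiger2020", "xkz"]:
        print(f"{pw:12} meter={naive_meter(pw):6} guesses={estimate_guesses(pw)}")
```

The rule-based meter rates “P@ssw0rd1” as strong, while the estimator puts it at 80 guesses: one dictionary word, two substitutions, one capital and one digit.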
5. Don’t tie your password changes to a pattern or schedule: You often get this advice, especially from your office’s IT department, to change your password regularly, but this advice has aged badly as the number of passwords we have to keep has grown. In the modern world it translates to “you must create and remember about 25 completely new and unrelated random passwords every month”, and in doing that we generally compromise on the strength of the passwords and take shortcuts that make cracking them easier. If you can create and remember a full set of new, strong passwords every month, that’s great, but don’t force anyone else to do it, because the chances are they can’t. Instead, focus on choosing the strongest passwords you can.
- by Sunil Sharma, Vice President - Sales, Sophos (India and SAARC)