Using Strong Passwords
Last Updated: 6/9/2005

If you are reading this website, then chances are you use passwords in some way on a regular basis.  Many people have multiple passwords (even dozens) to remember, and the work involved in organizing and remembering them all often leaves us tempted to use simple, easy-to-remember passwords, which, unfortunately, also tend to be easy to guess.

When I say guess, I don't just mean someone literally guessing (although that does happen, as you will read below), but also the use of various tools to try to "crack" or figure out your password.  I won't go into all the details about how this is done, but there are numerous tools out there that can grab a scrambled ("hashed") copy of your password from various places and then try candidate passwords at high speed until one produces the same scrambled value.

No amount of technology can make up for an easily guessable password. Once a person figures out your password, they can essentially impersonate you within whatever system that password applies to.  In some cases, the password may not give the user access to anything critical - maybe just e-mail or a photo gallery.  In the case of bank accounts, credit cards, or job-related systems, the potential exists for a person to do serious damage.

Here are a few tips for choosing "Strong Passwords" - or passwords that cannot be easily guessed.

Tip #1 - Use "Complexity Rules"

More complex passwords are more difficult to guess, and take longer to crack with hacker tools.  By complexity, I mean the number of different kinds of characters used.  A password that consists of all lower-case letters is less complex (easier to crack) than one that uses mixed-case letters with numbers and other symbols mixed in.  A few good rules are:

  1. Use both upper-case and lower-case letters
  2. Use numbers
  3. Use non-alphanumeric symbols (such as %, #, @, &, and *)

You should try to incorporate all of these rules into every password you create.  A common trick is to use a word, name, etc., but replace certain letters with numbers or symbols.  So instead of using "MyPassword", you would use "MyP@$$WoRd".  Be aware, though, that this trick is well known: the common substitutions (a to @, s to $, o to 0, e to 3, i to 1, and a digit or "!" tacked on the end) are built into password-cracking tools as standard "rules", so "MyP@$$WoRd" is only slightly harder to guess than "MyPassword".  If you fall into a pattern (such as always replacing the letter "a" with "@"), then all your passwords become just as easy to guess once someone has figured the pattern out, and someone discovering one password may use it to guess your others.  The safest password is one that does not follow simple patterns like this.

Tip #2 - Longer = Stronger

The number of possible combinations of characters increases exponentially as you add to the length of your password.  For example, if your password consists of both upper and lower case letters as well as numbers, here are the possible combinations for each length:

  • 1 character = 62 possible combinations (26 upper-case letters, 26 lower case, plus 10 numbers)
  • 2 characters = 62 x 62 = 3,844 possible combinations
  • 3 characters = 62 x 62 x 62 = 238,328 possible combinations
  • 4 characters = 62 x 62 x 62 x 62 = 14,776,336 possible combinations

When you add all the possible symbols into the mix, these numbers are even higher.  Now, you may be thinking "Wow - 4 characters is plenty. Who could guess out of over 14 million possible combinations?".  However, you've got to remember that a cracking tool on an ordinary computer can try millions of combinations per second against a common password hash, so 14 million combinations are exhausted in seconds.  It is best to use at least 8 characters (62 to the 8th power is over 218 trillion combinations) for a good password.  But don't stop there if you can remember more.  Each extra character multiplies the work for an attacker by the size of the character set, so adding length does more than adding symbols.  The longer, the stronger.
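To make the arithmetic above concrete, here is an added example (not part of the original page) that computes the keyspace, the equivalent strength in bits, and the time to try every combination for the character sets and lengths discussed.  The guess rate of one billion guesses per second is an assumption standing in for a modern attacker with a fast hash; change it to match whatever you are defending against.  It also generalizes the text's point about length: min_length_for_bits works out how many lower-case letters match the strength of an 8-character mixed-case-plus-digits password.

```python
import math

# Character-set sizes discussed in the text (95 = all printable ASCII).
CHARSETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,
}

# Assumed attacker speed: 1e9 guesses/second (a fast hash on GPU hardware).
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def min_length_for_bits(charset_size: int, bits: float) -> int:
    """Shortest password from this character set reaching `bits` of strength."""
    return math.ceil(bits / math.log2(charset_size))


UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
         ("minutes", 60), ("seconds", 1)]


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '2.5 days'."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND,
                     lengths=(4, 6, 8, 10, 12, 16)):
    """Rows of (charset name, length, keyspace, worst-case crack time)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         humanize(seconds_to_exhaust(size, n, guesses_per_second))))
    return rows


if __name__ == "__main__":
    for name, n, space, when in crack_time_table():
        print(f"{name:32s} {n:2d} chars  {space:>25,d} combos  {when}")
    target = entropy_bits(62, 8)
    print(f"\n8 chars of mixed case + digits = {target:.1f} bits; "
          f"lowercase-only needs {min_length_for_bits(26, target)} chars to match.")
```

Running the table shows the trade-off the text describes: going from 8 to 12 characters in the same 62-character set multiplies the work by 62^4 (about 14.8 million), far more than switching the same 8 characters from 62 to 95 symbols (about 31 times).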

Tip #3 - Don't use words that are found in the dictionary

One of the most common tools used to guess a password is a dictionary cracker.  To help you understand how this works, I first have to give you a little more insight into how passwords are stored and checked (if this part doesn't make sense to you, it's ok to skip it, as long as you just trust me and follow the rule of not using any words found in the dictionary).

Most computer systems do not store passwords as typed, so that a person who breaks into, or even has legitimate access to, a system can't simply read them (a password of "MyP@$$WoRd" might be stored as something like "Xzf4!s8~03R@sV(M>b3").  Most of the time, the stored value is produced by what is called a "one-way hash".  Despite the word "encrypted" that people often use for this, a hash is not encryption: there is no key, and the stored value cannot be turned back into the password (it only goes one way).  So, how does the system use it if it can't recover the password?

What happens is when you enter your password to log into a system, the system runs the password you typed through the same one-way hash that it used when your password was first set.  Then, it compares the result to the hash value it has stored, to see if they match.  If they do, then you entered the right password, and it lets you in.

Now, back to dictionary crackers.  What these tools do is take the stored hash, and try to match it by running every word in a dictionary through the same one-way hash, along with combinations of words and common variations (capitalizing, appending digits, swapping letters for look-alike symbols).  This can take anywhere from minutes to weeks, depending on the size of the dictionary used, the hash involved, and the number of variations it tries.  Once they find a word or group of words that hashes to the same value as your stored hash, they know what your password is!  So, if your password is not a dictionary word or a simple variation of one, this type of tool will not find it.
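The storage, login check and dictionary attack described in Tip #3, together with the warning in Tip #1 that letter-for-symbol substitutions are a known pattern, as an added example that is not part of the original page.  The eight-word list is a constructed stand-in for a real dictionary file, the mangling rules are a small hand-written subset of what real cracking tools apply, and the hash is PBKDF2-SHA256 with a salt (the salt and the deliberately low iteration count are my choices for the demo; a real system would use a much higher count or a dedicated password hash such as bcrypt).

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "sunshine", "letmein", "dragon",
            "football", "monkey", "welcome", "princess"]

# PBKDF2 iteration count, kept low so the demo runs in a second or two.
# A real system would use a far higher count (or bcrypt/scrypt/Argon2).
ITERATIONS = 2000

# Look-alike substitutions that cracking tools try as a standard rule.
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def hash_password(password: str, salt: bytes = None):
    """Store a password as (salt, one-way hash); the password itself is not kept."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Login check: hash what was typed the same way and compare to the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)   # constant-time comparison


# Mangling rules applied to every dictionary word, in the order tried.
RULES = [
    lambda w: w,                                 # as-is
    lambda w: w.capitalize(),                    # Password
    lambda w: w.upper(),                         # PASSWORD
    lambda w: w.translate(LEET),                 # p@$$w0rd
    lambda w: w.capitalize().translate(LEET),    # P@$$w0rd
]
SUFFIXES = ["", "1", "123", "!"]


def candidates(wordlist):
    """Every word x rule x suffix combination a simple cracker would try."""
    for word in wordlist:
        for rule in RULES:
            for suffix in SUFFIXES:
                yield rule(word) + suffix


def dictionary_attack(salt: bytes, stored: bytes, wordlist=WORDLIST):
    """Return (recovered_password, guesses_tried), or (None, guesses_tried)."""
    tried = 0
    for guess in candidates(wordlist):
        tried += 1
        if verify_password(guess, salt, stored):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    for pw in ["sunshine", "P@$$w0rd1", "tr4ckless-owl-3-bagpipe"]:
        salt, stored = hash_password(pw)
        found, tried = dictionary_attack(salt, stored)
        verdict = f"cracked as {found!r}" if found else "not found"
        print(f"{pw!r}: {verdict} after {tried} guesses")
```

"sunshine" falls on the second word, "P@$$w0rd1" falls to the capitalize-plus-substitution rule with a "1" appended (Tip #1's trick buys almost nothing), and the unrelated passphrase survives all 160 guesses.  Because each password gets its own random salt, hashing the same password twice gives different stored values, which stops an attacker from cracking many accounts with one pass over the dictionary.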

Tip #4 - Beware of "Social Engineering"

Despite all the technology that thieves and hackers have, the most common way of discovering someone's password is still "Social Engineering".  So what does that mean?

How many of your passwords have something to do with your spouse's name, your child's birthday, or your favorite sports team?  Probably most of them.  Social Engineering, in the sense used here, refers to learning about someone's life in order to formulate good ideas as to what they might use for security.  If I know you are a pet lover, it's a good bet that your password has something to do with your pet's name or your favorite breed of dog.

This type of breach of security is less likely to be performed by a hacker than it is by a co-worker or "friend".  Just because you trust someone enough to tell them stories about your life doesn't mean you trust them to log in to your computer or have access to your bank account.  Make sure you aren't giving away your passwords on a daily basis in the stories you tell, and don't use easily attainable information such as birthdays and anniversaries.