Cracking Your Password

• Jul 2015
• NARPM Residential Resource

It seems each day that passes brings yet another news story of a major website that has been hacked with its users’ identities or credit card information compromised. Not only could this security breach damage the hacked company’s reputation, but it also has the potential to be an enormous financial calamity for the company. Read on to learn how to better protect yourself from the damage inflicted by internet hackers.

WHAT MAKES A SECURE PASSWORD?

Regularly Change your Password
It is debatable whether regular changes to your passwords make you more secure. Some analysts believe that requiring users to change their passwords on a regular basis may lead users to create passwords that are less secure. Nevertheless, if your password has been compromised, changing passwords on a regular basis limits the time frame of the potential damage.

Others believe the best approach is to change passwords multiple times per year in order to stay ahead of potential hackers. Many advise, and many companies require, a password change every 90 days. The easiest way to remember to keep to this schedule is to change your password with the changing of the seasons. Use a mix of characters, none of which are a keyboard pattern.One way you can help to remember various passwords is by using unique phrases that are familiar to you and substituting numbers and symbols within the phrase. Take the phrase “Go Team Blue.” It could be written as several different variations for use as a password.

The trick is to ensure you remember not only the phrase but also the portions that were replaced and with what they were replaced. Each of the sample passwords in the first column is followed by an estimate of the amount of time it would take a desktop PC (not a supercomputer) to crack the password. These estimates, (as well as others referenced in this article) were obtained from the website HowSecureIsMyPassword.net which can be used to check your favorite passwords. Another helpful tool, www.passwordmeter.com, will point out the strengths and weaknesses of a specific password.

Any combination of upper and lower case letters, along with numbers and symbols, can combine to make a strong password provided that they are over a minimum of eight characters and are not a keyboard pattern. Keyboard patterns are commonly known repetitions such as 12345, ASDF or qwerty. Many of these can be found in password dictionaries easily accessible online.

Longer Passwords are better
Computer hackers work using a database of the most commonly used passwords (e.g. password). When they resort to using algorithms to crack a password, they start with the smaller combinations and work up to larger ones. The longer the password, the more difficult and time-consuming it is to crack. For example, an eight character password (digits and both upper and lower case alpha characters) can be cracked in 15 hours. Increase that number to twelve characters and it takes 25,000 years. It is only used for one account and has not been used for any account in over a year.

Do a quick mental inventory of how many accounts you have. Between various email accounts, social media sites, banking and utility accounts, most people are easily in the double digits. That doesn’t even begin to include shopping accounts, discussion forums and various other fitness and lifestyle sites you may have joined. Do you have any accounts that use the same password? If so, you are putting yourself at risk. If just one of those accounts is hacked, every other account with the same password instantly becomes vulnerable. The only way to truly ensure security for each account is to have a unique password for each entry point.

Creating a password that is both secure and memorable isn’t the easiest task to accomplish. You may be following all of the rules to keep yourself as secure as possible, including a mix of characters with one password per account and updating your password on a regular basis. With that you may be running out of ideas of what to use next, so it seems easy to use a password from two to three rounds ago. Think again. Until a password has been dormant for over a year, it shouldn’t be used again, no matter if the password was previously used on a different account than the intended, the risk is not worth the reward.

Multi-word Phrases
For years, the idea that a random gibberish passwords as secure as you can get has prevailed. That train of thought is on its way to derailment. Many sites are now allowing the use of spaces within a password so a sentiment such as Maddy is Crabby (46 billion years) would be much more secure, and much easier to remember. Use uncommon words within your phrases to make them even harder to crack.

PASSWORD MANAGEMENT

Your password may be completely secure with no ability for guesswork but that does not help if you can’t remember it. Writing down passwords defeats the purpose of all of the security you are working to put in place.
If you have difficulty in remembering your passwords, consider the use of a password manager. The simplest variety of this tool is built in to most web browsers. The problem is that most browsers (Chrome and Internet Explorer) store your passwords in an unencrypted format on your computer. Firefox allows you to encrypt your saved passwords with a single “master” password but lacks advanced features
of dedicated password managers.

LastPass, a popular cloud-based password manager, automatically saves your log-ins and passwords for each site you visit. There is a free version as well as a premium version – and the download is available for Windows, Mac, and Linux. KeePass is a popular desktop application for managing your passwords. This open-source product includes browser extensions and a mobile app.

Always use a password for your computer and mobile devices (tablet and smartphone). This will help keep the contents from prying eyes, particularly the stored unencrypted passwords (remember the web browsers we just talked about).

SECURITY CHALLENGE QUESTIONS

When creating your password, you are often asked security challenge questions to provide a mechanism for resetting you password if you forget it. Don’t let your guard down now. Avoid the use of familiar answers. For example, don’t use any information that is well known or easily accessible (e.g. your social media profiles) such as your birthday, spouse’s first name, mother’s maiden name, your auto license plate, or city where you live.

A number of accounts were compromised by a hacker using information publicly available online to respond to security questions allowing them to reset the password and therefore gain access.

CONCLUSIONS

As computers become more powerful and hence password-cracking techniques advance, more secure methods are needed. A recent study from Carnegie Mellon University challenges the safety of long grammatical phrases, warning that cracking programs are now matching long sentence-like passwords. They suggest that bad grammar may be more advisable. I feel my high school English teacher shuddering as I write this. The challenge is balancing security with convenience. Multi-factor authentication improves security, but is less convenient. The latest release of Windows incorporates the use of picture passwords in which the user may use any combination of three motions
anywhere within their selected image.

Remember that it is not a question of if your account will be compromised, but when. Use these techniques to put that event off for as long as possible.

• Other Topics: