Hacking is often not that complex. Sometimes hackers have to make their attack strategy just a little more complicated, but the truth is that you can prevent a lot of common attacks and keep your online accounts a great deal safer just by using better passwords. So if you are looking for a way to improve your cybersecurity, password security is where you should start.

Trying Common Passwords

One of the easiest and most common ways to hack into an account is to try common passwords or to do a little research on the intended victim and try some passwords related to that person. A 2015 survey indicated that the most commonly-used passwords are the following:

• Password

• qwerty

• 12345

• 123456

• 12345678

These are VERY unsecure passwords. They are easily to guess and cybercriminals will start trying to access your accounts with weak passwords like these.

We also recommend that you never use passwords that contain the following information:

• Your name of the names of your family and friends

• Your birthday or those of your family/friends

• Pets names

• Places you live or have lived including cities or street names

Dictionary Attack

In a dictionary attack, a computer uses a wordlist (like maybe the entire English dictionary) to try and find a password that works. The computer will simply plug in every word in its word list in an attempt to find a working password.

We recommend that you avoid using a single word from the dictionary as your password. You should also avoid using any commonly used word or name that might not be in the dictionary. 

Hybrid Attack

A hybrid attack is like a dictionary attack where the computer will add some numbers and special characters to the words in the word list.

Also, consider that if the attacker assumes you will probably use a year as that 4 digit number, then they don’t have to try every combination. Making assumptions about how passwords are commonly constructed can bring the attack time’s way down.

Mask Attack

A mask attack is all about making the assumptions that were mentioned in the last sections and then performing a specific kind of hybrid attack based on those assumptions.

Imagine that a website requires that you have an 8-character password that uses at least 1 character from each of the following sets

• Upper case letters

• Lower case letters

• Numbers

• Special characters

The average person is likely to respond to that password requirement by choosing a password like “Word123!”  As English speakers, we capitalize the first letter of a word in normal writing. We are also more likely to use a special character like “!” or “?” than “^” of “#.” Again, we use those characters when we write and we are familiar with them.

Attackers know this. So they make assumptions and create a mask that will limit the number of combinations they have to try in their hybrid attack. 

Brute Force Attack

A brute force attack makes no assumptions. It simply tries every possible combination of allowed characters until it finds a match. This kind of attack is very effective on shorter passwords and it will even be able to hack passwords composed of randomized characters. But the length does matter. A brute force attack is not very efficient and if your password is long enough it can be impractical to hack.  

Attacks on Hashes

Passwords are usually stored on servers in what’s called a “hash.” Hashes are essentially a form of encryption that cannot be reversed. Normally when you log in to the web site, your password is sent through a hashing algorithm and then compared to the stored hash. If it’s the same, they let you in. The reason they do things this way is so that a hacker cannot break in to the webserver and steal your passwords directly. Instead they could only steal the Hashes. However, if an attacker does steal the hashes they can attempt to “crack” them by plugging password combinations into the hashing algorithm (using the attack strategies above) and comparing the resulting hashes to the stolen ones. If there is a match, the attacker has cracked your password. This all hinges on having the hashes available but it can allow the program that is attempting to crack the passwords to try far more passwords per second. 

Create strong passwords

• Make it long. This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.

• Use a mix of characters. The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it.

• Avoid common substitutions. Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak definition: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)

• Don’t use memorable keyboard paths. Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.

• 20 Ways to remember your Password

• Strong Password Ideas

Don’t re-use passwords

It is also really important that you never, ever use the same password or passphrase in more than one place. That means every web login you have and every device you have should have its own unique password. You might think that sounds insane, but here’s the deal. If a cybercriminal gets one username and password combination that works on one website, the first thing they are going to do is try that same username and password on other sites. They even have programs that will help them check out hundreds of popular sites in seconds.

If you reuse passwords, you run the risk that a hacker could steal your password from them. Then, as a result, they gain access to your bank accounts. Yeah, pretty much dancing right around all that security implemented by your bank. So don’t reuse passwords anywhere.

Use multifactor authentication

Multifactor authentication (MFA) adds an incredible extra layer of security for your account logins. It’s free and easy to use and will make it nearly impossible for an attacker to compromise your accounts. 

Consider your password reset questions

Have you ever considered how easy it would be for a cybercriminal to answer those security questions and then change the password to your account? Or to break into your email and change the password for other accounts that use that email for password resets?  Most people don’t consider the security surrounding password resets when they think about strong passwords. But really, your password is only as strong as the process required to change it.

For accounts that send password reset e-mails, the solution is simple. Lock down that e-mail account. Make sure it has a strong password that is not shared with any other account. Also make sure that you enable Multifactor Authentication whenever it is offered. If you do those things, you don’t really need to worry about someone breaking into your e-mail account. Your e-mail account is arguably the most important account to keep secure because it is often used to validate other accounts and to reset passwords. We highly recommend that you take steps to keep it really secure.

Many security questions are way to easy like, “Where did you go to high school?;”  “What was the mascot?;”  “What’s the name of your favorite pet?;”  “What color was your first car?;” “What’s the name of your favorite teacher?”  The list goes on.

Which of those questions can’t be guessed by doing a little bit of research on you? So then how should you answer these questions to keep your account secure? Sometimes the account won’t give you an alternative recovery option, so what do you do? How about not answering them truthfully? There is no reason you have to give the correct answer to the question or even an answer that makes sense. The answer to, “What is your favorite pet’s name?” could certainly be “The shutters on my house are green.”  Now that is not going to be easy for an attacker to guess. You just have to remember how you answered the question, that’s all. And to do that, you could use a password manager. 

Don’t write down your passwords

This might sound like a no-brainer but a lot of people do it.  If you write down your passwords, someone will be able to get into you accounts if they find where you’ve written them down. A post-it note on the underside of your keyboard is not as sneaky as you think it is. People will find that. Also be aware that e-mail and online file storage services are not secure ways to store passwords. If you can't remember your passwords and need to write them down, please consider using a password manager. 

Use a password manager

A password manager is an application that  it helps you manage your passwords.

With any password manager, you enter the username and password of each one of your accounts into the manager. You can also store the URL of web-based accounts. The manager keeps these passwords secure by encrypting them with a very strong encryption algorithm that is impractical for any bad guy to break.

Password managers will also let you store secure notes and other data. So you can put your credit card payment information, your driver’s license number and other important information in it as well. Really, any important information that you want to keep secure and that you don’t want to have to remember can be stored in this tool.

Sometimes password managers provide you with additional tools to help you stay secure. For example, some will perform a security assessment on your entire list of passwords. It will tell you which passwords are weak and which ones are old enough that they need to changed. Sometimes they will even monitor for leaked credentials on the dark web and make you aware of when your account credentials might have been compromised in a breach.

We recommend that you consider a password manager if you feel like you cannot practice good password security without one. There are a bunch of free options and some that require payment. We recommend doing some research and selecting a reputable password manager that has the features you need.

Citation and for more information: https://cybersecurity.osu.edu/cybersecurity-you/passwords-authentication/passwords