If an attacker guesses the combination of our username and password, we're done. Sometimes there is a way out, such as a password reset, but when a crucial service is involved, above all the email account that other services send their own reset links to, a compromise can be very hard to undo. We'll look at what our passwords should look like and at the most common attacks criminals carry out on our accounts.
The best passwords thwart brute force and dictionary attacks alike, yet remain reasonably easy to remember. We'll look at how these attacks work and, given how they work, how to choose a password that attackers have no realistic chance of guessing.
- Passwords are a normal part of our lives
- How does password hacking occur?
- Brute force attack
- Dictionary attack
- Phishing
- The anatomy of a strong password
- Common sense or don’t choose stupid and transparent passwords
- Examples of the best passwords
- Use multifactor authentication
- Use a smartphone authentication app
- More security tips on passwords
Passwords are a normal part of our lives
Passwords guard access to a huge range of services, from email accounts to social networks and internet banking. If you're wondering how to create the strongest possible password, you've come to the right place: it's the very foundation of keeping your accounts safe. It's true that even an account with a strong password can still be compromised, but with a weak password your accounts are at risk all the time.
So what's the solution? Passwords that are practically impossible to guess. But before we look at how to create one, let's first go through the ways passwords get hacked, to understand the most common methods in use today.
How does password hacking occur?
Cybercriminals have several password hacking tactics at their disposal, but the easiest is simply to buy passwords on the dark web, a sort of underworld of the internet. We log in to many services, and sometimes we use the same password for several of them. Poorly secured services, such as small forums or movie fan sites, are easy targets, and attackers go after their user databases, where passwords are stored in plain text or as weakly protected hashes that can be cracked quickly. The resulting lists sell for big money on the black market. How strong the password is no longer matters, because the attacker simply knows it.
Simply put: if you have used one password on many services for several years, it's time to change it, at least on the most important ones, and to give each service a password of its own.
If you use a different password for each service, and the passwords for your important accounts have not ended up in the aggregated lists sold on the black market, attackers have to crack them in other ways, which we'll also cover.
Brute force attack
This type of attack tries every possible combination of characters until it hits your password. The attacker uses software that tries as many combinations as possible in the shortest time. Thanks to the speed of modern hardware, brute force attacks keep getting more effective, and short passwords in particular can be cracked in seconds. Against a leaked database of fast, unsalted hashes (MD5 or NTLM, for example), a GPU rig can try hundreds of billions of combinations per second, and for a short password even a mix of upper and lower case letters, numbers and special characters simply won't help.
Brute force attacks are countered by using long passwords. Anything under 12 characters should be considered very susceptible to cracking. Every extra character multiplies the number of combinations by the size of the character set, so each one greatly increases the time a successful brute force attack takes.
Online services defend against such attacks by limiting the number of login attempts, so the really fast guessing happens offline, against a stolen copy of the password database. Either way, the longer the password, the better protected your account is.
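To see how length and character set translate into cracking time, here is a small calculator added to this article (it is not from the original text). The two guess rates are assumptions chosen to match the discussion above: an offline attack on a stolen database of fast hashes at a hundred billion guesses per second, and an online attack against a service that allows only ten attempts per minute.

```python
# Character-set sizes a brute-force tool has to cover: 26 lower-case letters,
# 26 upper-case, 10 digits and 33 printable ASCII symbols.
CHARSETS = {
    "lowercase only": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}

# Assumed guess rates (not measured figures): an offline attack on leaked
# fast, unsalted hashes versus an online attack throttled by the service.
OFFLINE_GUESSES_PER_SECOND = 1e11    # "hundreds of billions per second"
ONLINE_GUESSES_PER_SECOND = 10 / 60  # e.g. 10 login attempts per minute


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst case: the attacker has to try the whole keyspace (on average, half of it)."""
    return keyspace(length, alphabet_size) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits, for a readable table."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def crack_time_table(lengths=(8, 10, 12, 15)) -> list:
    """Rows of (charset, length, offline time, online time). Every extra
    character multiplies the work by the alphabet size, so the offline
    column jumps by a factor of 26 to 95 per step."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            offline = human_duration(seconds_to_exhaust(n, size, OFFLINE_GUESSES_PER_SECOND))
            online = human_duration(seconds_to_exhaust(n, size, ONLINE_GUESSES_PER_SECOND))
            rows.append((name, n, offline, online))
    return rows


if __name__ == "__main__":
    print(f"{'charset':<24}{'len':>4}  {'offline (1e11/s)':<26}{'online (10/min)'}")
    for name, n, offline, online in crack_time_table():
        print(f"{name:<24}{n:>4}  {offline:<26}{online}")
```

The online column shows why rate limiting alone is not enough: it slows an attacker down, but the same short password falls in seconds once the hash database leaks and the guessing moves offline.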
Dictionary attack
This attack is exactly what it sounds like: the attacker goes after you with a dictionary. While a brute force attack tries every combination of letters, numbers and symbols, a dictionary attack tries a pre-prepared list of candidates: dictionary words, previously leaked passwords, and information the attacker has found out about you.
If your password is a commonly used word, a dictionary attack will find it with ease. There just aren't that many words, and trying all their variations, including swapping letters for similar-looking numbers or capitalizing them, is tremendously fast. A password like "Hesl0" ("heslo" is Czech for "password") will be found virtually instantly.
To survive a dictionary attack, your password must not be an ordinary word. Either use a jumble of characters, or put several ordinary words together into a multi-word phrase such as "LaundryGorillaOrangeBeatles". The more words in the phrase, the harder the password is to crack. Additionally, choose words that aren't completely obvious: foreign words, words you don't normally use, or the name of a favorite band or movie, for example.
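The following miniature dictionary attack is an example added to this article, not code from the original. It uses a constructed ten-word list and the kind of rules real cracking tools apply (leet substitutions, capitalization, a digit suffix), hashes every candidate with SHA-256 to stand in for a badly protected leaked database, and shows that "Hesl0" and "p455w0rD" fall immediately while a four-word phrase built from the very same list does not, because the rule set would have to be raised to the fourth power to cover it.

```python
import hashlib
import itertools
from typing import Iterator, Optional

# Constructed mini wordlist for the demonstration. Real attackers use lists
# of millions of dictionary words and leaked passwords.
WORDLIST = ["password", "heslo", "laundry", "gorilla", "orange", "beatles",
            "summer", "dragon", "monkey", "football"]

# Letter -> similar-looking digit: the substitutions every cracking tool tries.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word: str) -> Iterator[str]:
    """Every way of swapping none, some or all of the leet-able letters."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word: str) -> Iterator[str]:
    """Typical capitalization rules: as-is, first upper, last upper, all upper."""
    yield word
    yield word[:1].upper() + word[1:]
    yield word[:-1] + word[-1:].upper()
    yield word.upper()


def word_variants(word: str) -> Iterator[str]:
    """All leet x case forms of a single list word (no suffix)."""
    for leet in leet_variants(word):
        yield from case_variants(leet)


def candidates(wordlist) -> Iterator[str]:
    """Rule-based candidate generator: word x leet x case x optional 0-99 suffix."""
    suffixes = [""] + [str(n) for n in range(100)]
    for word in wordlist:
        for variant in word_variants(word):
            for suffix in suffixes:
                yield variant + suffix


def sha256_hex(password: str) -> str:
    """A fast, unsalted hash stands in for a badly protected leaked database.
    Services should store passwords with a slow hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the password if some rule-generated candidate matches, else None."""
    for candidate in candidates(wordlist):
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def candidate_count(wordlist=WORDLIST) -> int:
    """Number of rule applications for single words (duplicates included)."""
    return sum(1 for _ in candidates(wordlist))


def phrase_candidate_count(wordlist=WORDLIST, words: int = 4) -> int:
    """Work needed to try every `words`-word phrase from the list with the
    same leet/case rules: the per-word variant count raised to that power."""
    per_word = sum(1 for w in wordlist for _ in word_variants(w))
    return per_word ** words


if __name__ == "__main__":
    for pw in ["Hesl0", "p455w0rD", "Dragon99", "LaundryGorillaOrangeBeatles"]:
        print(f"{pw:<30} -> {crack(sha256_hex(pw))}")
    print(f"{candidate_count()} single-word candidates versus "
          f"{phrase_candidate_count():,} four-word phrases from the same list")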
This video (in English) discusses this topic very nicely:
Phishing
The most insidious tactic of attackers is so-called phishing. During this attack the attackers lie to us, intimidate us or pressure us through social engineering so that we unknowingly do what they want.
A phishing email may (falsely) report that something is wrong with your credit card account and direct you to click a link that leads to a fake website designed to look like your bank's. If you enter your password on the fraudulent site, the attackers have it immediately and will use it straight away.
Phishing attacks used to be easy to spot: messages had typos, graphics were broken and the fraudulent sites often weren't even translated into the local language. Today's attackers are far more sophisticated; a phishing site can be indistinguishable from the official one, the emails are error-free and everything looks entirely legitimate. Phishing is therefore something to be really careful about: check the address in the browser before entering a password anywhere.
The anatomy of a strong password
Now that we know how passwords are hacked, we can create strong passwords that will (hopefully) survive any attack, although the only way to survive a phishing attack is not to get caught by it. Your password is strong enough if you follow these basic rules:
Common sense or don’t choose stupid and transparent passwords
Never use obvious passwords: no number sequences, no names, and certainly nothing like "password" or "12345", not even in disguised forms such as "p455w0rD".
Come up with unique passwords that do not contain any personal information such as your name or date of birth, data that can be traced or found out quite easily. If an attacker targets you, they will try to exploit everything they know about you when guessing passwords. So be wary of passwords that include something that can be easily deduced from your social networks or generally publicly available information about you.
If you use any of the following passwords, or other equally obvious variants, change them immediately; you are asking for your accounts to be hacked:
(Table: the most commonly used weak passwords on the internet)
Will brute force crack your password?
Given the nature of a brute force attack, you can take specific steps to deter attackers:
- Password must be long – This is the most important factor. The password should be at least 15 characters long
- Use a mix of upper and lower case letters, numbers and special characters – The more you mix letters, numbers and special characters, the stronger your password is and the harder it is to crack with a brute force attack
- Avoid common substitutions – Attackers know all about replacing letters with similar-looking digits and symbols, as in the case of the aforementioned "password" and "p455w0rD". It costs an attacker nothing to configure the cracking tool to try these variants too. On the other hand, inserting a completely random symbol, ideally in the middle of a word or a series of words, can be very helpful.
- Don't use keyboard patterns – Don't use passwords such as qwertz, qwerty and the like, which are simply the keys in the order they appear on the keyboard and are used only because they are easy to type.
Will a dictionary attack break the password?
The key to stopping this type of attack is to ensure that the password is not just a single word. Several words in a row will thwart this attack quite successfully, especially if you incorporate various other special characters into the password.
Examples of the best passwords
A good password should be easy for you to remember, but very difficult for computers to guess. If you can’t remember the password yourself, it’s not a good password, but the password should also not be too short just to be memorable. Check out the following tips.
A series of words with something extra
Above we gave the example "LaundryGorillaOrangeBeatles", but what if we make a small change to "LaundryGo$rillaOrangeBeatles"? We added one symbol, placed nonsensically in the middle of a word. To crack this with a dictionary attack, the attacker has to add a rule that inserts symbols inside words. Cracking tools do have such rules, but every extra rule multiplies the number of candidates to try, so the time needed to arrive at the right phrase grows significantly.
It's also a good idea to include words that are uncommon, come from another language, are unusual company names, or aren't words at all, simply something that you and only you remember (a made-up nickname you gave a classmate in elementary school, for example).
Of course, you can combine the words in different ways and add substitutions or even more special characters directly inside them. Each of these increases the security of the password, but it should still remain memorable.
A sentence converted by a rule
The idea is to come up with a random sentence and a rule for turning it into a password. You might, for example, drop the second letter of every word, but you can make up both the sentence and the rule entirely on your own:
I like going to concerts -> Ilkegingtcncerts
To anyone else this password is meaningless, but because you know the original sentence and the rule for removing letters, you can always reconstruct it. The password is long, and a dictionary attack won't find it because it contains no actual words.
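As an added example (not part of the original article), here is the sentence-and-rule method written as code, with the rule kept separate so you can swap in one of your own. The default rule is the article's "drop the second letter of every word"; `keep_first_and_last` is a second, assumed rule included only to show that the rule is arbitrary.

```python
from typing import Callable


def drop_nth_letter(n: int) -> Callable[[str], str]:
    """Rule factory: remove the n-th letter (1-based) of a word.
    Words shorter than n letters are kept whole."""
    def rule(word: str) -> str:
        return word[:n - 1] + word[n:] if len(word) >= n else word
    return rule


def keep_first_and_last(word: str) -> str:
    """An alternative, made-up rule: keep only the first and last letter."""
    return word if len(word) < 2 else word[0] + word[-1]


def sentence_to_password(sentence: str,
                         rule: Callable[[str], str] = drop_nth_letter(2)) -> str:
    """Apply `rule` to every word of the sentence and glue the results together."""
    return "".join(rule(word) for word in sentence.split())


if __name__ == "__main__":
    sentence = "I like going to concerts"
    print(sentence_to_password(sentence))                       # article's rule
    print(sentence_to_password(sentence, keep_first_and_last))  # alternative rule
```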
Use multifactor authentication
Any password can leak or be cracked, whether through a phishing attack or a really skilled hacker. That's why you should protect your most important accounts with something more than a password.
Multi-factor authentication (also called two-factor authentication, MFA or 2FA) adds an extra layer of protection, which becomes your first line of defense if your login details leak.
Multi-factor authentication is an additional check that it's really you. Besides the password it can be a fingerprint or iris scan, a one-time code from a hardware token or an authentication app, or a confirmation sent by email or SMS (although SMS is no longer recommended, since attackers can take over a phone number through SIM swapping). The password thus becomes only half of the puzzle of getting into the account: even if an attacker cracks it, they still have to get past the second factor.
Use a smartphone authentication app
The best method of multi-factor authentication is a dedicated app on your smartphone. An app such as Google Authenticator (available for iOS and Android) generates a one-time code that you enter as the additional factor when logging in. The code changes automatically every 30 seconds. Multi-factor authentication is set up separately for each service, but the flow is always the same: once you've logged in with your password, you enter the current code from the app, which completes the login. One caveat: a code typed into a phishing site can be relayed to the real service within those 30 seconds, so the advice about checking the address still applies.
More security tips on passwords
Protect your login credentials further with these tips:
- Use a VPN on public Wi-Fi. Your traffic to the VPN server is then encrypted, so nobody on the local network can read or tamper with it.
- Never send your password to anyone by text message, email or chat.
- When choosing security questions for password recovery, pick answers only you know, or use another strong password as the answer. Security questions easily become a weak point in your account if the answers can be found, say, on your social networks.
- Use security software on both your computer and mobile.
- Always keep your operating system and software up to date. Updates are not just for the sake of adding features, but also to patch security holes.