Everyth1ng Y0u Kn0w Ab0ut P@ssw0rds 1s Wr0ng
The near-continuous revelations of data breaches bring into sharp relief a small but critical way that weak passwords can turn weaponized data from breaches into an even more dangerous attack tool:
More than 80% of adults reuse the same password across multiple accounts.
And that means that once hackers get their hands on weaponized data, they can run through account after account after account, seeking to exploit this common vulnerability. The result is more account takeovers, more fraud attacks against online merchants and greater confusion and havoc in the e-commerce world.
A big reason for password re-use is the difficulty of remembering multiple, complex passwords. But now, the long-accepted norm that strong passwords require a mix of letters, numbers, and special characters has been challenged by the researcher who first proposed it. Bill Burr, a 72-year-old former manager at the National Institute of Standards and Technology, says “much of what I did I now regret."
His original idea was that cryptic and complex combinations made it difficult for passwords to be guessed or hacked. However, he and other the researchers now suggest instead to use the longest word or phrase you can remember, even if it’s understandable or comprehensible. The reason is that the advances in computing power have made it easier and easier for hackers and fraudsters to try millions and millions and millions of combinations in very little time. Thus, shorter words or phrases, no matter how hard they are for our human minds to remember or reproduce, provide fewer combinations for these bot attacks to run through before “cracking the code.”
An example of a long phrase that presents a challenge to today’s supercomputers?
The phrase “CorrectHorseBatteryStaple” would take 550 years for a computer to compromise. On the other hand, a unique spelling of the word “troubadour” with a couple of unique characters appended at the end (i.e., Tr0ub4dor&3) would require only 3 days to crack due to its shorter length.
Noted security expert Shelley Palmer provides a number of additional tips for creating strong password tips at his blog, but raises one important caveat: many websites, e-commerce accounts, and other password-protected resources typically limit the length of your password at 8 to 12 characters. And that simply is not long enough to meet the requirement for enhanced safety. However, if you’re allowed to use a word phrase that’s at least 25 characters, you will be safer.
It’s also important to not to use names, addresses, jobs, schools or other words that are personally identifiable with you and your family when creating long passwords made up of common words. In other words, if your name is William, don’t use the word “Bill” in your password, if you live in Tampa, don’t use the word “Florida” in your password, and if you attend school at the University of Alabama, don’t use “crimsontide.”
Of course, having word phrases that are more easily remembered makes it much easier for consumers to use a different password for every account, which at the end of the day, is the most critical aspect of password security.
As password science evolves, it will become easier and easier for us to protect our personal accounts. For example, Google, Facebook, and other sites can already verify that you are who you say you are by checking to see that you are properly logged in. In addition, there are a number of biometric and multifactor identification and authentication schemas being developed or are in use to help make identity confirmation more secure and simpler.
But in the meantime, it’s never to soon to take advantage of this new knowledge and make your password protection as strong as possible.
Learn how to protect yourself against fraud and chargebacks in our eBook "Fighting Fraud & Chargebacks: 5 Strategies for Winning".