by Evelyn Helminen, Exploratory Initiatives and Partnerships team
My grandmother’s Facebook account was hacked over the holidays. Afterwards, she posted, “I don’t know how they figured out my password which was ‘outhouse’….so I have a new one now.” I know she was picturing someone hunkered over their computer, spending hours focused solely on guessing her password.
That’s not the way it works. Humans are not typically trying to hack into your accounts one painstaking guess at a time. Hackers have machines for that—very fast machines—that use a combination of complex algorithms; all the words in the dictionary; common substitutions, capitalizations, and special characters; and, worst of all, a collection of 1.4 billion exposed usernames and passwords from an aggregate of privacy breaches. These machines are so fast they can try 8.2 billion password combinations per second. Additionally, “password reuse, combined with the frequent use of email addresses as usernames, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.” (Source: Ars Technica)
It took a hacker approximately 1.3 milliseconds to break into my grandma’s account.
Are you at risk? Check out this free resource to quickly assess if an online account of yours has been compromised or “pwned” in a data breach.
Here are some actions you can take to have better passwords and password management:
- Do not reuse passwords across different accounts. Using the same password even once significantly reduces your security.
- Set up multi-factor authentication.
- Use passwords that are 12 characters long or longer. The longer, the better.
- Change your usernames. Think of them as code names.
- Start using a password manager. (This is something I’m going to try. Amy Collier uses the free version of LastPass Manager and likes it.)
If you want to be extra cautious, change all of your passwords. If you want to make a password that is harder to hack, then don’t do what millions of users have done in creating their passwords:
- DO NOT start with a capital letter.
- DO NOT end with a number or exclamation point or other special character.
- DO NOT use a word straight from the dictionary.
- DO NOT use straight song lyrics or quotes.
- DO NOT use someone’s name.
- DO NOT make common character substitutions for letters.
- DO NOT use only numbers.
- DO NOT use fewer than 12 characters.
- DO NOT make your password the same as the site you’re logging into.
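As an added example (not code from the original post), here is a small Python checker that turns the DO NOT list above into concrete checks and, using the 8.2 billion guesses per second quoted earlier, estimates how long a cracking rig would need in the worst case. The short word list, the assumed wordlist size and the per-word mangling-rule count are constructed stand-ins for the multi-million-entry lists real crackers use; the character-class keyspace model is likewise an assumption, not a claim about any particular tool.

```python
"""Password-hygiene checker built from the post's "DO NOT" list.

Added example, not code from the original post. Each rule becomes a check,
and the crack-time estimate uses the 8.2 billion guesses/second quoted in the
post. The word list, WORDLIST_SIZE and MANGLING_RULES are constructed
assumptions standing in for the multi-million-entry lists real crackers use.
"""
import re
import string

GUESSES_PER_SECOND = 8.2e9   # rate quoted in the post
WORDLIST_SIZE = 10_000_000   # assumed size of a cracker's wordlist
MANGLING_RULES = 1_000       # assumed capitalise/append/substitute rules tried per word

# Constructed stand-in for a cracking wordlist.
COMMON_WORDS = {"outhouse", "password", "welcome", "dragon", "sunshine", "letmein", "secret"}

# Letter-for-symbol substitutions that cracking rules undo automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_CHARS = string.digits + string.punctuation            # the "1!" people bolt onto the end
SUBSTITUTION_RE = re.compile(r"[A-Za-z][013457@$]+[A-Za-z]")  # digit/symbol wedged inside a word


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions, so 'P@ssw0rd' becomes 'password'."""
    return password.lower().translate(LEET_MAP)


def dictionary_hit(password: str) -> bool:
    """True if the password is a wordlist entry once casing, substitutions and
    leading/trailing digits or symbols are stripped away."""
    lowered = password.lower()
    candidates = {normalize(lowered.strip(EDGE_CHARS)), normalize(lowered).strip(EDGE_CHARS)}
    return any(c in COMMON_WORDS for c in candidates)


def violations(password: str, site_name: str = "") -> list[str]:
    """Return every 'DO NOT' rule from the post that the password breaks."""
    problems = []
    if len(password) < 12:
        problems.append("fewer than 12 characters")
    if password[:1].isupper():
        problems.append("starts with a capital letter")
    if password and password[-1] in EDGE_CHARS:
        problems.append("ends with a number or special character")
    if password.isdigit():
        problems.append("only numbers")
    if dictionary_hit(password):
        problems.append("dictionary word (even after undoing substitutions)")
    if SUBSTITUTION_RE.search(password):
        problems.append("common character substitutions")
    if site_name and site_name.lower() in password.lower():
        problems.append("contains the site name")
    return problems


def keyspace(password: str) -> int:
    """Brute-force search space implied by the character classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size ** len(password) if password else 0


def worst_case_guesses(password: str) -> int:
    """Guesses needed to exhaust the space. A wordlist hit is bounded by
    wordlist size times rule count, which is far smaller than brute force."""
    brute = keyspace(password)
    if dictionary_hit(password):
        return min(brute, WORDLIST_SIZE * MANGLING_RULES)
    return brute


def seconds_to_crack(password: str) -> float:
    """Worst-case time at the guess rate quoted in the post."""
    return worst_case_guesses(password) / GUESSES_PER_SECOND


def describe(seconds: float) -> str:
    """Human-readable duration for the report."""
    for unit, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords: the grandmother's, a "clever" one, and a long passphrase.
    for pw in ("outhouse", "P@ssw0rd1!", "correct horse battery staple"):
        broken = violations(pw, "facebook") or ["none"]
        print(f"{pw!r}: up to {describe(seconds_to_crack(pw))}; breaks: {', '.join(broken)}")
```

Run it as a script to see the three sample passwords scored. The point the numbers make is the one the post makes: a plain dictionary word is bounded by the wordlist, not by the alphabet, so `outhouse` falls in about a second under these assumptions, while a twelve-character string that is not in any list pushes the estimate into months, and a long passphrase into years.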
Password management is harder than ever but also more important than ever. Take a step today to secure your password-protected accounts and devices.
Reflection: What new practices can you adopt in your daily digital habits to improve the security of your passwords?