Using technology to crack passwords is not a new concept. In fact, if you think back to how Alan Turing cracked Enigma during World War II, as shown in The Imitation Game, the same principles exist today.
These days, it takes less than one second to crack the password ‘123456’. Even something more complex like ‘qqww1122’ can still be figured out in less than an hour. While harder passwords can take days and even months to crack, with time, anything is possible.
Today is World Password Day — a good reminder to evaluate, update and manage your passwords to ensure the security of your accounts. In this blog, I’ll be sharing how brute-force attacks work, along with six best practices that can make all the difference between keeping your accounts secure and potentially exposed.
What is a brute-force attack?
Let’s first start with the very reason we have to be so diligent about password security: brute-force attacks. These attacks occur when hackers use software to try every possible combination of characters, common words and numbers, one after another, until they break into an account.
Brute-force attacks are becoming incredibly problematic as hackers rent large amounts of computing power (RAM and processors) in the public cloud to attack as many passwords as they can at once. Many of the tools hackers use are becoming increasingly accessible and affordable (sometimes even free), making the average internet user an easy target.
Here's how to improve your password security:
1. Create complex and hard-to-crack passwords.
Think of a password like a bike lock. A cheap lock (or simple password) will be easier to break into. The better the lock (or the more complex the password) is, the less likely it can be cracked. The bike thief (or hacker) will only spend so much time trying to break into it before giving up.
One of the best ways to avoid falling victim to a brute-force attack is by ensuring your password is stronger than the next one. To achieve this, it should include:
- At least 16 characters
- Upper and lowercase letters
- Symbols (and even spaces if the program allows it)
Along with length, you should also consider your passwords’ complexity. Despite our best efforts to create something entirely random, it’s human nature to connect patterns between words and characters when thinking of a password. Many users try to incorporate ‘unique’ spins on classic passwords, like shifting every character one key to the left or right on the keyboard. Unfortunately, cracking tools are built to try exactly these tricks, so they are easier to crack than you would think.
If you are being targeted, it’s likely the hacker has done their research through your social media channels to learn more about you. This means they could know about your hobbies, pets’ names, family’s birthdates and more — all of which tend to be common password choices. Even if your social media profiles are private, you never know who on your list of friends could attempt to breach your account, or worse yet, who has access to their accounts too.
To avoid any identifiable words, phrases or numbers, I recommend using a random password generator to ensure your password is entirely unique and as hard as possible to crack. To take it a step further, I recommend making up fake (but memorable) answers to the security questions asked on websites to avoid someone resetting your password. As the post above suggests, you never know what information about you is out there — even from years ago.
2. Use a nonsensical passphrase as your password.
Passphrases — when you string 4-6 random words together — are another option for creating a strong password. In fact, a 2020 article by ZDNet reports the FBI recommends passphrases over password complexity. When compared to a short, complex password, the FBI explained “a longer password, even if relying on simpler words and no special characters, will take longer to crack and require more computational resources.” Still, when using a phrase, your password should include the basic principles (i.e., uppercase and lowercase letters, numbers, etc.) listed above.
If you would rather create a passphrase yourself, be sure to use at least four unrelated words that are each five characters or longer (e.g., Autumn Kangaroo PurpleRiver93!4). Avoid using names or dates that can be easily guessed, such as those of your children, spouse or parents. Remember, the more random you make it, the harder it will be to crack. If you have trouble coming up with completely random words yourself, there are free resources available that can help you generate a new passphrase or test how secure yours is.
One advantage of using a passphrase is that it will be easier to remember. At the same time, it will also be easier for someone else to remember if they happen to catch a glance of you typing it without the characters being hidden by asterisks.
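To put the numbers in sections 1 and 2 in perspective, here is a small added example (my own illustration, not a Ricoh tool) that estimates the search space a brute-force attack faces for the passwords mentioned above versus a four-word passphrase, and generates a passphrase with the operating system’s secure random source. The guess rate, the sample word list and the alphabet sizes are constructed assumptions; real crack times depend on how a site stores its passwords.

```python
import math
import secrets

# Guess rate used for the estimates below: a constructed assumption of
# 10 billion guesses/second against a fast, unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-in for a word list; a real diceware-style list has 7,776 words.
SAMPLE_WORDS = ["autumn", "kangaroo", "purple", "river", "lantern", "granite",
                "velvet", "orbit", "cactus", "meadow", "saffron", "glacier"]


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols plus space
    return size


def brute_force_bits(password: str) -> float:
    """Bits of search space for the inferred alphabet raised to the password length."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Bits of search space for n words drawn uniformly from a word list."""
    return n_words * math.log2(wordlist_size)


def seconds_to_crack(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected seconds to hit the password after searching half the space."""
    return (2 ** bits) / 2 / rate


def generate_passphrase(n_words: int = 4, words=SAMPLE_WORDS, min_len: int = 5) -> str:
    """Pick unrelated words with the OS CSPRNG, honouring the 5+ character rule above."""
    pool = [w for w in words if len(w) >= min_len]
    return " ".join(secrets.choice(pool) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["123456", "qqww1122", "Autumn Kangaroo PurpleRiver93!4"]:
        b = brute_force_bits(pw)
        print(f"{pw!r:36} {b:5.1f} bits  ~{seconds_to_crack(b):.3g} s")
    print(f"4 diceware words: {passphrase_bits(4, 7776):.1f} bits")
    print("generated:", generate_passphrase())
```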
3. Make your passwords different for each account.
Sadly, using the same password for multiple accounts is a mistake many users still make. If a hacker gets into one of your accounts and you use the same password for others, it’s likely they will continue accessing as many accounts as they possibly can. If you’re not convinced of the importance of diversifying your passwords, entering your email address into have i been pwned? can serve as a real eye-opener. Take it a step further, and you can test out your passwords to see how many times they’ve appeared in a data breach (and should therefore never be used).
To avoid third-party hacking, it’s also important not to log in to a website using your Facebook, Google or Apple account credentials — an increasingly common option when registering on a new website. As tempting as it may be to link to your pre-existing logins, it’s always better to create a unique username and password for each account.
4. Keep track of all your passwords.
Keeping track of several random passwords can be a challenge. Instead of clicking ‘remember password’ in your browser, or worse yet, keeping a list of your passwords on your phone or computer, opt for a password management tool like LastPass to keep them organized securely.
5. Enable multi-factor authentication.
The surest way you can add an extra layer of security to your accounts — whether they be social media, email or banking — is by enabling two-factor or multi-factor authentication. This means when you or someone else attempts to log into your account, a text, phone call or email will be sent which contains a code that must be submitted to complete the process.
6. Make your accounts more secure by using an authenticator app.
While sending a text is the most common method, it is not the most secure way of accessing your accounts. Aside from connectivity issues, like when Rogers was down for a full day last month, cellphone companies are notoriously bad at protecting your phone number. A hacker can easily target you, call Rogers, Bell or TELUS, get a SIM card that’s attached to your number, pop it into their phone and intercept the authentication texts or calls.
Instead of depending on these texts or emails, I strongly suggest installing an app such as Microsoft Authenticator App or Authy. This way, the hacker must get into both the account and the app that is installed directly on your device in order to gain access. Alternatively, hardware solutions such as Yubico offer an even stronger layer of security by ensuring the person accessing the account has the physical key in their possession.
Returning to our analogy above, using an authenticator app is like having the most heavy-duty bike lock available. Even if a hacker happens to crack your password, once they come up against an authenticator app, they will be out of luck and be forced to move on.
The reality is that even the most tech-savvy people can fall victim to cybercrime. At Ricoh, our team applies each of these best practices to ensure the security of our accounts. Additionally, all of our RelativityOne users are required to sign in using Microsoft Authenticator App.