These days, virtually everyone has at least one device on which they access some online resources. That makes having strong passwords as vital as remembering to get dressed before leaving for the office. Whether you’re making online purchases with a credit card, checking your email or simply logging into Facebook, you’re exposing some aspect of your life that should probably remain private. And there are plenty of hackers out there anxious to gain access to your data. Don’t make the mistake of thinking nobody cares about your information… there are many ways in which they can profit from it.
How Hackers Profit from Gaining Access to your Password
Obviously, having your password to your online banking portal cracked can have disastrous results. But actually, such thefts represent only a small portion of the cyber-crimes committed each year. There are many ways in which a hacker can make use of your information – and even your computer.
They can clean out your bank account, max out your credit card, sell your passwords and corresponding hashes to rainbow table compilers, sell your (and all your contacts’) email addresses, put your computer to work sending out spam en masse or participating in DDoS attacks, and more. As described in a recent article, “Is your Refrigerator a Security Breach of your Network”, they can even gain entrance to your home, either electronically or physically.
Basic Password Options
Not long ago, the common wisdom was that an 8-character password was strong enough to make cracking extremely difficult. Brute force cracking is no longer the only method we really need to worry about, though. Even by brute force alone, at 350 billion guesses per second, an eight-character password can take less than 6 hours to crack (“25-GPU cluster cracks every standard Windows password in <6 hours”, Ars Technica).
Obviously, both your bank portal and your blog’s host are likely to limit login attempts. To get around that, hackers intercept the stored password hashes and perform what’s referred to as offline cracking: with the hashes in hand, they can make guesses as fast as their hardware allows, and they only need to come back once a guess produces a matching hash.
So how can you choose a password that’s sufficiently difficult to crack that it’s not worthwhile for hackers to try? There are plenty of options available. We’ve all seen the random password generators that will generate a password like cMBT2JFYsw5pxDeq&)Vjc2)R which, with its 24 characters, including upper- and lower-case letters, numerals and symbols, would take a medium-sized botnet around 874 septillion (874,000,000,000,000,000,000,000,000) years to crack. I’d call that a strong password! Even the very impressive GPU cluster described in the above Ars Technica article would need nearly 2.5 quadrillion years to break it. Of course, that password might be a little difficult to remember.
Another option would be to use an encrypted password manager like RoboForm or LastPass. They’re very convenient, but I’ve always believed that if a really intelligent programmer can design a system to be difficult to hack, there’s always another programmer out there who’s just a little bit smarter, who can do it. Having your password manager hacked could be exponentially worse than just one password being revealed.
So let’s try to find a reasonable method – maybe something along the lines of 30+ years to crack, which can be recalled with relative ease. I use a rule of at least 10 characters, mixing upper and lower case letters and symbols, choosing an obscure phrase and substituting numbers for similar-looking letters (3 for E, 1 for L, 0 for O, etc.). But I use the reverse spelling of the words.
For example, I take the phrase “red oak table” and reverse it to become “elbatkaoder”. Then I make some substitutions, to end up with 3Lb@tKa)dEr. Notice that starting with the second character, I used upper case on every other character – that makes it a bit easier to remember. According to John the Ripper (one of the most commonly used free password cracking tools), that would take about 57,337 years to crack.
Notice that I avoided any double letters like ee, oo, ss, tt or ll. Cracking algos are programmed to look for those common combinations, as well as for ea, ou, ai, sh, gh or th. Also avoid words with common endings like ing, ity, ment, itis, ium, etc.
Is Privacy a Thing of the Past?
With our daily lives becoming more integrated into the online world every day, it’s increasingly difficult to protect our privacy. What was once adequate protection can now be overcome in seconds by the tens (if not hundreds) of thousands of full-time hackers. Some of them are reaping $80K per month, just harvesting and re-selling private information. Solid password protection is your first line of defense against those folks and their algorithms.
And never… NEVER… use the same password on two or more accounts! Each one should be unique. If you decide to keep a log of your passwords, it should be double-encrypted, at the very least. Needless to say, you should change passwords periodically, as well.