If you are concerned about keeping your user accounts secure, and access to sensitive business information under control, then the strength of passwords is incredibly important.
The Password Cracking Process
Hackers use tools that automate the password cracking process by running through all possible combinations until they find one that works. For example, they may start with a, then b, then c, etc. until they get to z. If your password is not one of those, they’ll try aa, ab, ac, ad and so on.
Password cracking tools are able to run through all of these combinations very quickly. If your password is only the minimum 6 characters long and uses all lowercase letters, there are 26 × 26 × 26 × 26 × 26 × 26 = 308,915,776 possible combinations, so it will take at most that many attempts to find your password. That might sound like a huge number which would surely take a long time, but a basic password consisting of all lowercase letters can be cracked in as little as 0.29 milliseconds.
Each extra letter multiplies the number of combinations by 26 again. But where you can really make your password hard to crack is by using a mixture of upper and lowercase letters, as well as numbers and symbols. Upper case adds 26 more characters to the equation, so the maximum number of attempts needed to crack a 6 character password is now 52 × 52 × 52 × 52 × 52 × 52.
Then lengthen your password to 12 characters. By doing this, the number of attempts needed to crack it starts getting astronomical (like a 1 with 30 zeros after it).
Even a Strong Password Can’t Completely Protect You – Why You Need Another Layer of Security
No matter how strong you make your password, there’s always a chance someone could find out what it is without needing to use software to crack it.
- A study revealed two in five people have written passwords down. This is an easy way for them to end up in the wrong hands.
- An online service you use could get hacked, exposing the password you used there. This is low hanging fruit for cyber criminals, who will try these login details on other services (tip: don’t reuse passwords, as 55% of people do).
- A cyber criminal could even befriend you on Facebook and shorten the password cracking time by configuring their software to first try passwords containing your wife’s, children’s or pet’s names, or the name of your favorite sports team.
- A cyber criminal could try resetting your password by correctly answering your security questions.
- You could connect to public Wi-Fi and unknowingly be observed by a “man in the middle” who could track your keystrokes.
- Similarly, if you already had malware on your device, your keystrokes could be logged and passwords exposed.
To really ensure your accounts are secure, you should be using two-factor authentication.
Two-factor authentication means a second method of verification is needed to log in to your accounts, in addition to your username and password. The second factor is usually something you have – meaning that to log in you need something you know (your password) and something you have.
The “something you have” is often a code generated on a token that you keep with you. When you’re ready to log in you press a button on your token and it displays a unique code. This code only works for a short period of time (about 30 seconds), and you enter it in a separate field when logging in. Once it’s been used, or once the time elapses, the code no longer works, and you must generate a new one the next time you need to log in.
A token can even come in the form of an app on a smartphone linked to your account. The code used alongside your password to log in is generated within the app.
Other forms of verification send a notification to your device asking you to approve the login attempt. If you wish, a code can be sent to you via SMS instead.
Using two-factor authentication greatly increases the security of your account. Even if a cyber criminal knows your password, they still won’t be able to log in unless they can steal your token or phone as well.