When anything gets hacked, the security breach is usually down to human error rather than any kind of software glitch. And the root of that error is usually one or more people on the system using a range of weak passwords.
The second most common password?
Using a password as embarrassingly weak as these is like leaving your Ferrari in the wrong part of town with the windows open and your key in the ignition. It presents a golden opportunity for hackers and cyber-criminals, leaving you and your business vulnerable to ransomware, website defacements and more. With networks of several thousand zombie machines under their control, all constantly scouring the web for weakly-guarded accounts, it is simply a matter of time until they find yours.
Why do people choose absurdly simple passwords?
When you’re asked to create a new password two things happen. First, your mind goes blank. This vacuum is quickly filled with achingly obvious pattern-based passwords like qwerty (last year’s no. 4) or 12345678 (no. 2) or the less obvious qazwsx (no. 24).
The second thing that happens is that you evaluate possible passwords for two qualities: Originality – whether anyone is likely to guess your password – and memorability – whether you are likely to remember it yourself.
While you might choose monkey (no. 3) or starwars (no. 16) as your password, they probably have no connection to the account you are logging into. This is sometimes called “security by obscurity”, but the term is a misnomer: the security it provides is illusory at best. Even if you choose something as simple as this, you’re probably going to forget which one you chose by the time you next log in. And you could never expect to recall a random string of characters produced by a password generator.
The temptation is then to use the same password for everything. Easy to remember, but when you get hacked once, you’re vulnerable everywhere.
You’ve also probably been asked to include at least one number and use a mixture of upper- and lower-case letters. So to get out of this tailspin, you defer solving the problem altogether. You choose 123456789 (no. 6) or letmein (no. 7) and tell yourself you’ll change it later.
But you don’t. And then you get hacked.
How hackers work.
Contrary to what you see on TV recreations, hackers don’t sit alone in the dark, whiling away their time trying to uncover your password by tapping guesses into a login screen. Typically, they don’t care what’s in your account, or even whose account they get access to. They just go straight for the low-hanging fruit (of which there is plenty) and see what comes back.
Unsurprisingly, they have machines to do all the hard work, and those machines approach the password-guessing game systematically. Any dictionary word will be cracked instantly, with combinations of words falling very shortly afterwards. You should assume that every word in your vocabulary is a vulnerable password.
They begin with the most popular passwords that have been hacked before, as this is the most likely way to gain access to anything. This is what makes 123456789 (no. 6) so easy to crack.
After that, they start on the brute-force method: systematically running through combinations of characters and alphanumeric patterns or sequences – q1w2e3r4t5y6 for example – until they eventually find their way in.
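The guessing order just described (popular passwords first, then dictionary words and word combinations, then keyboard patterns, and only then exhaustive brute force) is also the order a defender should check a new password against before accepting it. The script below is an added example and not the author's or any tool's code: it mirrors those stages with a constructed common-password set built from the ranked entries named on this page, a toy dictionary, and a short list of keyboard walks, and reports which stage would recover a candidate. A real checker would load a breach-derived list of millions of entries and a full word list in place of the small sets here.

```python
import re

# Constructed set: the popular passwords the page names by rank. A real checker
# loads a breach-derived list of millions of entries in the same role.
COMMON_PASSWORDS = {
    "123456789", "12345678", "qwerty", "qazwsx", "monkey", "starwars",
    "letmein", "football", "passw0rd", "q1w2e3r4t5y6",
}

# Constructed toy dictionary standing in for a full word list.
DICTIONARY = {
    "monkey", "star", "wars", "dragon", "football", "password",
    "welcome", "summer", "curly", "wurly",
}

# Keyboard walks a pattern stage enumerates: rows, the digit row, a row
# interleaved with digits (the page's q1w2e3r4t5y6) and a column walk (qazwsx).
KEYBOARD_WALKS = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
    "q1w2e3r4t5y6u7i8o9p0", "qazwsxedcrfvtgbyhnujm",
]

# Letter-for-symbol substitutions undone before the dictionary lookup, so that
# passw0rd and p@ssword are both looked up as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def core_word(password):
    """Lower-case the password, strip leading/trailing digits or punctuation, undo leet."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def split_into_words(core, min_len=3):
    """Return (left, right) when core is two dictionary words glued together, else None."""
    for i in range(min_len, len(core) - min_len + 1):
        if core[:i] in DICTIONARY and core[i:] in DICTIONARY:
            return core[:i], core[i:]
    return None


def is_keyboard_walk(password, min_len=4):
    """True when the password is a contiguous run (either direction) of a keyboard walk."""
    s = password.lower()
    return len(s) >= min_len and any(s in walk or s in walk[::-1] for walk in KEYBOARD_WALKS)


def classify(password):
    """Name the first guessing stage that would recover the password, in the order
    the page describes: popular list, dictionary word, word combination, keyboard
    pattern, and only then exhaustive brute force."""
    if password.lower() in COMMON_PASSWORDS:
        return "common-list"
    core = core_word(password)
    if core in DICTIONARY:
        return "dictionary"
    if split_into_words(core):
        return "word-combination"
    if is_keyboard_walk(password):
        return "keyboard-pattern"
    return "brute-force-only"


def audit(candidates):
    """Map each candidate to its stage; anything other than 'brute-force-only' should be rejected."""
    return {pw: classify(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: the last one is a random-looking string used only to show the fall-through case.
    for pw, stage in audit(["123456789", "Monkey1!", "P@ssw0rd!", "Starwars2018",
                            "qazwsxedc", "T7g!rkPzq2"]).items():
        print(f"{pw:14} -> {stage}")
```

Note that Starwars2018 is not on the common list as written, yet still falls at the word-combination stage, and P@ssw0rd! falls at the dictionary stage once the substitutions are undone: appending a year or swapping letters for symbols does not move a password out of the wordlist stages.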
So if you can’t use real words or patterns of characters, how can you create a password that you’ll be able to remember, but which could never be guessed by marauding hordes of zombie computers?
Create a new secure and memorable password.
As there is a potentially unlimited number of combinations of letters, numbers and characters, guessing a complex password can take even the fastest machines a very, very long time. So here’s a way of generating long, complex passwords that are still ridiculously easy to remember when you need them.
- Think of a person you used to know.
The more obscure and mundane they are, the better. For example, they could be a former neighbour, an old schoolmate or teacher. You don’t even have to know their full name, just who they were to you.
- Describe their relationship to you in a simple statement.
Include numbers by adding a significant year when you knew them, or your age at the time.
- Use the initials of your statement to create a string of characters.
Include capital letters where appropriate. But don’t complicate things by inserting them arbitrarily as you’ll forget where you’ve put them.
In your second year at Eton College, a boy called David ran the tuck shop. Your statement might be:
David Cameron sold me a Curly Wurly at Eton when I was 13
From this, your password would be:
For extra security, include some punctuation in your statement:
In 1987, when I was 13, I bought a Curly Wurly from David Cameron at Eton!
So your password would be:
Now all you need to do is mentally connect the image of your old school chum / former prime minister to the login screen that you’re using the password for. How you do this is up to you, but a simple way is to imagine them reading out the name of the website you’re logging into. From then on, every time you see that login screen, that person will leap into your head and trigger the statement which you – and only you – can then translate into your password.
From there you have a password that is completely unique, easy to remember but impossible for anyone else to guess.
How secure are these passwords?
By copying and pasting the above passwords into a password tester, we can gauge roughly how long it would take a machine, relentlessly and systematically bombarding your account with guesses, to crack your password.
The first password, without punctuation, would take around ten million years to crack.
And how long would it take to crack the second, longer password that includes punctuation? An astonishing three octillion years. That’s this many:
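To see where figures like these come from, here is the arithmetic a password tester performs, added as an example and not the tester the author used (which tool that was, and the guess rate it assumed, are not stated on the page). The script sizes the alphabet from the character classes present, raises it to the password's length, and divides half that keyspace by an assumed guess rate; both rates are illustrative assumptions, one for a throttled online login form and one for an offline attack on a leaked database of fast, unsalted hashes.

```python
import string

# Size of each character class a systematic search must enumerate
# (the symbol class is ASCII punctuation plus the space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation) + 1}

# Assumed guess rates, illustrative rather than measured: a throttled online
# login form, and an offline attack on leaked fast-hash password digests.
GUESS_RATES = {"online": 1e3, "offline": 1e10}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classes_present(password):
    """The character classes the password actually uses."""
    present = set()
    for c in password:
        if c in string.ascii_lowercase:
            present.add("lower")
        elif c in string.ascii_uppercase:
            present.add("upper")
        elif c in string.digits:
            present.add("digit")
        else:
            present.add("symbol")
    return present


def alphabet_size(password):
    """Smallest class-based alphabet that covers every character in the password."""
    return sum(CLASS_SIZES[name] for name in classes_present(password))


def keyspace(password):
    """Number of strings of this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def expected_crack_years(password, guesses_per_second):
    """Average time to reach the password: half the keyspace at the given rate."""
    return keyspace(password) / 2 / guesses_per_second / SECONDS_PER_YEAR


def format_years(years):
    """Render an estimate at the coarsest unit that keeps it readable."""
    seconds = years * SECONDS_PER_YEAR
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    return f"{years:.3g} years"


def report(password):
    """Per-rate estimates for one password, as display strings."""
    return {name: format_years(expected_crack_years(password, rate))
            for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    # Constructed samples: 8 lower-case letters, 14 characters from three classes,
    # and 23 characters from all four classes.
    for pw in ("abcdefgh", "Qp7zLw2Kx9MnRt", "Qp7z!Lw2,Kx9Mn.Rt4Bv;Jh"):
        print(f"{pw:24} alphabet={alphabet_size(pw):3} {report(pw)}")
```

Two caveats belong with any such figure. The estimate assumes the attacker has nothing better than exhaustive search, so it says nothing about a password that sits on a popular list or is built from dictionary words: that one falls in the first stage regardless of its length. And the offline rate depends entirely on how the service stores passwords; a slow, salted hash cuts the rate by orders of magnitude, while a fast unsalted one does not.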
If the bad guys do eventually gain access, by then it really won’t matter to you or your hackers what your password was, or what was in your account.
So if you’re one of the millions of people still using football (no. 9), starwars (no. 16) or passw0rd (no. 19) to secure your online accounts, it’s time to dig up someone from your past, dead or alive. By simply remembering who they were to you, they can help spare you and your business the pain and expense of falling victim to cyber crime.
Rob Taylor is Senior Consultant at Reedsmore.