Why Your Passwords Suck And Should Be Changed Now
Most likely, all of your passwords suck and you should change them immediately. I am going to outline exactly why your passwords suck and should be changed now. Yahoo! recently disclosed that they had a major breach in 2014 and it is likely the biggest security breach in history with more than 500 million accounts compromised. This doesn’t mean that if you have ever had a Yahoo account that it is immediately compromised as tech companies don’t store your password in a database as plain text.
When you create your password, it is encrypted and stored in a password database as a hash. Depending on what type of encryption is used, it will likely looks something like this 82FA72F2471E5244EBFA691C6E5B0603. Hackers now have this database with millions of lines of gibberish. Crisis averted, right?
So they have gibberish. Why does it matter?
Unfortunately, as fast as computers are today, it is quite easy to crack a hash. A relatively inexpensive computer can try billions of combinations and comparisons per second and serious hardware can compute much faster than that. This means that a password that is 10 characters long including lowercase letters and numbers will take less than one second to crack.
To make things more diabolically simple, password crackers not only use single word English dictionaries to crack passwords, but they use multiple dictionaries containing millions of previously cracked passwords. These dictionaries contain lists of previously cracked passwords and, if we include the latest hack, there will be lists of well over a billion passwords. The methods are many and software like CudaHashCat makes quick work of cracking passwords by utilizing multiple methods simultaneously.
So once they have your password they have your Yahoo! account, right? Yes. Your Yahoo! account AND anything account associated with that account AND any other account on which you’ve used that same password. It doesn’t even matter if you use a different username. Because, as I mentioned above, the dictionaries with which hackers use to crack password hashes will contain that password.
My strong password sucked and so does yours.
At the end of 2015, a nefarious goon gained access to my PayPal account. After solving that dilemma, I began a quest to research password security beyond what general knowledge I have. I dove into a rabbit hole of cryptography, entropy, cracking, and multi-factor authentication and learned more than I ever wanted to know. It scared me.
I used a somewhat complex password, or so I thought, for most of my accounts. It was something I could remember easily. 1983T4bby! is the password I used most commonly. My wife’s birthday followed by her name with a 4 replacing the letter A and ending an exclamation mark. Genius! Plug this into any password strength tester and it will more often than not test as strong.
Ten or more years ago, before we have the beefy hardware that we have today, this password would have taken ages to crack. This password would now be relatively easy to brute-force. And, sure enough, it was. Last year this password was hacked due to some security breach, likely from the Gawker breach, and eventually the hackers got into my PayPal account and bought five $100 iTunes gift cards. I got lucky. I noticed this quickly and worked with my bank and PayPal to clear it up rather painlessly.
What to do about it.
My strong password sucked and so does yours. How do you make a password that is memorable, unique, and impossible to crack? You can try your best, but it is next to impossible to make an uncrackable password. Your best bet is to heed this advice. Make every password unique. I know this is an insurmountable task but it’s a lot easier to do than you think; it’s just daunting to start. Once your passwords are all unique, if one gets cracked it is only one account and not all of them (especially not your bank/PayPal.) Next, make sure your character set is big. This means including uppercase, lowercase, numbers, and symbols. The larger your character set, the longer it will take hackers to brute-force your password. Finally, make your passwords long for the same reason. For each character you add to the length of your password you are exponentially increasing the time it will take to crack.
I am going to do another article in the series to delve into more detailed security solutions but if you want to get started I will point you in the right direction. Start simple and slow. Choose a password manager. I recommend either LastPass or Keepass. When you sign up or make your password file, be sure to pick a long and memorable password. The password chickenStriking_hammerHard7& is a good example of something you can remember but is also complex. Even though this password uses common words, it will be nearly uncrackable due to its length alone. If you are going to be using a password manager though, this will be one of the only passwords you will ever have to remember.
The first passwords you should change are your bank passwords. Generate as strong of a password as you can and save it in one of the aforementioned password managers. For example, Wells Fargo allows a maximum password length of 14, which is actually deplorable for a financial institution, so you can generate a random password of 14 characters. XKV@9FbtJCAxM1 is one I generated that will take a bit of time to crack. Next, change your email password. Then change your social media passwords. Before you know it, you will have all of your passwords saved in a password manager.
My next post will go more in-depth on this as well as other alternatives.