This is the first in a series of articles on good password practices. With hackers becoming better and better at cracking passwords, it’s up to us to protect ourselves.
Passwords are a fact of modern life. Want to check your email? Better know your password. Going to check your stock portfolio? You’ll need a password. Want to let some crook sell off your stocks and take the money? You need a better password. Have confidential information on your laptop? You need a stronger password.
Most of us probably had our first exposure to passwords as banks began to introduce the automated teller machine, or ATM. Account holders received a nice-looking credit card, complete with embossed numbers and a magnetic strip. Account holders also received a four-digit personal identification number, or PIN. If you wanted to use your card at the ATM, you plugged in your PIN and voila, money was in your hands.
Four-digit codes are often easy to remember. The problem is, they are also easy to crack. Most people who find a debit card on the street aren’t going to stand at the ATM and plug in all the possible PINs until one works. It takes too long to punch in 0000, 0001, 0002, 0003, 0004, 0005, 0006, and so on. With each of the four digits being one of 10 possibilities (0 through 9), there are 10,000 possible combinations. Plus, ATMs are probably programmed to “eat” the card after a set number of incorrect attempts.
Many online services today allow you to create passwords between 6 and 32 characters long. While shorter ones are easier to remember, they are vulnerable. Whether we like it or not, there are crooks in the world who will try to hack your password. Because many of us (by choice or by force) use our email address as the username, all the crook needs to do is crack your password using easily obtained software or hardware. (The second link features a homemade password cracker that churns through 28.6 billion passwords per second!)
So what makes a good password? It may be best to start by looking at what makes a lousy password. Back in 2008, a security service identified the worst 500 passwords of all time [contains some profanity]. Passwords like 12345, rosebud, porsche, and studmuffin are quite common. One of their biggest flaws is that, besides being short, many of them are actual words. According to one resource, there are slightly over 1 million words in the English language as of July 2011. If your password is one of them, that homemade password cracker will have your password in a nanosecond. That cannot be comforting.
Take this time to identify your various passwords and check them out using one (or more) of these measuring tools:
- Password Strength Checker
- Password Checker (from Microsoft)
- Brute Force Attack Time Calculator (Excel spreadsheet: put in the number of uppercase, lowercase, etc. to calculate)
- GRC’s Password Haystack (calculates brute force attack time in web browser)
Notice that the same password in different measuring tools will return different results. One checker might think your password is strong while another thinks it is merely adequate.
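To see why the tools disagree, here is the arithmetic a brute-force calculator does, as an added example written for this article rather than code from any of the tools above: it counts the character classes a password uses, raises the alphabet size to the password length, and divides by the 28.6 billion guesses per second quoted earlier. The symbol-class size of 33 is an assumption; checkers differ on exactly such choices, which is one reason their ratings differ.

```python
# Added example, not from the article: the "Brute Force Attack Time Calculator"
# idea in code. Keyspace from the character classes used, divided by guess rate.
# Symbol count is an assumption: 32 printable ASCII punctuation marks plus space.
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 33}
# Guess rate quoted in the article for the homemade cracker (per second).
GUESSES_PER_SECOND = 28_600_000_000

def classes_used(password: str) -> set:
    """Return the character classes present, the way a checker categorises them."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digits")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("symbols")
    return classes

def keyspace(length: int, classes: set) -> int:
    """Number of candidates of this length drawn from the union of the classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length

def worst_case_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate with the same length and classes (the ceiling)."""
    # A password that is a dictionary word falls long before this ceiling,
    # because crackers run word lists first; see dictionary_seconds().
    return keyspace(len(password), classes_used(password)) / rate

def dictionary_seconds(words: int = 1_000_000, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every entry of a word list (article: about 1 million English words)."""
    return words / rate

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds * 1000:,.3f} milliseconds"

if __name__ == "__main__":
    for pw in ("1234", "porsche", "Porsche1", "Tr0ub4dor&3", "correct-horse-battery"):
        print(f"{pw:22} {humanize(worst_case_seconds(pw))}")
    print("any single dictionary word:", humanize(dictionary_seconds()))
```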
Now that you have an idea of whether your passwords are strong, it’s time to start thinking about stronger passwords and more. Stay tuned for the next article in this series.