You probably use personal identification numbers (PINs), passwords, or passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Tracking all of the number, letter, and word combinations may be frustrating, but these protections are important because hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.
One of the best ways to protect information or physical property is to ensure that only authorised people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of non-secure and inadequate passwords. Once a system is compromised, it is open to exploitation by other unwanted sources.
Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN:
Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.
Wondering what a strong passphrase looks like? See the table below:
PASSWORD/ PASSPHRASE | DIFFICULTY TO BREAK | EASY TO REMEMBER | COMMENTS |
password123 | Very easy(too easy) | Very easy(too easy) | One of the most commonly used passwords on the planet. |
5pagh3tti95 | Easy | Somewhat easy | Not too much more complexity than above with character substitution, and still short length. Easy to remember, but easy to crack. |
I don’t like pineapple on my pizza! | Hard | Easy | Excellent character length (35 characters). Complexity is naturally high given the apostrophe, exclamation mark and use of spaces. Very easy to remember, and very difficult to crack. |
You should consider using the longest password or passphrase permissible (8–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters and includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—for example, some applications limit the length of passwords and some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.
Once you’ve come up with a strong, memorable password it’s tempting to reuse it—don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to your other accounts with the same password. Use the following techniques to develop unique passwords for each of your accounts:
Passwords should be changed if:
After choosing a password that’s easy to remember but difficult for others to guess, do not write it down and leave it someplace where others can find it. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, makes it easily accessible for someone with physical access to your office. Do not tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (SeeAvoiding Social Engineering Attacksfor more information.)
Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.
Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.
There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.
For more information on passwords, multi-factor authentication, and related password topics, see Factors of authentication.