Passwords: Your Electronic Signature

Some of the material on this page has been moved to separate pages for multifactor authentication (MFA/2FA), password managers and LastPass (includes my reassessment after the breach).
Passwords Secure Your Online Accounts
Increasingly, our lives are lived online: banking, shopping, donating, e-filing taxes, corresponding, posting on Facebook, etc.
According to Mozilla, the average person has 130 online accounts.
That's a lot of unique accounts — each requiring a unique password that is strong enough to resist hacking.
Passwords Protect Authority
Think of passwords as an electronic “Power of Attorney.”
Anyone in possession of your passwords can make purchases, access your bank accounts, access or delete files backed up or stored online, change settings, even post libelous comments about others on your social media accounts.
Your passwords need to be protected diligently.
Unfortunately, consumers seem to ignore such advice:
[A]bout half of consumers (45%) only change passwords for providers when prompted by the platform, when hacked, or not at all, with a similar percentage (44%) often reusing the same password on most of their accounts, leaving account information unprotected.
— MasterCard
Creating Effective Passwords
Several factors are involved in securing our online accounts with effective passwords.
- Generate long and strong passwords.
- Never reuse passwords on multiple sites.
- Don't use single sign-on (SSO).
- Change compromised passwords immediately.
Use a password manager in combination with multifactor authentication (MFA/2FA) to improve security.
These factors make it easier for you to keep your online accounts safe and quickly respond if a data breach reveals your account details.
Poor Password Choices Common
Unfortunately, most people view passwords as something imposed upon them rather than something that improves their security.
- 44% of respondents use the same or similar passwords despite knowing this could increase their personal security risks.
- 53% of respondents haven't changed their password in the last 12 months even after hearing about a breach in the news.
- 41% of respondents think their accounts aren't valuable enough to be worth a hacker's time.
— LastPass
The fact that social media and advertisers expend so much effort to track your browsing history should tell you that information is extremely valuable to them.
NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered “unique.” — ZDNet
Poor security hygiene is a strong contributor to why so many people continue to have their accounts hacked or suffer from ransomware and other malware infections.
To protect ourselves from cybercriminals, it is essential to use a combination of characters when creating a password, use different ones for each account, use a long password, change it regularly and use two-factor authentication.
— Checkpoint
Make Passwords Long and Strong
Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases.
— Ipswitch
Generate passwords that are both long and strong so that they are hard to guess and hard to recover from a stolen password database.
Technology has now made 8-character passwords insecure, even complex ones mixing letters, numbers and symbols, and the password-cracking ability of attackers improves every year.
These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.
— Jeff Atwood (2017)
Bruce Schneier's Choosing secure passwords (2014) will give you a good idea of how passwords get hacked and reveals a great deal about hacker dictionaries (they contain lists of passwords that you'd think were great).
Longer Passwords More Secure
Passwords should be at least 12–15 characters long (I'd recommend longer where the site will allow it).
Given the considerable number of leaked passwords now available on the dark web, anything less than a generated 11 character password is asking for trouble. Of course, most of us don't know whether or not our data is on the dark web. The odds are that at least some of your passwords (and usernames and email addresses) are in a database of hacked accounts.
That's why reusing passwords is so risky; hackers can easily use the same login combination on other websites.
— LastPass blog
Strong Passwords Harder to Hack
Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.
Use random characters wherever the site supports them: a random mix of upper- and lower-case letters and numbers, interspersed with other characters where possible.
- Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
- Including several numbers and other permitted characters (such as the pound sign (#), hyphen and underscore) significantly increases the security of your passwords.
- Avoid starting with a capital and placing numbers and characters at the end.
Newer, more powerful computers are developed all the time, and this raises the bar for what counts as a secure password. State-financed attackers have the resources to obtain and use such equipment regardless of expense.
Password Strength Meters
Many sites will indicate an approximation of the strength of your password.
Don't use third-party sites to check the strength of your password. Even if such a site isn't trying to hack your accounts, the mere fact that you've revealed a password to any site other than the one you sign in to with it potentially makes it vulnerable.
Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g., “admin”) and passwords that are more vulnerable to a “dictionary” attack.
Password Restrictions
Many sites have restrictions placed on both the size of allowed passwords and their complexity (including the use of anything but alpha-numeric characters).
The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like /, \, < or >) may not be allowed.
- Choosing a longer password and leaving out the disallowed symbols still gives you a strong password of sufficient length.
- Some sites will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.
I find it annoying that many of these sites only tell you their restrictions AFTER you've attempted to enter a new password, particularly the special characters that are not allowed.
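As an added illustration of the advice above (random characters from every class, adapted to a site's restrictions), here is a small generator written for this page; it is not code from the original article or from any password manager. The default symbol list and the example restrictions are assumptions standing in for whatever a particular site allows:

```python
import secrets
import string
from typing import List, Optional

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Assumed default: printable ASCII symbols minus the ones sites most often reject
# (quotes, slashes, angle brackets, backtick, space). Pass a site's own list when it differs.
DEFAULT_SYMBOLS = "!#$%&()*+,-.:;=?@[]^_{|}~"


def generate_password(length: int = 20, allowed_symbols: str = DEFAULT_SYMBOLS,
                      require_each_class: bool = True) -> str:
    """Draw every character uniformly from the allowed alphabet using a CSPRNG.

    Many sites insist on at least one character of each class. Rejection
    sampling (regenerate until the constraint holds) keeps the result uniform
    over the passwords that satisfy it, unlike fixing the class positions,
    which would add a predictable pattern.
    """
    classes = [LOWER, UPPER, DIGITS] + ([allowed_symbols] if allowed_symbols else [])
    if require_each_class and length < len(classes):
        raise ValueError("length is too short to hold every required class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each_class or all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def policy_violations(password: str, max_length: Optional[int] = None,
                      disallowed: str = "") -> List[str]:
    """List the reasons a site with the given restrictions would reject the password."""
    problems = []
    if max_length is not None and len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    bad = sorted({c for c in password if c in disallowed})
    if bad:
        problems.append("contains disallowed " + " ".join(bad))
    return problems


def password_for_site(max_length: Optional[int] = None, disallowed: str = "",
                      length: int = 20) -> str:
    """Generate a password that already respects the site's known restrictions,
    using as much length as the site allows."""
    symbols = "".join(c for c in DEFAULT_SYMBOLS if c not in disallowed)
    target = length if max_length is None else min(length, max_length)
    password = generate_password(target, allowed_symbols=symbols)
    assert not policy_violations(password, max_length, disallowed)
    return password


if __name__ == "__main__":
    print("unrestricted:", generate_password())
    # Assumed restrictions for a hypothetical site: 12 characters max, no / \ < > or quotes.
    print("restricted site:", password_for_site(max_length=12, disallowed="/\\<>'\""))
```

Because every character comes from `secrets.choice`, the only structure an attacker can count on is the class guarantee, and the length is still the dominant factor; when a site caps the length, `password_for_site` uses all of it.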
Server Choices Affect Security
Even if you're using a decent password, the level of security used by the sites storing your information, and how your password is transmitted and stored, can make you vulnerable.
- Sites that limit passwords to eight alphanumeric characters are probably storing them in a fixed-size database field, which means in plain text: a properly hashed password takes the same space no matter how long it is, so a site that hashes has no reason to cap length that low.
- If your password is stored in plain text then anyone, employee or hacker, has immediate access to your password and the other information the server has stored about you.
Many data breaches have traced back to an employee, either one whose weak password let attackers into the system or one who was the perpetrator.
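To show what "storing passwords properly" means on the server side, here is an added example written for this page (not code from any site discussed here). It contrasts the naive unsalted hash, where identical passwords produce identical stored values, with a salted, deliberately slow PBKDF2 record; the iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256 and is an assumed policy value:

```python
import hashlib
import hmac
import os

# Work factor: OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256 (assumed policy here).
# Raise it as hardware improves, and prefer Argon2id or scrypt when a library is available.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """What a site that 'hashes' naively stores: equal passwords give equal hashes,
    so one cracked hash (or a precomputed table) unlocks every account sharing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # unique per password, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str) -> bool:
    """True if the record was made with a weaker setting than current policy,
    so it should be re-hashed at the user's next successful login."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    # Two users who chose the same (constructed) password.
    for name in ("alice", "bob"):
        print(name, "naive:", unsalted_sha256("hunter2")[:16], "salted:", hash_password("hunter2")[:40])
```

The salt defeats precomputed tables and hides which users share a password; the iteration count turns each guess from nanoseconds into a fraction of a second, which is exactly the slowdown the brute-force estimates below assume is absent.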
Brute Force Attacks
Brute force attacks refer to the process of testing one potential password after another until the password is discovered.
When a hacker breaks into a company, they usually look for and download the entire password database. In short, not all encryption algorithms are built equally, and even worse, many companies don't protect their passwords correctly.
Some hashing methods are old and weak, and as a result can be broken by hackers. More commonly though, hackers take the stolen hashes, and begin to extract the passwords with a few methods.
— Hive Systems
How Hackers Steal and Use Your Passwords discusses how hackers extract passwords from stolen password hashes.
This chart is a visualization of password vulnerability to brute force attacks in 2023:
Credit: Hive Systems
Using numbers, upper/lower letters and symbols in a password makes it harder to hack than a less complex password of the same length.
Notice how much longer the estimated time for cracking a password was in 2020:
Credit: Hive Systems
Longer passwords are less vulnerable to brute force attacks.
That assumes random characters; several other factors can considerably shorten the indicated timelines:
- Hacker “dictionaries” find common passwords far faster than a brute force search does.
- If your password has appeared in a breach elsewhere (even if the breached account wasn't yours), it is already in attackers' word lists and will be tried early.
- Restrictions on passwords to only letters and numbers or to 8 characters can considerably weaken them.
- Patterns like starting with a capital letter and ending with numbers or symbols increase predictability.
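The Hive Systems charts referred to above are images and are not reproduced here, but the arithmetic behind them is simple. The following is an added example written for this page, not Hive Systems' own code: it computes the keyspace for each character set and length, converts it to a worst-case time at an assumed guess rate, and then shows how much of that keyspace disappears when the attacker assumes the habitual "capital first, digits and a symbol at the end" shape. The guess rate of 10^11 per second is an assumption in the range of a multi-GPU rig against a fast unsalted hash:

```python
import math

# Assumed guess rate. Roughly what a multi-GPU rig manages against a fast,
# unsalted hash; against PBKDF2 or bcrypt it is orders of magnitude lower.
GUESSES_PER_SECOND = 1e11

ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force search must cover in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password; +1 bit per character for 52 vs 26."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    return keyspace(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    units = (("years", 365 * 24 * 3600), ("days", 86_400), ("hours", 3_600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


def patterned_keyspace(length: int, symbol_count: int = 33) -> int:
    """Keyspace left once the attacker assumes the habitual shape
    'one capital, lowercase letters, two digits, one symbol at the end'."""
    if length < 4:
        raise ValueError("pattern needs at least 4 characters")
    return 26 * 26 ** (length - 4) * 10 ** 2 * symbol_count


def crack_table(lengths=(8, 12, 16)):
    """Rows of (alphabet, length, worst-case time), the shape of the Hive Systems chart."""
    return [(name, n, human_time(seconds_to_exhaust(size, n)))
            for name, size in ALPHABETS.items() for n in lengths]


if __name__ == "__main__":
    for name, n, when in crack_table():
        print(f"{name:<22}{n:>3}  {when}")
    print("8 chars, full ASCII, but in the 'Capital...12!' pattern:",
          human_time(patterned_keyspace(8) / GUESSES_PER_SECOND))
```

Two things the table makes concrete: going from 8 to 12 characters multiplies the work by 95^4 (about 81 million), far more than adding symbols to an 8-character password does, and an 8-character password that follows the common pattern has a keyspace more than 100,000 times smaller than its character set suggests, which is why it falls in under a second at the assumed rate.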
“Dictionary” Attacks
Since some combinations are more likely, the hacker will build a “dictionary” of potential passwords. This dictionary contains foreign words, places and patterns of characters that form commonly-used world-wide passwords.
Data breaches have revealed personal information but also common passwords which are added to hacker dictionaries.
Don't Reuse Passwords
Would you feel safe if every apartment in your building used the same key?
Reusing passwords or repeating phrases within your passwords is just as risky.
Users tend to use a single password at many different web sites. By now there are several reported cases where attackers break into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay.
As expected, this attack is remarkably effective.
— Stanford Security Lab
The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password. Does this sound like something you do? If so, cut that bad habit now!
— LastPass blog
Once hackers catch on, all your accounts are vulnerable.
Generate Unique Passwords for Every Site
A unique password for every site limits the fallout if one account is hacked.
By generating a unique password for every site, each site obtains only your name, email and whatever other information you provided directly to that particular site.
Without the aid of password management software, people tend to reuse passwords or generate similar passwords with an extra number or other modifier. This is not security-smart.
Hundreds of online accounts can be compromised in a data breach on any given day. Reusing passwords could put your more sensitive accounts at risk.
Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are. They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network.
— Check Point blog
Compromised accounts are vulnerable from anywhere in the world.
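Most password managers can export their vault as a CSV, which makes the reuse described above easy to audit. The following checker is an added example written for this page, not a feature of any password manager named here; the sample export is constructed (no real credentials) and the "variant" heuristic, which strips the trailing digits and symbols people tack on, is an assumption about how people vary passwords:

```python
import csv
import io
import re
from difflib import SequenceMatcher

# Constructed sample in the url,username,password CSV shape most password
# managers can export. These are not real credentials.
SAMPLE_EXPORT = """\
url,username,password
https://bank.example,alice,Tr0ub4dor&3
https://shop.example,alice,Tr0ub4dor&3
https://forum.example,alice@example.com,Tr0ub4dor&4
https://mail.example,alice,correct horse battery staple
https://work.example,alice,xK9#mQ2vLp!7sRw
"""


def normalize(password: str) -> str:
    """Undo the cosmetic tweaks people make when 'varying' a password:
    case changes and a trailing run of digits or symbols (assumed heuristic)."""
    return re.sub(r"[\d!@#$%^&*]+$", "", password).lower()


def find_reuse(export_csv: str, similarity: float = 0.8):
    """Return (site_a, site_b, kind) for every pair of entries whose passwords
    are identical or near-identical; kind is 'identical' or 'variant'."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    findings = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            pa, pb = a["password"], b["password"]
            if pa == pb:
                findings.append((a["url"], b["url"], "identical"))
            elif normalize(pa) == normalize(pb) or SequenceMatcher(None, pa, pb).ratio() >= similarity:
                findings.append((a["url"], b["url"], "variant"))
    return findings


if __name__ == "__main__":
    for site_a, site_b, kind in find_reuse(SAMPLE_EXPORT):
        print(f"{kind:>9}: {site_a} and {site_b}")
```

Run against the sample, it flags the bank and shop entries as identical and the forum entry as a variant of both; the two genuinely unique passwords are left alone. Delete the export file once you have acted on the findings, since it is the plain-text copy of everything.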
Make Them Random
Unfortunately, people are creatures of habit and tend to follow the same sort of process in creating passwords such as familiar names (girlfriends, sports teams, etc.) and predictable patterns.
Respondents also retain a fondness for “keepsake passwords” including personally significant details as a family or pet name, a birthday or other important date, or a current or previous address, with 48% reporting that practice the last time they created or updated a password.
— PCMag
Patterns Make Passwords More Vulnerable
Passwords with simple phrases or common combinations are easily guessed.
If you can say your password (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.
We tend to start with a capital and leave the numbers and special characters at the end. This makes their discovery easier.
Avoid simple substitutions like @ for a, 3 for e and 0 (zero) for o (e.g., N3wP@ssw0rd1922!); cracking tools apply those substitutions automatically.
In one 2010 case study, the top three compromised passwords were 123456, password and 12345678.
— Duo Security
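To make the “dictionary” attack described earlier and the substitution warning above concrete, here is an added example written for this page (not code from Duo Security or any cracking tool). It expands a tiny constructed word list through the usual mangling rules (capitalisation, leet substitutions, common suffixes) and tests each candidate against an unsalted SHA-256 hash, the kind of stored value a weak site leaks. The targets are constructed for the demonstration:

```python
import hashlib
import itertools

# Constructed stand-in for a "hacker dictionary": a few base words such a
# word list would contain (real lists run to millions of entries).
BASE_WORDS = ["password", "welcome", "summer", "dragon", "monkey"]

# Mangling rules: the substitutions and suffixes people think make a word safe.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "1!", "2023", "2024"]


def leet_variants(word: str):
    """Yield the word with every subset of the leet substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(words=BASE_WORDS):
    """Expand each base word through the case, leet and suffix rules."""
    for word in words:
        for cased in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield variant + suffix


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash: str, words=BASE_WORDS):
    """Try every candidate against an unsalted SHA-256 hash. Returns
    (password, guesses) on success or (None, guesses) if the list lacks it."""
    guesses = 0
    for guess in candidates(words):
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed targets: a 'clever' substitution password and a random one.
    for chosen in ("P@ssw0rd1", "Summ3r2024", "xK9#mQ2vLp!7sRw"):
        found, n = crack(sha256_hex(chosen))
        print(f"{chosen!r}: {'cracked' if found else 'not in dictionary'} after {n} guesses")
```

Five base words and three short rule sets already produce a few thousand candidates, and “P@ssw0rd1” falls within them in a fraction of a second; the random password is never found because it does not descend from any word. Real tools do the same thing with far larger lists and rule sets, which is why a password you can say, however you spell it, is not safe.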
Keyboard Sequences NOT Secure
Keyboard sequences like qwerty or zxcvbnm, or shapes traced on the number pad (such as a “Z”), look like complex passwords but are not. 123456 is used by 17% of users.
Hackers know this practice well, yet it remains common according to the credentials culled from recent breaches.
Single Sign-on Flawed
Single sign-on (SSO) uses your Google, Facebook or Apple ID to log into third-party sites.
SSO may be convenient, but creates a single point of failure.
But for all its convenience, consumer SSO has some real drawbacks, too. It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed.
And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.
— Wired
While sites using SSO may not be provided with your Facebook or Google password, they can access information that allows them to improve their profile of you.
Logging in to a website using a service such as Facebook or Google allows the website to make a request for data about you. Linking two or more sites allows companies to collect more data, building an increasingly rounded profile about you.
Allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
— Natasha Stokes
Facebook and Google both collect vast amounts of data on users and sell access to it to others, which threatens your privacy, and between them they control the bulk of Internet advertising revenue.
Allows for BITB Attacks
A “fake browser” phishing attack called “browser in the browser” (BITB) uses JavaScript and the SSO pop-up flow to draw a fake login window, complete with a convincing address bar, inside the phishing page and capture the user's password. The fake fools all but the most astute observer, but there is a reliable check: a genuine SSO pop-up is a separate browser window that can be dragged outside the parent tab, whereas the BITB fake is page content and cannot leave it.
Change Compromised Passwords
It is a good idea to change your passwords periodically, but it is critical to change one as soon as you learn it has been exposed in a security breach.
Forced frequent password changes sound good, but they only work if you employ a password manager; otherwise people fall back on weak passwords, or minor variations of the old one, because those are easy to remember. For that reason NIST's digital identity guidelines (SP 800-63B) advise against requiring periodic changes and for changing a password whenever there is evidence it has been compromised.
Sharing Passwords Risky
A surprising number of people share passwords without changing them afterwards.
Credit: LastPass.
When you share a password, especially if it is done insecurely, you create a vulnerability that could cost you your privacy or empty your bank account.
Sharing Streaming Passwords
Many people share their streaming passwords with friends, family and others.
You may justify this with cost savings, but sharing your streaming passwords is putting your privacy and personal data at risk.
Sharing Passwords Between Work and Home
What about using the same passwords at home and at work?
This reduces the protection of both your personal and your business accounts.
What's frightening is that 47% of survey respondents admit there is no difference in passwords created for work and personal accounts. Which means that one re-used password has the power to compromise an entire organization's network. A company's network security is only as strong as their weakest link — the employees.
Poor security habits can leave that door wide open for hackers.
— LastPass blog