Easy-to-Remember Passwords Can Be Hard for Hackers to Guess
June has already been a bad month for getting hacked.
If it hasn't happened to you already, your chances of having a password stolen in the future are high, but there are new tricks to keep an account safe even if online criminals do get your password data.
All three companies advised their customers to change their passwords — LinkedIn went so far as to disable compromised accounts, forcing users to create new passwords — but that isn't enough.
Attackers have new strategies, and many companies have responded with better protection methods. Together, those two changes have altered what it takes to make a safe password.
In the "old" days, criminals who wanted to crack passwords used software relying on "dictionaries" of common passwords, and billions of combinations could be tried every second. That's one reason why you've been warned not to use real words found in a dictionary.
Maybe you don't even use words, but instead a string of random letters and numbers with a special character thrown in to comply with so-called "strong" password standards. However, technology has advanced so far that even seemingly random strings can be guessed, by trying every combination, in a fairly short time.
Even that hasn't proved efficient enough for some cybercriminals. By breaking into online company records, they could steal passwords and associated user information en masse. Why hassle with a one-at-a-time approach when you could get a list of millions, ready to exploit?
Today, most companies don't store account holders' passwords at all because it's too risky. Instead they run each password through a hashing algorithm that turns it into a long, fixed-length string of characters, the "hash," and store that in its place.
The next step is to "salt" the hash. If breakfast comes to mind, you're on the right track. You add salt to boost flavor, and companies add extra random characters to each password before hashing it, so that two people with the same password end up with different hashes. (As it turned out, LinkedIn and eHarmony both neglected to use the salting technique.)
But the real problem for companies lies in the practice of using the same out-of-the-box hashing algorithms as everyone else. Because the algorithm is public and widely shared, a sophisticated criminal who steals a list of hashes can run the same algorithm over a password "dictionary" and look for hashes that match. (Salting makes this more difficult, because the work has to be repeated for every salted account, but not impossible.) And that can be a problem for you.
What can you do? Security experts urge people to dump their eight-character passwords and consider 12 characters as the new minimum.
Here's the difference. An eight-character password means there are 722 trillion possibilities for cybercriminals to try, based on 26 upper-case letters, 26 lower-case letters, 10 numerals and 10 special characters (such as an asterisk).
A 12-character password increases the possible combinations to 19 sextillion (19 followed by 21 zeros) — a number that for the time being is too big to get through.
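To make two of the points above concrete (why a shared, unsalted hash lets one dictionary table match many stolen accounts at once, and how the 72-symbol keyspace grows with length), here is an added Python example that is not part of the original article. It assumes SHA-1 as the hash, which the article does not name, and uses constructed user names, passwords and a five-word stand-in dictionary.

```python
import hashlib
import os

# Constructed sample data (not from the article): three users, two of whom
# picked the same weak password, and a five-word stand-in for a "dictionary".
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}
DICTIONARY = ["123456", "password", "password1", "qwerty", "letmein"]

# SHA-1 is an assumption for illustration; the article names no algorithm.
def unsalted_hash(password: str) -> str:
    """Hash of the bare password: identical passwords give identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Random salt mixed in before hashing, so equal passwords differ on disk."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def store_unsalted(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}

def store_salted(users: dict) -> dict:
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)                           # fresh salt per account
        stored[user] = (salt, salted_hash(pw, salt))    # salt kept beside hash
    return stored

def dictionary_check_unsalted(stored: dict, words: list) -> tuple:
    """Hash the dictionary once, then look every stored hash up in that table.
    Returns (accounts matched, hash computations); the work does not grow
    with the number of stolen accounts."""
    table = {unsalted_hash(w): w for w in words}
    matched = {u: table[h] for u, h in stored.items() if h in table}
    return matched, len(words)

def dictionary_check_salted(stored: dict, words: list) -> tuple:
    """With per-account salts no table can be shared: each word is re-hashed
    with each account's own salt, so the work grows with the account count."""
    matched, work = {}, 0
    for user, (salt, h) in stored.items():
        for w in words:
            work += 1
            if salted_hash(w, salt) == h:
                matched[user] = w
                break
    return matched, work

def keyspace(length: int, alphabet_size: int = 72) -> int:
    """Passwords of a given length over the article's 26+26+10+10 symbols."""
    return alphabet_size ** length
```

On the sample data the salted check needs 11 hash computations against 5 for the unsalted store, and that gap widens with every additional stolen account.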
Length won't necessarily make your new password harder for you to remember. Any four common, unrelated words that together add up to more than 12 characters are now considered one of the most secure password configurations. Use an entire sentence if the site will allow it; the longer the better.
But one safety rule that hasn't changed: never use the same password for more than one account, particularly for accounts that hold sensitive information, such as your online banking account.
It's unlikely that a criminal could do much with your LinkedIn password. These types of passwords sell for $1 or less on the black market, compared with the $850 that a bank-account password can sell for, according to security firm Symantec.
But if you've used your LinkedIn account password for your bank site, you could be in big trouble. Those cheap passwords are relatively easy to steal and are routinely used by cybercriminals to try to unlock accounts on more lucrative sites. That's why you should use a unique password for each.
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess," Randall Munroe wrote in his now-famous cartoon on the blog xkcd.com last year.
So pick four words that are easy for you to remember, and you'll be safer than you are today.
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.