Security breaches happen so often nowadays, you’re probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you’ve heard it all already, though, today’s password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here’s what’s changed and what you should do about it.
Blast from the past is a weekly feature at Lifehacker in which we revive old, but still relevant, posts for your reading and hacking pleasure. This week, in the wake of the Heartbleed bug, we though it was time to revive this post and dispel some myths that are still very common.
Background: Passwords Are Easier To Crack Than Ever
Our passwords are much less secure than they were just a few years ago, thanks to faster hardware and new techniques used by password crackers. Ars Technica explains that inexpensive graphics processors enable password-cracking programs to try billions of password combinations in a second; what would have taken years to crack now may take only months or maybe days.
Making matters much worse is hackers know a lot more about our passwords than they used to. All the recent password leaks have helped hackers identify the patterns we use when creating passwords, so hackers can now use rules and algorithms to crack passwords more quickly than they could through simple common-word attacks.
Take the password “Sup3rThinkers”—a password which would pass most password strength tests because of its 13-character length and use of mixed case and a number. Web site How Secure Is My Password? estimates it would take a desktop computer about a million years to crack, with a 4 billion calculations-per-second estimate. It would take a hacker just a couple of months now, Ars says:
Passwords such as “mustacheehcatsum” (that’s “mustache” spelled forward and then backward) may give the appearance of strong security, but they’re easily cracked by isolating their patterns, then writing rules that augment the words contained in the [2009 hack of online games service] RockYou […]and similar lists. For [security penetration tester] Redman to crack “Sup3rThinkers”, he employed rules that directed his software to try not just “super” but also “Super”, “sup3r”, “Sup3r”, “super!!!” and similar modifications. It then tried each of those words in combination with “thinkers”, “Thinkers”, “think3rs”, and “Think3rs”.
In other words, hackers are totally on to us!
What You Can Do: Strengthen Your Passwords By Making Them Unique and Completely Unpredictable
We’ve suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.
1. Avoid Predictable Password Formulas
The biggest problem is we’re all padding our passwords the same way (partly because most companies limit your password length and require certain types of characters). When required to use mix of upper- and lower-case letters, numbers, and symbols, most of us:
- Use a name, place, or common word as the seed, e.g., “fido” (Women tend to use personal names and men tend to use hobbies)
- Capitalize the first letter: “Fido”
- Add a number, most likely 1 or 2, at the end: “Fido1”
- Add one of the most common symbols (~, !, @, #, $ , %, &, ?) at the end: “Fido1!”
Not only are these patterns obvious to professional password guessers, even substituting vowels for numbers (“F1d01!”) or appending another word (“G00dF1d01!”) wouldn’t help much, since hackers are using the patterns against us and appending words from the master crack lists together.
Other clever obfuscation techniques, such as shifting keys to the left or right or using other keyboard patterns are also now sniffed out by hacking tools. As one commenter wrote in the Ars Technica article, hackers use keyword walk generators to emulate millions of keyboard patterns.
The solution: Don’t do what everyone else is doing. Avoid the patterns above and remember the basics: don’t use a single dictionary word, names, or dates in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for how you create memorable passwords, it’s only secure if no one else is using that rule. (Check out IT security pro Mark Burnett’s collection of the top 10,000 most common passwords, which he says represents 99.8% of all user passwords from leaked databases, or this list of 500 most common passwords in one page.)
2. Use a Unique Password for Each Site
We’ll get back to password creation in a minute, but first: this is the most important security strategy of all. Use a different password for each site. This limits the damage that can be done if/when there’s a security breach.
If you use the same password for everything, and someone gets a hold of your Facebook password, they have your password for every site you visit. If you have a different password for every site, they only have access to your Facebook account—so at least all your other accounts are protected.
4. Use Truly Random Passwords
You’ve probably heard that a random, four-word passphrase is more secure and more memorable than complicated but shorter passwords, as web comic xkcd pointed last year. This is true, but often irrelevant, because like we said: you need to use a different password for every account. If you can remember 100 different four-word passwords, be my guest. But for most of us, it doesn’t matter how easy your passwords are to remember—there’s just too many of them. (Though the passphrase approach might be good for, say, your computer login or the few cases you need to remember your password.)
Using a variation on the same password for each site isn’t a good idea, either. Say you have a password like ro7CSfac2V3p1 for Facebook, and you use the variation ro7CSlif2V3p1 for Lifehacker, and so on for all your other sites. If a hacker gains access to one of those passwords, they can easily guess the others by replacing “fac” with the letters that might match other sites (or figuring out whatever your algorithm is). It’s more difficult, but far from impossible, and it isn’t secure enough to rely on—if you can remember it, someone else can probably figure it out.
So: The most secure option is to use a password generator and manager. If you want to keep your accounts safe, you need to use a truly random, long, and complex password, and use a completely different one for each account. How do you accomplish this? Use a password manager like LastPass, KeePass, or 1Password. Not only will they save all your passwords for you, but they can generate random passwords for you. It’s easier to use and set up than you may think.
For more information, I highly, highly recommend you read our guide on how to audit and update your passwords with LastPass for detailed instructions. Remember, the only secure password is the one you can’t remember—and this is the only way to achieve that. Those clever password tricks we used to use just don’t cut it anymore.
Lastly, make sure you turn on two-factor authentication for all sites that support it! It is, by far, one of the best ways to secure your accounts against hackers—even if they get your password, they won’t be able to get access.