In the digital age, making sure that your private data stays truly private is paramount. If you’re one of those people whose password is “password,” “starwars,” “12345678,” or anything on, say, this list of the most commonly used and compromised passwords, I have some news that you probably already know: your password sucks.
You may be wondering why it matters, though, if you consider yourself a regular Joe with nothing to hide on the Internet, and if the only people you know who might ever try to hack into your Facebook are your mother and your regretful ex.
However, your concern with your passwords should not be with the people you know, but with the people, and their botnets, that you don’t. I can’t be the only one who’s ever had a strange online credit card purchase appear on their statement, a sudden onslaught of spam emails, or unusual activity on one of my social media accounts. Even if you haven’t, the likelihood that you will is increasing: according to SecurityWeek, 4.2 billion online records were stolen and exposed in 2016 alone. That’s up from 1.1 billion in 2013.
So what can you do to make your passwords as hack-proof as possible? I believe the best plan of action starts with understanding exactly how passwords get cracked. Sophisticated password-jackers don’t sit in front of their computers manually typing guesses. They feed precompiled wordlists, or “dictionaries,” into automated tools, either against the login forms of sites, servers, and routers, or, far more often, against a stolen database of password hashes where nothing rate-limits them. These lists offer guesses in the hundreds of thousands or millions. One of the most common, rockyou.txt (roughly 14 million real passwords leaked in the 2009 RockYou breach), is so big that even just trying to open it as a simple text file nearly crashes my l’il laptop. (Also, for reference: if you’ve ever seen Mr. Robot and look closely, you can see Elliot using tools like this on Linux to hack his “friends.”)
Equipped with enough processing power, a real hacker’s computer can run through these wordlists so fast that weak passwords fall within minutes or hours; how long exactly depends on how the site stored them, which we get to below. There are also ways of shrinking the search using terminal/command-line utilities such as crunch. Crunch generates a wordlist from a rubric for the order or pattern the attacker thinks the password follows. For example, if you know there will be letters first, numbers second, and symbols third, you can specify exactly that and skip every string that doesn’t fit. And none of this yet counts the keywords and numbers, such as the birthday and pet’s name listed on your Facebook profile, that someone somewhere may have gathered about you via social engineering and added to their list.
So, now that you know this information, what can you do to keep yourself safe? Here are some tips I’ve gathered, from personal experience and various readings across the Internet.
- Use complex passwords, especially for banking and email.
Complexity means, for example: the more characters the better, well into the double digits if you can remember them; a mix of letters, numbers, and symbols, such as AK&T!5V8F9; and not relying on dictionary words. Intentionally scrambling or misspelling a word, so “cat” or “house” become tca and shuoe, helps less than it looks, because cracking tools apply “mangling rules” that automatically try reversed, capitalized, leetspeak, and misspelled variants of every word in their list. Treat a scrambled word as one ingredient of a long password, not as the whole thing.
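To make the wordlist and crunch-style attacks described above concrete, and to show why a scrambled dictionary word like tca or shuoe is not much protection, here is an added example in Python. It is not the post’s own code and not crunch, hashcat, or John the Ripper themselves; it reimplements the two ideas in miniature. The placeholder characters follow crunch’s convention (@ lowercase, , uppercase, % digits, ^ symbols), the five-word dictionary and the “leaked” unsalted SHA-256 hashes are constructed for the demo, and the mangling rule set is a small hypothetical one.

```python
"""Wordlist attacks in miniature: crunch-style patterns plus mangling rules.

Added example for this post; not the post's code and not crunch, hashcat or
John themselves. Two attacker techniques are reproduced in plain Python:
  * a crunch-like pattern, where each placeholder expands to a character class
    (crunch's own placeholders are @ lowercase, , uppercase, % digits, ^ symbols);
  * mangling rules applied to every dictionary word, the way hashcat/John rule
    files do, so "cat" also yields "Cat", "Cat1!", "c47" and "tca".
The five-word dictionary and the "leaked" hashes are constructed for the demo.
"""
import hashlib
import itertools
import string

CHARSETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*",
}

def expand_pattern(pattern):
    """Yield every string matching a crunch-style pattern.
    Non-placeholder characters are literal, so "pass%%" gives pass00..pass99."""
    pools = [CHARSETS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)

def pattern_size(pattern):
    """Number of candidates a pattern expands to (its keyspace)."""
    size = 1
    for ch in pattern:
        size *= len(CHARSETS.get(ch, ch))
    return size

LEET = str.maketrans("aeiost", "431057")       # hypothetical small rule set
SUFFIXES = ("1", "123", "!", "1!", "2016")

def mangle(word):
    """Return the variants a small rule set derives from one dictionary word."""
    variants = {word, word.capitalize(), word.upper(), word[::-1], word.translate(LEET)}
    for suffix in SUFFIXES:
        variants.add(word + suffix)
        variants.add(word.capitalize() + suffix)
    # A "scrambled" word is just a permutation: an n-letter word has at most n!
    # of them, so every rearrangement of a short word is cheap to try.
    if len(word) <= 8:
        for perm in itertools.permutations(word):
            variants.add("".join(perm))
    return variants

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def dictionary_attack(leaked_hashes, dictionary, patterns=()):
    """Recover plaintexts for unsalted SHA-256 hashes: rules first, then patterns.
    Returns (cracked, guesses); cracked maps hash -> (password, how it was found),
    guesses counts every candidate hashed so the cost stays visible."""
    wanted = set(leaked_hashes)
    cracked = {}
    guesses = 0

    def try_candidate(cand, how):
        nonlocal guesses
        guesses += 1
        h = sha256_hex(cand)
        if h in wanted and h not in cracked:
            cracked[h] = (cand, how)

    for word in dictionary:
        for cand in mangle(word):
            try_candidate(cand, f"rule on '{word}'")
    for pat in patterns:
        for cand in expand_pattern(pat):
            try_candidate(cand, f"pattern '{pat}'")
    return cracked, guesses

# Constructed demo data: a toy dictionary and a "dump" of unsalted hashes.
DICTIONARY = ["cat", "house", "password", "starwars", "dragon"]
DEMO_PASSWORDS = ["tca", "shuoe", "Starwars123", "p455w0rd", "qz73", "AK&T!5V8F9"]
DEMO_HASHES = [sha256_hex(p) for p in DEMO_PASSWORDS]

def run_demo():
    """Crack the demo dump with the toy dictionary plus a letters-then-digits pattern.
    Returns ({recovered password: how}, total guesses)."""
    cracked, guesses = dictionary_attack(DEMO_HASHES, DICTIONARY, patterns=["@@%%"])
    recovered = {pw: cracked[h][1] for pw, h in zip(DEMO_PASSWORDS, DEMO_HASHES) if h in cracked}
    return recovered, guesses

if __name__ == "__main__":
    recovered, guesses = run_demo()
    for pw, how in recovered.items():
        print(f"{pw!r:14} recovered via {how}")
    print(f"{guesses} guesses in total; the pattern '@@@@%%%%' alone is {pattern_size('@@@@%%%%'):,} candidates")
```

Everything in the demo dump except the random-looking AK&T!5V8F9 falls out of a five-word dictionary plus one four-character pattern, in well under a second of hashing; the scrambles tca and shuoe are caught by the permutation rule, Starwars123 by a suffix rule, and p455w0rd by the leetspeak rule.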
- Change your passwords often, and use different passwords on every site.
Even if you have the most obscure password on the planet, and even if the website encrypts the connection as you type it (the HTTPS padlock), it doesn’t mean anything if the plaintext of your password has somehow become visible to hackers. One of the ways this can happen is if a hacker steals raw data from the company’s database, where your password, or some hash of it, is kept so the site can check you at login. A well-run site stores only a salted, deliberately slow hash, which an attacker still has to crack one guess per user at a time; a badly-run one stores plaintext, or a fast unsalted hash such as MD5, which a wordlist attack undoes in seconds for every user at once.
While some companies willfully under-invest in their cybersecurity, there are many major corporations, some of the most secure in the game, who still fall victim to clever gray and black hats besting them (I don’t think I have to tell you what we’ve heard about Yahoo! lately). In 2015, The New York Times released an interactive tool for people to check which major websites and services have had customer data leaked.
Most companies will inform their customers when breaches happen, but breaches often go unnoticed by the companies themselves for days, months, or even years. Because you never really know who has gotten into what and when, the safest way to play it is to make sure that whatever data someone could hypothetically hold on you is stale and useless. A unique password on every site means a dump from one site cannot simply be replayed against your accounts elsewhere (the “credential stuffing” that turns one breach into many), and changing a password as soon as a breach is announced cuts off whoever already holds the old one.
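What a stolen database actually hands an attacker depends on how the site stored the passwords, and the reuse problem from this tip is easiest to see with two sites side by side. The following is an added example in Python, not the post’s own code and not any real site’s code. It builds two toy sites: “shop” stores unsalted MD5 the way many breached sites did, and “bank” stores a per-user random salt with a slow PBKDF2-HMAC-SHA256 hash. A small constructed wordlist is run against both dumps, and the shop’s cracked passwords are replayed against the bank. The usernames, passwords, wordlist, and iteration count are all constructed for the demo.

```python
"""What a stolen password database hands to an attacker, by storage scheme.

Added example for this post; not the post's own code and not any real site's
code. Two toy sites hold overlapping users: "shop" stores unsalted MD5 (as many
breached sites did), "bank" stores a per-user random salt plus a slow
PBKDF2-HMAC-SHA256 hash. A small constructed wordlist is run against both dumps,
then the shop's cracked passwords are replayed against the bank. All users,
passwords and the iteration count are constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # demo value; production tunes this to its hardware

# Constructed accounts. alice reuses one password on both sites; bob does not.
SHOP_USERS = {"alice": "starwars", "bob": "starwars", "carol": "Sn0wman!92", "dave": "N&4v@u0x%Qm2"}
BANK_USERS = {"alice": "starwars", "bob": "R7!vk2Lp#q", "carol": "Sn0wman!92", "dave": "N&4v@u0x%Qm2"}
WORDLIST = ["password", "123456", "starwars", "letmein", "dragon", "qwerty"]

def store_md5(pw):
    """Unsalted fast hash: the same password gives the same stored value, on every site."""
    return hashlib.md5(pw.encode()).hexdigest()

def store_salted(pw, salt=None):
    """Per-user random salt + slow KDF, stored as 'salthex:hashhex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + ":" + dk.hex()

def verify_salted(pw, stored):
    """Login check for the salted scheme; constant-time compare on the digest."""
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def build_dumps():
    """What the attacker walks away with from each site's database."""
    return ({u: store_md5(p) for u, p in SHOP_USERS.items()},
            {u: store_salted(p) for u, p in BANK_USERS.items()})

def crack_md5_dump(dump, wordlist):
    """One MD5 per candidate cracks every user with that password at once:
    the lookup table is computed once and reused across the whole dump."""
    table = {store_md5(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(wordlist)          # work is per word, not per user

def crack_salted_dump(dump, wordlist):
    """Each (user, candidate) pair is a separate slow KDF run; nothing is shared."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, stored):
                cracked[user] = w
                break
    return cracked, work

def credential_stuffing(leaked, bank_dump):
    """Replay passwords recovered from the shop against the same usernames at the bank."""
    return {u: pw for u, pw in leaked.items()
            if u in bank_dump and verify_salted(pw, bank_dump[u])}

def run_demo():
    shop_dump, bank_dump = build_dumps()
    shop_cracked, shop_work = crack_md5_dump(shop_dump, WORDLIST)
    bank_cracked, bank_work = crack_salted_dump(bank_dump, WORDLIST)
    stuffed = credential_stuffing(shop_cracked, bank_dump)
    return {
        "shop": (shop_cracked, shop_work),
        "bank": (bank_cracked, bank_work),
        "stuffed": stuffed,
        # alice and bob share a password, so their unsalted hashes are identical
        "shop_shares_hash": shop_dump["alice"] == shop_dump["bob"],
    }

if __name__ == "__main__":
    r = run_demo()
    print("shop (unsalted MD5):  ", r["shop"])
    print("bank (salted PBKDF2): ", r["bank"])
    print("shop passwords that also open the bank:", r["stuffed"])
```

Two things to notice in the output. The shop dump gives up both “starwars” users for six hash computations total, and their identical stored hashes tell the attacker they share a password before any cracking starts; the bank dump needs a separate slow run for every user and every guess, and still loses alice, because “starwars” is in the list. And alice is the only account the shop breach opens at the bank: bob used a different password there, so the replay fails for him, which is the whole argument for one password per site.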
- Physically write your passwords down, or use a password manager.
Having unique, complicated passwords across multiple sites means that you’re probably going to forget them often. Personally, it has helped me to keep a list of passwords in a notebook, in a place where only I can find it, of course. As of this date, there is no known way for a computer to sift through a record I keep between hardcovers in a locked closet.
Password managers such as LastPass and RoboForm will generate hard-to-remember passwords and fill them in for you when you log in. Since the manager now holds every password you own, protect it with a long master passphrase you use nowhere else. Check out PCWorld’s comprehensive list for other similar helpful programs.