A friend recently told me a scary story about why he changed the password on his account with one of the leading online securities trading firms. He was perusing his six-figure portfolio when it occurred to him that he hadn’t changed his password in a while. Quite a while, it turned out; about nine years.
He was further dismayed to realize that the password he had been using all that time – the name of a beloved pet followed by a single number – could probably be guessed by anyone who followed him on social media. For a sophisticated password cracking program, guessing it would be a layup.
Surprisingly, many online services don’t regularly challenge customers to change their passwords, despite the fact that password-cracking technology has advanced by leaps and bounds. Bad guys now follow their victims on social networks to mine keywords that they feed into malicious programs that use machine intelligence to test variations until the door is unlocked. A small fortune may be protected by the cyber security equivalent of tin foil.
No one likes passwords, but they are more important than ever these days. And the ones that worked for you five years ago are probably useless today. If your money, health records or any other personally identifiable information (PII) is at stake, you owe it to yourself to use a secure, random code that a machine can’t guess. As you go about resetting your passwords, avoid these eight common mistakes.
- Using the same password everywhere
The easiest way to remember a password is to use only one, but that’s also the fastest route to disaster. Once a successful phishing attack captures that password – and studies have found that as many as 97% of people can’t detect a phishing email – the attacker essentially has the keys to the kingdom. While it’s probably okay to use the same password for sites that don’t store any PII, you should use different and secure passwords in any situation where your identity or financial information could be compromised.
- Varying passwords with a single character
This is a trap many people fall into when asked to change their passwords; they comply by changing a “12” to a “13.” Password-guessing programs are wise to this trick and can sniff it out in seconds.
A variation of this dangerous practice is to include a non-alphanumeric character by tacking “!” onto the end of your existing password. That’s the oldest dodge in the book, and password crackers are wise to it. Non-alphanumeric characters should be used within the password, not at either end.
- Using personal information in passwords
Avoid using names of relatives, celebrities, sports teams, pets, or any other common terms in your passwords. Cracking software automatically looks for the most common combinations like Yoda123. Don’t think that you can protect yourself by invoking personal information like the name of a loved one or your high school mascot. Social networks make it straightforward for crooks to harvest that information.
You also shouldn’t assume that adding a string of characters to a common name is protection enough. Password crackers know this trick and cycle through combinations of common names and numbers until they hit the right one. The only safe password is one with random – or seemingly random – sets of characters.
- Sharing passwords with others
You might have the strongest password in the world, but if you share it with someone who stores it in an email account protected by “qwerty,” it won’t make a bit of difference. Your passwords are for your eyes only.
- Using passwords that are too short
A decade ago, a five- or six-character password was enough to beat most cracking programs, but computers are so much faster now that a six-character password can be guessed by a brute-force attack. Think 12 characters at a minimum.
- Storing passwords in plain text
One easy way to remember passwords is to store them in a spreadsheet or mail them to yourself. Bad idea. Have you heard of ransomware? It’s the fastest-growing category of malware. Criminals hold your data hostage until you pay them a ransom. In the meantime, they scour your hard drive looking for anything that resembles a password list. Once they find it, the ransom payment is the least of your problems.
- Using recognizable keystroke patterns
“1qaz2wsx” may seem like a pretty tough password to guess until you look at your keyboard and notice the pattern. A random series of letters and numbers must be truly random to have a chance.
- Substituting numbers for letters
This used to be an effective technique, but “Spr1ngst33n” doesn’t survive a determined attack any more. The software is on to that trick.
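As an added example (not part of the original article), here is a small Python checker that flags the mistakes above that can be detected from the password string itself: leetspeak substitutions, a common word with digits or symbols tacked on the ends, keyboard walks like “1qaz2wsx”, too-short passwords, and one-character variations of a previous password. The word list is a constructed stand-in for the large dictionaries cracking tools actually use; reuse, sharing and plain-text storage cannot be judged from the string and are not checked.

```python
import string

# Constructed stand-in for the "common terms" a cracker tries first; a real
# checker would load a large list of names, pets, teams and dictionary words.
COMMON_WORDS = {"yoda", "springsteen", "fluffy", "password", "qwerty", "tigers"}

# Letter-for-number swaps that, as the article says, cracking software undoes.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# US QWERTY rows and columns, used to recognise "1qaz2wsx"-style walks.
KEYBOARD_LINES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                  "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
KEYBOARD_LINES += [line[::-1] for line in KEYBOARD_LINES]  # walks in reverse

def normalize(pw: str) -> str:
    """Strip digit/punctuation padding from both ends and undo leetspeak,
    i.e. reverse the mangling rules a wordlist attack applies."""
    core = pw.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()

def keyboard_walk_fraction(pw: str) -> float:
    """Fraction of characters lying in runs of 3+ adjacent keyboard keys."""
    s = pw.lower()
    covered = set()
    for i in range(len(s) - 2):
        if any(s[i:i + 3] in line for line in KEYBOARD_LINES):
            covered.update(range(i, i + 3))
    return len(covered) / len(s) if s else 0.0

def weaknesses(pw: str, previous: str = "") -> list[str]:
    """Return which of the article's checkable mistakes `pw` exhibits.
    `previous` is the password being replaced, if known."""
    found = []
    if len(pw) < 12:
        found.append("too short: under 12 characters")
    if normalize(pw) in COMMON_WORDS:
        found.append("common word or name once padding and leetspeak are undone")
    punct = [i for i, c in enumerate(pw) if c in string.punctuation]
    if punct and all(i in (0, len(pw) - 1) for i in punct):
        found.append("symbols only at the ends, not inside the password")
    if keyboard_walk_fraction(pw) >= 0.5:
        found.append("recognisable keyboard pattern")
    if previous:
        same_len = len(pw) == len(previous)
        diffs = sum(a != b for a, b in zip(pw, previous))
        if pw.startswith(previous) or (same_len and diffs <= 1):
            found.append("differs from the previous password by one character")
    return found
```

Running `weaknesses("Fluffy7!", previous="Fluffy6!")` reports all four detectable problems, while a long random string such as `k7#Qv$2pLm9wZ` comes back clean.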
Your best bet is to use a password manager protected by strong encryption. The best ones generate secure passwords for you and give you total protection with two-factor authentication.