There’s been a security breach at CompanyX… user accounts compromised
These are some words that you don’t want to hear if you’ve got an account at CompanyX. But as you may have seen recently there have been numerous reports just like this of security breaches at some large organisations, such as LinkedIn and Twitter.
Here we look at what this actually means for those users and the things you can do to help protect yourself online by generating a memorable yet secure password.
So a hacker has got your account details…
If you’re a user of CompanyX, the important thing to know is that even if your account details have been compromised by hackers, it probably doesn’t mean they can now simply log into your account. Most servers will encrypt the passwords stored in their databases, so even though there has been a security breach the hacker only has an encrypted version of your password so for the moment your password is still unknown.
What does the hacker do?
The hacker will take the data they have stolen from CompanyX and create a file containing all the encrypted passwords (including yours), they will then try to crack as many as possible.
To do this the hacker will create as many potential passwords as they can. They will then encrypt each one in the same way as CompanyX did when they originally stored your password in their database. The encrypted versions of the hackers passwords are then compared to each of the encrypted passwords in the stolen file, if one is a match then they have cracked the password.
There are a number of methods used for generating these potential passwords. These will range from a dictionary attack to a brute force attack.
Dictionary attack
As the name suggests a dictionary attack will check every word found in a dictionary, this is the quickest and simplest way to crack passwords. If you just use a single word as your password then this type of attack will find it fairly quickly.
A hacker will know that most people will try to make their passwords more secure by adding symbols or numbers. For example you might start with the word password and change it to become pa$5w0rd. Admittedly this is slightly more secure than just the original word but so many people will change an ‘s’ for ‘$’ or ‘5’ hackers know these changes and build them into their programs to try to guess your password.
Brute Force Attacks
If a dictionary attack doesn’t manage to guess your password the hacker might move onto a brute force attack. This is where the hacker will write a program to generate every possible combination of letters, numbers and symbols and test check each of these generated words. Using a brute force attack will make it possible to crack every password eventually, you just need to make sure that it’s not feasible for the hacker to crack yours.
How do I create a strong password?
The strength of a password comes down to two things, the length of the password and it’s complexity. You can create stronger passwords by increasing either of these things.
The other important thing to remember is not to re-use passwords on different sites. Once a hacker has cracked a password, they can try this on other sites hoping that you would use the same one.
Password Length
Obviously a longer password is stronger than a short one. For example, if you just used lower case letters in your password for every extra character in length, you’re make your password 26 times stronger.
Various studies have shown that the average password length is about 8 characters.
Password Complexity
The complexity of a password is to do with how many different characters are used to make it up. These can be letters (upper and lower case) numbers and symbols. If you use every possible character on your keyboard (lower case letters, upper case letters, numbers and symbols), each extra character in length you make your password 96 times stronger.
How strong is a password?
The table below shows how long it would take to crack passwords of different types:
| Length | Characters Used | Possible Characters | Possible combinations | Time to crack* |
|---|---|---|---|---|
| 6 | only lower case letters | 26 | 308915776 | 10 minutes |
| 6 | upper and lower case letters | 52 | 19770609664 | 10 hours |
| 7 | only lower case letters | 26 | 8031810176 | 4 hours |
| 7 | upper and lower case letters | 52 | 1028071702528 | 23 days |
| 8 | only lower case letters | 26 | 208827064576 | 4 days |
| 8 | upper and lower case letters | 52 | 53459728531456 | 3 years |
| 8 | numbers and upper and lower case letters | 62 | 218340105584896 | 13 years |
| 8 | all possible characters | 96 | 7213895789838340 | 457 years |
| 9 | all possible characters | 96 | 692533995824480000 | 44,000 years |
| 10 | all possible characters | 96 | 66483263599150100000 | 4,200,000 years |
*This is the time taken to generate every possible password. It assumes a cracking speed of 500,000 passwords a second.
What can I do to create a long memorable password?
The main problem with a secure (long) password that contains a combination of upper/lower case letters, numbers and symbols is remembering it, especially if you shouldn’t base it on a word. Here are a couple of methods you could try and see what you think is best.
Multiple words
If you start of with 4 completely unrelated words you can easily create a long password which isn’t too difficult to remember. For example I could choose the words brick, tomato, triangle and england. Putting these together would give bricktomatotriangleengland which is a 27 character password. Which based on the same cracking speed as above would take 10,150,882,108,408,600,000,000,000 years to crack. With this method, you need to ensure there is nothing to connect the words that a cracker might be able to use to predict the password.
Phrase/Song lyrics
Another method you could try which could be easier for you to remember would be to think of a phrase or some words to a song, the more obscure song/phrase the better. You then take the first letter of each of these words to form your password. For example, if you take the first lines of We Will Rock You by Queen: Buddy you’re a boy make a big noise, Playin’ in the street gonna be a big man some day. You get: byabmabnpitsgbabmsd as your password, this would take 1,263,834,912,177,160 years to crack.
With both of the above methods, adding capital letters, numbers and symbols would make them even more secure.
Password manager
If you want a really secure password and don’t want to worry about trying to remember it, you could use a password manager program to organise your passwords for you. The password manager runs on your computer and stores all your passwords so whenever you need one you don’t need to remember them, you just need to remember a single password for the program itself. Some password managers have the ability to work with your web browser so they automatically fill in your passwords on any website you log in to.
Almost all password managers also have a password generation tool so you can generate truly random passwords that will be extremely secure.
In summary…
Passwords are the most common method for user authentication used on the Internet and they will be for the foreseeable future. The number of hackers trying to get their hands on your password is likely to keep rising too. Therefore it’s worth deciding on a password generation method and using it every time you need to create a new password. This will then help you remember more secure passwords and more importantly stop you from re-using them for different sites. All this can help to keep your accounts and information safe online.