Passwords: Facts, Myths, and Misconceptions

Passwords seem to be linked to almost every aspect of life these days. Whether you're banking, ordering groceries, or chatting online with friends, you have to use a password. They seem like such a simple concept: you have a secret code that lets you access things, and that's it, right? Not always, and sometimes that secret isn't so secret after all. So how do you keep your password safe? Should you frequently change it? Make it insanely complex? Just do whatever the IT guy at work says to do? Let's delve into passwords and find out the best way to keep people out of your accounts.

Let's start with the basics: what makes a good password? There are a few key things to keep in mind. First, you want to make sure it isn't easy to guess. If your password is password1234, well, it's not hard to figure out, and you may want to be a little more creative. So maybe use Adaf(j#42jaf(!?Fadfj$# instead? While that certainly won't be in anyone's first thousand guesses, how likely is it that you will remember it? Probably not very likely at all, which means you may end up keeping everyone, even yourself, locked out of your account. So we need to come up with something that's hard to guess and easy to remember. Maybe try a "passphrase" instead, and replace some letters with numbers and symbols, so it's hard to guess AND easy to remember! For example, say your favorite animal is a dolphin, you like the color green, and 72 is your favorite number. Maybe you could use Gr3eNd0lph1n72$. It's long, it meets complexity requirements, and best of all, you won't be calling support to reset it next week!

What about some common myths? Let's start with the elephant in the room. Many people believe that requiring you to change your password every 30 days will keep your password secure. Makes sense, right? In theory it sure does, but studies show that in practice, not so much. Most users will either reuse old passwords, add an ! to the end of their current password, or change a number sequentially, such as password1 to password2. Ultimately, people don't like having to change their passwords, and as a quiet way of showing their displeasure at the annoyance, do very little to change them. Those who do change their password in a more secure way are far more likely to forget the new password and end up locked out of their account. The next myth is that requiring upper case, lower case, numbers, and symbols will make a secure password. Password1! meets those requirements, but it is not at all secure, and is likely one of the first guesses an attacker would use. Lastly is complexity, and as we showed in the last paragraph, sure, it makes a password hard to guess, but that is useless if you can't remember it, which doesn't make it a good password. Ultimately a good password is balanced between length, complexity, and being easily remembered.

You have probably heard that you shouldn't reuse passwords, and while that definitely helps prevent multiple accounts from being breached when one password is discovered, without assistance it simply isn't practical to have a different password for every account. Who has the ability to remember a hundred different passwords and which accounts they go to? Luckily there are many services that assist with this, called password managers. Services like LastPass can generate and store thousands of passwords for you, so all your accounts have a different password but you don't have to remember them. These work by allowing you to remember only a single "master" password, using a second form of authentication to keep that account safe, and then keeping all your logins saved in an encrypted service. While not for everyone, it is definitely something worth looking into!

Multifactor authentication, adding a second, or sometimes even a third, requirement to log in, means that just because someone has your password doesn't mean they can log in. You have probably run into this when having to use Google Authenticator or Authy to generate a code to log into an account. This is a great security tool! Unless an attacker learns your password and also gets hold of your phone or device with the timed codes, they can't get into your account! While timed codes are the most common type of MFA, you may also have something like a YubiKey, a physical token you need to plug into a computer to go along with a password. Whenever it's available, it's highly advisable to use MFA with your passwords, because by doing this you make it exponentially harder for someone to break into your account!

With all these security features and suggestions, you're secure now, right? Well, that depends on you. While many people imagine hackers using advanced computers, typing into a command line and breaking into an account, that is actually the exception and not the rule when it comes to illicit account access. Most cracked passwords come from social engineering. You may have seen the Facebook posts asking you to list your favorite color, the street you lived on, your first pet's name, your favorite sports team, etc. While it may seem innocent enough, this information can be used to build a file used to crack your password. This is called a dictionary attack: by creating a list of words you are likely to use in your passwords, a special program will generate and attempt possible password combinations based on the dictionary built from the Facebook post you replied to. You also have phishing attacks, where emails send you to a fake website to log in, but instead of logging you in, it logs your credentials and gives the attacker your username and password. Avoiding these attacks can be easy: simply avoid giving away this information, and always go directly to websites by typing them into a browser rather than following links in emails. While this won't stop all attacks, it will beat quite a few!

We have discussed a lot of information about passwords, so let's sum it up. Passwords are critical to many daily tasks, and keeping them safe is extremely important. You need to find the right balance of complexity, ease of remembering, and length to ensure you can access your accounts but attackers can't. If you have the option, multifactor authentication is a great second layer of security to prevent attackers from accessing your accounts. Lastly, don't give your information away freely online, as this allows attackers to more easily gain access to you and your accounts.

As technology progresses, there is a good possibility that passwords may become a thing of the past. Things like biometrics, meaning fingerprints, face scans, voice prints, and other "bodily" forms of authentication, are becoming more commonplace and easier to access. You may even already be using passwordless authentication without realizing it. Can you look at your phone and unlock it? You just used a biometric login, which is much harder to attack than a password.

All in all, if you follow the steps we talked about to make a complex but easy-to-remember password, use MFA alongside it when possible, and use a password manager to keep passwords unique, you are a step ahead of the bad guys. The goal of cybersecurity is to make gaining access not worth the effort, and by following these steps you are very likely to achieve that goal!

