Passwords — Your First Line of Cyberdefense

Passwords are a vital part of your cybersecurity plan, and they may be your most important defense against attackers. Usernames and passwords are the first thing cybercriminals go after. A recent study reported that 63% of network breaches involved weak or stolen credentials.

Most cyberattacks begin with a weak password

It would be convenient if we could still get away with these, the five most commonly used passwords:

  1. 123456
  2. Password
  3. 12345
  4. 12345678
  5. qwerty

What does a “good” password look like?

Which of these two passwords is the more difficult for a cybercriminal to crack:

^Y34)8*a or MydogisSmart!!

If you picked MydogisSmart!!, you are correct. Attackers have access to very fast hardware that can test enormous numbers of password candidates per second. A "complex" 8-character password like ^Y34)8*a would be nearly impossible to guess by hand, but attackers are not guessing by hand anymore.

An 8-character password like the one above, drawn from a 71-symbol alphabet, has 71^8 = 645,753,531,245,761 possible combinations and can be exhausted in about 83 days (which implies roughly 90 million guesses per second). That is quite a while, and if you change your password every 2 months you might be OK, but most people do not change their passwords every couple of months. The figure also depends heavily on how the password is stored: against a fast, unsalted hash such as MD5 or NTLM, a GPU cracking rig tests tens of billions of candidates per second and would finish the whole 8-character space in hours, not months.

The password MydogisSmart!! is 14 characters. Over a 92-symbol alphabet that is 92^14 = 3,111,928,305,110,923,294,648,827,904 combinations, and at the same 90 million guesses per second exhausting them would take on the order of a trillion years (even at a trillion guesses per second it is about 100 million years). It is also very easy to type and easy to remember. One caveat: that count assumes the attacker tries every symbol combination. A passphrase built from common words with one capital letter and a punctuation tail can instead be attacked by combining dictionary words, which searches a far smaller space, so pick several unrelated words rather than a plain sentence.
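To make the arithmetic above concrete, here is an added example (not code from the original article) that computes the search space for both sample passwords, the time to exhaust it at several assumed guess rates, and the much smaller space a word-combining attack on a passphrase has to cover. The guess rates, the 20,000-word dictionary and the 100 suffixes are illustrative assumptions, not measurements.

```python
# Added example (not from the original article): estimate how long an attacker
# needs to exhaust a password's search space at a given guess rate, using the
# two passwords and the two alphabet sizes the article's figures imply.
# All guess rates below are illustrative assumptions.


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct strings of `length` symbols over an `alphabet`-symbol set."""
    return alphabet ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate has to be tried."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit, e.g. '83.0 days'."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def combinator_space(words: int, dictionary_size: int,
                     caps_per_word: int, suffixes: int) -> int:
    """Candidates a word-combining attack on a passphrase must check instead of
    raw brute force: every sequence of `words` dictionary entries, each in one of
    `caps_per_word` capitalisation variants, followed by one of `suffixes` tails."""
    return (dictionary_size * caps_per_word) ** words * suffixes


# Assumed guess rates (orders of magnitude, not benchmarks):
#  - 9e7/s is the rate that turns the article's 71^8 figure into "83 days"
#  - 1e11/s is what a multi-GPU rig reaches against a fast unsalted hash (MD5, NTLM)
#  - 1e4/s is the order reached against a deliberately slow hash such as bcrypt
RATES = {
    "article rate (9e7/s)": 9e7,
    "GPU rig vs fast hash (1e11/s)": 1e11,
    "GPU rig vs bcrypt (1e4/s)": 1e4,
}


def report(space: int) -> dict:
    """Time to exhaust `space` at each assumed rate, as human-readable strings."""
    return {name: human_duration(seconds_to_exhaust(space, rate))
            for name, rate in RATES.items()}


if __name__ == "__main__":
    complex8 = keyspace(8, 71)    # the article's 645,753,531,245,761 (71-symbol alphabet)
    phrase14 = keyspace(14, 92)   # the article's 3.11e27 (92-symbol alphabet)
    ascii8 = keyspace(8, 95)      # all 95 printable ASCII characters
    for label, space in (("^Y34)8*a, 71^8", complex8),
                         ("^Y34)8*a, 95^8", ascii8),
                         ("MydogisSmart!!, 92^14", phrase14)):
        print(label, f"{space:,}")
        for name, when in report(space).items():
            print(f"    {name}: {when}")
    # The same passphrase attacked as words, not symbols: 4 words from a
    # 20,000-word dictionary, 2 capitalisations each, 100 punctuation/number tails.
    words = combinator_space(4, 20000, 2, 100)
    print("MydogisSmart!! as 4 dictionary words:", f"{words:,}")
    for name, when in report(words).items():
        print(f"    {name}: {when}")
```

The point of the last calculation is that the word-combining space (2.56e20) is about ten million times smaller than 92^14, and the bcrypt row shows that the hash the site uses changes the answer by more orders of magnitude than the password's character mix does.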

Creating a great password … actually, a PassPhrase is BEST!

When creating a new password, try to follow these guidelines:

  1. The password should be at least 14 characters long
  2. It should contain at least one uppercase letter and at least one digit or symbol
  3. It can be something easy to type
  4. It can be something easy to remember
  5. Change it once or twice each year, and immediately if you suspect it has been exposed in a breach (current NIST guidance in SP 800-63B favors changing passwords on evidence of compromise rather than on a fixed schedule)
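As an added example (not code from the original article), the following checker enforces the guidelines above and generates passphrases that satisfy them. The word list is a small constructed sample of twelve words; a real generator draws from a list of several thousand (the EFF long list has 7,776), and the entropy function shows why that size matters.

```python
# Added example (not from the original article): a checker for the five
# guidelines above and a passphrase generator that satisfies them. The word
# list is a small constructed sample; a real generator draws from a list of
# several thousand words (the EFF long list has 7,776).
import math
import secrets
import string

SAMPLE_WORDS = ["river", "candle", "orbit", "pencil", "maple", "glacier",
                "saddle", "lantern", "copper", "meadow", "falcon", "quartz"]

# The most common passwords from the list earlier on the page. Anything on
# such a list is rejected whatever its length.
COMMON_PASSWORDS = {"123456", "12345", "password", "12345678", "qwerty"}

MIN_LENGTH = 14


def policy_violations(password: str) -> list:
    """Return the list of guideline violations (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def generate_passphrase(n_words: int = 4, words=SAMPLE_WORDS) -> str:
    """Join randomly chosen words, capitalise one, and add a symbol and a number.

    `secrets` is used rather than `random` so the choice is unpredictable."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    i = secrets.randbelow(n_words)
    chosen[i] = chosen[i].capitalize()
    return "".join(chosen) + secrets.choice("!?#%") + str(secrets.randbelow(100))


def passphrase_entropy_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy faced by an attacker who knows the scheme: log2(dictionary^n_words).

    Twelve sample words give only about 14.3 bits for four words; the EFF long
    list gives about 51.7 bits, which is why the list size matters more than
    the punctuation tail."""
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in ("^Y34)8*a", "MydogisSmart!!", "12345678", generate_passphrase()):
        verdict = policy_violations(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print(f"4 words from 7,776: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

Note that the checker is a floor, not a guarantee: "MydogisSmart!!" passes, but a passphrase made of random words from a large list is much harder to attack than a grammatical sentence, as the entropy figures show.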

Remember, it is the length of the password, more than its character mix, that makes it extremely difficult (if not impossible) for an attacker to crack, as long as the extra length is not something predictable such as a famous quote, a song lyric or a single dictionary word.

Another important thing to remember: do not use the same password for different accounts. If you are using passphrases, you can tie each one to its account with initials, colors or other details of that account, but be aware that an attacker who learns one of your passwords may spot the pattern, which is why a password manager that generates unrelated passwords is the safer route. Never use the same password for email as you use for online banking or shopping!

There are five main tactics cybercriminals use to get hold of your password:

  1. Social Engineering - The easiest way for an attacker to obtain your login credentials is to pose as someone you trust and simply ask for them. Attackers pose as coworkers, as support staff from Microsoft or Comcast, and even as IRS agents. Social engineering is the art of exploiting a person's willingness to trust others in order to extract sensitive information.
  2. The Dictionary Attack - One of the most common tactics. As the name implies, an automated program tries every entry in a defined dictionary against the target. The "dictionary" is not a language dictionary but a large list of passwords people actually use, such as 123456, qwerty, admin and password, typically compiled from earlier breaches and expanded with "mangling" rules (capitalize the first letter, append 1 or !, swap a for @).
  3. Brute Force Attack – A brute force attack tries every possible combination of characters until one matches. It is a trial-and-error method run by software on fast hardware (GPU cracking rigs rather than supercomputers), usually offline against a stolen database of password hashes, since online login forms can be rate-limited and locked out. This is the attack the combination counts above are measured against.
  4. Phishing – Strictly speaking, phishing is not itself a hack, but it is how many hacks begin. It is usually carried out by email: the cybercriminal tries to trick the recipient into clicking a link to a fake login page or opening an attachment that is actually malware. Sometimes the attacker phones the user and poses as someone who needs the login credentials.
  5. Spyware or Keylogging Malware – Once inside a network, some attackers deploy spyware or a keylogger, usually without the user or company knowing. These programs monitor and capture keystrokes, clicks, conversations and downloads and send the captured data back to the attacker for analysis. Attackers look for passwords, credit card numbers, financial data, client information, basically anything that can be sold on the dark web. No password policy protects against a keylogger; it captures a strong password as easily as a weak one, which is one reason a second authentication factor matters.
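The dictionary attack described in item 2 is easy to see in miniature. The following is an added example (not code from the original article): a constructed "leaked" set of unsalted SHA-256 hashes, a seven-word constructed wordlist, and a handful of mangling rules. The common passwords fall in about a hundred guesses; the page's two sample passwords do not, because neither is a wordlist entry plus a rule.

```python
# Added example (not from the original article): a miniature dictionary attack
# with mangling rules against a set of password hashes, to show why common
# passwords fall instantly while the page's two sample passwords do not.
# The "leaked" hashes and the wordlist are constructed for the demo; the hash
# is unsalted SHA-256, the kind of fast hash this attack is cheapest against.
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed plaintexts, hashed to play the role of a stolen credential dump.
_DEMO_PLAINTEXTS = ["Password1!", "qwerty", "Summer2023", "^Y34)8*a", "MydogisSmart!!"]
TARGET_HASHES: Set[str] = {hashlib.sha256(p.encode()).hexdigest() for p in _DEMO_PLAINTEXTS}

# Constructed wordlist; real ones (breach-derived lists) have millions of entries.
WORDLIST = ["password", "qwerty", "summer", "admin", "letmein", "dragon", "welcome"]
SUFFIXES = ["1", "123", "!", "1!", "2023", "2024"]


def mangle(word: str) -> Iterable[str]:
    """Yield the word plus the variants people actually type: case changes,
    a common number/punctuation tail, and a simple leet substitution."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for base in (word, word.capitalize()):
        for suffix in SUFFIXES:
            yield base + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def dictionary_attack(hashes: Set[str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Hash every mangled candidate and look it up in the target set.

    Returns {hash: recovered_password} and the number of guesses made. Because
    the hashes are unsalted, one guess is checked against every account at once."""
    found: Dict[str, str] = {}
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            digest = hashlib.sha256(candidate.encode()).hexdigest()
            if digest in hashes:
                found[digest] = candidate
    return found, tried


if __name__ == "__main__":
    recovered, guesses = dictionary_attack(TARGET_HASHES, WORDLIST)
    print(f"{len(recovered)} of {len(TARGET_HASHES)} hashes recovered in {guesses} guesses:")
    for pw in sorted(recovered.values()):
        print("   ", pw)
    # ^Y34)8*a and MydogisSmart!! survive: neither is a wordlist entry plus a rule.
```

Two defender-side observations follow from the code. Salting each hash means the attacker can no longer check one guess against every account at once, and a deliberately slow hash (bcrypt, scrypt or Argon2 instead of SHA-256) cuts the guess rate by several orders of magnitude, which is the site's lever against both dictionary and brute-force attacks.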

Should I use a password manager?

Short answer: yes. End users need some sort of password manager, especially since every account should have its own password. For many people that means 20 to 30 (or far more) different passwords, which is impossible to remember.

A password manager is an application, usually with a browser plugin, that stores your credentials in an encrypted database and fills them in automatically when you log in. It can generate, retrieve and keep track of very long, completely random passwords for every account, so none of them needs to be memorable. It is a very valuable tool in today's environment.

Password managers protect more than passwords: they also store PINs, credit card numbers and their CVV codes, and security questions and answers, all under strong encryption.

Most password managers sync their encrypted vault between devices, so the tool follows the user from laptop to phone, acting as a digital gatekeeper that fills in credentials when an account or website is opened. Everything is unlocked by one master password, so that password must itself be long, unique and never reused anywhere else, and the manager account should be protected with two-factor authentication.

Does two-factor authentication secure my accounts better?

Two-factor authentication (2FA) requires two different kinds of evidence of the user's identity: typically something the user knows (the password) plus something the user has (a phone or other physical device that receives or generates a one-time code).

Other second factors include:

  • Fingerprint readers, iris scanners (biometrics: something you are)
  • PINs (note that a PIN is another thing you know, so a PIN plus a password on its own is not two-factor)
  • A verification code sent to an email address (weak if the email account is the one being protected, since whoever controls it holds both factors)
  • Authenticator apps on a mobile device, enrolled by scanning a QR code, that generate one-time codes
  • Secret questions, the least secure option, since the answers can often be guessed or looked up (and they are another thing you know, not a second factor)
  • Card readers or USB security keys; FIDO2/U2F keys are the most phishing-resistant option because they bind their response to the genuine site's address

A strong password is still the first step in your cybersecurity plan, but adding a second, physical factor gives your accounts another level of protection: a stolen or guessed password alone is no longer enough to log in. Prefer an authenticator app or a hardware key over SMS codes where you can, since SMS codes can be intercepted by SIM swapping.