A guide to safe passwords and extra digital security tips for the ultra paranoid
Passwords can be inherently vulnerable to attacks because they involve what is probably the weakest element in every security plan: users. Here's a safe guide to adding an extra layer of security to your digital life.
A large portion of breaches involve compromised credentials and accidental disclosure of passwords. Needless to say, your safety online begins with uncrackable passwords and effective methods of authentications - although not all passwordless authentication methods are equally effective. Therefore, having a good knowledge about how passwords get hacked, what makes them vulnerable or not, and how the main protection alternatives work is essential to keep your accounts and your data secure.
How does a password get hacked?
There are different tactics to hacking passwords, from cyberattacks to deals on the black market. If a criminal wants to, indeed, crack your password, they usually do it via one of the methods below:
- Guessing game: Trying as many combinations of symbols, numbers, and letters as possible to guess your password. Anything under 12 characters is considered vulnerable, so this is what makes password length an important element to protect yourself. Unfortunately, it only takes only a few clicks to get details on any internet user, so the guessing game is usually just a matter of time.
- Dictionary attack: An attack focused on words you'd find in a dictionary. To combat this technique, many people rely on multiple word phrases, like MachineDogBrushYellow, to outsmart a possible dictionary attack.
- Phishing: Social Engineering is when criminals manipulate people into giving up confidential information, usually through tech support scams via email, SMS or phone calls. Here, they might take you to a phony website that requires a new or old password. Once you register your data, they've got it.
- Credential Stuffing: When criminals test compilations of stolen or frequently used combinations to crack accounts. In 2020, the FBI released the information that since 2017 they've been receiving reports on credential stuffing against major US financial institutions, with nearly 50,000 accounts compromises. To protect yourself, avoid common combinations and constantly check if your data has been leaked. To know if your data has ever been breached, tools such as Have I been Pwned help you check whether your email or phone number have been compromised during a data leak.
- Offline Cracking: When hackers transfer hashed passwords offline to crack them more safely, making the attack almost invisible - with infinite login attempts.
How to create a strong password
- Make it long. Remember that anything under 12 characters is vulnerable and easy to crack.
- Mix of characters. The more you mix up letters, numbers, and symbols, the safer your password is.
- Avoid common substitutions. If using leespeaks (when standard letters are replaced by numerals), avoid usual substitutions, such as D00R.
- Avoid sequences. Forget about sequential letters and numbers. Same with sequential keyboard paths.
- Forget about easily guessable information. They're incredibly easy to crack via brute force, or via someone who knows you.
Two very effective methods of creating safer passwords: the revised passphrase method and the sentence method:
Revised passphrase method
Using bizarre and unexpected words combined that gives you a mental image to remember.
The sentence method
Also known as the "Bruce Schneier Method". Schneier is an American cryptographer and computer security professional that created this new method of taking a sentence and turning it into a password, with a series of characters to help you remember it.
Example: Once a day I like to keep my data safe = 1@dI<32K33pMDS!
How to use a password manager and a random password generator
We know how difficult it can be to remember passwords, especially when each should be long, unique and hard to guess. Just remember, a password doesn’t have to be hard to remember to be hard to crack. Resist the temptation to let your browser save all your passwords for you because if someone takes control of your device, they can control your passwords too. A password manager helps you keep track of all of your passwords and does all the hard work of remembering everything for you - as long as you remember the password to access your password manager. You can use the likes of LastPass or 1Password.
How does 2-factor authentication work?
Two-Factor Authentication (2FA) adds an additional layer of security to your online accounts. More than just the username and password, you usually need a second element to confirm and gain account access. Although most websites usually require you to at least authenticate via SMS once you log in to your account for the first time, this is not enough. SMS is inherently insecure, as it can be easily hijacked or swapped to a new SIM card. Alternatives to SMS authentication are software-based one-time-password generators like Google Authenticator or Authy.
Other 2FA Best Practices can help you to make the most of this method, such as avoiding using your personal number (a dedicated Google Voice number solves this) or email-based account resets. The more you combine authentication methods, the safer your data will be.
How about going passwordless?
When we talk about passwordless authentication, we're talking about biometrics, physical security keys, authenticator apps, and email magic links. Although they all vary, the goal is to enable users to safely log in without the need to create, store and memorise passwords. Some are also the methods used to set up 2FA for your accounts, so it's important to know how they work. With a wide range of implementations, we can consider three methods to be categorically passwordless:
- Biometric authentication (e.g. fingerprint, facial recognition, and voiceprint)
There are two main kinds of biometrics readers embedded in endpoint devices: face readers and fingerprint readers. Both are considered very safe, mainly due to their natural impossible-to-replicate condition and effectiveness. However, some limitations might be concerning to a certain level, such as devices that do not do 3D facial scanning could be easily unlocked with a picture, or even the possibility of a false positive fingerprint match.
- Hardware-based authentication
In hardware-based authentication, a physical device (like a Yubikey) is used to verify identification. One of the biggest advantages is that only you can control the device, which strengthens protection.
A Yubikey comes in many forms and usually requires touching it to sign/generate codes. It might be used as the only authentication process, although the most common use is still as a 2FA tool. They are manufactured by Yubico and are used by major companies for different types of services or applications. It runs on its own hardware and any service that supports Google Authenticator automatically supports Yubico Authenticator, such as Google, Slack, Github, Microsoft, Instagram, Snapchat, and cryptocurrency exchanges (where it's sometimes even mandatory).
- Certificate-based authentication
It's when a digital certificate identifies a user, device, or machine before granting access. One of its main benefits is that it can be used for all endpoints, including the Internet of Things (IoT). Its safety relies on the fact that it leverages the private key and the password guarding the private key, guaranteeing a high level of security and control.
A second tier includes not completely passwordless alternatives, such as One-time passcodes (or PINs), also known as OTPs.
Regardless of the method you choose, protecting the access to your accounts with passwords or passwordless methods is essential to protect your sensitive data from theft and leaks. For more on data protection, and making sure your business is safe, talk to our team to see how encryption-in-use can be an effective and easy-to-use solution.