World Password Day 2024
- Date Posted:
- Read time: 6 min read
- Written by: Exa Networks
Yesterday (May 2nd 2024) marked the 11th World Password Day, so we’re taking the opportunity to talk about strong passwords and how they play a part in securing your online presence. As tends to be the case with computer security, the answer to “what constitutes a strong password” has changed over time – and beyond that, it’s now not the only consideration you need to make when securing accounts.
Threats to your online presence
Security is a cat-and-mouse game between those defending computer systems and those attacking them. In response to the general public being more security-conscious than ever, malicious actors are using increasingly sophisticated methods to gain unauthorised access to online accounts and technical infrastructure.
Supply chain attacks, impersonating legal authorities and the commercialisation of hacking tools are just some of the emerging threats. Advances in artificial intelligence, especially large language models, are allowing attackers to perform phishing attacks that are more convincing and with much less effort.
Consumer-grade computer hardware is more powerful than ever, allowing attackers to crack passwords at home without breaking the bank. Those inclined to do so could even rent processing power on extremely high-powered servers from one of the many public cloud providers.
Years of data breaches and poor password security have provided hackers with huge datasets of user credentials that can be used to speed up their password cracking attempts, or (as is the increasingly popular option) to perform password stuffing attacks.
This technique takes advantage of users re-using their passwords on multiple websites. A malicious actor works through a list of credentials and tries to use them to sign in to a given website. Although straightforward, password stuffing has enabled a number of high-profile data breaches in recent years:
23andMe’s breach really demonstrated not just the ease with which cyber criminals can exploit weak passwords but also the severe and wide-reaching consequences of such breaches. Hackers gained access to 14 thousand accounts, allowing them to download the personal details and genetic backgrounds of 5.5 million people.
A weak password can have an effect beyond just the person that chose it – only a quarter of a percent of those whose data was leaked had their own account breached.
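To show what a stuffing run looks like from the defending side, here is an added Python example (not from the article) that flags client IPs trying many different usernames in a constructed authentication log; the log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample of authentication log lines (not from the article):
# timestamp, client IP (RFC 5737 documentation ranges), username, result.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z 203.0.113.7 alice FAIL
2024-05-02T10:00:02Z 203.0.113.7 bob FAIL
2024-05-02T10:00:02Z 203.0.113.7 carol FAIL
2024-05-02T10:00:03Z 203.0.113.7 dave FAIL
2024-05-02T10:00:03Z 203.0.113.7 erin SUCCESS
2024-05-02T10:00:04Z 203.0.113.7 frank FAIL
2024-05-02T10:01:10Z 198.51.100.9 alice FAIL
2024-05-02T10:01:40Z 198.51.100.9 alice FAIL
2024-05-02T10:02:05Z 198.51.100.9 alice SUCCESS
"""


def parse_log(text: str):
    """Yield (ip, user, result) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, ip, user, result = parts
            yield ip, user, result


def stuffing_suspects(text: str, min_attempts: int = 5, min_users: int = 4) -> dict:
    """Flag client IPs that attempted many *distinct* accounts.

    A legitimate user who mistypes a password hits one account repeatedly;
    a stuffing run walks a leaked credential list, so nearly every attempt
    targets a different account. Successes from a flagged IP are the accounts
    that reused a leaked password and should be forced to reset it.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": []})
    for ip, user, result in parse_log(text):
        entry = per_ip[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if result == "SUCCESS":
            entry["successes"].append(user)
    return {
        ip: {"attempts": e["attempts"], "distinct_users": len(e["users"]),
             "successes": e["successes"]}
        for ip, e in per_ip.items()
        if e["attempts"] >= min_attempts and len(e["users"]) >= min_users
    }


if __name__ == "__main__":
    for ip, summary in stuffing_suspects(SAMPLE_LOG).items():
        print(ip, summary)
```

The second address in the sample is one user retrying their own account and is not flagged; the first is the stuffing signature, and its one success is the account to lock and reset.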
Picking strong passwords
In the past, you may have seen advice like “choose at least 8 characters”, “use a mix of numbers, lowercase and uppercase letters” or “don’t use the same password for Facebook as you do for your bank”.
Despite this, many users still pick extremely weak passwords and re-use them on multiple websites. Research by NordPass found that of the 200 most common passwords stolen in data breaches, most would likely take less than 1 second to crack.
Cracking a password basically involves guessing the combination of characters that make it up. The more guesses an attacker has to make before they’re correct, the stronger your password is. Therefore, the strongest way to create a password is to pick a long series of random characters. A password like this has no patterns (like words or phrases) that allow an attacker to guess it quickly. Make sure to use a unique password for each website or account you have!
You can visualise this with Bitwarden’s password strength checker – https://bitwarden.com/password-strength/. Look at how the time to crack the password goes up as the length increases:
| Password | Time to crack |
|---|---|
| WW91IGZ | 17 minutes |
| WW91IGZv | 3 hours |
| WW91IGZvd | 1 day |
| WW91IGZvdW | 12 days |
| WW91IGZvdW5kIGFuIGVhc3RlciBlZ2chCg== | Centuries (ie, never!) |
In a sense, strong passwords are really inconvenient for humans. We’ve all heard of the “password on a post-it on the monitor/keyboard” scenario – complex passwords will lead to sloppy security practices in the absence of some way to manage them easily. Nobody can be expected to remember “48656c6C6f20616761696E21”. For this reason, we highly recommend adopting a password manager – they make managing your passwords an awful lot easier, and can generate extremely strong passwords for you.
Beyond passwords
Picking strong, unique passwords is an excellent start to securing your accounts. However, a good cyber security policy should account for more risks. What if, through no fault of your own, your password falls into an attacker’s hands? In other words – how do you defend against account compromise, even if someone else knows your password?
Multi-factor authentication (also known as MFA, 2FA, 2 factor, etc.) is the go-to method for staying secure in this scenario. When you use MFA, websites will impose a second step during the sign-in process that helps ensure you are the person signing into your account. For example, they’ll text or email you a code that must be entered into the login form, or they’ll require you to enter a code from an authenticator app (such as Google Authenticator or Microsoft Authenticator). You could also invest in a hardware authentication token – websites that support these will require you to have the device plugged into your PC before they will allow you to sign in. A hacker would have to know your password and steal the token from you before they could impersonate you – not likely!
Another way to ensure your accounts are secure is to sign up for a service that monitors the news for security incidents (like Have I Been Pwned? or Apple’s compromised password alerts) which can alert you if your email or password is compromised. This will help you find out if your password’s been leaked in a timely fashion – at which point you can change your password and stay safe using our guidance above.
We’ll be discussing online security in more depth over the coming weeks, so make sure to subscribe to our newsletter to ensure you don’t miss out!