A strong password provides essential protection against financial fraud and identity theft. One of the most common ways that attackers break into computers is by guessing passwords. Simple and commonly used passwords let intruders easily gain access to, and control of, a computing device.
Creating a secure password is arguably the most important part of staying secure online. At the time of writing, 555,278,357 real-world passwords have been exposed in data breaches.
There are three kinds of password attack that attackers use: brute force, dictionary, and phishing attacks. Each has its own strengths and weaknesses, which are discussed below.
Brute Force Attack
A brute force attack is when an attacker tries every possible combination of characters until one matches your password. The easiest way to counter a brute force attack is to make your password at least 15 characters long. A long password has an enormous number of possible combinations, so an exhaustive search takes far too long to be practical.
Dictionary Attack
A dictionary attack is when an attacker tries common passwords, passwords leaked in data breaches, and words from the dictionary in an attempt to guess your password. Because these attacks work well against ordinary words, it is best to avoid any single common word and use a phrase or a combination of words instead.
For example, if your password were TheBrownFoxBlueTowel1, a dictionary attack would not work against it. If we go to https://howsecureismypassword.net/ and type in the example password above, it estimates that the password would take 35 quintillion years to crack. Tools like this are great for checking password strength. However, it is not recommended to type in your actual password.
Phishing Attack
A phishing attack is when an attacker uses social engineering to trick, intimidate, or pressure you into doing what they want. A phishing attack is typically carried out by sending fake emails containing a link that directs you to a malicious site.
Phishing attacks can also be conducted over the phone, where an attacker tries to sell you a fake service or product in hopes of obtaining your information.
What makes a password secure?
A strong password should consist of the following characteristics:
When it comes to creating a password, the more complex the better. Avoid common words such as password or qwerty. Make your password unique to you, and do not tell anyone else your password.
Complex passwords can be confusing and easily forgotten. Even so, it is not recommended to use personal information in your password, such as your pet's name or date of birth. An attacker can obtain this information through a social engineering attack, or sometimes simply by performing reconnaissance on the target.
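The rules from the attack section and the characteristics above can be turned into a simple checker. The following is an added example written for this article, not code from the original post or from any password manager: it enforces the 15-character minimum, rejects passwords found in a common/breached list or consisting of a single dictionary word (after undoing the usual leet substitutions and trailing digits), flags personal details the user supplies, and estimates the worst-case brute-force time at an assumed guess rate. The word lists and the guess rate are constructed for illustration; a real deployment would use a full breach corpus and a dictionary of hundreds of thousands of words.

```python
"""Password policy checker (added example; not from the original article)."""
import math
import re
import string

# Constructed stand-in for a breached/common password list. Real lists have
# hundreds of millions of entries; these few are only for the demonstration.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "iloveyou", "welcome"}

# Constructed stand-in for a plain dictionary word list.
DICTIONARY_WORDS = {"brown", "fox", "blue", "towel", "summer", "dragon", "monkey"}

MIN_LENGTH = 15
# Assumed attacker guess rate (offline cracking of a fast hash on a GPU rig);
# change it to model a different threat.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    ascii_printable = string.ascii_letters + string.digits + string.punctuation
    if any(c not in ascii_printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming every character was chosen uniformly."""
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an exhaustive search over the password's keyspace."""
    return charset_size(password) ** len(password) / rate


def normalise(text: str) -> str:
    """Lower-case and undo common leet substitutions so P@ssw0rd matches password."""
    return text.lower().translate(str.maketrans("@$0134!", "asoieai"))


def check_password(password: str, personal_info: tuple = ()) -> list:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    norm = normalise(password)
    # 'Dragon2019' is still the dictionary word 'dragon' to a cracker's rule set.
    stripped = normalise(re.sub(r"\d+$", "", password))
    if norm in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if stripped in DICTIONARY_WORDS:
        problems.append("is a single dictionary word")
    for item in personal_info:
        item_l = item.lower()
        if len(item_l) >= 3 and (item_l in lowered or item_l in norm):
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the article's example password.
    details = ("Rex", "1990")  # hypothetical pet name and birth year
    for pw in ("password", "P@ssw0rd123", "Dragon2019", "Rex19900101xyzabc",
               "TheBrownFoxBlueTowel1"):
        years = brute_force_seconds(pw) / (365.25 * 24 * 3600)
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, brute force <= {years:.3g} years, "
              f"problems: {check_password(pw, details) or 'none'}")
```

The brute-force estimate is deliberately a ceiling: it counts the whole keyspace at one fixed rate, while the dictionary and personal-information checks catch the passwords a real cracker would find long before exhausting that keyspace. The 15-character minimum alone does not make a password strong, which is why the checker runs all of the rules rather than stopping at length.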
Managing Your Password
Password management is one of the most important aspects of a secure password. A password is only secure if it is used for a single account. Using a password manager is a secure way to manage your passwords. Password managers also include a secure password generator, which creates a strong password and stores it for you.
From personal experience, I've always preferred KeePass. This is because KeePass uses AES-256 encryption and supports two-factor authentication, ensuring that you are the only one who can access your passwords.
But my biggest reason for choosing KeePass is that the data is stored in a database on your local machine, unlike other password managers, which store it in the cloud. The issue with relying on a cloud-based password manager is that an attacker can perform a man-in-the-middle attack and potentially discover your master password for accessing the password manager.
One thing to keep in mind with password managers: if you forget your master password, all the data will be lost.
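To show what a password manager's generator is doing, here is an added example written for this article (it is not KeePass code or any other manager's implementation). It draws characters from the operating system's cryptographic random source via Python's secrets module, rejects candidates that miss a character class so the result always mixes letters, digits and symbols, and also builds the kind of word-combination passphrase recommended above. The 16-word list is constructed for the demonstration and is far too small for real use; the entropy helper shows why a list of several thousand words (7776 is the size of the EFF long word list) matters.

```python
"""Secure password and passphrase generation (added example; not from the
original article or from KeePass)."""
import math
import secrets
import string

# Constructed word list for the demonstration only. A real passphrase
# generator uses a published list of thousands of words.
WORDS = ["brown", "fox", "blue", "towel", "river", "candle", "orbit", "maple",
         "granite", "velvet", "lantern", "cactus", "harbor", "pebble", "summit", "willow"]

# Each generated password must contain at least one character from every class.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, covering every character class."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)} to cover every class")
    while True:
        # secrets.choice is uniform and unbiased; random.choice is not suitable here.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(words: int = 5, separator: str = "-") -> str:
    """Random word-combination passphrase, like the article's multi-word advice."""
    return separator.join(secrets.choice(WORDS) for _ in range(words))


def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly generated password of the given length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int = len(WORDS)) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print("password:  ", generate_password(20), f"({password_bits(20):.1f} bits)")
    print("passphrase:", generate_passphrase(5),
          f"({passphrase_bits(5):.1f} bits from this toy list; "
          f"{passphrase_bits(5, 7776):.1f} bits from a 7776-word list)")
```

The generator never reuses a password and never derives one from anything about the user, which is exactly the property the article asks for: a unique, random secret per account, with the manager remembering it so the person does not have to.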
Using a secure password is one of the best ways a consumer can stay secure. Remember to use long, complex passwords and consider using a password manager to help keep track of your passwords.
Created by Cyber Security Analyst Taylor Melvin / @taylor_melvin09 on Twitter
Thanks for reading and stay safe out there 🙂
was formed in 2015 by a group of cyber-security practitioners with experience in large enterprises. Our mission is to bring those frameworks and practices to small and medium businesses to help them get and stay cyber secure.
Our team can help you assess your current information security and privacy controls to ensure that you are doing your due diligence in managing your corporate risk profile.
If any gaps or vulnerabilities are discovered, our team will document them and define a road map to remediation.
TeamCISO provides comprehensive pen testing and PCI QSA services. The company can be contacted on 905-621-9925 or by email at firstname.lastname@example.org