Best Computing Practices 101: Improve your password security
Posted on
November 18, 2014
Use secure password practices to protect your data.

Is your most terrifying dark secret that you’ve used the same password on every website you’ve visited for the past 10 years? Are you worried about the security of your financial, e-mail and social media accounts? Hackers have tools at their disposal that allow them to gain access to your password, but they all require that you first make a mistake. By following some simple password security practices, you can protect the security of your accounts from prying eyes.

How Do Hackers Steal Passwords?

If you’ve watched too many Hollywood movies, then you might have a mental image of a hacker sitting behind a computer screen running software that automatically guesses each character in your password until it locks in on the correct value. Fortunately, this isn’t really possible because almost any website will lock out your account after repeated login failures. How, then, do hackers gain access to the accounts of unsuspecting users?

One of the easiest ways for hackers to learn your password is to simply ask you for it. Don’t think that you’d fall victim to this type of attack? The data says otherwise. In Microsoft’s most recent Computer Safety Index, released in 2014, the company estimated that phishing attacks affected 15 percent of adults last year.

Phishing attacks have become increasingly sophisticated over the past five years. Emails originating from Eastern Europe written in broken English are a relic of the past. Today’s phishing attack is well written, uses logos and brand markings of legitimate companies and redirects users to a carefully crafted decoy website that appears legitimate. Once users enter their password, hackers use it immediately on the legitimate site, sell it on the black market or store it away for future use.

Another common way that hackers gain access to passwords is to eavesdrop on your network communications. If you use a public Wi-Fi network without using encryption technology, then your password is open to interception. Think carefully the next time you access an account from an airport, coffee shop or other public location. If you’re not connecting to the website via an HTTPS connection, someone across the room could be eavesdropping and stealing your password.

Hackers don’t need to trick you to obtain your password — they might be able to obtain it directly from the website where you created an account. Websites need to store your password in a database so that they can verify your login attempts. If a hacker gains access to the website’s database, they can steal thousands or millions of passwords at a time. This is the type of attack that results in headlines like “Millions of passwords compromised.”

To protect against this type of attack, well-designed websites don’t directly store passwords in their databases. Instead, they store the output of a one-way transformation of the password known as a hash, from which the original password cannot be recovered. When you attempt to log in to the website, the site hashes the password you provided and compares it to the hashed value in the database. Using this technology slows hackers down, but they still may be able to determine your password by hashing millions of possible passwords and comparing those values to the stored hash.
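The store-and-compare flow described above, written out as an added example (not code from the article): the site stores a salted, deliberately slow hash of the password and, at login, re-hashes what the user typed and compares it to the stored value. The unsalted single-round hash is included only as the weak scheme to contrast against; the iteration count and storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a per-user random salt and a work
# factor high enough that each guess costs the attacker real time.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable string: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is generated unless one is supplied, so two users with
    the same password end up with different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the supplied password with the stored salt and work factor,
    then compare in constant time. Malformed records are rejected."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha256(password: str) -> str:
    """The weak scheme for contrast: one fast hash and no salt. Identical
    passwords produce identical hashes, so one precomputed table of hashed
    guesses can be compared against every record in a stolen database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("1+rILCitt!")
    print("stored record:", record)
    print("correct password accepted:", verify_password("1+rILCitt!", record))
    print("wrong password rejected:", not verify_password("password12", record))
    print("salted hashes of the same password differ:",
          hash_password("password12") != hash_password("password12"))
    print("unsalted hashes of the same password match:",
          unsalted_sha256("password12") == unsalted_sha256("password12"))
```

The verification path deliberately reads the iteration count back out of the stored record, so a site can raise the work factor for new passwords over time without breaking existing accounts.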

Protecting Your Passwords

The situation may sound bleak. Indeed, hackers have many tools and techniques at their disposal that help them gain access to your secret passwords. Fortunately, there are steps that you can take to protect your accounts from unauthorized access.

First and foremost, you should always use strong passwords. Choose a password that is at least eight characters long and consists of a mixture of letters, numbers and symbols. Avoid using dictionary words, names, telephone numbers or other values that might be easily guessed. All of these measures dramatically increase the number of guesses that an attacker will need to make before successfully stumbling upon your password. It’s time to throw out all of those “password12” passwords that you created years ago and replace them with something more like “1+rILCitt!”. Think that’s hard to remember? Use a mnemonic device like “One positive reason I like cheese is the taste!”
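The rules in that paragraph, turned into a checker as an added example (not code from the article): it flags passwords shorter than eight characters, passwords missing a class of characters, passwords built on a dictionary word and passwords that look like telephone numbers, and it estimates how much larger the guess space becomes when all character classes are used. The word list is a small constructed stand-in for a real dictionary, and the guess-space figure assumes an attacker who must try every combination of the character classes present.

```python
import math
import re
import string

# Constructed stand-in for a dictionary of common words; a real checker
# would load a far larger list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "football", "monkey"}

MIN_LENGTH = 8


def check_password(password: str) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        ("letters", any(c.isalpha() for c in password)),
        ("digits", any(c.isdigit() for c in password)),
        ("symbols", any(c in string.punctuation for c in password)),
    ]
    missing = [name for name, present in classes if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Strip digits and symbols so "password12" is still recognised as "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        problems.append("built on a dictionary word")

    # Seven or more digits with only separators in between reads as a phone number.
    if re.fullmatch(r"[\d\-\s().+]{7,}", password):
        problems.append("looks like a telephone number")

    return problems


def guess_space_bits(password: str) -> float:
    """Estimate log2 of the number of combinations an attacker must try when
    guessing over every character class the password uses. This is a
    brute-force space estimate, not a measure of how guessable the password is."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


if __name__ == "__main__":
    for candidate in ["password12", "1+rILCitt!", "555-123-4567"]:
        print(candidate, check_password(candidate) or "ok",
              f"{guess_space_bits(candidate):.1f} bits")
```

Note that the two sample passwords from the paragraph are the same length; the difference in guess space comes entirely from the extra character classes, which is the point the paragraph makes.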

Next, you need to use different passwords on every website you visit. Burdensome as it is, there’s really no way around this requirement. The simple truth is that hackers know people reuse passwords all over the place. When hackers steal a password database from a low security website, the first thing they do is try those username and password combinations on high value sites. If the same password protects your social media accounts and your online banking accounts, you’re a victim in the making.

Protecting your passwords also means protecting yourself from phishing messages. If you receive a strange email from an organization you do business with, think twice before clicking the link it contains. If you suspect that it’s fraudulent, visit the company’s website by typing the URL directly into your web browser. You can also pick up the phone and give them a call to verify a suspicious message.

The ultimate way to protect the security of your accounts is to supplement your passwords with other authentication mechanisms. Many websites, including banks, Twitter, LinkedIn and Google, now offer two-factor authentication technology as a free optional service. When you enable two-factor authentication, the website prompts you for your username and password in the normal fashion. After you successfully provide your password, the website sends a code to your phone that you must type into the website before gaining access. If you enable this feature, hackers will not be able to gain access to your account unless they have knowledge of your password and physical possession of your phone.
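The server side of the second step described above, as an added example (not the code of any of the sites named): after the password check succeeds, the site issues a short random code, keeps only a hash of it with an expiry time and an attempt budget, and accepts it once. The attempt limit is the same idea as the login lockout mentioned earlier in the article, applied to the code. Delivery of the code to the phone is outside this example; `issue_code` returns it only so the flow can be exercised locally, and the lifetime and attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy for this example: a code is valid for five minutes and
# survives at most three wrong guesses before it is discarded.
CODE_LIFETIME_SECONDS = 300
MAX_ATTEMPTS = 3


class SecondFactor:
    """Tracks one pending code per user. Only a hash of the code is kept,
    so a copy of this table does not reveal live codes."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without waiting
        self._pending = {}   # username -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue_code(self, username: str) -> str:
        """Generate a six-digit code from a cryptographic RNG and record it.
        In a real deployment the returned code would be sent to the phone
        out of band, never shown in the browser."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = [
            self._digest(code),
            self._clock() + CODE_LIFETIME_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify_code(self, username: str, code: str) -> bool:
        """Accept the code once, within its lifetime and attempt budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(self._digest(code), code_hash)
        # A correct code is single use; exhausting the budget also discards it.
        if ok or entry[2] <= 0:
            del self._pending[username]
        return ok


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue_code("alice")
    print("code delivered out of band:", code)
    print("wrong code rejected:", not sf.verify_code("alice", "000000" if code != "000000" else "111111"))
    print("correct code accepted:", sf.verify_code("alice", code))
    print("replayed code rejected:", not sf.verify_code("alice", code))
```

Because the code is only accepted after the password step and is discarded on first use, on expiry or after three wrong guesses, a stolen password alone is not enough to log in and the six-digit space cannot simply be guessed through.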

Can’t Remember All Those Passwords?

We’ve known for years that using unique, complex passwords greatly enhances Internet security. So why don’t people use them? The most common complaint is that it’s simply too hard to remember a long list of complex passwords. Fortunately, technology can come to the rescue here as well.

Password managers centralize the management of your passwords across many different accounts. They store the passwords in an encrypted database protected by a master password. The password manager automatically generates complex passwords for each website that you access and then fills those passwords in for you, saving you from the burden of remembering many different passwords. If you’d like to give this technology a try, some of the products that you may wish to evaluate include LastPass, 1Password and KeePass.

If you decide to use a password manager, remember that the password used to protect access to that account truly provides the “keys to the kingdom.” If someone learns that password, they will then not only have access to all of your passwords, they will also have a laundry list of all of the sites where they may be used! For this reason, you should always use a very strong master password that is completely unrelated to any other password that you’ve ever used. Commit it to memory and guard it carefully! Better yet, consider using two-factor authentication to protect your password manager account.

Hackers do have a wide variety of tools that they can use when attempting to gain access to your passwords. By following the advice in this article, you can reduce the risk that you’ll fall victim to their attacks and protect the security of your online accounts.

About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.
