In last week’s blog post, we showed you how to check if your online accounts have been compromised. We’re all told that we should change our passwords regularly, right? That is even more important if one of your online identities has been leaked. So this week, we’re answering the question of why you need good passwords.
As usual, we’re going to have a look at how the underlying technologies and hacks work first. Then we can understand how to defeat those attacks in the real world. Let’s do it!
Why do you need more than one good password? If you choose something which is impossible to guess, and then use that everywhere, you’re safe aren’t you? Unfortunately not.
Imagine one of your passwords gets into the hands of hackers. The first thing the bad guys will do is grab your email address and your password, then try the pair on every online account they know. All of a sudden your online fantasy football password is used to access your email, because you used the same one. Once they’re in your email, they can reset any old account’s password they like and just intercept the password-reset email. Bad times.
So now we know why we need to use different passwords for everything. But what’s a “good” password?
More terminology for you, and this one, credential stuffing, is a fairly modern one. If you have heard of brute force attacks, this is similar. A brute force attack tries every single combination of username and password string until, eventually, it guesses the right one. Think of it like a combination padlock: if you have the patience to enter every possible number, you will open it. Computers can do that far more quickly than a person, so they can break passwords pretty quickly.
Credential stuffing is similar, in that attackers take a list of usernames (usually email addresses) and a list of leaked passwords from any system ever, and try every combination of the two. So if anyone else uses the same password as you, and their password leaked from somewhere, it might end up in one of these lists and be used to compromise your account.
Dictionary attacks are pretty straightforward: try all the words in the dictionary and see if your password matches any of them. Usually an attacker will program the attack to slap a couple of words together and try variations, since modern systems force us all to have longer passwords.
So now you can see why you shouldn’t choose words which appear in the dictionary, and why you shouldn’t re-use passwords. But what does a good password look like?
The first thing to keep in mind is that, unless you’re particularly gifted in this area, you’re not going to be able to memorise good passwords. For this reason we look to password managers like LastPass or Dashlane. These applications integrate with your desktop web browser and your smartphone to generate and remember complex passwords for all of your online identities. All you need to do is remember the master password, and hopefully use two-factor authentication for it too.
The passwords these generate will look like gibberish strings of letters, numbers and punctuation, because they are. Now that you understand how password guessing works, you can see why this is a good idea.
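To make the brute force, dictionary and password-manager points above concrete, here is an added Python example (not code from the original post or from any password manager). It undoes the usual case, leetspeak and trailing-digit tricks, checks whether what remains is just dictionary words, and compares the rough number of guesses an attacker would need against a randomly generated password; the six-word list, the 100,000-word dictionary size and the 1,000 variants per word are constructed assumptions, not measured figures.

```python
import math
import secrets
import string

# Constructed stand-in for an attacker's word list; a real one holds ~100k words.
COMMON_WORDS = {"password", "football", "dragon", "welcome", "summer", "monkey"}
ASSUMED_DICTIONARY_SIZE = 100_000     # assumption: words in a real attack list
ASSUMED_VARIANTS_PER_WORD = 1_000     # assumption: case/leet/suffix variants tried
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LEET = str.maketrans("0134$@!", "oieasai")  # reverses common substitutions


def normalize(candidate: str) -> str:
    """Undo the tricks a dictionary attack also undoes: upper case, trailing
    digits or punctuation, and leetspeak substitutions."""
    stripped = candidate.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def dictionary_words(candidate: str, words=COMMON_WORDS) -> list:
    """Split the normalized candidate into words from the list; returns [] if
    any part is not a listed word, i.e. a dictionary attack would miss it."""
    text, hits, i = normalize(candidate), [], 0
    longest_first = sorted(words, key=len, reverse=True)
    while i < len(text):
        for word in longest_first:
            if text.startswith(word, i):
                hits.append(word)
                i += len(word)
                break
        else:
            return []
    return hits


def strength_bits(candidate: str, words=COMMON_WORDS) -> float:
    """log2 of the guesses needed: the (small) dictionary-attack cost if the
    password is built from words, otherwise brute force over all 94 symbols."""
    hits = dictionary_words(candidate, words)
    if hits:
        return len(hits) * math.log2(ASSUMED_DICTIONARY_SIZE * ASSUMED_VARIANTS_PER_WORD)
    return len(candidate) * math.log2(len(CHARSET))


def generate_password(length: int = 16) -> str:
    """What a password manager hands you: uniformly random symbols, no words."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@ssw0rd123", "Dr4g0nM0nkey", generate_password()):
        print(f"{pw:20} words={dictionary_words(pw)!s:22} ~{strength_bits(pw):.0f} bits")
```

Two leetspeak dictionary words come out at roughly the same guess count as eight random symbols, and a 16-symbol generated password is far beyond either; the toy word list means anything not in it is scored as random, so a real check would load a full dictionary and a leaked-password list.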