Passwords provide the first line of protection against cyber attacks for your smartphones, PCs, WiFi networks, social media accounts or payment platforms. However, not just any password will protect you. According to a study published in April by Troy Hunt in collaboration with the UK's National Cyber Security Centre, there are 4.4 billion internet users, and while the majority protect their accounts with passwords, they don't do it well enough. Most passwords are made up of easily predictable sets of numbers or letters. For instance, '123456' was used 23 million times, while 'password' was used 3.6 million times.
Security experts have often urged people to develop strong password habits. To emphasise its importance, the Registrar of National Day Calendar has nominated the first Thursday in the month of May every year as World Password Day.
How to protect yourself
It's important to know how hackers can crack your password. According to the McAfee Labs blog, users should avoid consecutive keyboard combinations or dictionary words, as they are easy targets for 'Dictionary attacks'. Hackers use software like John the Ripper that can automatically plug common words into password fields, making password cracking easy.
Using birthdays or the names of family members, a spouse or children is also not advised, since they can be easily inferred by scanning users' social media posts. This form of attack is also known as Spidering.
Of course, reusing the same password for all accounts is another common mistake because hackers can get access to all your accounts by cracking one password.
Another common attack used by hackers is Brute Force. Unlike Dictionary attacks, here they don’t work on a list of commonly used passwords. Instead, more sophisticated tools are used to calculate every combination of letters and numbers. Longer passwords make the task difficult for hackers as they have to work with more combinations.
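The checks described above can be expressed as a small password audit. This is an added example, not code from the article or from McAfee Labs; the word list, the function names and the 60-bit threshold are assumptions chosen for illustration.

```python
import math
import string

# Constructed sample list; a real audit would load a much larger wordlist.
COMMON = {"123456", "password", "qwerty", "letmein", "welcome"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_BITS = 60  # assumed threshold, not a figure from the article

def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def search_space_bits(pw):
    """Brute-force search space in bits: length * log2(alphabet size used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def audit(pw, personal=(), seen=()):
    """Return the list of weaknesses found; an empty list means none fired.

    personal: names or dates an attacker could infer from social media
    seen:     passwords already used on the owner's other accounts
    """
    findings = []
    low = pw.lower()
    if low in COMMON:
        findings.append("common-password")      # dictionary attack
    if has_keyboard_run(pw):
        findings.append("keyboard-sequence")    # consecutive keys
    if any(len(p) >= 3 and p.lower() in low for p in personal):
        findings.append("personal-info")        # spidering
    if pw in seen:
        findings.append("reused")               # one crack opens every account
    if search_space_bits(pw) < MIN_BITS:
        findings.append("small-search-space")   # brute force
    return findings

if __name__ == "__main__":
    for candidate in ("123456", "Priya1990!", "t9#Vq2!mZr7&Lx"):
        print(candidate, audit(candidate, personal=("Priya", "1990")))
```

A password such as Priya1990! mixes all four character classes and clears the length check, yet is still flagged because it is built from details that can be inferred about its owner.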
Maintaining a strong password is not a single-step solution. Users need to keep various things in mind to keep passwords strong.
According to McAfee Labs, in addition to using long and complex passwords comprising a random set of symbols, numbers and letters, specific to each account, users also need to keep security software up to date to avoid keylogger attacks, and avoid signing in to accounts on public computers or on their personal devices using public WiFi. A keylogger is malicious software that can track your keystrokes.
Complex passwords can be hard to remember. This is where password managers like LastPass and Keeper can come in handy. These solutions keep all complex passwords in an encrypted format and users can access them all with one master password. Besides the master password, some of the solutions use multi-factor authentication and sign-in forms.
While users should regularly update their passwords, keeping an eye on the passwords that might have been compromised in a data breach might help too. In March, Facebook was accused by an independent cybersecurity expert of storing millions of passwords in plain text format on its internal servers. These passwords could be seen by anyone with access to these servers.
Facebook accepted the mistake but said the passwords were never visible to anyone outside of Facebook. Users can check which of their accounts or passwords have been compromised on sites like haveibeenpwned.com, created by Hunt.
Google recently added a password checkup extension for Chrome, which will tell users which of their usernames and passwords have been compromised and need to be changed.
Two-factor authentication has emerged as the second line of defence after passwords. After punching in their password, users are required to verify the sign-in using a one-time password (OTP) sent through SMS, a six-digit code generated through apps like Google Authenticator, or a small USB device like the Google Titan Security Key or Yubico FIDO U2F Security Key. This last step requires users to plug the USB dongle into the PC and then type the specific code only they would know. For smartphones there are Bluetooth-based security keys.