Shane Chambers

Just a few years ago, if you asked someone how to create a safe password, most people would say the same thing: use a mixture of upper- and lower-case letters, symbols and numbers so that it’s too complex for hackers to guess, and you should be safe.

Fast-forward to 2019, however, and you will find more and more people recommending that you use a ‘passphrase’ instead. But what is a passphrase, and why are experts all recommending we use them instead of the traditional password?

Passphrases are believed to be more secure and easier to remember than traditional passwords

There are two main reasons that passwords are becoming outdated – cyber criminals using increasingly sophisticated tools to crack them, and plain old human error when people create them.

Password Cracking Tools

Cyber crime and cyber security grow in tandem: as soon as criminals create a new means of taking advantage of people, security researchers create a means to stop them, and as soon as a new innovation in cyber security is created, hackers are quick to try to find a way around it.

As security systems have become ever more complex and competent, cyber criminals have realised that the ‘weakest link’ is often the people involved, and cracking passwords has naturally become a focus for them.

Cyber criminals amass vast databases of passwords from previous breaches and try all the common ones that people use when trying to gain unauthorised access to an account. Passwords like ‘123456’, ‘qwerty’ and even ‘password’ remain incredibly popular, and are likely to be cracked almost instantly should a hacker want to gain access to an account that uses them.

Password re-use leads to more hacked accounts

Memory is also a significant factor, as studies have shown that most people re-use passwords heavily across their various services. Cyber criminals know this, so if they get access to your email and password for one service, they will attempt to use that combination to log into any other services you have as well. This means that if your account is breached on one site, chances are that your other accounts are left vulnerable as well.

The above technique is known as “credential stuffing” and has proven to be an effective means of hackers getting access to accounts that they shouldn’t. People will often have one password that they use for multiple sites, but perhaps they vary a letter or number so that they’re not using the exact same one for all their websites – unfortunately, criminals know this too, and use automated tools to try many combinations of the password that they do know until they find the correct variation.

So what IS a passphrase?

Simply put, a passphrase is a type of password, but consists of a sentence instead of a word. There are two main benefits to using a passphrase over a password: They are harder to crack using machines, and they are easier to remember (and hence vary per site).

Traditional advice would say to create a password such as ‘Sn0opyD0g!123’, whereas a passphrase could be ‘My dog is a Collie called Snoopy!’. Without having to remember complex combinations of symbols and numbers, it is easier to create unique passphrases for the various websites you may use. Whereas old guidance recommended using passwords that are at least 8 characters long, passphrases would typically be 20+ characters long, with many services allowing you to enter phrases of over 100 characters.

Most password-cracking tools used by hackers, even the most sophisticated ones, seriously struggle to crack passwords longer than 20 characters (unless you are using a previously hacked password) due to the sheer number of variations they could consist of. Hence, just by making your passwords longer, you are seriously reducing the chance of them being cracked by malicious actors.
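From the service's side, the points above about common passwords, one-character variations and length can be enforced when a password is set. The following is an added example, not code from this article; the deny list, the swap table and the 20-character minimum are assumptions made for illustration.

```python
import re
from typing import Optional

# Constructed sample deny list; a real service would load a breach corpus.
BREACHED = {"123456", "qwerty", "password"}
MIN_LEN = 20  # assumption: the 20+ characters this article suggests

# Character swaps undone before comparison (assumed set, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical(pw: str) -> str:
    """Base form of a password: trailing digits/symbols stripped,
    lowercased, swaps undone, everything but a-z removed."""
    # Strip the tail first so a final "1" is not read as the letter "l".
    core = re.sub(r"[\d\W_]+$", "", pw)
    core = core.lower().translate(SWAPS)
    return re.sub(r"[^a-z]", "", core)


# Base forms of the deny list; all-digit entries reduce to "" and are dropped.
BREACHED_BASES = {canonical(p) for p in BREACHED} - {""}


def screen(pw: str, previous: Optional[str] = None) -> str:
    """Verdict for a password chosen at sign-up or at a password change.
    `previous` is the current password the user typed to authorise the change."""
    base = canonical(pw)
    if pw.lower() in BREACHED or base in BREACHED_BASES:
        return "breached"    # on the deny list, or a dressed-up form of an entry
    if previous is not None and base and base == canonical(previous):
        return "variant"     # same base as the old password, one character varied
    if len(pw) < MIN_LEN:
        return "too_short"
    return "ok"
```

The canonical form is only used for comparison and is never stored.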

2-factor authentication is still king though

With all that said, passwords (and passphrases) are inherently insecure, as they can be hacked or even leaked. In many cases, hackers don’t obtain your password because they have tried to crack your specific account, but because they have hacked the website or service you are using and obtained it from them. Even passphrases aren’t immune to poor security of the databases used to store them.

The most popular means of ensuring that only you can access your accounts and your sensitive data is to use multi-factor authentication, also commonly called 2-factor authentication. This means that when logging into your account, you will need a specific code in addition to your password to log in. This could be a code that is texted to your mobile, or that is generated by an app such as Google Authenticator or Authy on your mobile or PC.

Let’s say some hacker has obtained your password, and they attempt to log in to your account with it. After successfully entering your password, they are then prompted for your 2FA code, which has just been texted to your mobile. In most cases, the hacker isn’t even in the same country as their targets, so obtaining physical access to your phone is going to be next to impossible. Furthermore, you will get the text that someone has tried to log in, (hopefully) recognise that it wasn’t you, and know that you should change that password immediately.
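Codes generated by an app such as Google Authenticator follow the TOTP standard (RFC 6238): the app and the service share a secret and each derive the code from the current 30-second time step. The following is an added example, not code from this article, showing the derivation and a server-side check; the secret is the RFC's published test value, and the `verify` helper and its `last_used` replay guard are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for
DIGITS = 6   # code length shown by typical authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, now // STEP, digits)


def verify(secret: bytes, submitted: str, now: int,
           last_used: int = -1, window: int = 1):
    """Return the time step the code matched, or None.

    Accepts one step either side of `now` for clock drift, and refuses any
    step at or before `last_used` so an observed code cannot be replayed.
    The caller stores the returned step as the account's new `last_used`.
    """
    current = now // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        expected = hotp(secret, counter)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


# Test secret published in RFC 6238 Appendix B (never use it for a real account).
RFC_SECRET = b"12345678901234567890"
```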

So in summary, how do I keep my accounts protected online?

Use longer passwords/passphrases, don’t re-use passwords between websites, and above all, ensure you have 2-factor authentication enabled on any service that allows it. See the link for tutorials on how to turn on 2FA for common websites such as Facebook, Gmail and more.

Follow those simple steps and your account will be as safe as it can be in 2019, and hackers will have an extremely hard time gaining access to your sensitive data!