You might not know it yet, but today is the most important day of the year. It’s not Christmas, it’s not your birthday, you haven’t forgotten your anniversary; today is Safer Internet Day, and – in terms of your business life at least – it’s about as important as they come. There are so many things we could talk about on this most illustrious day, many of which we’ve touched on over the years, but we’ve decided to go back to NOT basics to talk about the most unloved and misunderstood of all the security practices, passwords.
Which of these passwords is the strongest?
This #SaferInternetDay we’re asking how clued up you are with passwords. 1 of these can take up to 45 quintillion years to crack. Which one?
— UKFast (@UKFast) February 7, 2017
There’s a good chance that you – along with the rest of the Twittersphere – might not be too sure. It’s hardly surprising in this age of information overload, especially when so much of it is conflicting (you can find the results in this afternoon’s blog at 4pm). But it’s still pretty worrying when most people consider passwords the most basic of basic security steps.
Actually, though, they’re frequently misunderstood. Do you know how long your password takes to crack? In the case of one fake password I tried, it took less than three hundred picoseconds (which is a trillionth of a second)!
But, with attacks on companies both big and small happening daily, it’s never been more important to be prepared.
It’s been theorised over the years that passwords will be replaced, but at the moment they’re still the most common way of protecting an account. The problem is that as tech progresses, so does the tech that attackers are using.
How it tends to work now is that these password pinchers essentially use their high-powered tech minions to search through various dictionaries they have of known words to try out different password combinations, hoping to chance on yours. This means that even long phrases that were previously quite secure (like ‘halfb00kduckstereotype1988’) can now be cracked quite quickly. Basically, if it’s a recognisable word – even something like ‘k1araj0hns0n’, or any random combination that you’ve stored online at some point in the past – the system can break it.
So, how do you create the strongest possible password (note, this is against a dictionary attack – there are other kinds but this is a common method!)?
Cyber security expert Bruce Shneier has come up with the ‘Schneier scheme’, which tells you how to create a password the dastardly dictionary checks will miss.
He says: “My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence – something personal.”
Other examples of this method could be:
• WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
• Wow…doestcst = Wow, does that couch smell terrible.
• Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
• uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
He also suggests using “random unmemorable alphanumeric passwords (with symbols, if the site will allow them)” – literally as random as B3h4_[%}kgv), and then a password manager to create and store them. Often the password manager will create the passwords for you and then store them, so you only need to remember the password for the password manager, which is handy.
So, there you have it. Do a bit more research and educate both yourself and your team, see what’s out there, if you have your own site invest in two-factor authentication; but make sure you treat passwords with as much importance as you would Christmas, otherwise it’ll certainly end up being a very festive payload for the bad guys!
Come back at 4pm to see our videos answering the most searched questions about cybersecurity on Google – and the answer to the Twitter poll!