Password: Easy to Remember, Easy to Hack
Table of Contents
- By Bryan Lee
- Sep 09, 2022
Most people don’t worry about password safety until it becomes a problem. They find an email or notification from a website asking, “Is this you?” Or they notice unverified purchases from a credit card linked to one of their accounts. Only then do they take a moment and ask themselves: how secure are my passwords?
It doesn't take a reclusive genius to break most passwords despite what movies would have us believe. How vulnerable a password is to hackers depends largely on how a site stores sensitive data. In general, there are four ways to do this.
The most basic method to store information is in plain text. It’s also the most unreliable and quickly leads to account takeovers. If a hacker gains access to a server, they can read each password without additional steps.
For example, if your password is “Elephant,” it would be stored on that site’s server as “Elephant.”
Using encryptions is a better but still unsafe method for password storage. Encryption is a secret code used to hide information. You may have used it in school when passing around secret messages. So, a hacker could only read the information they dig up if they have access to the code.
The problem with encryptions is that many small sites store their information on a single server. This means that hackers skilled enough to access account credentials with this method will also automatically get the encryption key.
Hashing a password is very similar to encryption, except for one huge difference. There isn’t a key.
Websites generally use encryptions because they want an easy way to reverse engineer and recover a password in plain text. However, if a company doesn’t need to know its user’s passwords, then there’s no need for a key.
Hashing removes a critical weak point of encryptions and forces hackers to “guess” passwords if they want to compromise your information. While this might sound safe, advanced computing power allows hackers to guess anywhere from ten thousand to a billion passwords per second.
Unfortunately, not everyone creates long passwords for themselves. This means that even hashing by itself is unreliable. That’s why safety-minded sites will “salt” their stored passwords.
Salting a password means tacking on random characters at the beginning or end of it. The extra characters make passwords more complex and a less desirable target for hackers. Sites typically salt in addition to hashing for maximum protection.
Common Methods for Hacking a Password
Hackers use various options to break a password without much effort. Eighty percent of hacking incidents occur due to stolen passwords. So, if you’re not careful with managing your passwords, you may have fallen victim to one of the methods below.
Brute Force Attacks
Brute force attacks are exactly what they sound like. A hacker uses raw computing power to check every possible combination until they land on your password, including all numbers, symbols, and letters (uppercase and lowercase.)
For reference, it only takes a hacker 31 seconds to break a 7-character long password, even if it is mixed in symbols, numbers, and letters.
The easiest way to get around this weakness is to raise the number of passwords a hacker needs to check to guess the correct one. The longer a password is, the more combinations are possible. Even a computer checking billions of combinations every second will need a few trillion years if a password is long enough.
Dictionary attacks are much more focused than brute-force ones. They prey on people who use a password instead of a passphrase. By checking every word in the dictionary, if a user’s password is a single word, it’ll be broken instantly.
Cybercriminals use phishing attacks to deceive people into revealing personal information and stealing their identities. There are limitless ways to do this, but most involve impersonating an authority figure to pressure the target.
Most phishing scams will use a malicious link or download rather than ask for login credentials outright. A supposed message from a boss, bank, or hospital will discreetly download malware programs onto your device.
These programs will relay information to the cybercriminal without the user knowing. In extreme cases, one infected device could spread to others and create an entire network of compromised accounts.
How to Secure Your Passwords
Now that we’ve gone over the possible dangers, you’ll need to know how to defend yourself. The following rules should be your top priority when creating new passwords.
- Keep it impersonal: NEVER use personal information like birthdays, address numbers, or phone numbers in your passwords. Extra caution is advised now that hackers and scammers can find most personal data through social media profiles and professional pages.
- Convenience isn’t the goal: It’s tempting to make all your passwords easy to remember by using a single word or string of numbers. Doing this makes you stand out to hackers as an easy mark and further endangers your data. The longer and more complex your passwords, the better.
- Make unique passwords: Avoid repeating the same password for multiple accounts. If one account is hacked into, then everything else is in danger. You’ll have to go through the insanely tedious process of changing all your passwords. Using a random generator is an easy way to keep every password unique.
What are Password Managers?
A password manager is like a high-security vault for your login credentials and other information. This vault will quickly spit out anything you need, and you don’t even need to remember what’s inside.
These services naturally veer users from lousy password habits like the ones mentioned in the previous section. By automatically generating stronger passwords, users avoid repeated and short passwords that are easy prey for hackers.
Additionally, password managers automatically fill in the login credentials for any site on which the user has an account, removing the need to memorize many passwords. Password managers are beneficial for people with multiple emails or social media accounts.
Typically, having every password in one place would be unwise. However, password managers use the same protection as most banks and security firms, 256-bit AES encryption. The National Security Agency recognizes this encryption for its safety and as one of the most mathematically complex protocols available.