You’ve probably heard about this a lot, but the importance of strong passwords really can’t be understated. Unfortunately, a lot of the “common advice” you’re probably following isn’t doing you much good.
If you’re thinking, “We’re a small business. What aren’t a multi-billion dollar company… They won’t target us,” think again. With small businesses, the risk to a hacker is lower. The reward may be smaller, but the odds of success are better. And they prey on that exact false sense of security.
In fact, according to the 2017 State of Cybersecurity in Small and Medium-Sized Businesses by the Ponemon Institute, 60% of small-to-medium-sized companies rely on passwords to reduce attacks, yet 68% of those who use passwords do not enforce strong password policies. Data breaches range dramatically in cost, with average estimates anywhere from $130,000 to $1,027,053, depending on the size and scope of the data lost. Not all of those breaches were the result of poor password practices, but is that really a gamble you want your business to take, especially when 51% of SMBs experienced a ransomware attack (successful or unsuccessful) in 2017?
Don’t panic. We’ve got you covered. We’ll touch on the myths surrounding strong passwords and the better practices you can use that will keep your information safe.
Strong Password Myths:
- Adding numbers, symbols, and upper/lowercase letters to your password is the best way to make them strong
- Using words in the English language is fine so long as they’re combined with symbols and numbers
- More than 5 letters is good, but you don’t need to get crazy with the length
- A good way to incorporate symbols and numbers is to use them to replace letters
- Change your password every 90 days to better protect yourself
Here’s the thing: Crackers (programs that are designed to crack passcodes) are programmed by people. So if it’s something seemingly obvious to you, it’s not original, and it’s probably a strategy that’s been implemented in a hacking program. Your street name, your high school graduating year, your favorite number, the year you were married, the color of your car, the name of your children, etc, all of those are things hackers first try. And using 1’s for i’s and @ for a’s? That’s also out.
Take a peek at some common passwords and formulas to avoid.
Crackers Are Only Getting Smarter
Another major issue with password safety? Best practices that were widely touted for password strength even just a few years ago are now outdated. As technology gets faster and smarter, so, too, must password strategies.
Additionally, major password leaks only help hackers get smarter by revealing the patterns people use to create personal passwords.
Here’s what you should know:
Passwords are out. Passphrases are better, but…
Passphrases don’t simply mean stringing words together. A method that was popular a handful of years ago, the XKCD strategy, insisted that the best way to remember a longer passphrase was to string nonsense words together. The novelty of those words was supposed to make them harder to forget, even if that made the passphrase longer.
However, dictionary words are easily sifted through with powerful cracker programs, making that nonsense string of words hardly effective.
If it’s in the dictionary, it’s out
Cracker programs use English words (and more). In ARS Technica’s experiment, with brute force approaches alone, one hacker was able to solve 62% of a leaked password list in just 2 minutes and 32 seconds.
Another common strategy most passwords adhere to is a Root + Appendage formula, where the root item is often a pronounceable word (not necessarily a dictionary word, however) and the appendage is either a suffix (90% of the time) or a prefix (10% of the time). This is a terrible strategy, as hacking programs look for this, too. Please avoid.
Longer passphrases are better…
But studies show that most people can remember up to 9 elements before they start to forget. Despite the fact that George Miller’s study was published all the way back in 1956, his findings are still relevant today. The Magic Number is 7 (plus or minus 2).
However, chunking information is a good way to hack this brain fact; when you group things into memorable chunks, you can remember more than the standard 7 individual elements.
Here’s an example of this in action:
CEOCIOCFOCTOCMO = CEO, CIO, CFO, CTO, CMO
Another example of memory chunking is to use the method we refer to later on in The Magic Formula section (link to anchor in article).
Don’t change your passphrases every 90 days.
In fact, this advice has been debunked in the field of cybersecurity, by reputable figures among the likes of Bruce Schneier. (If you don’t know who he is, look him up. He’s kind of a big deal.) If you don’t mind falling down a rabbit hole, Schneier has tons of blog posts (no exaggeration) on passwords alone.
The more often you change your passphrases, the lazier you tend to get about it. Most people stop coming up with novel ideas and instead start tacking on numbers or symbols, which are one of the first variations hackers attempt when they know your previous passwords. This is what technologists refer to as transformations, and they’re incredibly unoriginal and easy to break.
In fact, according to a study done in 2010 on The Security of Modern Password Expiration, 17% of online hacks using transformations were successful in as few as 5 attempts. For offline attacks, the success rate was higher at 41% success in three seconds.
Say No To Stored Passwords
Yes, it’s easier. Yes, it saves time. Yes, you don’t have to remember a billion different passwords for that. But unfortunately, the ability to crack those stored passwords has been pretty easy in the past. While Google has since upped its security, it’s a good idea to consider a password manager.
While they may too be at risk for breaches from time to time, a good password manager takes protective caution, including masking your password from even their ability to see. If you’re curious about a password manager, this article has some great suggestions.
If you have concerns about the security of password managers (hello, all of my passwords are now in one place…), there are a few pieces of information that should put you at ease:
- Two-Factor Authentication dramatically reduces the chances of a successful hack
- Password managers generate unique passwords for EVERY online account you have. So if one gets leaked or hacked, there’s no chance for hackers to access ALL of your online accounts, as they could with most people who don’t use password managers
- The liability lies with your master password. Utilize The Magic Formula to ensure that this is strong and difficult to hack (but memorable).
Don’t Use the “Small Screens” Excuse
As our devices become ever smaller, typing in passwords over and over gets really annoying. Don’t sacrifice your safety and security over that annoyance. With the rise in IoT devices, this becomes an ever-looming issue you should be incredibly watchful over. Don’t get lazy; protect your IoT and do your research on devices before you purchase them.
The Magic Formula
Developed by an expert in the field of cybersecurity, The Schneier Scheme is a method Bruce Schneier created that works like this:
- Start with a phrase you can remember. The pied piper fiddled his way to town
- Use letters for each word in that phrase. TPPFHWTT
- Add symbols and numbers. TPpF#hwa2Tn!
- Create your own. (Obviously, don’t use this exact one for your own passwords.)
Schneier is an advocate of password managers and 2-factor authentication where possible, and we tend to agree with him. If you’re looking for some strong password managers, this article has a few suggestions.
Don’t Keep It Simple
Passwords are often an afterthought when the average person thinks about cybersecurity. These keys are incredibly valuable to hackers because they tend to open up an entire realm of personally stored information. Don’t make their job easier. Be smart about your passwords. Don’t reuse passwords for every site (we know it’s annoying, but just don’t, especially for business-related accounts). Implement the Schneier Scheme.
We want to keep you safe.
Subscribe to our blog