Today passwords protect almost every aspect of our personal and professional lives. If you’re a small business owner using password-protected software to safeguard your customers’ personal and financial information, you have an even stronger obligation to ensure that it is not compromised. How do you think you’re doing? Do you have any of these bad password habits?
- Not using a strong password because it is too difficult to remember.
- Using the same password for your small business accounts and your personal accounts.
- Changing passwords to incremental variations such as password1, password2, etc.
- Using dictionary words—even long ones—as your password.
If you do, you’re not alone! A 2007 Microsoft study found that people have on average 25 password-protected accounts, but on average use only 6.5 unique passwords to cover them all. A more recent 2012 Experian study of UK users found that 18-24 year olds have on average 40 password-protected accounts each, and average only 5 unique passwords per 26 accounts. Another 2012 study of United States users found that 61% reused passwords across multiple sites, with 54% having five or fewer unique passwords, 28% having 6-10 unique passwords, and only 18% reporting having more than 10 passwords to cover all their accounts with logins.
With so many people re-using passwords across sites, you’d think that they would make a concerted effort to select strong ones. However, that is not the case. According to SplashData’s research, the top 25 passwords of 2013, compiled from files containing millions of stolen passwords posted online, were:
123456 • password • 12345678 • qwerty • abc123 • 123456789 • 111111 • 1234567 • Iloveyou • adobe123 • 123123 • admin • 1234567890 • letmein • photoshop • 1234 • monkey • shadow • sunshine • 12345 • password1 • princess • azerty • trustno1 • 000000
Do you recognize any of these? Read “The Internet’s 25 Worst Passwords, and What They Say About You” for a humorous look at personality traits associated with weak password users.
On a more serious note, with all the personal, confidential business, and financial information protected by our passwords, creating strong ones is critically important. Unfortunately, it is far more difficult than it used to be. While definitions of a strong password vary, the most common advice is to create a password of at least eight characters made up of capital and lowercase letters, numbers, and special characters. However, today this is wholly inadequate. Even though that 96-character set yields 7.2 quadrillion possible combinations, it could be cracked in 83.5 days by a plain brute-force attack on a fast computer. If it were only 6 characters, it could be cracked in 13 minutes. And it could be done with free password-cracking software readily available on the internet.
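As an added example (not from the original post), the figures above can be reproduced from the keyspace arithmetic: the guess rate is back-calculated from the 83.5-day figure and then applied to other lengths. It assumes a 96-symbol alphabet and a constant guess rate, which is the worst case of trying every combination.

```python
# Added example, not from the original post: reproduce the brute-force figures
# quoted above. Assumes a 96-symbol alphabet and a constant guess rate; the
# rate itself is back-calculated from the post's 83.5-day figure.

DAY = 86_400
YEAR = 365 * DAY

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds

def seconds_to_crack(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate

def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", YEAR), ("days", DAY), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

# The post's "83.5 days for 8 characters" implies roughly one billion guesses per second
RATE = implied_rate(96, 8, 83.5 * DAY)

if __name__ == "__main__":
    for length in (6, 8, 12, 15):
        print(f"{length:2d} chars from 96 symbols: {human(seconds_to_crack(96, length, RATE))}")
```

At that rate the 6-character case comes out at about 13 minutes, matching the post, while 15 characters from the same alphabet runs to trillions of years.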
If that’s not scary enough, most hackers aren’t even bothering with brute-force attacks anymore because lists of actual passwords are readily available. This began with the 2009 breach of the online games service RockYou.com, which exposed 32 million plaintext passwords (14.3 million of them unique). This allowed hackers to replace their dictionary lists with lists of real-world passwords to try against the accounts they were attacking. According to this post detailing how present-day hackers approach passwords (warning: if you’re not password paranoid before reading it, you will be when you’re done!), over 100 million passwords are published online each year, and they can be used to create “rainbow tables” that need very little hard drive space to store trillions of possible character combinations used for password cracking.
Even worse, not only do the data breaches expose actual passwords, but the large data set of compromised passwords also reveals many common password patterns. For example, nearly all capital letters are used at the beginning of passwords, most numbers and punctuation are used at the end, people often use first names followed by years (e.g. Lisa2009), numbers are often used to replace letters (e.g. P4ssw0rd), and people frequently use word inversion to create passwords (e.g. “bookkoob”, which is “book” followed by itself spelled backwards).
So, what can you do to create passwords that are truly secure? One approach is to use a password management program to generate truly random and unique passwords for all of your accounts. These programs are protected by a single master password; they then generate passwords for each of your individual accounts and can change them regularly. The only password you need to remember is the one for the program itself. However, if you access your accounts from many different computers and devices, this may not be feasible—especially because many password management programs do not support mobile devices.
If you don’t want to use a password management program, and you need to create passwords you can remember but that will truly be difficult for others to crack, there are some strategies you can follow. First, stay away from the bad password habits mentioned at the top of this post. Also, avoid the common password patterns identified in this Life Hacker post, including:
- Capitalizing the first letter of the password, e.g. “Ilovecandy”
- Adding a number, especially 1 or 2 at the end of the password
- Adding a common symbol (~, !, @, #, $, %, &, ?) to the end of the password, e.g. “Ilovecandy!!”
- Substituting numbers for vowels (“1Lov3c4ndy”)
- Shifting keys to the left or right (e.g. “[sddeptf”, which is “password” typed with every key shifted one position to the right)
Other useful tips for creating stronger passwords include:
- Don’t use a dictionary word spelled backwards
- Don’t use a common misspelling of a dictionary word (e.g. “recievables”)
- Don’t use a dictionary word where letters are replaced with common numbers or symbols (e.g. 1 or ! for the letter “i”)
- Don’t use common sequences, such as numbers or letters in sequential order or repetitive numbers or letters.
- Don’t use adjacent characters on your keyboard—such as qwerty
- Don’t use any portion of your name, birthdate, social security number, or any other personal information; or personal information for your close family and friends.
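As an added example (not from the original post), here is a check that flags the habits listed above so a password policy can reject them before they reach an account. The dictionary, keyboard rows and personal-information list are small constructed samples; a real deployment would load a full dictionary plus the published breach lists mentioned earlier.

```python
# Constructed sample word list; a real check would load a full dictionary and
# the published breach lists the post mentions.
DICTIONARY = {"password", "candy", "love", "book", "receivables", "monkey", "letmein"}
ROWS = ("1234567890", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")
LEET = str.maketrans("013457@$!", "oieastasi")  # undo P4ssw0rd-style substitutions
COMMON_SYMBOLS = "~!@#$%&?"

def unshift(pw: str, direction: int) -> str:
    """Undo a keyboard shift: +1 recovers a right-shifted password, -1 a left-shifted one."""
    out = []
    for c in pw.lower():
        row = next((r for r in ROWS if c in r), None)
        i = row.index(c) - direction if row else -1
        out.append(row[i] if row and 0 <= i < len(row) else c)
    return "".join(out)

def contains_word(text: str):
    """Return a dictionary word that appears forwards or reversed in `text`, else None."""
    for w in sorted(DICTIONARY):
        if w in text or w[::-1] in text:
            return w
    return None

def weaknesses(pw: str, personal=()) -> list:
    """List the habits from the post that `pw` shows; an empty list means none were found."""
    found = []
    norm = pw.lower().translate(LEET)
    if len(pw) < 15:
        found.append("shorter than 15 characters")
    if pw[:1].isupper() and pw[1:].islower():
        found.append("capital only at the start")
    if pw[-1:] and pw[-1:] in "0123456789" + COMMON_SYMBOLS:
        found.append("number or common symbol at the end")
    swaps = [norm[:i] + norm[i + 1] + norm[i] + norm[i + 2:] for i in range(len(norm) - 1)]  # misspellings
    for variant in (norm, unshift(pw, 1), unshift(pw, -1), *swaps):
        w = contains_word(variant)
        if w:
            found.append(f"based on the word '{w}'")
            break
    for i in range(len(pw) - 3):
        chunk = pw[i:i + 4].lower()
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}) or any(chunk in r or chunk in r[::-1] for r in ROWS):
            found.append(f"sequence or keyboard run '{chunk}'")
            break
    for item in personal:
        if item.lower() in norm:
            found.append(f"contains personal information '{item}'")
    return found
```

Running `weaknesses("[sddeptf")` reports that it is based on the word “password” (recovered by un-shifting the keys), while a long phrase of unrelated words with no trailing digit or symbol comes back with an empty list.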
With all those don’ts, what’s left? Do create passwords with 15 or more characters, include spaces if you can, and come up with your own unique pattern for password creation that will help you remember your passwords without providing an easy cracking pattern for thieves. You can test your password (or, to be extra safe, a password using the same pattern as yours) in this tool. Not only will it tell you how long your password would take to crack by brute force, it will identify specific problems with it.
Also, pick your battles. Have one short, easy-to-remember password that you use as a throwaway for sites where security isn’t an issue—such as registrations to access whitepapers and other sites where you are not disclosing any confidential personal information. That should cover about 75% of all password use. For the rest, be certain to create a unique strong password for each one—and be certain that they do not resemble each other or your throwaway password too closely.
Another great option is using two-factor authentication, which requires more than just a password to gain access to an account. For example, Google has a 2-factor authentication option for Gmail and other Google accounts. After you enter your password, Google sends a text message with a one-time code to your phone, and you must enter that code to log in. Thus, even if your password is compromised it can’t be used to access your account unless the thief also has your phone. Two-factor authentication is still relatively new and not available for most sites. This Life Hacker post provides more information about 2-factor authentication, including a video example of it in use, as well as sites where you can take advantage of this added security measure.
Image Credit: Dilbert.com