For many of us, not a day goes by that we aren’t logging into an account for various tasks, entertainment or work. As such, we've all heard stories of failed password protection ... the cousin who had their bank account emptied after their account was accessed or the friend who had their data stolen from a companywide hack.
Beyond the stories we share, recent statistics tell an even more compelling story in favor of strong passwords: According to recent studies, 81% of breaches at companies or organizations leveraged stolen or weak passwords (2020 Verizon Data Breach Investigations Report) and 1 million passwords are stolen every week (2019 Breach Alarm).
The ASU University Technology Office sat down with Zachary Jetson, director of information security, to dive into password protection and share tips to help design secure passwords and keep our information safe.
Exploring how hackers think
Understanding how passwords are cracked is the first step for devising an approach to designing good passwords.
“Hackers can automate the cracking of stolen password hashes between billions and trillions of passwords per second using high-performance supercomputers,” Jetson said. To do so, hackers apply brute-force cracking, an automated process that uses every possible letter, number and word combination to guess your password.
“To combat this, we moved to more complex passwords by adding characters, but even those have patterns that are replicable; like using the @ symbol to replace the letter A,” Jetson continued. He explained that this is a great place to start, but went on to share more details on how to create even stronger and more secure passwords.
Five tips for designing more secure passwords
Although no password is uncrackable, increasing the complexity of the password can make the process more difficult and has proven an effective method for dissuading hackers, ultimately keeping your accounts and information protected. Check out these five tips, provided by Jetson, to inform a more secure password strategy:
Tip 1: Length is the number one determinant for a secure password.
Passwords are at their strongest when they are over 14 characters long. A good strategy to create a password is to select four or five unrelated words that are strung together by a special character; think along the lines of horse-blue-rain-earphones (but please don’t go using this exact password now!). Using words that are unrelated increases the complexity of the password so that hackers cannot guess it as easily.
Sometimes, there can be a password character limit that prevents the use of this strategy. In that case, another method is to think of a sentence — like “Jack and Jill ran up the hill” — and use every letter to create the base of the password. You can add further complexity with characters and numbers; for example, add a colon and a date to make it jajruth:2021.
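To show why length and unrelated words beat character substitutions, here is an added calculation (not from the article or from ASU) that scores each strategy in bits of entropy and the time needed to try every candidate at the trillion-guesses-per-second rate quoted above; the 95-symbol character set and the 7776-word list are assumptions.

```python
import math

# Constructed assumptions for illustration (not figures from the article):
PRINTABLE_ASCII = 95        # symbols available to an all-character password
LOWERCASE = 26
WORDLIST = 7776             # size of a typical passphrase word list (assumption)
RATES = {"billions/s": 1e9, "trillions/s": 1e12}   # the article's stated range

def charset_bits(length: int, charset: int) -> float:
    """Entropy of a password of `length` symbols drawn at random from `charset`."""
    return length * math.log2(charset)

def passphrase_bits(words: int, wordlist: int = WORDLIST) -> float:
    """Entropy of `words` unrelated words chosen independently from a word list."""
    return words * math.log2(wordlist)

def substitution_bits(wordlist: int, substitutable: int) -> float:
    """One dictionary word with optional replacements such as @ for a.
    A cracker tries each word times each on/off pattern of substitutions,
    so each replaceable letter adds only about one bit."""
    return math.log2(wordlist) + substitutable

def years_to_exhaust(bits: float, rate: float) -> float:
    """Time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / (365 * 24 * 3600)

def comparison() -> dict:
    """Strength of the article's strategies at the article's faster rate."""
    cases = {
        "8 chars, any symbol":  charset_bits(8, PRINTABLE_ASCII),
        "p@ssw0rd-style word":  substitution_bits(WORDLIST, 3),
        "14 lowercase letters": charset_bits(14, LOWERCASE),
        "4 unrelated words":    passphrase_bits(4),
        "5 unrelated words":    passphrase_bits(5),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, RATES["trillions/s"]))
            for name, bits in cases.items()}

if __name__ == "__main__":
    for name, (bits, years) in comparison().items():
        print(f"{name:22s} {bits:6.1f} bits  ~{years:.2g} years at 1e12 guesses/s")
```

Four words from a short list roughly match eight random printable characters, while fourteen plain letters already take years at the quoted rate; the fifth word or a longer list is what adds the margin.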
Tip 2: Vary your passwords.
While it may seem easier to use the same password for multiple services and logins, it can quickly become a threat to all of your accounts. That’s because if your password gets stolen in one instance it can be used to access multiple sites and organizations you belong to. Databases of stolen usernames and passwords are used in attacks called credential stuffing and password spraying. When third-party services are compromised and improperly encrypted, user credentials can be leaked. Hackers then use these credentials in bulk to attempt logins, together with commonly observed passwords, which significantly reduces the number of attempts they need.
This makes using different passwords across services critical. The good news is that password managers, like LastPass, are an effective way to maintain uniqueness and keep track of your credentials for all of the platforms we use on a day-to-day basis.
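Password spraying leaves a recognizable trace on the defender's side: one source failing against many different accounts in a short window, rather than one user mistyping their own password. The detection below is an added example, not part of the article or ASU's tooling, and runs over constructed authentication log lines in an assumed "timestamp ip user result" layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from the article):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2021-03-01T09:00:01 203.0.113.7 alice FAIL
2021-03-01T09:00:02 203.0.113.7 bob FAIL
2021-03-01T09:00:03 203.0.113.7 carol FAIL
2021-03-01T09:00:04 203.0.113.7 dave FAIL
2021-03-01T09:00:05 203.0.113.7 erin FAIL
2021-03-01T09:00:06 203.0.113.7 frank FAIL
2021-03-01T09:00:07 203.0.113.7 grace SUCCESS
2021-03-01T09:05:00 198.51.100.9 alice FAIL
2021-03-01T09:05:30 198.51.100.9 alice FAIL
2021-03-01T09:06:00 198.51.100.9 alice SUCCESS
"""

def parse(lines: str):
    """Yield (timestamp, ip, user, result) tuples from the assumed log layout."""
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def find_spraying(lines: str, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against at least `min_users` distinct accounts
    within `window`: few passwords tried across many users is the signature of
    password spraying, whereas a legitimate user fails on their own account only."""
    failures = defaultdict(list)            # ip -> [(timestamp, user)]
    for ts, ip, user, result in parse(lines):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_spraying(SAMPLE_LOG).items():
        print(f"possible password spraying from {ip}: {', '.join(users)}")
```

The successful login from the flagged address is the account to review first, since a spray that ends in a SUCCESS line usually means a commonly used password was guessed.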
Tip 3: Utilize multifactor authentication.
While we strongly urge everyone to use different passwords across services, multifactor authentication adds a further layer of defense against the many attacks that target passwords.
Multifactor authentication requires something you know (a password) and something you have (a mobile device, YubiKey or hardware token) to log into an account. This prevents hackers who may obtain your password from accessing your information without your knowledge. The exception is if they have somehow also obtained the device to which the multifactor authentication service sends a verification code (via text, call or push notification through a dedicated mobile app), or acquired the hardware token.
Tip 4: Avoid malware.
Malware is software that is intentionally malicious, typically containing capabilities such as a keylogger. A keylogger is a type of malware, or a function within it, that records every keystroke you enter. As you could probably imagine, this can allow hackers to view the accounts and credentials you are accessing. Avoid sites and links in suspicious emails that could be rife with malware like keyloggers. You can also stay proactive by having antivirus installed and updated on your device.
Another level of protection against malware is to avoid using the administrative account on your computer. That’s because if malware runs under the administrator context on your computer, it inherits all of the administrator’s capabilities, including disabling your antivirus or installing additional malware to embed itself deeply within the system. So even in the case that malware does slip through, if you don’t use the administrative account on your computer, it won’t have the same access to your files and information that you have under a “standard” user account.
Tip 5: Act quickly when a hack occurs.
Finally, even with the strongest measures, sometimes your passwords can be compromised. In that event, change your password immediately to mitigate illegitimate access to your information.
You can also find out more about the first line of defense to protect your and others’ information with these resources: