Every week, our researchers round up the latest security news and report our findings in these blog pages. If you’ve been reading, you may have noticed a particularly nasty trend claiming new victims week after week — data breaches. In the last two months alone, we’ve reported on the Ticketmaster UK breach, the Macy’s breach, the MyHeritage breach, the Prince Hotels breach, and the Equifax breach. And that’s only some of them.
Your passwords grant access into your own personal kingdom, so you are probably thinking ‘what are the best practices to create a strong password’ to protect your accounts against these cybercriminals. If your passwords were part of a breach, you will want to change them immediately.
So, what’s the solution? Uncrackable passwords. But before jumping to that, let’s first take a look at the various ways passwords can be hacked, so that you understand the most common methods being used today.
How does a password get hacked?
Cybercriminals have several password-hacking tactics at their disposal, but the easiest one is simply to buy your passwords off the dark web. There’s big money in the buying and selling of login credentials and passwords on the black market, and if you’ve been using the same password for many years, chances are it’s been compromised.
But if you’ve been wise enough to keep your passwords off the aggregated black market lists, cybercriminals have to crack them. And if that’s the case, they’re bound to use one of the methods below. These attacks can be aimed at your actual accounts or possibly at a leaked database of hashed passwords.
Brute force attack
This attack tries to guess every combination in the book until it hits on yours. The attacker automates software to try as many combinations as possible in as quick a time as possible, and there has been some unfortunate headway in the evolution of that tech. In 2012, an industrious hacker unveiled a 25-GPU cluster he had programmed to crack any 8-character Windows password containing uppercase and lowercase letters, numbers, and symbols in less than six hours. It has the ability to try 350 billion guesses per second.
Some brute force attacks use filters and masks to reduce the possible search space, helping them arrive at your unique password even more quickly. Anything under 9-12 characters is vulnerable to being cracked. If nothing else, we learn from brute force attacks that password length is very important. The longer, the better.
Dictionary attack
This attack is exactly what it sounds like — the hacker is essentially attacking you with a dictionary. Whereas a brute force attack tries every combination of symbols, numbers, and letters, a dictionary attack tries a prearranged list of words such as you’d find in a dictionary.
If your password is indeed a regular word, you’ll only survive a dictionary attack if your word is wildly uncommon or if you use multiple-word phrases, like LaundryZebraTowelBlue. These multiple-word phrase passwords outsmart a dictionary attack, which reduces the number of possible guesses to the number of words we might use raised to the power of the number of words we’re using, as explained in the “How to Choose a Password” video by Computerphile.
Phishing
That most loathsome of tactics — phishing — is when cybercriminals try to trick, intimidate, or pressure you through social engineering into unwittingly doing what they want. A phishing email may tell you (falsely) that there’s something wrong with your credit card account. It will direct you to click a link, which takes you to a phony website built to resemble your credit card company. The scammers stand by with bated breath, hoping the ruse is working and that you’ll now enter your password. Once you do, they have it.
Phishing scams can try to ensnare you through phone calls too. Be leery of any robocall you get claiming to be about your credit card account. Notice the recorded greeting doesn’t specify which credit card it’s calling about. It’s a sort of test to see if you hang up right away or if they’ve got you “hooked.” If you stay on the line, you will be connected to a real person who will do what they can to wheedle as much sensitive data out of you as possible, including your passwords.
The anatomy of a strong password
Now that we know how passwords are hacked, we can create strong passwords that outsmart each attack (though the way to outsmart a phishing scam is simply not to fall for it). Your password is on its way to being uncrackable if it follows these three basic rules.
Don’t be silly
Stay away from the obvious. Never use sequential numbers or letters, and for the love of all things cyber, do not use password. Come up with unique passwords that do not include any personal info such as your name or date of birth. If you’re being specifically targeted for a password hack, the hacker will put everything they know about you in their guess attempts.
Avoid these top 10 weak passwords
Can it be brute force attacked?
Keeping in mind the nature of a brute force attack, you can take specific steps to keep the brutes at bay:
- Make it long — This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
- Use a mix of characters — The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it.
- Avoid common substitutions — Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak definition: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
- Don’t use memorable keyboard paths — Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.
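One way to turn the four rules above into an automated check, as an added example that is not from the original post. The word list, the substitution table and the thresholds MIN_CLASSES and RUN are assumptions.

```python
# Added example: a checker for the four rules in the list above.
# Word list, substitution table and thresholds are assumptions.
COMMON_WORDS = {"password", "doorbell", "dragon", "monkey", "letmein"}  # constructed
# Substitutions mapped back to letters; 7 -> l matches D00R8377 above.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "l", "8": "b", "@": "a", "$": "s"})
# Keyboard rows plus the alphabet; checked forwards and backwards.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]
MIN_LENGTH = 15   # from the list above
MIN_CLASSES = 2   # assumed threshold for "a mix of characters"
RUN = 4           # assumed: flag runs of 4 or more adjacent keys


def has_sequence(pw):
    """True if pw contains RUN consecutive keys from any sequence."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + RUN] in low for i in range(len(s) - RUN + 1)):
                return True
    return False


def char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def check_password(pw):
    """Return the list of rules pw breaks; empty means all four pass."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too short")
    if char_classes(pw) < MIN_CLASSES:
        findings.append("single character class")
    if any(w in pw.lower().translate(LEET) for w in COMMON_WORDS):
        findings.append("common word behind substitutions")
    if has_sequence(pw):
        findings.append("keyboard path or sequence")
    return findings


if __name__ == "__main__":
    for sample in ("DOORBELL", "D00R8377", "qwerty12345", "LaundryZebraTowelBlue"):
        print(f"{sample!r}: {check_password(sample) or 'passes'}")
```
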
Can it be dictionary attacked?
The key to staving off this type of attack is to ensure the password is not just a single word. Multiple words will confuse this tactic — remember, these attacks reduce the number of possible guesses to the number of words we might use raised to the power of the number of words we are using, as explained in the popular XKCD post on this topic.
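The search-space arithmetic behind this, as an added example rather than part of the original post: it applies the 350 billion guesses per second quoted earlier to both random characters and random words. It assumes the attacker knows the scheme, that every character or word is picked uniformly at random, and a 7,776-word list.

```python
GUESSES_PER_SECOND = 350e9        # cluster rate quoted in the text above
YEAR = 365 * 86400                # seconds


def seconds_to_exhaust(choices, picks, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every sequence of `picks` items drawn from
    `choices` options (characters of an alphabet, or words of a list)."""
    return choices ** picks / rate


def min_picks(choices, target_seconds, rate=GUESSES_PER_SECOND):
    """Smallest length (characters or words) whose full search space
    takes at least `target_seconds` at `rate` guesses per second."""
    picks = 1
    while seconds_to_exhaust(choices, picks, rate) < target_seconds:
        picks += 1
    return picks


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# Assumed sizes: 95 printable ASCII characters, 26 lowercase letters,
# and a 7,776-word list (the size of a five-dice word list).
CASES = {
    "8 random printable characters": (95, 8),
    "15 random lowercase letters": (26, 15),
    "4 random words from 7,776": (7776, 4),
    "6 random words from 7,776": (7776, 6),
}

if __name__ == "__main__":
    for label, (choices, picks) in CASES.items():
        print(f"{label:32} {humanize(seconds_to_exhaust(choices, picks))}")
    for name, choices in (("characters", 95), ("words", 7776)):
        print(f"100 years needs {min_picks(choices, 100 * YEAR)} {name}")
```

At this rate four random words from that list are exhausted sooner than eight random characters, so the number of words matters as much as the decision to use words.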
The best password methods (and great password examples)
At Avast, we know a thing or two about cybersecurity. We know what makes a solid password, and we have our favorite methods to create them. The methods below give you some good password ideas to create your own strong, memorable passwords. Follow one of these handy tips, and you’ll be doubling down on protecting your digital world.
The revised passphrase method
This is the multiple word phrase method with a twist — choose bizarre and uncommon words. Use proper nouns, the names of local businesses, historical figures, any words you know in another language, etc. A hacker might guess Quagmire, but he or she would find it ridiculously challenging to try to guess a good password example like this:
While the words should be uncommon, try to compose a phrase that gives you a mental image. This will help you remember.
To crank it up another notch in complexity, you can add random characters in the middle of your words or between the words. Just avoid underscores between words and any common leetspeak* substitutions. (*leetspeak: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
The sentence method
This method is also described as the “Bruce Schneier Method.” The idea is to think of a random sentence and transform it into a password using a rule. For example, taking the first two letters of every word in “The Old Duke is my favorite pub in South London” would give you:
To anyone else, it’s gobbledygook, but to you it makes perfect sense. Make sure the sentence you choose is as personal and unguessable as possible.
The muscle memory method
In this method, your fingers do the remembering, instead of your brain. This works better for some people, and if you’re one of them — by all means, try it out. First, we recommend that you use a tool like the Avast Random Password Generator to spawn random passwords until you see one that looks “readable.” Memorize it (as phonetically as possible) and type it out several times until it’s held in your muscle memory.
Test your email address too
Check the Have I Been Pwned site to see if your email address has been leaked in previous data breaches. If it has, change your password on your email account immediately.
Sample test showing email “email@example.com” has been compromised in a previous data breach
While you are at it, check if your password has been compromised in previous breaches. Enter your email into the Have I Been Pwned Passwords page to see if your password information is being bought and sold on the dark web. If so, change your password immediately to a strong password following the information in this blog post.
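A programmatic version of the password check, as an added example that is not from the original post: the Pwned Passwords range endpoint accepts only the first five characters of the password's SHA-1 hash, and the match is done locally. The response used when the script runs is constructed so it works offline; fetch_range is the live call.

```python
import hashlib
import urllib.request


def split_hash(password):
    """SHA-1 the password; return (5-char prefix, 35-char suffix) in upper-case hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Ask the Pwned Passwords range endpoint for every suffix under prefix.
    Only the 5-character prefix leaves the machine. Needs network access."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_body):
    """Match the local suffix against 'SUFFIX:COUNT' lines; 0 if absent."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_response(password, count):
    """Build a fake range body for offline use: two filler lines plus the
    suffix of `password`. Counts and fillers are made up."""
    _, suffix = split_hash(password)
    return "\r\n".join([
        "0" * 35 + ":3",
        f"{suffix}:{count}",
        "F" * 35 + ":1",
    ])


if __name__ == "__main__":
    body = constructed_response("password", 12345)   # offline sample
    print(breach_count("password", body))
    print(breach_count("LaundryZebraTowelBlue", body))
    # Live check: breach_count(pw, fetch_range(split_hash(pw)[0]))
```
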
Be careful who you trust
Security-conscious websites will hash their users’ passwords so that even if the data gets out, the actual passwords are encrypted. But other websites don’t bother with that step. Before starting up accounts, creating passwords, and entrusting a website with sensitive info, take a moment to assess the site. Does it have https in the address bar, ensuring a secure connection? Do you get the sense it is up on the newest security standards of the day? If not, think twice about sharing any personal data with it.
Two-factor authentication (2FA) and multi-factor authentication (MFA) add an extra layer of protection (which becomes your first layer of protection should your account details ever get leaked). These protocols have become the new industry standard for effective security. They require something in addition to a password, such as a code sent to your phone, biometrics (fingerprint, eye scan, etc.), or a physical token. This way, as simple or complex as your password is, it’s only half of the puzzle.
Note: given the recent Reddit hack caused by SMS-intercepts, we do not recommend using SMS as your second factor of authentication.
Security keys and the FIDO alliance
Security keys take security to the next level. A security key like the YubiKey (named for “ubiquitous key”) gives you the most state-of-the-art protection available today. It serves as your MFA, granting you file access only if you physically have the key. Security keys are available in USB, NFC, or Bluetooth versions, and they are generally about the size of a thumb drive. Last year, Google mandated all of its employees to begin using security keys, and the company claims it has not experienced a single data breach among its 85,000 workers since. They have even announced plans to market their own product called the Titan Security Key, designed specifically to protect people against phishing attacks.
For 2FA, MFA, and security keys: check out the FIDO alliance, which is working on creating strong authentication standards for desktop and mobile apps. If you’re as concerned about online security as we are, you want to use only FIDO-compliant services such as Microsoft, Google, PayPal, Bank of America, NTT DOCOMO, and Dropbox, to name a few. When a certain security key, website, mobile app, etc. is “FIDO® Certified,” it satisfies the alliance’s high standard of authentication and protection.
It will take a while for developers to adjust the majority of apps to be FIDO-compliant though, so in the meantime you’ll need to rely on a security key, when available. Otherwise, two-factor authentication is recommended.
Use a password manager
A password manager does all the remembering for you, except for one thing — the master password which grants you access to your password manager. For that big kahuna, we encourage you to use every tip and trick listed above.
The password manager itself will remember all the other passwords to all your other accounts. Moreover, it can generate super-complicated, extra-long passwords that are infinitely more difficult to crack than any passwords a human might come up with.
In the early days of practical thought, Socrates doled out the sophisticated advice “know thyself.” We’re going to borrow from his book, upgrade the advice by a couple thousand years, and encourage all of you to do that which is absolutely essential today: Secure thyself.
Additional security tips surrounding passwords
Protect your login information further with these common sense high-security tips:
- Use a VPN when on public Wi-Fi. That way, when you log into accounts, no one is intercepting your username and password.
- Never text or email anyone your password.
- When selecting security questions while creating an account, choose hard-to-guess options to which only you know the answer. Many questions have easy-to-find answers in social channels with a simple search, so beware and choose carefully.
When you’re done, take the time to tell your family and friends to protect themselves too. Breaches continue to happen, so just by sharing this blog post with friends and family, you will be helping your inner circle to protect themselves.