Yes, I said “longphrasesarethenewpasswords”. You’re probably thinking “huh, what is this language?” I meant, long phrases are the new passwords. Make more sense now? If not, I’m here to explain how (and why) password best practice has evolved in recent times, and what you should do now to ensure password security and protect yourself from losing access to your accounts.
For many years (decades for some), we’ve been told that our password needs to contain lots of random characters, numbers and even the odd special symbol ($%&”) to be secure. Yet, if you speak to anybody that works in IT this has all changed – but why?
Previously, the easiest tool that hackers (and other curious people) used to “break” passwords would be a dictionary attack (going through literally every word in the dictionary, one at a time). So the good guys said to use special characters in your passwords like %$£”$, then these dictionary attackers would be stopped in their tracks. This worked – for a short period, until the bad guys got new tools…
The other main way of breaking passwords is to make a brute force attack, which uses every combination of letters starting at a, and ending with zzzzzzz, etc. Years ago this approach wasn’t very widely used, mainly due to the speed of computers which meant that if the password was over about 8 characters, it would take years to crack on a standard desktop computer.
However, that all changed with the advent of graphics cards. Instead of using a desktop computer – which originally just had 1 thread of “power”, and now has 8 (or even more) – graphics cards can have upwards of 4,000 power threads. Suddenly, what previously might have taken 16 years on a single threaded computer could take only 1.4 days. Those passwords with special characters don’t look anywhere near as safe now, do they?
This is before we even talk about cloud computing, which offers the ability to pay on demand for the resource that you want and which can be used by hackers for their own ends. Want 500x GFX cards just for an hour (or equivalent)? Cloud services allow you to hire this with no upfront cost, from as little as $24 an hour. Faced with this scenario short passwords (those under around 12 characters) don’t seem such a good idea, whatever they contain.
So, if passwords with special characters are no longer good practice – what is?
Using these three techniques will make your cyber security better than 99% of people:
1. Use a long string of words as a password, like the title of this post. It’s 29 characters long but actually really easy to remember – much easier than a combination of random letters, numbers and characters. Alternatively, use a password manager service such as LastPass or OnePass to generate and store long (20+ characters) passwords. (At an organisation level, at Box UK we use Passwordstate to manage passwords across teams and departments, in line with our ISO 27001-accredited Information Security Management System).
2. Do not use the same password on multiple sites. If one of the sites gets hacked, unless the site owner practised good security (which is unlikely, if they got hacked) then the attacker might be able to work out the password you used and access more of your accounts with it. As above, using a password manager can help you store these different passwords securely, to save you having to remember them.
3. Finally, use two-factor authentication where possible. This means you won’t just need your password to get into your account, but also another “token” of some description – this is usually an email/text message, or a specially-generated number that changes within an application on your phone. With two-factor authentication even if an attacker steals your password, they still cannot access your account without this secondary method.
Security on the internet is a constantly-changing landscape, and as hackers continue to find and use more tools, users need to adapt accordingly in order to stay ahead. You can do this by following the tips above, listening to industry leaders, and always following the current best practices, to help keep your online accounts safe and secure.