Password security for any pro who uses passwords

Keep trespassers out

What does password security have to do with baseball? If you’re not a baseball fan, you might not know that stealing signs is legal. Those signals the catcher makes to the pitcher? It’s not against the rules for other teams to try to figure out what they are.

Password Security Baseball Strike

What is against the rules is one team hacking into another team’s proprietary database to find out their personnel strategies, draft pick strategies, and development programs. And that’s what former St. Louis Cardinals’ executive Chris Correa pled guilty to doing to the Houston Astros, from 2013 through 2015. When Correa got caught, the Cardinals were fined $2 million, they had to give their top two draft spots to the Astros and Correa received jail time and a lifetime ban from baseball.

So why am I mentioning it here?

I love baseball, but more importantly, Correa was easily able to hack into the Astros’ system because they had terrible password security!

One of the passwords Correa was able to guess was one based on a password another former Cardinals executive had used when he still worked in St. Louis. Correa just tried variations of the executive’s old password until he got it right. There was also a point when the Astros’ computer system had been reset so everyone had default passwords, which were not difficult to crack, which Correa was quickly able to figure out.

What’s the lesson here?

Everyone needs to practice good password security just like you need to lock your front door when you’re not home. Whether you’re a writer, marketer, accountant, attorney, computer programmer or mortgage broker, you need solid password protection.

You’ve got a lot of important information that you need to protect, so you owe it to yourself (and your clients) to use a password that will be extremely difficult to break.

Whether it’s your blog, website, social network, or even your own personal computer or company server, all your security starts with your password. And there are hackers who will try every method they can to break into whatever you’ve got just to see what’s inside.

So regardless of your profession, take some basic precautions just to make sure you’re following fundamental password security. Here are a few things to remember.

Related: 10 practices for creating and securing stronger passwords

How is password hacking done?

I remember the early, early days of computer password security, when hacking was done at the War Games level of sophistication. If you want to see what Hollywood knew about computers in the early 1980s, watch that movie. In it, young Matthew Broderick is able to hack into far-off computer systems by snooping out a password’s written hiding place or social-engineering another programmer’s personal life.

Password options then were simple choices like “PENCIL” or the name of the programmer’s son. As long as you could make the right guess, or knew where the school secretary hid the password for the school’s only computer, you were golden.

These days, a password like that would be cracked instantly, thanks to the level of sophisticated software hackers use.

 

In fact, there are several password cracking methods that enable hackers to bypass most password security:

Dictionary

This method basically runs through every word in the dictionary, so if you use a password like PENCIL or CARBURETOR, the software will eventually reach your choice. And don’t think that substituting special characters for letters will do it, like C@RBUR3T0R, because the hackers have already thought of that.

Brute force attack

That’s when the hacker tries every possible combination of letters and numbers, starting with aaaa0 to zzz99. Eventually they’ll get to yours, but it could take a long, long time. (I’ll explain why in a minute.)

Social engineering

This is when someone tries to do social research on you and your life to guess your password, so never use your pets’ or family members’ names. While a Dictionary attack might go through hundreds of thousands of words, if a hackers knows about your personal life, there is a much smaller pool of words to try, and they can get through it in a fraction of the time.

Phishing

This is when you receive an email telling you there’s a problem with your website, social network, bank account, or whatever, and you’re instructed to do something like “click this link” to fix the problem. You’ll be taken to a screen that likely looks identical to the real site, and you’ll enter your password, which will give the hackers what they need.

Related: How to spot dangerous emails

Spidering

Oftentimes, businesses will use passwords related to the things they do or what they make. A can manufacturer might use steelcanlids or corrugation98, which means the hackers have an easier time because it reduces the number of words they have to try. So don’t use passwords related to your job, your industry, or the things you write about.

Follow this password creation formula

For good password security, you need a password that is hard to figure out, has a lot of characters, but is easy to remember.

That means you can stop creating complex passwords that are impossible to remember, like *8)R83CRD[$3cuZGq. The guy who created those now says he made a big mistake in doing that, and many IT professionals have stopped requiring them.

Instead, you can use phrases like HeddyLamarLovesFastPitchSoftball or, better yet, a series of four unrelated words, like manpower-lite-feather-pacific. These are actually much better passwords because they take longer to figure out, and they’re easier to remember.

Password Security Neon
Photo: Matthew Brodeur on Unsplash

Now, to determine how good your password is, imagine a hacker has a piece of software that will let them make 1,000 guesses per second. Based on that rate, how long would it take a hacker to crack your password using a brute force attack (see above)?

GRC.com’s Haystack tool can tell you how long it would take a piece of software running 1,000 guesses per second to crack your password, starting with “aa0” and going all the way to “zzzzzzzzzzzzzzzzzzzz9.” Let’s look at the three examples I’ve mentioned in this section.

HeddyLamarLovesFastPitchSoftball will take “2.65 million trillion trillion trillion centuries” to guess. (No, that’s not a typo.)

manpower-lite-feather-pacific will take “7.32 hundred trillion trillion trillion centuries.”

*8)R83CRD[$3cuZGq will take 1.34 billion trillion centuries.

And just by adding a 7 to the end, HeddyLamarLovesFastPitchSoftball7 will now take “45.54 billion trillion trillion trillion centuries” to guess all possibilities.

Option No. 3, the “complicated password,” is the lowest performing option at only 1.34 billion trillion centuries. That means it’s a decent password, but there’s no need for it to be so complicated, since the other two options will take longer to crack.

Besides, you’ll probably update your operating system before then.

Use a password security tool

If you really want to protect your passwords, and don’t want to remember them all, there are password vaults, also known as password managers, you can use to create, store and sync your passwords.

These are software apps that will store your passwords, credit card numbers, serial numbers of your software, and so on. They open with a single master password (better make that one easy to remember, but hard to crack), so you only ever need to remember one.

They work on every operating system, they work on every device — laptop, mobile phone and tablet — and they work on every web browser. This way, when I come to a website that asks for my password, I type in my master password, and the vault does the rest. I never have to remember all my passwords, and I can use any kind of password I want.

And, each vault has a password generator, so you can choose between the random character password or the multi-word password, and the vault will save it for you. So whenever I sign up for a new web service, I just have the vault generate the password, and I’m done.

Personally, I use 1Password, although LastPass and KeePass are also options.

The vault you use doesn’t matter so much as whether you actually use one.

Your computer, website, and its data are only as secure as the password you’ve chosen.

 

So if you think p@ssword1 or Daisy1986 are enough to stop a hacker, think again.

Play it smart with your password security, get a password vault, and never use identical or even similar passwords between your different web services or on your computer.

Related: Tools to secure a website

Image by: rwats013 on Visual Hunt