Get bulletproof or get hacked: a simple guide to passwords

Adam Allgaier
12 min read · Feb 23, 2021
Photo by Michael Dziedzic on Unsplash

My investment account has been hacked!!!

Six words that nobody ever wants to say.

True story: One evening in Sydney I climbed into an Uber to go home from a night out. The driver was a friendly young girl and we started chatting immediately, as you do when you’re alone in an Uber.

She told me a few things about her life and I was shocked when she explained what had happened to her only a month before…

For the last six or seven years she had been scrimping and saving as much as she could, and investing all of it in securities online. She watched for years as her savings grew, all with one singular purpose: so that she could buy her dream home in Panama and live there for the rest of her life.

She was so close, she had already started to look for properties. She saw herself on the beach within less than a year, the smell of crisp ocean air in her mind.

But then one day she logged into her investment account and saw that every penny of her dream-fund had disappeared…

her account had been hacked and everything she had was gone.

You probably already know that bank accounts and credit card accounts try to protect you from fraud. If there’s unusual activity on them, they often lock up.

But investment accounts are extra dangerous… they usually have WAY more money in them, and unless you went out of your way to get costly insurance, you’re liable for your own security.

This poor girl seriously got run over by these thieves… amazingly, she was very positive and using Uber to get back on the horse. I seriously admire her for that, because her story is devastating.

If you don’t want to have a story like this of your own, I strongly suggest you take cybersecurity seriously! And there’s no better place to start than your password!

If someone with bad intentions gets ahold of your password…

…it could smash the dreams you’ve worked towards for the last 7 years to pieces.

…it could expose you to public accusation of horrible crimes you didn’t commit.

…it could destroy a social media account for your business that you’ve busted your hump building.

No matter what form getting hacked takes, it always sucks!

If you want to avoid the possibility of suffering this yourself, read on. This post will help you to understand WHAT makes a good password, and HOW to come up with your own.

What does the perfect password look like?

I love efficiency and logic. It’s in my blood.

That’s why I find the idea of creating the most efficient password so damn intoxicating. And it’s why I’ve done the technical research to understand what it’s all about.

Here’s what the PERFECT PASSWORD needs to be:

  • Impossible for a human to guess.
  • Impractical for a computer to guess.
  • Guaranteed that you will remember it (without writing it down).
  • Unique for every account.
  • As quick and easy to enter as possible.

First order of business: if we’re going to make our password strong we have to understand HOW passwords get hacked. So next let’s talk about password hacking.

How password hacking works

Photo by Arget on Unsplash

When I was 8 years old and I wanted to come up with a password on my dad’s brand new Windows 95 (how flash!), I tried to think of one that no one could ever guess.

How about five “spacebars” in a row? Or the name of my cat?

Back in the day, this was all you needed. Half the time the computer wasn’t even connected to the web.

Nowadays there’s a whole new kettle of fish to worry about: hackers.

There are a few ways that hackers can break into an online account. One example is a keylogger, which is malware that records every key you press and where you press it.

If you get a keylogger, your whole system is compromised — and a password won’t help you. The only way to defend against malware like this is to avoid browsing shady websites and be careful with strange emails.

Since we’re interested in creating iron-clad passwords, let’s focus on password cracking.

It’s pretty unlikely that a human will be able to guess your password (unless you get really lazy with it). That means we only have to worry about computers figuring it out.

Computers can hammer through an insane number of possibilities in a tiny amount of time. Since this kind of attack is very possible, your password is going to need a bulletproof vest.

Let’s break these “password attacks” down into two groups:

  1. Pattern attempts.
  2. Brute force attempts.

Pattern attempts

Pattern attempts are when the computer assumes the password follows some kind of pattern.

This assumption could be a set of rules, like ‘the first character is a capital’ or ‘the password is 8 characters long.’

Or it could assume that the password contains common words — this is also called a “dictionary attack” because it starts trying known strings of letters.

Attacks like this are the most powerful because they cover the most likely candidates in a short amount of time, and they’re usually based on real data from millions of stolen passwords. This kind of data is really strong because humans naturally come up with similar little tricks and conventions for their passwords.

To give an idea of what I mean here, here are four of the most common passwords in the world according to the National Cyber Security Centre:

  • password
  • 123456
  • qwerty
  • 1111111

You probably know a few aunties and uncles that use exactly these.

Another common thing that computers quickly check for is certain letters being replaced by numbers that look like them. I’m sure you’ve seen “3” being used in place of “e” before… sadly those cute tricks are useless.

Okay, so what? What’s the moral here?

It’s simply this: You want to make your password immune to pattern attempts.

The way to do that is by (1) avoiding typical password tropes that people use, (2) not using a single word or name, and (3) avoiding common words in general.

Brute force attempts

A “brute force” attempt doesn’t mean a team of stocky, muscle-bound hackers are going to kick your door in — it means a computer is going to strong arm your password by trying every damn character under the sun.

If you successfully avoided common password B.S. and are not vulnerable to any pattern attempts… i.e. your password is “sufficiently random”… then this is all you need to worry about.

These attacks are like the blowtorch of the hacker world, trying to burn its way through each character. They are limited by the computing speed of the system that’s generating the attempts.

Let’s take a look at how to create a fortified password that can stand the heat.

How to create the perfect password

Photo by Sergi Kabrera on Unsplash

Recall what our PERFECT PASSWORD looks like:

  • Impossible for a human to guess.
  • Impractical for a computer to guess.
  • Guaranteed that you will remember it (without writing it down).
  • Unique for every account.
  • As quick and easy to enter as possible.

We know we don’t need to worry about a human guessing it, so let’s start from the second bullet.

Impractical for a computer to guess

According to NIST, the ‘numero uno’ factor to a strong password is LENGTH.

All those tricks to try and complicate your password, like adding # and having two capital letters… all that stuff is a bit trivial. It’s not for the hackers… it’s for the user. It helps to make sure they don’t do something predictable.

If you keep your password sufficiently random, length does become the strongest factor.

Now here’s something you should know: the number 8 gets thrown around a lot. You’ve probably noticed a lot of services make you use a password of at least 8 characters.

It turns out this recommendation is starting to gather some serious dust…

On April 12, 1985, the Department of Defense Password Management Guide was published suggesting 8 characters as the ideal length for a strong password.

Using the pea-shooter modem that was available back then, they figured out that an eight character password should have a lifetime of 6 months. They cut that number in half (90 days) for safety and all of a sudden “8 characters” bled into everyone’s minds.

Here’s the cold fact: an 8 character password made up of letters, numbers, and symbols is weaker than a 12 character password of just lower case letters.

What is the right length, then?

I threw together a chart below to help us to figure that out.

According to Tom’s Guide, the speed record for password cracking in Feb 2019 was 102.8 billion hashes every second. That was using eight state-of-the-art graphics cards that cost over 1,000 smackers each.

Without getting too technical, a “hash” is a scrambled, fixed-length fingerprint of your password that can’t be turned back into the original. Services store the hash rather than the password itself to keep it safe, so a cracking rig is really guessing and hashing, over and over.

To keep things simple, let’s assume the speed above, 102.8B possibilities per second, is the hottest blowtorch in town.

The chart below shows how long it would take to muscle through a password at this speed, showing various lengths and compositions:

(Chart: How long it would take the speed record holder to crack your password.)

As you can see, length (top to bottom) boosts the lifetime of a password way more than complexity (left to right).
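To reproduce the chart’s arithmetic yourself, here is an added example (not from the original post). It assumes the 102.8 billion hashes per second quoted above, one hash per guess, and a full search of every possible password, which is the attacker’s worst case; real rates depend heavily on how the service hashes passwords.

```python
# Added example, not from the original post. Assumes the Feb 2019 record rate
# quoted in the text, one hash per guess, and an exhaustive keyspace search.
RATE_PER_SECOND = 102.8e9

# Character sets a brute force has to cover, by password composition.
CHARSETS = {
    "lowercase": 26,          # a-z
    "lower+symbol": 26 + 33,  # a-z plus the 33 printable ASCII symbols
    "all printable": 95,      # letters, digits and symbols
}


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=RATE_PER_SECOND):
    """Time to try the whole keyspace at the given guessing rate."""
    return keyspace(alphabet_size, length) / rate


def human_time(seconds):
    """Round to the largest sensible unit for display."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def length_beats_complexity():
    """The post's cold fact: 8 chars from all 95 vs 12 lowercase letters."""
    return keyspace(95, 8) < keyspace(26, 12)


def crack_table(lengths=range(8, 13)):
    """Rows of (length, composition, time needed), like the post's chart."""
    return [(n, name, human_time(seconds_to_exhaust(size, n)))
            for n in lengths for name, size in CHARSETS.items()]


if __name__ == "__main__":
    for length, name, time_needed in crack_table():
        print(f"{length:2d} chars, {name:13s}: {time_needed}")
```

Each extra character multiplies the time by the alphabet size, while adding a symbol class only multiplies it by a constant factor per position, which is why the rows (length) grow faster than the columns (complexity).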

That doesn’t mean complexity isn’t meaningful. If you add one symbol to your password, you require the hacking system to try symbols as well as every other character.

(That’s why I believe it’s important to throw at least one in there. Adding capitals and numbers is not important.)

So we’re going with the purple column. From the chart we can see that lengths above 9 require an outrageous amount of time to solve.

YES, computers are going to get exponentially faster in coming years…

…but that’s why you want to change your password every so often!

(Roughly once per year is probably a good idea.)

A note on password requirements:

Some accounts require your password to follow certain rules (like 2 uppercase letters, etc.)

Again… they’re just trying to make sure you don’t follow a predictable pattern. If you run into one of these, you can add “A1” to the beginning. Since your password will be sufficiently random and LONG, it won’t matter where you put it.

OK… our password should contain at least one symbol and should be at least 10 characters long. What’s next?

Guaranteed that you will remember it (without writing it down)

Random gibberish is hard to remember. Easy words are out.

If you were wondering what I meant by “sufficiently random,” it’s that your password should be random as far as a computer is concerned.

Not as far as you’re concerned.

If you try to make it completely random and at least 10 characters, it’s going to look like d9P:`m&s3) and you will probably struggle to remember that mess.

But as long as you avoid common patterns and words, and use at least one symbol, your password should be random enough that a computer has no choice but to start trying everything.

The major recommendation here is using multiple, uncommon and unrelated words separated by symbols. For example:

reindeer=whistle=intrude

That’s 24 characters with symbols, using three *potentially* memorable words.

There’s a strong password generator here that you can use to give you an idea how this works.

Since we’re interested in making this easy peasy to remember, I like to use special memories that I already have. At the moment, I’m using a password that contains an old road name and the name of a pet I had while I lived there.
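The words-plus-separator scheme above only stays “random as far as a computer is concerned” if the words come from a large enough pool. This added example (not from the original post; the tiny word list is a constructed stand-in) generates a passphrase with a cryptographic random source and estimates its strength under two attack models: a character-level brute force, and an attacker who already knows the three-words-one-separator scheme and the word list. The weaker of the two is what counts.

```python
import math
import secrets

# Added example, not from the original post. The list is a constructed,
# deliberately tiny stand-in; real generators draw from thousands of words.
SAMPLE_WORDS = ["reindeer", "whistle", "intrude", "hatchet", "sunset",
                "coral", "lantern", "pebble", "marmot", "quartz"]

CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10))
SYMBOLS = 33  # printable ASCII characters that are not letters or digits


def make_passphrase(words, n_words=3, sep="="):
    """Draw n words with a CSPRNG and join them with one separator."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def charset_size(passphrase):
    """Alphabet a character-level brute force must cover, from classes present."""
    size = sum(n for test, n in CLASSES if any(test(c) for c in passphrase))
    if any(not c.isalnum() for c in passphrase):
        size += SYMBOLS
    return size


def guesses_char_attack(passphrase):
    """Attacker treats it as random characters (the post's 'trying everything')."""
    return charset_size(passphrase) ** len(passphrase)


def guesses_word_attack(wordlist_size, n_words):
    """Attacker knows the scheme (n words, one separator) and the word list."""
    return wordlist_size ** n_words


def effective_bits(passphrase, wordlist_size, n_words):
    """Strength is set by the cheaper of the two attack models, in bits."""
    weakest = min(guesses_char_attack(passphrase),
                  guesses_word_attack(wordlist_size, n_words))
    return math.log2(weakest)


if __name__ == "__main__":
    phrase = "reindeer=whistle=intrude"  # the post's own example
    for pool in (7776, 100_000):
        print(pool, "words ->", round(effective_bits(phrase, pool, 3), 1), "bits")
```

Against a 7,776-word list (the size of a common Diceware list, an assumption here) three words give under 39 bits, far below the 141 bits a character-level brute force of the same 24 characters would face, so pick words an attacker would not expect to find on a short list, or use more of them.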

Unique for every account

You might be tempted to ‘recycle’ your password across accounts. Then you only have to remember one, instead of beating your head against the wall trying to recall 45 of them.

This is definitely a no no.

Make no mistake — if you follow the guidelines above, your password shouldn’t be getting hacked. And if you go ahead and change it out every year or so, even better.

But you still need to make each password unique. You ask why? I have two words for you: data breach.

If there’s an actual data breach, where a server that has your account details on it gets hacked and published, your password is fried chicken. Not only is that account compromised, but that password is now in a hacker dictionary.

That means every other account that shares that password is at risk.

Keeping your password unique will buffer any mayhem from getting outside that particular account. Then all you need to do is change that one password.

Augghh!! How am I meant to remember loads of passwords?!?

I hear you! Don’t worry — this is another place that we can be efficient!

There might be a few ways to do this, but I like to keep it simple: somehow use the name of the service in the password.

Let’s say your password is:

hatchet%sunset%coral

…and you’re using it for Facebook. You might use:

hatchet%sunset%facebook%coral

Then when you create a password for Twitter you can swap ‘Facebook’ out.

Since the password overall is sufficiently random, and you’re going to change it occasionally, I don’t believe there’s any risk with this.

The hacking system would have to (1) identify the name of the service as a word in your specific password, (2) know another service your email address is registered with, and (3) try it with that other service.

This isn’t impossible. But think about it this way: your password isn’t likely to get cracked (see chart above). And if there’s a data breach (they don’t happen every day) there will be an insane amount of different passwords in the list.

The likelihood that using the name of the service in your password is going to bite you in the rear is… microscopic!

There’s also a secret to remembering your passwords towards the end of this post.

As quick and easy to enter as possible

You now have a password that’s impervious to a blowtorch, sticks like glue to your memory, and is one-of-a-kind… are you done?

You could be. But I like to take this one step further. Since you might be entering this bad boy often enough, I recommend you make it as easy to enter as possible.

There’s not much to it.

Lower case letters are easy to get to on keyboards and phones. So most of the characters should be those. That’s not a security problem if you follow the advice above.

That leaves special characters, upper case letters (if you fancy), and numbers…

…just use the ones that are easiest to get to!

When you use symbols, use the ones that are easy to get to. If you look at this screenshot of my phone, the ‘comma’ key is right on the first page… so that’s the special character I use.

Comma and period are the “fast-track” options!

You now know how to build your very own, one-of-a-kind, heavyweight champion password!

But there is one thing I haven’t yet mentioned…

…the experts don’t do this.

In the next section, I’ll tell you why.

Password managers

The top recommendation that all the clued-in experts get behind is to use a password manager.

This is a piece of software that you can keep on your phone, tablet, and computer that generates super-strong passwords and remembers them for you. All you have to do is remember one strong password, and use it to log into your password manager.

The password manager can also change your passwords instantly if you want, so that’s no longer a chore either.

In terms of security and ease of use, this is definitely a killer option.

The obvious downside is if your password manager gets hacked. If that happens, you can access a log of all the passwords you had on the manager. That will make it easy for you to start changing them.

If you want to join the revolution, two of the top recommended password managers are 1Password and LastPass.

Here are two links to pages where you can check whether your email address has appeared in a known data breach, or whether your password has been leaked:

Your email address: https://haveibeenpwned.com/

Your password: https://haveibeenpwned.com/Passwords
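The password check above never receives your actual password: the site’s Pwned Passwords service is queried with only the first five hex characters of the password’s SHA-1 hash, and the client matches the rest locally. This added example (not from the original post or the site’s own code) does that local matching step against a constructed stand-in for the “SUFFIX:COUNT” lines the range endpoint returns.

```python
import hashlib

# Added example, not from the original post. Pwned Passwords is queried by the
# first five hex characters of the SHA-1 hash only (k-anonymity), so the
# password itself never leaves your machine. The response below is a
# constructed stand-in for the real "SUFFIX:COUNT" lines; the third line is
# the genuine SHA-1 suffix of "password", the count is made up.
CONSTRUCTED_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB0DD5AC:4
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E9FE8C8E7A0F9D0C5E1C4B4A3B9E5D2F11:1
"""


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char query and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_response):
    """Times the password appeared in breaches, according to the range data."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # suffix absent from the range: not in the breach corpus


def is_pwned(password, range_response):
    return breach_count(password, range_response) > 0


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("would query range", prefix)  # only this leaves the machine
    print("breach count:", breach_count("password", CONSTRUCTED_RANGE_RESPONSE))
```

In real use you would fetch the range text for `prefix` from the service over HTTPS and pass it to `breach_count`; a non-zero result means that password is already in attackers’ dictionaries and should be retired everywhere it is used.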

A final note on strong cyber security:

Multi-factor authentication is king!!!

A powerful way to have bulletproof accounts is to rely on more than just a password… demanding a text messaged code, Google Authenticator, or another second factor makes it extremely hard to break into an account.

If you have these tools on your important accounts, it’s a good idea to make use of them.

In the meantime…

I hope you enjoyed this article and you rest easy with your fresh password knowledge!

Peace.
