Using technology to crack passwords is not a new concept. In fact, if you think back to how Alan Turing cracked Enigma during World War II, as shown in The Imitation Game, the same principles exist today.
These days, it takes less than one second to crack the password ‘123456’. Something a little more complex like ‘qqww1122’ can be figured out in less than an hour. While harder passwords can take days and even months to crack, with time, anything is possible.
In this blog, I’ll be sharing how brute-force attacks work, along with six best practices that can make all the difference between keeping your accounts secure and potentially exposed.
What is a brute-force attack?
Let’s first start with the very reason why we must be so diligent about password security: brute-force attacks. These attacks occur when hackers leverage technology to continuously try every possible combination of words, popular keywords and numbers to break into accounts.
Brute-force attacks are becoming incredibly problematic as hackers apply hardware and/or software with a tonne of RAM and processors in the public cloud to simultaneously attack as many passwords as they can at once. Many of the programs leveraged by hackers are becoming increasingly accessible and affordable (and sometimes even free), making the average internet user an easy target.
Here’s how to improve your password security:
1. Create complex and hard-to-crack passwords
Think of a password like a bike lock. A cheap lock (or simple password) will be easier to break into. The better the lock (or the more complex the password), the less likely it is to be cracked. The bike thief (or hacker) will only spend so much time trying to break into it before giving up.
One of the best ways to avoid falling victim to a brute-force attack is by ensuring your password is stronger than the next one. To achieve this, it should include:
– At least 16 characters
– Upper and lowercase letters
– Symbols (and even spaces if the program allows it)
Along with length, you should also consider your password’s complexity. Despite our best efforts to create something entirely random, it’s human nature to connect patterns between words and characters when thinking of a password. Many users try to incorporate ‘unique’ spins on classic passwords like shifting all the characters over to the left or right by one on the keyboard. Unfortunately, with the use of technology, these tricks are becoming easier to crack than you think.
If you are being targeted, it’s likely the hacker has done their research through your social media channels to learn more about you. This means they could know about your hobbies, pets’ names, family’s birthdates and more — all of which tend to be common password choices. Even if your social media profiles are private, you never know who has access to the accounts of your list of friends.
To avoid any identifiable words, phrases or numbers, we recommend using a random password generator to ensure your password is entirely unique and as hard as possible to crack. To take it a step further, make up fake (but memorable) answers to the security questions asked on websites to prevent someone from resetting your password. You simply can’t know what information about you is out there.
2. Use a nonsensical passphrase as your password
Passphrases — when you string 4-6 random words together — are another option for creating a strong password. In fact, a 2020 article by ZDNet reports the FBI recommends passphrases over password complexity. When compared to a short, complex password, the FBI explained “a longer password, even if relying on simpler words and no special characters, will take longer to crack and require more computational resources.” Still, when using a phrase, your password should include the basic principles (i.e., upper and lower case, numbers, etc.) listed above.
If you would rather create a passphrase yourself, be sure to use at least four unrelated words that are each five characters or longer (e.g., Autumn Kangaroo PurpleRiver93!4). Avoid using names or dates that can be easily guessed, such as those of your children, spouse, parents or pets. Remember, the more random you make it, the harder it will be to crack.
One advantage of using a passphrase is that it will be easier to remember. At the same time, it will also be easier for someone else to remember if they happen to catch a glance of you typing it without the characters being hidden by asterisks.
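To make the length and passphrase advice above concrete, here is an added example (not code from the original post) that checks the three rules listed under tip 1 and estimates the brute-force search space for a character-based password versus a random multi-word passphrase. The guess rate and word-list size are assumed values chosen only for comparison.

```python
import math
import string

# Assumed attacker guess rate. Real rates vary enormously with the hash
# algorithm and hardware; the figure is only for comparing policies.
GUESSES_PER_SECOND = 1e10

# Assumed size of the word list a random passphrase is drawn from.
WORDLIST_SIZE = 7776

SYMBOLS = string.punctuation + " "  # spaces count as symbols, as the post allows


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def password_bits(password: str) -> float:
    """Entropy in bits if every character were chosen uniformly at random.
    Keyboard-shift tricks and pet names are NOT random, so real crackers
    find them far faster than this optimistic estimate suggests."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy in bits of word_count words drawn at random from the list."""
    return word_count * math.log2(wordlist_size)


def seconds_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the key space at the guess rate."""
    return (2 ** bits) / 2 / rate


def meets_policy(password: str) -> bool:
    """The post's three rules: 16+ characters, upper and lower case, a symbol."""
    return (len(password) >= 16
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c in SYMBOLS for c in password))
```

Running `seconds_to_crack(password_bits("qqww1122"))` gives a few minutes even under the random-choice assumption, while a six-word passphrase comes out at thousands of years at the same guess rate.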
3. Make your passwords different for each account
Using the same password for multiple accounts makes life easier, but it’s a mistake many users still make. If a hacker gets into one of your accounts and you use the same password for others, it’s likely they will continue accessing as many accounts as they possibly can. If you’re not convinced of the importance of diversifying your passwords, entering your email address into Have I Been Pwned? can serve as a real eye-opener. Take it a step further and test out your passwords to see how many times they’ve appeared in a data breach (and should therefore never be used).
To avoid third-party hacking, it’s also important to never log in to a website using your Facebook, Google or Apple account credentials — an increasingly common option when registering with a new website. As tempting as it may be to link to your pre-existing logins, it’s always better to create a unique username and password for each account.
4. Keep track of all your passwords
Keeping track of several random passwords can be a challenge. Instead of clicking ‘remember password’ in your browser, or worse, keeping a list of your passwords on your phone or computer, opt for a password management tool like LastPass to keep them organized securely.
5. Enable multi-factor authentication
The surest way you can add an extra layer of security to your accounts — whether social media, email or banking — is by enabling two-factor or multi-factor authentication. When you or someone else attempts to log in to your account, a text, phone call or email will be sent which contains a one-time code that must be submitted to complete the process.
6. Use an authenticator app to make accounts more secure
While sending a text is the standard, it isn’t the most secure method of accessing your accounts. Aside from the issues of connectivity, like when Rogers was down for a full day, cellphone companies are notoriously bad at protecting your phone number. A hacker can easily target you, call Rogers, Bell or TELUS, get a SIM card that’s attached to your number, pop it into their phone and intercept the authentication texts or calls.
Instead of depending on these texts or emails, consider installing an app such as Microsoft Authenticator App or Authy. This way, the hacker would need both your password and access to the app installed directly on your device to get into your accounts. Alternatively, hardware security keys such as those from Yubico add an extra-thick layer of security by ensuring the person accessing the account has the physical key in their possession.
Returning to our analogy above, using an authenticator app is like having the most heavy-duty bike lock available. Even if a hacker happens to crack your password, once they come up against an authenticator app, they will be out of luck and be forced to move on.
The reality is that even the most tech-savvy people can fall victim to cyber crime. At Ricoh, our team applies each of these best practices to ensure the security of our accounts. Additionally, all our RelativityOne users are required to sign in using Microsoft Authenticator App.