Could Your Password Survive a Data Breach?
At this point, it’s simply a matter of time before another company asks you to change your password because something somewhere down the line got hacked.
In fact, in June of 2016, Fortune Magazine said, “It’s almost fashionable to become the victim of a data breach these days, or at least you’d think so, given the who’s-who list of companies announcing them.” In other words, everyone from Fortune 500 companies and hospitals to small businesses and tech giants are experiencing the rippling impact of a data breach.
DOES YOUR PASSWORD STAND A CHANCE?
As an individual rudely thrown into the middle of a data breach, the first thing you should do is change your login credentials as quickly as possible. The quicker you change your credentials, the less of a chance a group of hackers has to use your preexisting password to access your account. But this will really only work if your preexisting password has made it through the initial waves of cracking and hacking.
WHAT IS HACKING SOFTWARE?
Cyber criminals and hackers have developed a variety of software with the sole purpose of cracking your passwords. This can be done through a Brute Force attack where hackers try tens of thousands of password combinations within minutes. If the credentials are encrypted or hashed, this process can be a little more difficult.
However, as we saw with Ashley Madison in 2015, how the data is encrypted or hashed will simply determine how much longer it will take to decrypt the data or match up the hashes with the correct algorithm. As Ars Technica reported, the Ashley Madison passwords were hashed with a rather sophisticated algorithm; nonetheless, this particular hashing involved a number of programming errors, allowing 11 million of the stolen credentials to be hacked in less than 10 days. If those errors were not present, it would have taken centuries to crack as many as they did.
HOW ELSE CAN YOUR PASSWORD BE HACKED?
Cracking software is not the only way an account can be unlocked. This can go down in a variety of ways, and it doesn’t always involve a massive data breach.
You might receive a malicious email. The email will appear to come from a credible source, and it could potentially ask you to login to your account or send your information over for an “account verification.” Once you do this, the hackers will have full access to your account.
Just like a password, your security questions can also be hacked. People tend to answer security questions in the same way – simply due to the nature of the question itself.
For example, “What is your favorite football team?” only has a handful of legitimate answers, and people naturally want to answer it accurately to ensure they can recall it at a later time. In other words, a person isn’t going to say that his or her favorite football team is Pepperoni Pizza.
If malware has wiggled its way onto your connected device, this could also result in a leaked password. Some malware can track your every movement, and keyloggers can record every letter you type. If they’re tracking and recording at the right time, they could match up the right website with the right credentials.
WHAT DOES A GOOD PASSWORD LOOK LIKE?
When it comes to good ol’ fashioned hacking and cracking, it’s important to have a strong password. Like mentioned earlier, your password needs to be legit enough to make it through the initial waves of hacking and cracking – giving you the time you need to get to your account and change your password. Part of this will depend on how sophisticated the hashing and encryption standards are, but the other part of this will rely on the password itself.
The longer your password is, the more difficult it will be to decipher. But, at the same time, this also means that it will be substantially more difficult for you to remember. To make this easier on you, use phrases. These are simpler to recall than a long string of random letters.
But don’t use common phrases
Phrases are certainly better than standalone words, but that’s only if the phrase in question is unique and random. People are starting to use phrases as passwords more routinely; however, they’re also using the same phrases over and over again. And usually this consists of a phrase with the word “like” or “love” somewhere inside it. So instead of using “Ilikepeanutbutter,” use something more like “Mytummyenjoyspeanutbutter.”
Experiment with capitalization
There’s a huge difference in time when it comes to cracking a password with all lowercases versus cracking a password with all types of characters.
For example, a password that does not use a word out of the dictionary, that has eight characters and all lowercases should take around 2.23 hours to hack with a basic computer. If you throw a capital letter or two in there, then that period of time should bump up to 2.21 years. Quite a bit of a difference.
Now, if you did use a word out of the dictionary and you had a computer with some serious computing capabilities, this time would substantially decrease – however, a capital letter will still provide you with the solid buffer you need.
Throw in a character or number
If a capital letter increases the strength of your password that much, consider what it does for your password if you add in a few numbers or a special character (like an exclamation point or an asterisk). However, just as it is with using common phrases, make sure you aren’t using these numbers and special characters in obvious ways.
For example, just because you put “123” on the back of a word doesn’t mean this password is more secure. In fact, these combinations are attempted in hacking software automatically. But this also goes for letter replacements. For example, replacing an “E” with a “3” or an “a” with an “@”. These are obvious, and hackers will look for it. If you’re going to throw in a number or a special character, make sure it counts.
IS THERE ANOTHER WAY TO PROTECT YOUR ACCOUNT?
Passwords will only take you so far, especially if you’re subjected to sophisticated social engineering. These attacks rely on the human element to dupe you into dropping standard security procedures and releasing private information – like passwords. For this reason, you should consider implementing Two-factor authentication on any sites that offer it.
Two-factor authentication requires two separate methods of authentication before you’re allowed to login to your account. This might consist of your password and a code given to you via a text message or email. This could even be your password plus a security question. Most major websites have adopted two-factor authentication, and you can find an exhaustive list of supporters here.
On top of two-factor authentication, some websites (like Facebook) offer login approvals or login notifications. This means that if someone tries to login to your account from an unrecognized browser or device, you’ll be sent a notification (usually through an email). If this attempt was not made by you, then you will have the opportunity to change your password.
If you want to protect your data and online accounts, then two-factor authentication and login notifications are a necessary step. They create an additional layer of security and provide a much-needed facelift to a system of verification that’s outdated and out of touch with modern society.
HOW CAN WE HELP YOU?
If you’d like further assistance protecting and securing your online data, we can help. As an IT provider to many local businesses, we help secure massive amounts of data every day, and we can do the same for your business. Give us a call today at 940-382-8644 to learn more!