Passwords are the keys to your entire digital life. They protect everything from your bank account and credit cards, to your personal and work emails, to your social profiles, and everything in between.
In other words, your passwords are highly valuable and should be treated as such. You need to protect them like you do your most valuable physical assets. Because just like criminals in the physical world try to steal money, jewelry, cars, and other valuables, cybercriminals try to steal your passwords and exploit your precious data.
Who are cybercriminals?
We tend to wrongly think of cybercriminals like this:
But the truth is, cybercriminals really look more like this:
Their “job” doesn’t look that different from the average nine-to-five job nowadays. Except instead of working hard to earn their paycheck, they work hard to steal yours.
In many cases, cybercriminals are attempting to retrieve your passwords in order to sell them for profit, or to gain access to your digital portfolio: your money (bank, credit cards), your communications (personal and work email), and your persona (social media).
You might rightly ask, “Why would they attack me? I’m not rich or famous.”
But instead of asking why you would ever be a target, remember that cybercriminals aren’t typically attacking individuals; they are attacking a massive group of people that you’re a part of in order to garner the most amount of data—and therefore value—as possible.
And who are the easiest victims of these large-scale attacks?
People who have weak or reused passwords across their accounts—aka basically everyone!
Why weak and reused passwords are a big problem
The most common way cybercriminals steal passwords is by stealing or buying password lists that become available after a hack or data breach.
You hear about hacks and breaches almost every week now. From Equifax, to Yahoo, to LinkedIn, to Dropbox, there are billions of exposed passwords available for purchase on the dark web and other sketchy sites.
Once a cybercriminal gets a list of stolen passwords, they use password cracking software—which is readily available online—to unearth thousands or millions of user passwords in one shot.
The reason cybercriminals need password cracking software is because password lists are almost never stored in plain text. For example, when a new user enters a password to create an Amazon account, their password gets hashed and stored on an Amazon server with all the other hashed Amazon user passwords.
What is a password hash?
A password hash is a form of encryption that takes your plain text password and turns it into a corresponding long string of random characters. This is a security best practice followed by most companies and services to protect user data from prying eyes.
Plain text password example: password123
Resulting password hash example: 3120983SKJNDdkjsab89231skjb9812OZNSjksO
How software cracks weak passwords
This is the part where I remind you that cybercriminals are trying to get the most bang for their buck. In this case, it means cracking the most amount of hashed passwords in the least amount of time.
Even though password cracking software can process thousands of more combinations per second than a human, there is still an unlimited number of different passwords that can be created on a keyboard.
So how does the software go about cracking them? There are four main ways:
- Brute force attack
When trying to crack a password, the most methodical way to do it—if you had an unlimited amount of time—is through software that executes a brute force attack. A brute force attack tries every possible combination of letters, numbers, and symbols one by one until the password combination is identified. So you would try, “a” then “b” and eventually “a1” and “a2,” etc.
While ultimately effective, a brute force attack is anything but efficient.
In fact, if someone uses a complex password, it can take more years to crack it using brute force software than there are atoms in the universe.
To speed up the process, cybercriminals typically eschew brute force attacks and launch attacks that focus on a more finite number of possible combinations.
- Dictionary attack
In a dictionary attack, the software tries every word in the dictionary as a potential password. This gives the software a much better chance of finding matches, because people like to use words they understand as their passwords—they’re easier to remember—and it does so in a reasonable amount of time, i.e. not eons.
(The lesson here is not to use dictionary words as your passwords. They are weak and easily exploitable.)
- Commonly used passwords attack
Another classic example of a weak password is a commonly used password. We recently analyzed 61 million passwords from a study at Virginia Tech on poor password habits, and we found a number of (sometimes hilarious) commonly used passwords.
“Starwars”—great movie, terrible password.
Software can take lists of commonly used passwords, like “Starwars,” and initiate an attack to crack all the matching passwords.
- Hybrid attack
Sophisticated software cracking programs also exist that can execute a hybrid attack. Hybrid attacks take word lists, like a list of dictionary words or commonly used passwords, and adds slight variations that mimic typical human password-creation strategies.
That means changing your password from “password” to “p@$$word123” is essentially meaningless.
Are you sensing a theme here? Weak passwords are low-hanging fruit, so every password cracking software listed above prioritizes cracking them.
And since these stolen lists can store millions or billions of passwords, there are likely to be tens of thousands of weak passwords. For cybercriminals, tens of thousands of plain text passwords is plenty to go on. They can now access user accounts and wreak havoc on digital lives through schemes like credit card fraud or identity theft.
That’s why we use strong passwords even if we don’t think we’re particularly rich or famous or “valuable.” Because you aren’t the target—your passwords are.
Any password that is part of a breach should be considered compromised for precautionary reasons, even if it’s strong. If a service you use gets hacked, change your password immediately.
That leads us to point number two: Weak passwords are bad, but reused passwords are worse. And weak, reused passwords? Forget it.
For the love of all that is good in this world, please stop reusing your passwords
When it comes to securing your digital identity, there is no silver bullet. The goal of all security best practices is to limit your risk as much as possible.
Another critical component of risk management? Eliminating password reuse. Completely.
Whether you use strong passwords or not, the minute a password becomes compromised, the threat of a cybercriminal trying it elsewhere online increases dramatically. That means every account that uses the same password is essentially compromised. This includes any slightly modified alternative password—cybercriminals can execute a hybrid attack on your original compromised password to crack all of your slightly modified passwords that were developed using your “password method.”
The absolute ideal scenario is to have a strong, unique password for each accounts.
How are you supposed to create strong and unique passwords for each account, and remember them all without writing them down?
Glad you asked.
Avoid weak and reused passwords by using a password manager
If you’re already using a password manager, congratulations, you’re one step closer to having nearly impossible to crack passwords for each of your accounts.
Why? Because no matter how many passwords you have, and how ridiculously complicated they are, a password manager remembers them all for you.
Think you’ll have a hard time coming up with random, secure passwords for each account?
Password managers have password generators built in. In one click, you can generate a secure password every time you create a new account. You can also generate new passwords for existing accounts that are currently protected with crummy passwords.
The kicker? The best password managers have a security dashboard that identifies accounts with weak, reused, or compromised passwords. From there, all you have to do is use the password generator to update those accounts, and you can become a cybercriminal’s worst nightmare.
Not using a password manager? Get one. Now. And no, your password book, Post-It, or patented password “method” doesn’t count. A password manager is literally the only way to safely and conveniently manage wildly complicated and unique passwords for an unlimited number of accounts.
If you have any questions, please feel free to leave them below, and I’ll do my best to answer them!