Recommendations for Passwords on National Password Day

May 14, 2024 / meritsolutions

Earlier this month was National Password Day, and for a long time the common attitude towards passwords was this: make one memorable password and use it for everything. Unfortunately, while that password lifestyle made for easy sign-ins, it also negatively impacted our collective cybersecurity.

What you need to remember about hackers is that they usually aren't guessing your password by hand. You may imagine someone targeting you personally and thinking about what you might have chosen. That does happen occasionally, but the vast majority of account compromises happen in one of two ways: one, bad actors obtain your password from a data breach; or two, bad actors use automated tools to try millions or billions of candidate passwords until one works.

Let's start with data breaches: they happen all the time. A company (LastPass is one well-known example) has its systems breached and its users' data stolen. If account credentials are among that data, or the stolen password hashes are cracked offline, bad actors now hold your username and password and will try that pair against every other account you might have, including personal and financial ones (this is called credential stuffing). If you use the same password everywhere, they will have no trouble walking into your bank account with a password that leaked from one unrelated site.

You might be shocked by how quickly a computer can crack the password you've been using for years. Sites like PasswordMonster and Security.org estimate how long a computer would take to recover a given password: you can type in a password similar to yours (never your actual password, of course; a third-party website should never see it) and find out whether the answer is thousands of years or a few seconds. ("Password" is broken instantly, by the way.) Treat these numbers as rough guidance: the result depends on how many guesses per second the tool assumes, and a real attacker working from a list of previously leaked passwords reaches common choices far sooner than a character-by-character estimate suggests.

But let's say your credentials haven't leaked. If you're targeted, bad actors can still "brute force" their way into an account whose password isn't strong enough. Rather than guessing one option at a time by hand, they run cracking software that tries dictionary words, passwords from earlier breaches, and common variations of them (a capitalised first letter, a year or an exclamation mark tacked on) before falling back to exhaustive search, at rates of thousands of guesses per second against a login page and billions per second against a stolen password hash. It's not personal: it's a numbers game, and the aim is to recover your password in as short a time as possible.
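To make the two attack paths above concrete, here is an added example (not code from the original article) of what an attacker does with a breached table of password hashes: every word in a wordlist, plus the cheap variations crackers try first, is hashed once and looked up against all of the leaked hashes at the same time. The "leaked" table, the user names and the wordlist are constructed for the demo, and plain SHA-256 stands in for whatever hash the breached site actually used.

```python
"""Toy offline dictionary attack against a breached table of password hashes.

Added example, not code from the original article. The breach dump, user names
and wordlist are constructed for the demo, and plain SHA-256 stands in for
whatever hash the breached site actually used.
"""
import hashlib


def sha256_hex(password: str) -> str:
    """Hash one candidate password the way the (hypothetical) breached site did."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked" table: what an attacker usually gets from a breach is
# hashes, not passwords. The last entry reuses the article's strong example.
LEAKED = {
    "alice": sha256_hex("Password"),
    "bob": sha256_hex("sunshine1"),
    "carol": sha256_hex("Welcome2024!"),
    "dave": sha256_hex("Thq.c@rr1agEp0_nDRadI0"),
}

# Constructed mini wordlist. Real attackers start from lists of hundreds of
# millions of passwords recovered from earlier breaches, ordered by popularity.
WORDLIST = ["password", "sunshine", "welcome", "letmein", "dragon", "carriage"]
SUFFIXES = ["", "1", "123", "!", "2024", "2024!"]


def candidates(wordlist):
    """Yield each word plus the cheap 'mangling' variants crackers try first:
    capitalised / upper-cased copies with common digit or symbol suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack(leaked, wordlist):
    """Hash every candidate once and look it up against ALL leaked hashes.

    Because the hashes are unsalted, one guess is tested against every user
    at the same time (two users sharing a password would share one hash; a
    real cracker maps hash -> list of users). Returns (recovered, guesses).
    """
    hash_to_user = {h: user for user, h in leaked.items()}
    recovered = {}
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        user = hash_to_user.get(sha256_hex(guess))
        if user is not None and user not in recovered:
            recovered[user] = guess
    return recovered, guesses


if __name__ == "__main__":
    found, n = crack(LEAKED, WORDLIST)
    print(f"{n} guesses; recovered {found}")
    print("still safe:", sorted(set(LEAKED) - set(found)))
```

Six words and six suffixes already recover three of the four accounts in 108 guesses, which a GPU does in far less than a millisecond; the mangled passphrase is the only one the wordlist never reaches. Each recovered username and password pair is exactly what gets replayed against other sites in a credential-stuffing attack.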

In either scenario your password is compromised, and if you reuse it you put far more than the original account at risk. That has ramifications for your personal accounts, but also for your work accounts: this is commonly how businesses are targeted. One weak link in the chain lets bad actors into your company's network, and from there into your entire business.

The key, then, is to make sure every password you use is strong and unique. A strong password should be at least 18 characters (we recommend exceeding 20) and difficult for both a computer and a human to guess. That's easier said than done: you may think nobody could guess your password, but what's tricky for a human is often trivial for a computer. Instead, you need to employ some tactics that make it difficult for anything to guess your credentials.

You may already incorporate numbers and symbols into your passwords, which is one effective strategy. Another is to use phrases, with upper-case and lower-case letters, numbers and special characters between the words. Phrases make for passwords that are easy to remember and hard for computers and humans alike to guess: try stringing together two or three words (carriage + pond + radio, for example). Security.org says "Carriage+pond+radio.29" would take eight hundred thousand years for a computer to guess. Pretty good. Of course, if you misspell a word or two and jumble things up with special characters (Thq.c@rr1agEp0_nDRadI0), that only strengthens the password; PasswordMonster and Security.org say it would take seven quadrillion years to crack that one. One caveat: those estimates assume the attacker is searching character by character. A cracker who guesses that a password is a few dictionary words joined by symbols can search that much smaller space directly, which is why choosing the words at random (rather than words that naturally go together) and mangling them matters more than the raw character count.
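The difference between what a strength meter measures and what a pattern-aware attacker actually has to search, and how to generate a passphrase whose strength does not depend on the attacker being ignorant of the pattern, as an added example (not code from the original article). The guess rate, the 10,000-word "top passwords" list size used to model the attacker, and the DEMO_WORDS list are assumptions for the demo; the password examples are the article's own.

```python
"""Password strength as guess counts: what a meter measures vs. what an
attacker who knows your pattern needs. Added example, not from the original
article. Guess rates, list sizes and DEMO_WORDS below are assumptions.
"""
import math
import secrets
import string


def brute_force_bits(password: str) -> float:
    """Character-level estimate, the kind most online meters make: assume the
    attacker tries every string over the character classes the password uses."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def pattern_bits(*choice_counts: int) -> float:
    """Structure-aware estimate: the attacker models the password as a series
    of independent choices (a word from a list, a separator, a digit ...) and
    only has to search that space. Bits add up: log2 of each choice count."""
    return sum(math.log2(n) for n in choice_counts)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the keyspace at the given rate."""
    return 2.0 ** bits / guesses_per_second / 2.0


# Assumption: offline cracking of a fast, unsalted hash on a GPU rig.
GPU_RATE = 1e10

# Constructed mini wordlist for the demo; use a real diceware list in practice
# (the EFF large list has 7776 words, about 12.9 bits per word).
DEMO_WORDS = ["carriage", "pond", "radio", "anvil", "marble", "tundra",
              "lantern", "quartz", "velvet", "harbor", "cinder", "juniper"]


def generate_passphrase(wordlist, n_words: int = 6, separator: str = "-") -> str:
    """Pick words uniformly with the OS CSPRNG (secrets, never random.choice).
    Strength comes from the random choice, so the attacker gains nothing
    from knowing the pattern: pattern-aware bits == passphrase_bits."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of a randomly generated passphrase: n_words draws from the list."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    examples = [
        # "Password": one top-10k word, possibly capitalised.
        ("Password", pattern_bits(2, 10_000)),
        # Article's example: capitalisation, 3 list words, 2 separators,
        # 1 trailing symbol and 2 digits, each symbol/digit from ~10 choices.
        ("Carriage+pond+radio.29",
         pattern_bits(2, 10_000, 10_000, 10_000, 10, 10, 10, 10, 10)),
    ]
    for pw, model in examples:
        days = seconds_to_crack(model, GPU_RATE) / 86400
        print(f"{pw!r}: meter {brute_force_bits(pw):.1f} bits, "
              f"pattern-aware {model:.1f} bits (~{days:.1f} days at {GPU_RATE:.0e}/s)")
    pp = generate_passphrase(DEMO_WORDS)
    print(pp, f"{passphrase_bits(len(DEMO_WORDS), 6):.1f} bits from this tiny list; "
              f"{passphrase_bits(7776, 6):.1f} bits with the EFF list")
```

Run it and the article's "Carriage+pond+radio.29" scores about 144 bits by the character-level model but only about 57 bits once the attacker assumes "three common words plus separators", which at the assumed GPU rate is months rather than geological time; the exact number depends entirely on the assumed guess rate and list size, which is why two meters rarely agree. A six-word passphrase drawn at random from the EFF list is about 77.5 bits against every strategy, because there is no pattern left to exploit.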

But passwords also need to be unique, meaning a brand new password for each and every account. Your Microsoft account password for work should not be the same as your bank password, nor should either be the same as your Google account password. That way, even if the password for one account leaks, all of your other accounts remain protected.

It's not as easy as using one password over and over, but it's far more secure, and it protects both your personal data and your business. A password manager makes it simple: it stores each strong, unique password in a digital rolodex, so the only password you personally have to remember is the one for the manager itself (which, for that reason, must be the strongest one you own and reused nowhere else). When it comes time to log in, the manager fills in the strong, unique password for you.
