
Password security check-up

Let’s be real. Who even goes to a bank nowadays? Most of our personal life is already on the Internet, accessible from virtually any connected device, which, of course, is great — since it means one can have access to their data no matter where in the world they are at the moment. Unfortunately, that also means anyone who can successfully impersonate you will also have the same access to such data.

How does that impersonation process happen? While it depends on the application and service provider, figuring out a single password is usually all it takes. So in this article we shall see how to keep that password as safe as possible.


Why passwords matter

As obvious as it may sound, password safety is very important. Not only does it prevent unintended people from accessing data they should not see, it also helps prevent identity theft and fraud. Here is a short list of reasons you should be concerned:

  • If your password leaks, people can have access to private data;
  • With such data, you can become a victim of extortion (through blackmailing);
  • It may also permit criminals to perform identity theft and gain access to even more aspects of your life;
  • For a social network or a messaging platform, one could, while pretending to be you, apply social engineering methods on your friends and family, persuading them to send money.

So now we agree it is important to keep them safe, let’s take a look at how we can accomplish that.

Keeping your passwords safe

By now, you probably have at least a few online accounts with existing passwords. Here are the basics on how to keep those safe.

Never share a password with other people

This is really the most basic one, but people still insist on sharing their passwords, mostly with friends or partners. There are many reasons why that is a very bad idea, even if you trust the person:

  1. Things change
  2. The other person may not be aware of security practices
  3. The communication channel may not be secure

For the first one, remember that people tend to act on their emotions, and one small argument or misunderstanding may cause them to do something you would not like. You may also share a password and then forget you did; once that happens, things are mostly out of your control.

The second one is self-explanatory: you share something that should be kept safe with someone who does not know how to keep it safe — maybe they don’t even understand why that would matter. There also is the possibility they simply don’t care.

Finally, even before the points above have a chance to fail, the communication channel may be insecure, which means someone else could intercept your access details, maybe by eavesdropping, via telephone tapping or maybe because that chat app was not safe to begin with.

Never reuse a password for different accounts

This is a point some people are not aware of. Reusing a password for different accounts is bad. Here is why.

Even if you personally do not leak your password to others, as we discussed above, there still exists a chance the company where your account is located leaks it. As weird sounding as it is, it does happen, and it happens more frequently than you might imagine. This is a long subject in itself, but the summary is: there is always a chance the company (unintentionally) leaks some of your data, making your password accessible, to some extent, to the whole world.

When such episodes take place, the service provider will probably force you to reset your password as a means to prevent unintended access. The thing is: if both your email and password are somehow compromised, hackers could try to gain access to thousands of other services by using that same combination.

For clarity, let’s suppose you own a Gmail account and a Facebook account. Your Facebook login is me@gmail.com and your password is 123. Should your Facebook data leak, some ill-intentioned person can try to log in to Google using that very same combination. If your Google password is, in fact, 123 then they will be able to successfully authenticate.

In practice, Google, Microsoft and many big Internet companies actually implement some other security measures in order to minimise such risk: they may log the IP addresses you usually access the service from, as well as your location history, so that they can block an attempt coming from an unexpected region. But that does not change the fact that your password was compromised and, thus, should never be used anywhere again.

Do not change passwords unless necessary

This is something many IT department administrators will not agree with me on. While many workplaces have password policies that demand users to change their passwords within a certain period of time, there actually is a huge downside to that, which, arguably, turns that into a bad practice.

The more often you are required to change passwords, the more you’re inclined to using weaker ones. We will discuss the importance of strong passwords below, but, for now, let’s just focus on a qualitative understanding of “weak” vs “strong” passwords. For simplicity, let’s assume stronger passwords tend to be longer in number of characters and more complex by having more diverse characters.

Now imagine you are forced to register a new password every 30 days. Assuming an average person takes one week to memorise their password, that means one fourth of the lifespan of that specific password has already gone by by the time they have memorised it. By the way, a question arises: during that one week, how was the person able to log in? Probably because they had the password written somewhere, which, in itself, is not a very good idea, and it gets worse when it is happening monthly.

If you periodically change your passwords and take note of it, say, in your phone or wallet, you are prone to have your behaviour analysed by a potential criminal who might find ways to get access to your wallet for just enough time to find your password.

Now, of course, that is not really the most likely scenario since, for most people, their colleagues are not really interested in impersonating them.

What actually is much more likely to happen is that, for being forced to change passwords often, people will then start using one of two approaches to circumvent the system: they will either use variations of the first password, often generated through a very simple (and, worse, predictable) way; or they will have a pool of say, three or four passwords and cycle through that pool indefinitely. Sometimes, users may use a mix of both methods.

Both tactics actually decrease the overall safety of the system. We will discuss below in more detail why using variations of a password is bad. As for the second approach, it totally defeats the point of even changing a password to begin with: if one of the passwords in the pool was compromised at some point, every three to four months it will be active again.

So if this is not a good practice, why is it so common? I believe the reasoning behind it is that you cannot guarantee your employees are completely aware of how to keep their passwords safe, so it is easier to change them every now and then. And I agree we can never really know how the user behaves and takes care of their login information; I am just not so sure about the solution proposed.

Creating new passwords

Until now, we were taking a look at a few guidelines on how to keep your current passwords safe. In this section, the idea is to discuss a good approach for when you need to make a new one, be it for a new account you are about to register or because you’ve realised your old one does not provide you with enough security anymore.

Do not use variations of the same password

This is my first rule on creating new passwords: never use variations of something you have used before. Never. There are two main reasons why that is a bad idea, or, another way to see it is: there are two main ways a variation of a password may expose you.

The first one is when you use a very specific rule to generate new iterations and, somehow, two of these get exposed. Truth is, human beings are very predictable, and a close look at too similar passwords that follow a rule may easily expose the very rule that generated them, which, in turn, literally compromises all the variations at once. Let’s take a look at an example.

Mr. Cabbage is very concerned about having a strong password, so he decides to randomly generate one for his account. Using a trustworthy random generator, he comes up with 6MrU7JbKc<'(d3SdafBE. Wow! That seems to be very safe indeed. 20 characters, both lower and upper case, as well as some other special characters. Mr. Cabbage seems to know what he is doing. Besides that, he takes care to memorise it as soon as it is generated and never writes it down anywhere. A few weeks pass by and Mr. Cabbage needs a new password for another account he is about to register. When he thinks about all the effort needed to memorise another password, as complex as the previous one, an idea appears: he swaps the initial 6 from the first password with a 7. The result? Mr. Cabbage now has a brand new password, as strong as it can get, without all the trouble of memorising it again. It is such a great method that Mr. Cabbage gets carried away and repeats it a few more times.

Now, not only are the variations not safe any more, but the very first password, which actually was a good one, has lost its quality as well. Imagine two of these variants get exposed by some undisclosed means. By comparing them, a hacker could easily figure out the rule, and start trying several variations of it as well, eventually finding the ones that did not leak. The story of Mr. Cabbage may seem a little far-fetched, but it illustrates the idea.

As for the second point we mentioned above, it actually helps turn the story a little more feasible: what if someone needed only one leak, not two, in order to find variations of it? Well, that does happen already. In reality, most variations people tend to use have already been mapped and documented by hackers. Swapping lower and upper cases, increasing or decreasing numbers, inserting special characters at specific positions in the original word. All of that has been done to exhaustion, so the bad guys have automation scripts that allow them to automatically test tens or hundreds of variations of a single word with the press of a button.

So, to put it simply: do not use variations.

Create strong passwords

This section is really not intended as a guide on how to come up with great passwords. The only person who can really find a method that works for you is, well, yourself. The idea here is to start a dialogue on things you could consider while finding that out.

Strong passwords are a very complex subject, where different people have different views on what makes one strong. There are many objective parameters that have been used in order to help with that matter: length, variety of characters and creation date are some of the most common ones.

However, what really should be considered a strong password is one which is good enough to protect an account from unauthorised access, while still being accessible (easy to remember and type). Ease of use is important, mainly for frequently used applications and services, because if you need to open a manager or check a piece of paper every time you want to access it, then you are more likely to decide to use an easier one.

Another important factor to be taken into account is the likelihood that someone could guess that password. password is a very easy one to guess and no, appending 123 to the end does not make it any safer. Swapping the o for a 0, capitalising the first letter and adding an @ to end up with an awesome looking Passw0rd@123 would not help either. Remember, as we discussed above, password variations are weak.
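The Mr. Cabbage story above and the Passw0rd@123 example here are the same weakness seen from two sides: a new password that is one edit away from an old one, and a "complex" password that is a common word with predictable substitutions. Below is an added example, not code from the original article, of the check a defender puts into a password policy to reject both: it undoes a small, constructed set of substitutions (which letter each symbol "stands for" is an assumption), strips digits and punctuation from the ends, and compares the result, and the raw string, against the user's password history. Checking the whole history also catches cycling through a pool of three or four passwords.

```python
"""Reject a new password that is just a variation of an earlier one.

Added example, not code from the original article. The normalisation rules
(lower-casing, undoing common digit/symbol substitutions, stripping digits and
punctuation from the ends) are a constructed, deliberately small subset of the
kind of mutations the article says attackers automate; a real policy engine
would carry a far longer list.
"""
import string

# Common character substitutions, mapped back to the letter they stand for.
# Which letter each symbol "means" is an assumption made for this example.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password):
    """Reduce a password to the base word an attacker would mutate from."""
    lowered = password.lower()
    # Strip affixes first ("@123"), then undo substitutions inside the word.
    core = lowered.strip(string.digits + string.punctuation)
    core = core.translate(SUBSTITUTIONS)
    # An all-digit or all-symbol password strips to nothing; keep it as is.
    return core or lowered


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_variation(candidate, previous, max_edits=2):
    """True when `candidate` is within a couple of raw edits of `previous`
    (the 'swap one character' trick) or shares its base word."""
    if edit_distance(candidate, previous) <= max_edits:
        return True
    return edit_distance(normalize(candidate), normalize(previous)) <= max_edits


def rejects(candidate, history):
    """Return the earlier password the candidate is a variation of, or None.
    Checking the whole history also catches cycling through a small pool."""
    for old in history:
        if is_variation(candidate, old):
            return old
    return None


if __name__ == "__main__":
    print(normalize("Passw0rd@123"))                       # password
    print(is_variation("7MrU7JbKc<'(d3SdafBE", "6MrU7JbKc<'(d3SdafBE"))
    print(rejects("Passw0rd@123", ["Tr0ub4dor&3", "password"]))
```

The raw edit-distance check alone would pass Passw0rd@123 against password (six edits apart), and the normalised check alone would miss Mr. Cabbage's one-digit swap on a random string; the policy needs both.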

Social engineering is also a real and problematic security issue. It is still very common for people to use meaningful dates and names, which helps in making a password easily remembered, but also makes it easily guessable by any outsider who can find out your loved one’s name on Facebook.

Very short passwords cannot be trusted either. Let’s take a look at the following table, which shows the time it would take for a randomly generated password to be cracked by a computer, according to its length and type [1]:

Type of password                                          Time to be cracked
08 numbers                                                2 milliseconds
12 numbers                                                4 minutes
08 letters, single case                                   5 seconds
10 letters, single case                                   1 hour
12 letters, single case                                   3 weeks
08 letters, mixed case                                    22 minutes
10 letters, mixed case                                    1 month
12 letters, mixed case                                    300 years
08 letters and numbers, mixed case                        1 hour
10 letters and numbers, mixed case                        7 months
12 letters and numbers, mixed case                        2000 years
08 letters, numbers and special characters, mixed case    8 hours
10 letters, numbers and special characters, mixed case    5 years
12 letters, numbers and special characters, mixed case    34000 years

By analysing the table, it is reasonable to say a password with only 8 characters is very short, no matter how complex you try to make it. Many specialists will recommend 12 characters, with mixed case, numbers and special characters. I, personally, always aim for 16 — albeit some of my most important ones may be much longer.

Remember, though, this table only applies for randomly generated strings. It may seem that P@ssword1234 would take 34000 years to crack, but, really, it would take just a few seconds, minutes at best, since it is a very naïve variation of a very common base word.
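The table and the caveat about it both come down to one calculation: the number of strings an attacker has to try, divided by how fast they can try them. The following is an added example, not code from the original article or from the tool it cites; it rebuilds the table's shape from alphabet size and length under an assumed, round guessing rate (1e10 guesses per second, chosen for this example), so the absolute times differ from the article's figures while the growth with length and alphabet is the same. It then shows why P@ssword1234 does not earn the 12-character figure: as a variation it lives in a space of (dictionary size x mutation rules), and those two sizes below are constructed illustrative numbers.

```python
"""Estimate how long exhausting a password space takes, and why a
dictionary-based variation does not get the 'random 12-character' figure.

Added example, not code from the original article. The guessing rate is an
assumed, round figure for an offline attack against a fast hash; the article's
table came from a tool with its own (unstated) rate, so absolute numbers
differ, but the growth with length and alphabet size is the same.
"""

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption made for this example

# Alphabet sizes behind the article's password types (printable ASCII = 94).
ALPHABETS = {
    "numbers": 10,
    "letters, single case": 26,
    "letters, mixed case": 52,
    "letters and numbers, mixed case": 62,
    "letters, numbers and special characters, mixed case": 94,
}


def keyspace(length, alphabet_size):
    """Number of distinct strings of `length` characters over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every string; the average is half of this."""
    return space / rate


def human_time(seconds):
    """Render seconds at the largest unit that gives a value >= 1."""
    for name, size in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds * 1000:.3f} milliseconds"


def crack_table(lengths=(8, 10, 12)):
    """Rows of (length, type, time) in the same shape as the article's table."""
    return [(n, kind, human_time(seconds_to_exhaust(keyspace(n, size))))
            for kind, size in ALPHABETS.items() for n in lengths]


def variation_keyspace(dictionary_words, rules_per_word):
    """Effective space for 'base word + known mutation': the attacker only
    enumerates dictionary x rules, regardless of the string's length."""
    return dictionary_words * rules_per_word


if __name__ == "__main__":
    for n, kind, t in crack_table():
        print(f"{n:2d} {kind:<55} {t}")
    # P@ssword1234 looks like a 12-character, 94-symbol string...
    print("as random string:", human_time(seconds_to_exhaust(keyspace(12, 94))))
    # ...but is one of (constructed) 100k base words x 10k mutation rules.
    print("as a variation:  ",
          human_time(seconds_to_exhaust(variation_keyspace(100_000, 10_000))))
```

Two things the numbers make concrete: going from 8 to 12 characters multiplies the space by the alphabet size to the fourth power (94^4, roughly 78 million, for the full printable set), which is why length beats complexity; and the variation space is the same size whether the base word is 8 or 12 characters long, which is why the table's last row says nothing about P@ssword1234.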

Summary

If you were to remember only 20 words of this article, I would hope they were the following:

  • Do not share your password with anybody;
  • Never reuse a password for multiple accounts;
  • Variations of passwords are pretty bad.

Password security is definitely a huge topic, so I had to summarise a bit and make it more manageable. I would really appreciate some feedback on whether the article was too shallow or too deep. Also, share in the comments if you’d like more content on this subject! 🤪

External references

[1] Table data generated from How Secure Is My Password?


Cover photo by Dan Nelson

Breno Beraldo

Just your average engineer-coder-gamer. Trying to catch up on my always growing backlog of personal projects and books to read. Firmly believes Python — not French — is the most romantic language.

