Introduction
By the end of this article, you will know:
How Passwords are Stolen
Online security is a major concern for most online services providers, some providers protect their online users through multi-factor authentications, and up-to-date most provide 1 level authentication - the password.
The password is the first line of defense between your data and hackers.
As we use more online services (including internal networks – Intranets), we are forced to create and use more and more passwords, and if we go via the simple route, we will end up with using the same password everywhere. And may be something simple to remember (weak password), especially where some online services providers allow for weak or bad passwords, see Worst Passwords of 2012.
The matter is serious when it comes to online bank accounts like PayPal and banks’ sites, or corporate portals and online network resources, email, blogs, online storage services, social networking sites, or your operating system.
So, spending some time to strengthen your passwords could save you a lot of time and headaches in the future.
Today, I will talk about protecting your online account by creating a strong password that is easy to remember, hard to crack or brute-force attacked, avoiding bad or weak passwords.
How Passwords are Stolen
When you are creating a strong password, it can help to know the tactics hackers use to steal them. Here are some of the most frequently used tactics:
1. Guessing
Programs that often use personal information found online – such as names, birth dates, room numbers, check or card numbers, phone numbers, pin numbers, parents or friends names, pets name and more names or numbers that are related to them - as a starting point. These programs can even search for a word spelled backwards.
TIP: Stay away from using any personal identity information when creating a password.
2. Dictionary-based attack
Programs that run every word in a dictionary as a password in hope of finding a perfect match. This type of attack works because many users insist on using ordinary words as passwords. Dictionary attacks are rarely successful against passwords that are multiple-word phrases, and unsuccessful against passwords that are combinations of uppercase and lowercase letters mixed up with numbers and symbols.
TIP: Stay away from dictionary words, even in a foreign language, use phrases or complex combinations as passwords.
3. Brute-Force attack
Programs try usernames and passwords, over and over again, until they gain access to account. These attacks can take several hours, days, months, and even years to run. The amount of time it takes to complete these attacks is dependent on the complexity of the password, and the strength of the computer(s) being used in attack.
TIP: The best way to beat such an attack is with a long, complex password that uses upper and lower case letters, numbers, and symbols.
To help prevent brute-force attacks many systems only allow a user to make a mistake in entering their username or password three or four times. If the user exceeds these attempts, the system will either lock them out of the system or prevent any future attempts for a set amount of time.
4. Phishing
Phone phishing
You may get a call from a service you use asking for username and password for solving a problem.
TIP: Treat all unsolicited phone calls with skepticism, and don’t disclose your password or any personal information until you make sure they are legitimate, and tell them that you will call them again.
Email phishing
You may get an urgent IM or e-mail message from a service you use to alarm or excite you into responding. These e-mails often direct you to phony web sites designed to trick you into providing personal information, such as your user name and password.
TIP: Don’t click a link in any suspicious e-mails, and don’t provide your personal information unless you make sure they are legitimate.
Many service providers warn their clients that they don’t request the clients’ passwords under any circumstances.
5. Shoulder surfing
Passwords are not always stolen online. A hacker who is lurking around in a computer lab, cybercafe, library, airport or any public place may be there for the purpose of watching you enter your user name and password into a computer or an online account.
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures in any public place to observe data entry.
TIP: Try to enter your passwords quickly, without looking at the keyboard. Also, try to shield the paperwork or the keypad from view by using one’s body or cupping one’s hand.
Strong Password Creation
A: Manual creation by strength strategies
You can create a strong password that is virtually impossible for a hacker to figure out or crack using brute force methods using the following strategies:
1. Make the password at least 10 alphanumeric long
The longer, the more complex and more secure. Longer passwords are harder for thieves to crack.
2. Include numbers, upper and lower case letters, and symbols
The more varied your password is, the harder it is to guess. If the website allows it, use a $ instead of an S or a 1 instead of an L or include an & or ! – but note that $1ngle is NOT a good password. Password thieves are onto this. But Mf$1avng (short for "My friend Sam is a very nice guy") could be a great password, symbols that can be used like !@#$%^&*()_+|~-=\`{}[]:";’<>?,./
3. Create passwords that are easy to remember but hard for others to guess
To create a complex password, do not think of passwords as words, rather think them of as a phrases of your interest such as "I always go to my work on time, and leave on time" and create an acronym (use the initial of each word) like this: "Iagtmwotalot.", then substitute numbers or symbols for letters in an easy-to-remember way "I@gtmwota1ot", in this way you create a strong password that is easy to remember, hard to crack or brute force attacked.
4. Keep it fresh
Password-cracker programs follow the strategies and guidelines declared in password strength check sites to crack any password. So, change your password regularly, at least every six months, but for online banks (e.g. PayPal) and e-commerce sites (e.g. eBay), I generally recommend users change their passwords every 30 to 90 days – the more money, the more often.
Why should you change your password periodically?
Passwords are often stolen without the knowledge of the victim, and stolen passwords often aren’t used immediately. They’re collected, sold to organized crime, rebundled and resold, and left unused for some time. Even if you’re not aware your password was stolen, if you change it periodically you may change it before a thief has an opportunity to use it. Second, while we are constantly working to strengthen your password security, computers are also always getting faster. It’s possible to guess your password through sheer persistent computer effort. With current technology, this takes months if you have a strong password. If you change your password every six months, any brute force attack that takes longer is ineffective. For more info Why should I often change my password?
Change your password immediately if
- There have been any security breaches in the service like what happened in Yahoo, Linkedin and eHarmony, and the change is required by the service provider policy
- Or you had fallen for phishing
- Or you saw signs of strange activities in your account
- Or you lost your device that has the password stored
- Or someone else captured your password.
5. Use the virtual keyboard
Utilize the virtual keyboard when you write your account password to prevent keyloggers malicious software (which can’t be detected by your antivirus) from capturing your keystrokes.
6. Use password manager to securely store and manage your passwords
Do not write down your password anywhere where it might be seen or found, passwords should be kept secret, and as there exist lots of passwords for many services or sites, the matter is difficult to remember all passwords which changed periodically.
So, we are in need for a solution to store and automatically refill passwords for us, this is what is called password managers or wallets.
Password manager is a safe app or services where you can store different password for each service or site, then when next visits data are autofilled.
7. Make your password a total mystery to others and avoid using bad or weak passwords
- Dictionary word "Mohammed"
- Common name "football",
- Easy to guess "P@ssw0rd"
- Hobbies and interests
- Your login
- Your friend’s name
- Your family member’s name
- Your personal information like your name, birthday, or driver’s license number.
- Keyboard sequences or repeated characters like 1234567890, 2222222222, abcdefghij, "qwerty" or "qazwsx"
8. Don’t recycle them
Create new, unique passwords. Never re-use one from the past or its variant as it can be used to predict the new password easily.
9. Don’t invert words
It’s not hard just to reverse a word and find a password.
10. Don’t just use one password for different websites
If someone finds that one password, they could use it to break into your accounts at other sites.
B: Automatic creation by password managers
There are excellent several apps and web services which create a different, strong password for each of your sites, store them encrypted, and then autofill them each time you visit the site. All what you need is to remember the very strong master password of the password manager, and the solution does the hard work for you.
If you just use a computer, try downloading the Mozilla Firefox Web browser and using its built-in password manager or use the paid Kaspersky Password Manager. Make sure you create a master password to protect your list. Other web browsers will save your passwords, but they’re not protected by a master password.
If you access secure sites on your smart phone as well as your PC, you’ll want one solution that works on all devices such as Lastpass, RoboForm and Sticky Password - more password management software -which works on PCs, Macs, Android devices and iOS devices.
Although these apps or services have the option to remember the master password on your PC, laptop, tablet or smart phone, it is recommended that you manually enter your master password on a laptop or mobile device as they could easily fall into the wrong hands.
Passwords are stored in an encrypted "vault," which is actually a dedicated database stored on your device, as well as the company’s servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don’t have to worry about synchronizing or backing up your data.
For a lot more on password management, see "Facing the pain of passwords"
Password Strength Checking
If you manually created your password, and you doubt its strength, you can check it on one of the following:
Where you get a feedback of your password strength, the more green the password strength meter the more stronger is your password. Do not type your password, it could be stealing your password, use a similar one.
The site tells you how long the average PC would take to crack it. For example, cracking "Aothuw1!" would take 3 days, "Aothuw12!" would take 275 days, and "Aothuw123!" about 58 year, and " Aothuw1234!" about 4 thousand year, and so on, also do not type your password. The password "Aothuw123!" needs 94^10 = 53861511409489970176 max trial to guess it and this will take tens of years to guess for moderate PC.
The site tells you how good enough your password is, based on many criteria.
Where password strength is checked against many patterns and total tested passwords with the same pattern.
Use Your Password Safely
1. Never give out your password to anyone
Never give it to friends, even if they’re really good friends. A friend could accidentally share your password with others or become an ex-friend and abuse it or use it on a machine that is not secure. Possible exceptions are kids who share with parents or spouses who share with each other.
2. No passwords on computers you have no control
Don’t use public computers in your Internet cafes for anything other than anonymous Internet browsing, as they may be equipped with keystroke loggers.
3. Password strength is useless if
The service provider has security holes or there exist keyloggers that capture every keyboard’s keystroke, or fallen for phishing.
4. Enable 2-factor authentication
Do not rely only on password, as any password regardless of its complexity can be cracked, it is a matter of time and effort, so try to consider looking for 2-factor authentication if possible, to make your accounts more secure.
A growing number of sites allow for 2-factor authentication where something you know (user name, password, PIN or answers to questions) and something you have (soft token or access card ). So, if the site or service you use has 2-layer security, then you should enable it, with strong password and 2-step verification, your account can’t be hacked even if password is guessed.
Some sites like Google and Facebook only require it if you are on a new device, others require it each time like financial and bank sites.
5. Don’t fall for "phishing" attacks
6. Don’t give your password over phone.
7. Enter passwords on web sites only if
You have opened by typing the address or selecting from your bookmarks, the site is using a secure HTTPS connection, and you have verified the site’s identity using its certificate.
8. Make sure your computer is secure
The best password in the world might not help if someone is looking over your shoulder while you type (in real life or virtually) or if you forget to log out at a shared computer. Malicious software, including "keyboard loggers" that record all of your keystrokes, can steal passwords and other information. To increase security, make sure you’re using up-to-date antivirus software – which could detect and block many types of keyloggers-, operating system, and use the virtual keyboard instead of hardware one.
9. Consider a "password" for your mobile phone too
Many phones can be locked so that the only way to use them is to type in a code. People can find or steal unlocked phones and use them to steal your personal information, make calls, or send texts that look like they’re coming from you. Someone using your phone could send texts that look like you’re harassing people in your address book with inappropriate images or words.
10. Keep aware
Most people know that strong passwords are a good idea, but don’t realize hackers are becoming increasingly sophisticated at password "cracking." You have to change your password frequently, and stay aware of what techniques hackers are using to steal passwords, if you want to stay ahead of the bad guys.
If you found this post useful, kindly share it as much as you can. And for any question, inquiry or advice, feel free to ask me via comments.
For extra details, you could visit:
He is Desktop, Web, Phone, Service and Solution developer and Team Leader.
He is Egyptian working for Qudra-Tech, Riyadh, KSA.
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
Set 16 chars + lower\upper\number and 1-2 symbols