Use better passwords

Everyone can be hacked

There are multiple ways a hacker could gain access to your bank account, a social media account, a cloud storage service or really anything else. There are always new bugs and exploits being found, which then get sold for insane amounts of money. Usually software manufacturers are pretty fast with fixing known issues, but they can only help you if you keep your software up to date.

But most hackers don't use special exploits to gain access to your accounts. They could just try a lot of common passwords, or gather information about you, like old nicknames, the name of your pet or the names of family members, and combine this information in many different ways to figure out your password.

Why should I be a target of an attack?

There are multiple reasons why a hacker might be interested in hacking you.

The most obvious being money. Everything is online and digital nowadays: your bank, your communication with business partners or friends, your photos. Imagine someone hacking your email account, imitating your "style of writing" an email and sending invoices to your customers. Or a hacker might imitate a friend who needs you to lend them some money and send it to a new bank account. Those are some obvious techniques, but hackers can get really creative when they find a good target.

Another type of hacker could be someone from your personal life. Maybe someone who hates you and wants to harm you in any way, or someone who likes you too much and wants to find out every detail about your life. They might be interested in reading your private messages on a social media platform or gaining access to your cloud storage to find private photos or important documents.

How can I prevent that?

A hacker will always ask themselves if the potential cost of hacking you is lower than the potential gain. So, in order not to get hacked, you need a security system that can only be cracked if a hacker spends more resources (for example money) than they would gain by getting access to your accounts. For example, if you have 10.000 euro in your bank account but a hacker would need to rent a computer for 20.000 euro to hack you, they probably won't do it. But if they could get 100.000 euro instead of 10.000 euro, an "investment" of 20.000 euro does not seem so bad.

A very important rule when choosing a new password is DO NOT EVER REUSE A PASSWORD. Big companies are targets of attacks all the time and emails with the corresponding passwords get leaked regularly. It's fairly easy, if you have a huge list of email-password pairs, to just try them out on a lot of other websites.

If you want to find out if your email appeared somewhere in a data breach before, I can recommend the website Have I Been Pwned. It stores information on a lot of the major data breaches in the past and can tell you if and where your email appeared before.

Some people also use a different email address for every new account they create, so if one email address gets leaked somewhere, they directly know which account got compromised. This might be a little over the top for a lot of people, but it is always a question of how much a hacker could gain by hacking you.

The most common passwords in 2021 according to NordPass were:

123456
123456789
12345
qwerty
password
12345678
111111
123123
1234567890
1234567
qwerty123
000000
1q2w3e
aa12345678
abc123
password1
1234
qwertyuiop
123321
password123

It's obvious that the most common passwords are bad passwords. Even if 99.9% of users decided to use good passwords, good passwords would never make it onto the list, because as soon as multiple users use the same password, it is not a good password anymore.

How do I choose a good Password?

The best way to choose a password is to not choose a password yourself, but to let it be generated by a random password generator. There are tons of websites that do that for you, but if you want to be really secure you should generate your password yourself, for example with a little Python script:

import secrets
import string

def generate_password(length):
    # secrets draws from the operating system's cryptographic random source;
    # the random module is a predictable PRNG and must not be used for passwords
    charset = string.ascii_letters + string.digits + string.punctuation
    password = ''.join(secrets.choice(charset) for _ in range(length))
    return password

password = generate_password(12)
print(password)

Having a good password means having a password that is really hard to guess. The more possibilities a hacker needs to go through to guess your password, the better.

For example, if your password is completely random, 4 characters long and consists of lower- and uppercase letters (a-z and A-Z = 52 different characters), a hacker would need to try 52^4 = 7.311.616 different combinations to figure out your password. That might sound like a lot at first, but going through and creating a list of all those possibilities took my laptop (MacBook Pro from 2019) on average 1.25 seconds. Here is the script if you want to try that out yourself:

from time import time
import itertools

letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
passwords = []

start = time()
for combo in itertools.product(letters, repeat=4):
    passwords.append(''.join(combo))

end = time()

print('time: %.2f seconds' % (end - start))

How long should my password be

If you have a typical American QWERTY layout, there are 95 different characters to choose from (including upper- and lowercase letters, numbers and symbols). If you generate your password from this alphabet, your password should be at least 10, but ideally 12 or more characters long to make it very unlikely that your password gets cracked. If a computer could try out one billion passwords per second, it would still take nearly 1.900 years to go through every combination of a 10-character password, whereas with our 12-character password it would already take 17.000.000 years. To put this into perspective, going through every eight-character password with this supercomputer would only take 2.5 months.

Bits of entropy

You can measure the strength of your password in bits of entropy. If you have a pool of N possible passwords, you can calculate the bits of entropy E as log2(N). For our example of 95^8 different passwords, that would be about 53 bits of entropy. We can use these numbers to compare passwords that are generated from different alphabets and with different lengths.
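The entropy and brute-force figures from the last two sections, put together in one small script. This is an added example, not part of the original article; the one-billion-guesses-per-second rate is the article's thought-experiment assumption, and the alphabet sizes (52 letters, 95 printable US keyboard characters) are the ones used above.

```python
import math

# Alphabet sizes used in the article
LOWER_UPPER = 52       # a-z and A-Z
US_KEYBOARD = 95       # printable characters on a US QWERTY layout

# Assumed attacker speed from the article's thought experiment
GUESSES_PER_SECOND = 1e9

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def entropy_bits(alphabet_size, length):
    """E = log2(N) with N = alphabet_size ** length equally likely passwords."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: trying every password of this shape."""
    return alphabet_size ** length / rate


def describe(alphabet_size, length):
    """One comparison line: alphabet, length, entropy and exhaustive-search time."""
    secs = seconds_to_exhaust(alphabet_size, length)
    if secs < SECONDS_PER_DAY:
        human = "%.3g seconds" % secs
    elif secs < SECONDS_PER_YEAR:
        human = "%.1f days" % (secs / SECONDS_PER_DAY)
    else:
        human = "%.0f years" % (secs / SECONDS_PER_YEAR)
    return "%2d chars, length %2d: %5.1f bits, exhaustive search %s" % (
        alphabet_size, length, entropy_bits(alphabet_size, length), human)


if __name__ == "__main__":
    # Note how every extra character multiplies the attacker's work by the
    # alphabet size, i.e. adds log2(alphabet_size) bits of entropy.
    for alphabet, length in [(LOWER_UPPER, 4), (US_KEYBOARD, 8),
                             (US_KEYBOARD, 10), (US_KEYBOARD, 12)]:
        print(describe(alphabet, length))
```

The 4-letter case finishes in a few milliseconds at this rate, which is why the article's laptop timing of 1.25 seconds should be read as a lower bound on how fast a real attacker is.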

How to secure your passwords

Now that we know how to create secure passwords, we have to remember them. But since not every one of us has a perfect memory, we need to store them somewhere. There are several different options to do that.

Create a file on your desktop named "passwords.txt"

This is by far the worst option. The good thing about doing that is having them easily accessible for you, but also for a hacker. Gaining access to files on an unencrypted hard drive is fairly easy if you have physical access to the computer in question. There are also often new exploits found that let hackers access files on your device, therefore you should not store your passwords in plain text on your PC.

Just write them down on paper?

Writing your passwords down on paper is theoretically a good idea, but it loses points in practicability. If you use paper to write down all your passwords, it's very easy to fall back into the habit of reusing passwords or coming up with them on your own instead of letting them be generated randomly.

Using a password manager

A password manager is a program which stores all of your logins and passwords (ideally encrypted) somewhere, for you to access them when you need them. You just need to remember one password to access them all, the obvious drawback being that a person who wants to hack you just needs access to your computer (which stores the encryption keys) and only one "master password". Using a password manager like 1Password, Dashlane or Bitwarden is in my opinion the best compromise between security and convenience.

Some people might think having an online password manager defeats the purpose of having a password manager, because if the programmers did something wrong in their code, all of your passwords could get compromised. An alternative would be to use an offline-only password manager, or to write the most important passwords down on paper.

Conclusion

I hope this article gave you a good introduction on how you can handle your passwords in the future. If you found out that your passwords are unsafe, please change them as soon as possible.

There are of course a lot more ways to secure your accounts on the internet, for example two-factor authentication. I would definitely recommend turning that on where possible, at least for your important accounts, like your email or banking.

If you have any feedback, questions or thoughts, don't hesitate to reach out and let's have a chat about them.