I thought I had really strong passwords (I had wrongly assumed that a longer password was necessarily more secure than a shorter password), and I was outright shocked at how insecure my passwords actually are.
The article is definitely worth a read (especially if you’re a little on the geeky side), but here are few take-aways for those not inclined to read the whole thing:
1. Password cracking isn’t done by trying to log in to a website over and over until the hacker hits the right password. It’s done offline after someone hacks the website’s servers and illegally obtains a list of passwords in their encrypted form.
2. Depending on how a website has stored your passwords, hackers can try several BILLION (with a B) combinations per SECOND.
3. There are lots of FREE resources online to help hackers crack your passwords.
4. The more convenient your password is for you, the less secure it’s likely to be. And even passwords you assumed were secure may take only a few seconds to crack.
5. The length of the password is less important than the way it’s constructed. A somewhat shorter password made of *RANDOM* upper and lowercase letters, numbers, and symbols is better than a longer password with a simpler or more predictable structure. For example:
CHOOSE “C6:rwsm@” or “/m?>7A3%”
DO NOT CHOOSE “momof3g8kids”, “1368555av”, “ILoveChocolate46,”, “n3xtb1gth1ng,” “Sh1a-labe0uf,” “Philippians4:6-7,” or even “qeadzcwrsfxv1331”
6. Hackers don’t simply crack passwords through brute force, ie. trying every possible combination; they also take advantage of the kind of patterns listed above, because they know how people usually choose passwords. This is why a long password that seems secure to you (like “Sh1a-labe0uf”) takes no time at all for a hacker to crack. This was probably the single most enlightening fact in the entire article from my point of view. (essentially: “You weren’t nearly as clever as you thought you were when you picked that password.”)
Make sure your passwords are a minimum of 11 characters, contain upper- and lower-case letters, numbers, and symbols, and aren’t part of a pattern. That last bit is really, really important so I’m going to say it again: AREN’T PART OF A PATTERN.
On one hand, this is kind of tragic, because it means you’re in bigger danger than you thought, your passwords just got a whole lot harder to remember, and you may need to resort to using a password manager. On the other hand, it’s actually good news, because you just learned how to minimize your chances of having your passwords cracked.
As for me, I’m off to change my passwords….