1234 won't cut it anymore

[Header image. Credit: Stephanie Lai]
Creating a password these days isn't as easy as it once was. '1234' won't cut it anymore.

Wired magazine writer Mat Honan lost his digital life two years ago when a hacker got hold of his Google account. He lost his email address along with eight years' worth of emails and everything on his mobile phone and computer, including irreplaceable family pictures.

While this was some time ago, hackers haven’t gone anywhere. Just last month the New York Times reported that Russian hackers stole over a billion username and password combinations from 420,000 websites, the largest credential heist in history.

Honan lost pictures and emails, but he could have had his bank account hacked into and even his identity stolen. And it could happen to you, too. So here’s how to better protect yourself when it comes to passwords.

The average password is six characters long, all lowercase letters, and takes three minutes to crack, according to the website Instant Checkmate. So the first thing to do is to create strong passwords.

When it comes to password strength, Per Thorsheim, the founder of PasswordsCon, the only international conference on passwords, said, “length trumps everything else.”

In agreement, Mark Wales, the founder of HowSecureIsMyPassword.com, explained that there are 308 million possible six-lowercase-letter passwords. Replacing some of the letters with numbers increases the number of possibilities to 2 billion, while adding an extra lowercase letter instead increases it to 8 billion.

“Numbers and symbols don’t actually add a great deal of complexity,” Wales said in an email.

He recommended using lines from films and songs, including spaces and punctuation. Not only are they typically long, he said, but also memorable.

Thorsheim added that such passwords may not look complicated, but they are from a hacker’s perspective.
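To put numbers on the "length trumps everything" argument, here is an added example (not from the article or from either expert) that computes the keyspace for several password policies, including the article's three cases, and the worst-case time to exhaust each one. The guessing rate, the extra alphabets (space-separated lowercase, full printable ASCII) and the 25-character lyric length are assumptions chosen for illustration.

```python
import math

# Alphabet sizes assumed for the comparison (constructed for this example).
# The article's own cases are lowercase-only and lowercase-plus-digits.
ALPHABETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "lowercase+space": 27,        # a lyric or film line typed in lowercase
    "all printable ASCII": 95,    # upper, lower, digits and symbols
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity on a log scale: every extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e10) -> list:
    """Rank candidate policies by keyspace. The 1e10 guesses/s rate is an assumption."""
    candidates = [
        ("lowercase", 6),            # the article's 308 million case
        ("lowercase+digits", 6),     # swap some letters for digits: about 2 billion
        ("lowercase", 7),            # one more letter instead: about 8 billion
        ("all printable ASCII", 8),  # a typical 'complex' 8-character password
        ("lowercase+space", 25),     # e.g. a 25-character line from a song
    ]
    rows = []
    for name, length in candidates:
        size = ALPHABETS[name]
        rows.append((name, length, keyspace(size, length),
                     round(entropy_bits(size, length), 1),
                     years_to_exhaust(size, length, guesses_per_second)))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    for name, length, space, bits, years in compare_policies():
        print(f"{name:>20} x{length:<3} {space:>50,d}  {bits:>6} bits  {years:.3g} years")
```

The figures are for exhaustive search; a widely known lyric will be in a cracker's phrase list long before that, so the passphrase row is an upper bound, and an obscure or altered line holds up far better than a famous one.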

But even a strong password doesn’t completely protect you from hackers. The Russian hackers probably did not get the credentials by trying every possible username and password combination on over 400,000 websites. Chances are, they hacked the websites themselves to get hold of the credentials. When this is the case, credentials should be encrypted – meaning the hackers can’t actually read them – but they aren’t always. And even when they are, Wales said, some websites use encryption that is easy to crack.

“You can never be sure that the site you’re giving your password to has gone through proper security measures,” he said.

If you reuse a password and one account is compromised, then they’re all compromised. That is why using a different password for every website is a must.

“Imagine if you have the same password everywhere,” Thorsheim said in an email. “What happens then to your insurance? Bank account? Credit card? Health information?”

Though having different passwords for every site might seem like more trouble than it’s worth, Thorsheim has a tip – write them down. He suggests doing so in a password manager application, such as 1Password or LastPass. The trick to choosing a password manager application is to check whether security audits have been done on it, he says, and if not, don’t trust it.

The other tip is one you’ve been told not to do by virtually everyone: write your passwords down on a piece of paper and hide it.

“Yes, I’m serious,” he said. “The number of people able to figure out that you have [done] this and steal that paper is low, and most should preferably be people you can somewhat trust.”