The best passwords will thwart brute force and dictionary attacks, but it's also possible to make them easy to remember. Try these password ideas to make your accounts unbreakable.
Every week, our researchers round up the latest security news and report our findings in these blog pages. If you’ve been reading, you may have noticed a particularly nasty trend claiming new victims week after week — data breaches. In the last two months alone, we’ve reported on Carnival Cruises, ProctorU and Garmin. And that’s only some of them.
Your passwords grant access into your own personal kingdom, so you are probably thinking 'what are the best practices to create a strong password' to protect your accounts against these cybercriminals. If your passwords were part of a breach, you will want to change them immediately.
So, what's the solution? Uncrackable passwords. But before jumping to that, let’s first take a look at the various ways passwords can be hacked, so that you understand the most common methods being used today.
Cybercriminals have several password-hacking tactics at their disposal, but the easiest one is simply to buy your passwords off the dark web. There’s big money in the buying and selling of login credentials and passwords on the blackmarket, and if you’ve been using the same password for many years, chances are it’s been compromised.
But if you’ve been wise enough to keep your passwords off the aggregated blackmarket lists, cybercriminals have to crack them. And if that’s the case, they’re bound to use one of the methods below. These attacks can be aimed at your actual accounts or possibly at a leaked database of hashed passwords.
This attack tries to guess every combination in the book until it hits on yours. The attacker automates software to try as many combinations as possible in as quick a time as possible, and there has been some unfortunate headway in the evolution of that tech. In 2012, an industrious hacker unveiled a 25-GPU cluster he had programmed to crack any 8-character Windows password containing uppercase and lowercase letters, numbers, and symbols in less than six hours. It has the ability to try 350 billion guesses per second. Generally, anything under 12 characters is vulnerable to being cracked. If nothing else, we learn from brute force attacks that password length is very important. The longer, the better.
This attack is exactly what it sounds like — the hacker is essentially attacking you with a dictionary. Whereas a brute force attack tries every combination of symbols, numbers, and letters, a dictionary attack tries a prearranged list of words such as you’d find in a dictionary.
If your password is indeed a regular word, you’ll only survive a dictionary attack if your word is wildy uncommon or if you use multiple word phrases, like LaundryZebraTowelBlue. These multiple word phrase passwords outsmart a dictionary attack, which reduces the possible number of variations to the number of words we might use to the exponential power of the number of words we’re using, as explained in the “How to Choose a Password” video by Computerphile.
That most loathsome of tactics — phishing — is when cybercriminals try to trick, intimidate, or pressure you through social engineering into unwittingly doing what they want. A phishing email may tell you (falsely) that there’s something wrong with your credit card account. It will direct you to click a link, which takes you to a phony website built to resemble your credit card company. The scammers stand by with bated breath, hoping the ruse is working and that you’ll now enter your password. Once you do, they have it.
Phishing scams can try to ensnare you through phone calls too. Be leery of any robocall you get claiming to be about your credit card account. Notice the recorded greeting doesn’t specify which credit card it’s calling about. It’s a sort of test to see if you hang up right away or if they’ve got you “hooked.” If you stay on the line, you will be connected to a real person who will do what they can to wheedle as much sensitive data out of you as possible, including your passwords.
Now that we know how passwords are hacked, we can create strong passwords that outsmart each attack (though the way to outsmart a phishing scam is simply not to fall for it). Your password is on its way to being uncrackable if it follows these three basic rules.
Stay away from the obvious. Never use sequential numbers or letters, and for the love of all things cyber, do not use “password” as your password. Come up with unique passwords that do not include any personal info such as your name or date of birth. If you’re being specifically targeted for a password hack, the hacker will put everything they know about you in their guess attempts.
Avoid these top 10 weak passwords
Keeping in mind the nature of a brute force attack, you can take specific steps to keep the brutes at bay:
The key to staving off this type of attack is to ensure the password is not just a single word. Multiple words will confuse this tactic — remember, these attacks reduce the possible number of guesses to the number of words we might use to the exponential power of the number of words we are using, as explained in the popular XKCD post on this topic.
At Avast, we know a thing or two about cybersecurity. We know what makes a solid password, and we have our favorite methods to create them. The methods below give you some good password ideas to create your own strong, memorable passwords. Follow one of these handy tips, and you’ll be doubling down on protecting your digital world.
This is the multiple word phrase method with a twist — choose bizarre and uncommon words. Use proper nouns, the names of local businesses, historical figures, any words you know in another language, etc. A hacker might guess Quagmire, but he or she would find it ridiculously challenging to try to guess a good password example like this:
While the words should be uncommon, try to compose a phrase that gives you a mental image. This will help you remember.
To crank it up another notch in complexity, you can add random characters in the middle of your words or between the words. Just avoid underscores between words and any common leetspeak* substitutions. (*leetspeak: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
This method is also described as the "Bruce Schneier Method." The idea is to think of a random sentence and transform it into a password using a rule. For example, taking the first two letters of every word in “The Old Duke is my favorite pub in South London” would give you:
To anyone else, it’s gobbledygook, but to you it makes perfect sense. Make sure the sentence you choose is as personal and unguessable as possible.
All of the above methods help to strengthen your passwords but aren’t very workable, given that the average person uses dozens of them. Let’s review a few ways we recommend: use new complex passwords and a password manager, install an authenticator app on your smartphone, and purchase new hardware. Each of these can help with better and more secure authentications.
A password manager keeps track of all of your passwords and does all the remembering for you, except for one thing — the master password which grants you access to your password manager. For that big kahuna, we encourage you to use every tip and trick listed above.The programs also come with generators, such as the Avast Random Password Generator shown below, so you can create super-complicated, extra-long passwords that are infinitely more difficult to crack than any passwords a human might come up with. PC Magazine has a series of recommendations of password managers here.
Check the Avast Hack Check site to see if your password has been leaked in previous data breaches. If it has, change your password on your email account immediately.
Sample test using Avast Hack Check showing that the email “email@example.com” has been compromised in a previous data breach.
Security-conscious websites will hash its users’ passwords so that even if the data gets out, the actual passwords are encrypted. But other websites don’t bother with that step. Before starting up accounts, creating passwords, and entrusting a website with sensitive info, take a moment to assess the site. Does it have https in the address bar, ensuring a secure connection? Do you get the sense it is up on the newest security standards of the day? If not, think twice about sharing any personal data with it.
Multi-factor authentication (MFA) adds an extra layer of protection (which becomes your first layer of protection should your account details ever get leaked). These have become the new industry standard for effective security. In our blog post here, we explain how they are used and how you can add MFA to common social accounts such as Twitter and Facebook. They require something in addition to a password, such as biometrics (fingerprint, eye scan, etc.), or a physical token. This way, as simple or complex as your password is, it’s only half of the puzzle.
Further reading: How to use multi-factor authentication for safer apps
Note: given the 2018 Reddit hack caused by SMS-intercepts, we do not recommend using SMS as your second factor of authentication. This is a well-trod path by many hackers in the past few years.
The best MFA method is to use a specialized app for your smartphone. Google’s Authenticator (for Apple here, for Android here) and Authy are two examples and both are free. The app generates a one-time PIN that you enter as the additional factor during your login process. The PINs automatically change every 30 seconds. You’ll need to follow the instructions to set up MFA for your particular application and some applications don’t yet support this MFA method.
Security keys and the FIDO alliance
Security keys take security to the next level. A security key like the YubiKey (named for “ubiquitous key”) gives you the most state-of-the-art protection available today. It serves as your MFA, granting you file access only if you physically have the key. Security keys are available in USB, NFC, or Bluetooth versions, and they are generally about the size of a thumb drive. In 2017, Google mandated all of its employees to begin using security keys, and the company claims it has not experienced a single data breach among its 85,000 workers since. They have their own product called the Titan Security Key, designed specifically to protect people against phishing attacks.
For MFA and security keys: check out the FIDO alliance, which is working on creating strong authentication standards for desktop and mobile apps. If you’re as concerned about online security as we are, you want only to use FIDO-compliant services such as Microsoft, Google, PayPal, Bank of America, NTTDocomo, and DropBox, to name a few. When a certain security key, website, mobile app, etc. is “FIDO® Certified,” it satisfies the alliance’s high standard of authentication and protection.
In the early days of practical thought, Socrates doled out the sophisticated advice: Know thyself. We’re going to borrow from his book, upgrade the advice by a couple thousand years, and encourage all of you to do that which is absolutely essential today: Secure thyself.
Protect your login information further with these common sense, high-security tips: