Your Eight-Character Password is not as Strong as you Think

Online security has been discussed for a long time, but it is still a subject worth addressing. The average internet user might not be especially technically minded or savvy, so here are a few things that anyone who uses the Internet for serious purposes, such as correspondence and paying for services, should consider.

  • X-Force Red, IBM Security's team of white hat hackers, recently ran an experiment to crack an eight-character password.
  • The experiment was run at what one would call "low power" – IBM's security team only used 80 GPUs, which is just a fraction of the power available to actual bad actors who have botnets at their disposal.
  • The users in the experiment's control group were asked to register and create their own passwords, which were then protected in the usual manner.
  • The white hats running the experiment only used tools freely available online.
  • The average time it took for most eight-character passwords to be cracked was about half a minute.
  • Introducing a greater number and variety of symbols into the password, rather than just letters, dramatically increased the time it took to crack it, sometimes to more than a day and a half.

What does this all mean for the average internet user?

Well, it means that easy-to-remember eight-character passwords can't be relied on to keep your important personal online accounts safe. Even longer passwords are not good enough if they consist entirely of letters and don't include what would otherwise be considered "gimmicks", such as symbols. All in all, it's a good idea to adhere to a higher standard of security when choosing your passwords. Here are a few guidelines to follow:

  1. Make lengthier passwords. The length of the password you choose is directly linked to how much security that password actually provides. Multiple studies, including the one mentioned above, demonstrate that eight characters are insufficient to keep an account safe. Experts recommend a minimum of 12 characters, and while significantly longer passwords are more difficult to remember and input, you should strive to make passwords as long as you can manage to ensure maximum security, even when the site in question does not ask for it.
  2. Vary the content of the password. The abovementioned study found that including capital letters, lower-case letters, numbers and symbols dramatically increases the time it takes for a bot to crack your password. So include as many of those as possible in your password.
  3. Try not to be predictable. There are certain things you can do with your passwords that may seem clever or might look like a good idea, but actually aren't. Substituting the letter "A" with a 4 will not actually change how difficult your password is for a bot to guess. Putting random symbols, capitalizations and numbers here and there, however, will. Do that instead. Setting your password to something along the lines of "incorrect", "followthewhiterabbit" or "thisismypassword" is an extremely bad idea as well. If you use words in your password, make sure they are not something obvious that sees a lot of everyday use, or something lifted directly from pop culture. Make it something personal, a word or phrase related to a personal experience that no one else is likely to have had. A bot is unlikely to pull that out of a dictionary or online data dump any time soon.

These are the core practices that you should take into consideration when you compose a new password. Following them will make your passwords more complex and thus more difficult for potential hackers to crack, even if they have advanced tools and more raw computing power at their disposal. In other words, this will noticeably increase your cybersecurity.
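The three guidelines above as a small password check, as an added example that is not part of the original article. The blocklist is a constructed sample (it includes the article's own bad examples), and the substitution table and the three-class variety threshold are assumptions.

```python
import math
import string

# Constructed sample blocklist; the last three are the bad examples named in the article.
COMMON = {"password", "letmein", "incorrect", "followthewhiterabbit", "thisismypassword"}
# Assumed substitution table ("A" -> 4 and similar), undone before the blocklist lookup.
LEET = str.maketrans("4@31!05$7", "aaeiiosst")

MIN_LENGTH = 12   # guideline 1: minimum the article recommends
MIN_CLASSES = 3   # guideline 2: assumed threshold; the article says "as many as possible"
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}

def char_classes(pw):
    """Return the set of character classes that appear in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def keyspace_bits(pw):
    """Upper bound on the brute-force search space, in bits, for pw's length and classes."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def is_predictable(pw):
    """Guideline 3: True if pw is a blocklisted phrase after undoing simple disguises."""
    lowered = pw.lower()
    trimmed = lowered.strip(string.digits + string.punctuation)  # drop padding like "!" or "1"
    return any(c.translate(LEET) in COMMON for c in (lowered, trimmed))

def check(pw):
    """Return the list of guideline violations for pw (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(char_classes(pw)) < MIN_CLASSES:
        problems.append("low variety")
    if is_predictable(pw):
        problems.append("predictable")
    return problems
```

A password such as "Th1s1smyp4ssw0rd!" passes the length and variety checks but is still flagged as predictable, which is the point of guideline 3.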

The downside is that making longer, more complex passwords will likely interfere with your ability to remember and input them. This is especially true if you have multiple important correspondence, business or payment accounts that you need to access frequently. Unless you employ a password manager, longer passwords are a hassle, even if the extra layer of security they provide is undeniable.

However, no matter how much of a bother that may be, remember: you should NEVER fall into the trap of reusing the same password.

By Giles
November 14, 2018
