How easy is your password to hack?

Have you ever gone to an ATM to withdraw cash and had a complete blank when you were asked to key in your secret pin?

What about when you’ve had to update your password on your email and then you sit in front a locked screen because you absolutely cannot remember what you changed it to. Or, maybe, you’ve keyed in the wrong password into your smart phone seven times and now it is locked and if you do it wrong one more time, you will be locked out for hours.

Passwords are the most widely used security control online. We create them and use them to control every aspect of our online environment. For something so important, most people are exceptionally lazy at keeping them protected. For example, a common password like “123456” would take less than a second to crack. Yet, in data breach paste sites that published hacked data, this password has featured over 23 million times!

So how do hackers do it? Passwords are vulnerable to a few things, including:

• Brute force attack – someone using an automated trial and error cracking attempt that cycles through commonly used passwords. 
• Credential stuffing – where criminals use stolen usernames and passwords from sites to access other online accounts that use the same usernames and passwords.

Here’s the answers to the most common questions IDCARE receives concerning passwords:

• How long should a password be? Security experts recommend password managers which often use in excess of 16 characters, but for those without a password manager the advice is between 12 and 15 characters, using symbols, upper and lower case letters and numbers.
• How often should I change my passwords? The more frequent the better, but aim for every 30 days.
• Is anything stronger than a password? Yes, having multi-factor authentication with your password and username. This is usually a code that is provided at a point in time that is then added to the username and password when logging in. Good email providers have this function, but most don’t have this as the default setting!
• What else can I do to keep my passwords safe? Don’t forget to change default factory setting passwords on non-obvious devices, such as modems, child monitors, and network storage devices.
• How do I know if your password has been stolen?

1. Your anti-virus detects malware, including “key stroke loggers” that capture the user’s typing of their password.
2. You’ve been locked out of an online account because someone has broken in.
3. You have checked your email against a data breach paste site – these tell you what information of yours has been compromised in a data breach. Some of these sites contain information that impact hundreds of millions of accounts.
4. You experience identity theft and notice strange things are happening, such as your phone going to ‘SOS’ (because of an unauthorised port), unexplained transactions from online banking, or new products and services have been order. Not all identity theft is caused by a stolen password, but some certainly is.

If you think your password has been exposed, here’s a list of what you can do NOW to keep it safe:

• Change it immediately.
• Check the relevant account to make sure that your recovery settings haven’t changed, like an unknown email or phone number is present.
• Think about where else you may have used the same email and password combination.
• Mix them up! 
• Think about a Password Manager. These services take the guess work out of having to remember long and complex passwords. Yes, they too are vulnerable, but in our view not as vulnerable as not having one.
• Write a list of what personal, account and credential information you think you had in the account that has been exposed about you and other people, such as family members.
• Book a time with an IDCARE Case Manager as a free and anonymous community service to work the angles on what can be done to protect yourself or family members that have had information exposed (you can do this at www.idcare.org).