
Is your password really strong enough?

12th August 2015

Weak passwords are one of the leading causes of account hacking. Common mistakes include using your birthday or your child’s name as your password; these are easy for a hacker to find should that data be available online.

Many content management systems and password generators will tell you whether your password is secure. If it contains part of your name, e-mail address or domain name it will be much less secure, so you should avoid these. The same goes for generic terms like “password” and “admin”.

Security application company SplashData announced its annual list of the 25 most common passwords found on the Internet for 2015 – thus making them the worst passwords, the ones that will expose anybody to being hacked or having their identity stolen. In its fourth annual report, compiled from more than 3.3 million leaked passwords during the year, "123456" and "password" maintain the top two spots that they have held each year since the first list in 2011. Other passwords in the top 10 include "qwerty", "dragon" and "football".

Here is the top 10:

Rank  Password   Change from 2013
1     123456     No Change
2     password   No Change
3     12345      Up 17
4     12345678   Down 1
5     qwerty     Down 1
6     123456789  No Change
7     1234       Up 9
8     baseball   New
9     dragon     New
10    football   New

The best type of password will feature lots of different types of characters

You should use as many different types of character as you possibly can to ensure your password really is strong and to significantly reduce the chance of it being cracked. Consider the following:

  • At least one upper case character
  • At least one lower case character
  • At least one number
  • At least one symbol (like an @ sign or a * symbol)
  • Maybe even a space

Using a combination of the above (in no particular order) will make for a strong password that would be extremely difficult to guess.
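As an added example (not code from the original post), here is a small Python checker that applies the rules this post gives: it rejects the SplashData top 10 quoted above, the generic terms "password" and "admin", any fragment of the user's name, e-mail address or domain name, and any password missing one of the four required character classes. The name, e-mail and domain values passed to it are constructed sample input.

```python
import re

# Constructed from the SplashData top 10 quoted in this post; a real
# deployment would check against a much larger breach list.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}
GENERIC_TERMS = ("password", "admin")

# One regex per character class the post asks for (a space is optional,
# so it is not a required class here).
CHARACTER_CLASSES = {
    "upper case letter": re.compile(r"[A-Z]"),
    "lower case letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9\s]"),
}


def personal_fragments(name, email, domain, min_len=4):
    """Split the user's name, e-mail address and domain into fragments
    (e.g. 'alice', 'example') that must not appear inside the password."""
    fragments = set()
    for value in (name, email, domain):
        for part in re.split(r"[^A-Za-z0-9]+", value.lower()):
            if len(part) >= min_len:
                fragments.add(part)
    return fragments


def check_password(password, name="", email="", domain=""):
    """Return the reasons a password fails this post's guidance;
    an empty list means it passed every check."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the most-common-passwords list")
    for term in GENERIC_TERMS:
        if term in lowered:
            problems.append(f"contains the generic term '{term}'")
    for frag in sorted(personal_fragments(name, email, domain)):
        if frag in lowered:
            problems.append(f"contains personal data '{frag}'")
    for label, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing at least one {label}")
    return problems
```

Run against the post's own examples, "cu+eSalt62" passes every check while "tlpWENT2m" is flagged only for lacking a symbol.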

How to create a strong password

You should also avoid using the same password for all of your online profiles and networks – while this may be easier for you, it will also be easier for a hacker to wipe out all of your profiles using that one password. If you need to store these passwords somewhere secure so you don’t forget them, try a password management service like KeePass or LastPass.

Some handy tools you could try out for generating strong passwords are the following:

  • StrongPasswordGenerator.com - This site will let the user generate a password using a combination of different types of characters and with any chosen length. You are able to get rid of similar characters (such as O and 0), punctuation used in programming and even include phonetic words if you want them. Want to see an example of a super-strong 4096 character password? Click here!
  • The WordPress method - WordPress recommends either using a password manager or by creating a passphrase instead of a password – a passphrase is similar to a password, except that it’s based on a random collection of words, rather than just one. For example, copy indicate trap bright. Because the length of a password is one of the primary factors in how strong it is, passphrases are much more secure than traditional passwords. At the same time, they are also much easier to remember and type.
  • PasswordsGenerator.net - This site works in a similar way to StrongPasswordGenerator.com and lets the user choose a complex password by utilising all different types of characters, cases and allowing the user to have up to 2048 characters.
  • The Bruce Schneier method - The Bruce Schneier method is to take a sentence and turn it into a password. Something like "this little piggy went to market" might become "tlpWENT2m". This is achieved by turning the words into an acronym, randomly altering cases and replacing letters/words such as "to" with their number abbreviation (in this case, "2").
  • The Cosmic method - Here at Cosmic, one of the password creation methods we use is based on something developed by Mozilla (creators of Firefox) a couple of years ago. We find that it works well because it allows you to create a password that’s really easy to remember but secure and works across all of your accounts and websites. We put together a handy guide to take you through how to use this method.
  • The PAO method - Researchers proposed a “shared cues” system (pdf), asking you to first select an image of an interesting place (for example, a baseball field) as well as a photo of a familiar or famous person (say, Bill Gates). You would then imagine some random action along with a random object to create a PAO story. For example: “Bill Gates swallowing a bike on the baseball field.”
  • Norton Identity Safe Password Generator - This site will let the user generate a password using a combination of different types of characters and with any chosen length. Working in a similar way to StrongPasswordGenerator.net, Norton will allow you to choose the length, include letters, mix cases, use numbers, symbols, avoid similar characters such as 0 and O and also generate a number of different passwords using your chosen criteria so that you can find the one you like most.
  • DinoPass - DinoPass is an excellent password generator targeted at children. The generator will create either a simple or strong password that will be appropriate for a child to use in their online activities, with a large number of preselected words and phrases so that any possibility of a non-child friendly password is greatly reduced. The website does a good job of explaining to children what the benefits of having strong and simple passwords are: "Simple passwords only have lower case letters and numbers. They are easier to remember but might also be easier for someone else to guess. Strong passwords have mixed upper and lower case letters, a special character (like @, $, ! and so on) plus some numbers. They are best to use for important things like email accounts." An example of one of their strong passwords for children is cu+eSalt62.

Encryption to protect your files

One of the big uses of passwords today is to protect encrypted systems, especially laptops and USB drives. Once an encrypted laptop is stolen, then the thief’s only hope of gaining access to the data on the laptop is to use brute force. Once the length of the password goes over a certain number of characters, this becomes impractical (see: www.grc.com/haystack.htm).

Two step authentication and what it means

Another way of keeping your accounts safe is by using two step authentication. Many systems that use passwords offer a two step authentication process for an extra layer of security. While it still requires a password, it also uses an extra step to safeguard you using a variety of methods, most commonly sending a text message to your mobile phone with an authorisation code that you would need to enter into the website to gain access.

As a website owner, you should enable two-factor authentication on your accounts where possible. A compromised account can cause you to lose important personal data and valuable reputation for your site. Two-factor authentication can give you the peace of mind that your accounts and data are safer.

Weak passwords make you more susceptible to a brute force attack

A brute-force attack is an attack that can, in theory, be used against almost all types of encrypted data. It consists of a system checking every possible password until the correct one is found. For password guessing, this method is incredibly fast at checking all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time an exhaustive brute-force search takes.

Using passwords like the ones displayed in SplashData's research will be incredibly easy for these systems to crack, so take a look at some of the suggestions we have made to minimise the chance of this happening.
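To put numbers on why length matters more than anything else (the "haystack" idea referenced above and the reason a brute-force search becomes impractical past a certain length), here is an added Python example, not from the original post, that estimates the exhaustive search space for a password from the character classes it uses. The guess rate of ten billion per second is an assumed figure for illustration only; real rates depend on the hardware and the key-derivation function protecting the data.

```python
import string

# Assumed guess rate for an offline attack on a stolen encrypted drive;
# illustrative only, the real figure depends on hardware and the KDF.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the smallest character set containing every class the
    password uses: the 'haystack' an attacker has to assume."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def search_space(password):
    """Candidates an exhaustive search must try over that alphabet,
    for every length from 1 up to the password's length."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case years to try the whole search space at the given rate."""
    return search_space(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The post's own examples: a top-10 password, the Schneier and
    # DinoPass examples, and the WordPress passphrase.
    for pw in ["dragon", "tlpWENT2m", "cu+eSalt62",
               "copy indicate trap bright"]:
        print(f"{pw!r:28} alphabet={alphabet_size(pw):3} "
              f"space={search_space(pw):.2e} "
              f"years={years_to_exhaust(pw):.2e}")
```

The exhaustive figure is an upper bound: "dragon" falls to a dictionary attack long before its search space is exhausted, and a word-based passphrase is only as strong as the size of the list the words were drawn from, so choose the words at random from a large list.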

Now what?

If you’d like more information on how to ensure your passwords are secure, and your data is encrypted, then get in touch with Cosmic’s technical support team – we’re more than happy to help guide you on ensuring your systems are secure.