Protecting your passwords to personal or financial assets really should not be such a highly thought about task but actually with so many hacks and attacks taking place with business institutions, financial exchanges then onto personal timeline such email and social media account accounts, your data is not as safe as it would first appear.
These days it is simply not a good idea by any means to utilize a one-for-all password to access your online multi service accounts and data.
On the dark web, lists are available for popular email providers users and their respective logins – the hacker, or purchaser of these lists then tries logging into the relevant linked accounts like email, social media, banking and so on, if they get a ‘hit’, they will then try other accounts logins, using the same password. This could be by means of manually trying entries on the list or they may even use a computer script with a comma delimited file to process the accounts at a very fast rate using computer multiprocessing threads (Utilizing different IP address for each attempt).
There is a way to cut down on the risk significantly of a break in (with the password key) to your personal and financial data – do bear in mind that not all attackers are after your money but some aim to disrupt commercial services or personal links in communities, like vandalism of a product, fan or information page/website.
If you have the keys to the vehicle, you can pretty much take it anywhere!?
So what must we do to lessen the security implications of running with the same password and find a convenient yet safe solution?
The problem is that unless you have a hardware device such as the IDENTsmart ID50 Password-Safe TOP SECRET Password manager, a pencil and notebook for the traditionalists, or a super memory for complex patterns – you are not really safe. To keep all these complex passwords handy there are internet browser extension plugins available (which I use myself BUT – even these specialist online cloud computing services have the odd hiccup (security breach).
Just recently a researcher from Google Project Zero (which is a team of individuals who actively look for holes in security systems) reported to Lasspass about a bug which allowed the last website’s login and password to be exposed – ok this did included a series of events that needed to be prepared and put in place, however, the exploit was still there. It has been patched now and some other password manager companies followed suit in ‘updating their proprietary software too.. You can read the story “straight from the horse’s mouth” at https://blog.lastpass.com/2019/09/lastpass-bug-reported-resolved.html/
Before some advice, the most used passwords in 2019 are as follows:
Wowsers, have you a password there? It would not take very long with brute force software that uses set inputs, dictionary, or a random integer with advancing scales to ‘crack’ any of those passwords (These would, of course, be included in a dictionary attack word list…)
Ok, so let’s jump to beefing up your passwords!
It is best to use a combination of upper letters, lower letters, numbers and special characters in your password – If they are not using a randomly generated one for each (advisable).
You can easily convert a commonly used saying, personal to you, then additionally adding a special character or more, for example; we can turn:
On an average home computer, the first example uses combinations of known dictionary words (whether spaced of bunched together) and would take less than an hour to crack (using the dictionary method), brute forcing would take much longer:
|Standard Desktop PC||About 1 year|
|Fast Desktop PC||About 4 months|
|GPU||About 1 month|
|Fast GPU||About 21 days|
|Parallel GPUs||About 2 days|
|Medium size botnet||37 seconds|
The second example uses unknown recognized dictionary words and so would little likely be found using words from a multi-threaded dictionary type attack – unless, of course, h4x0r speak has been additionally inputted to the list ;P – with a brute attack this odd language spelling does not matter but considerably increases the possible ‘cracking’ time as follows:
|Standard Desktop PC||About 3 billion years|
|Fast Desktop PC||About 641 million years|
|GPU||About 256 million years|
|Fast GPU||About 128 million years|
|Parallel GPUs||About 13 million years|
|Medium size botnet||About 3 thousand years|
If you have to use the same saying or set of characters, use variations of them so they are not identical across your differing accounts.
Is password use to this extent infallible? Nope. However, there is a solution.
Otherwise known as ‘2 Factor Authentication’ or ‘One-Time Password – By this it means to have a setup time sensitive encrypted ‘token’ linked to your account for a single-session login or transaction.
To set this up, you grab a smart device (you will try not to lose), input a code, then verify using a secure handshake. Any time after this setup, as well as entering your login and password, you then have to input a code to access the service. This code change at set intervals, from around 10 seconds to 15 minutes dependent on level of security or user accessibility required.
Because the code and device are linked, only that device with its ‘tokens’ will be allowed a successful login. If an attacker managed to get your login AND password, they would not be able to get past the smart device authentication.
It is very easy to set up 2FA or OTP using Authy, Google Authenticator and other secure services available with your everyday and little used online accounts (if they additionally offer this extra layer of security). When you set this up, make a backup of the codes when setting up the QR code scanning bit, keep these away from your computer or smart devices (in case the machine is accessed without your knowledge, on that good old paper notebook 🙂 If you should then lose or misplace your 2FA smart device, you will still be able to access or reset your 2FA credentials.
Oh, I just have to add also that you should not use mobile device message authentication, if you can help it, the reason for this is that is is possible to spoof a text message so it appears from the proper source to try to trick you into entering credentials that can be used without your knowledge. It is also possible to listen to data traffic from the SMS system (as it is not encrypted) to gain your token data. Some services only offer this messaging service but any extra layer of security is better than none until secure entry systems are standardized.
If you are still stalwart on using the same password across different logins, change it every so often…
Be safe, out there.