
Most Popular Hacked Passwords


If your password to anything is in the top 10 most hacked passwords, you’re just asking to be hacked. In this article I’m going to attempt to explain how your passwords may be insecure, and how to secure them.

Passwords, we all hate them. I mean, why do I have to jump through hoops just to get into a website? This is the main cause of people getting hacked. Your financial or other data like your mail, bank, or whatever, is in danger if your password is one of the most hacked passwords.

It’s impossible to remember every password to every site, so people take shortcuts. Either they write all of their passwords on sticky notes around their computer, or they use the same two or three over and over again.

When we build websites, the client always gets passwords to the server and the website dashboard. We create strong passwords, but it is essential that they are kept safe. A compromised password to either of these could wreak havoc on a site.

What about encryption?

Websites tell you that your passwords are encrypted, so what’s the problem? Can’t we trust the bank? In reality, if your password is “123456”, it doesn’t matter how encrypted it is. The hacker can guess it.

Most Hacked Passwords


According to a recent CNBC report using data from the NCSC, these are the top 10 most common passwords. See if you are using any of them:

  1. 123456
  2. 123456789
  3. Qwerty
  4. Password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. Qwerty123

As a matter of fact, “123456” was used over 23 million times.

How to better secure your passwords

One: Use two-factor authentication

Two-factor authentication (2FA) is where you need two things to log in to something. One is something you know (the password), and the other is something you have (like your phone). When you attempt to sign on, the website or app will either send you a text message or ask for a code from your authentication app. See this article from my personal blog here for a more detailed explanation.

Two: Use a password manager

A password manager is a service that remembers all of your passwords for you. That way you only have to remember one password: the one to the password manager. There are many password managers available. Some of them are Bitwarden, 1Password, and Dashlane. The one I use and recommend is LastPass.

Here’s how it works: You create a strong master password (please don’t make it “123456”). A good way to make a long, strong password that you can remember is to use a memorable passphrase disguised as a password. For example, pick a Bible verse, then, using the first letters, change the capitalization, turn some letters into numbers and symbols, and maybe add a number at the end, like your childhood phone number. Then “For God so loved the world, that he gave his only begotten Son” could become “f6Sl+WthGh0b56995605”. Using Steve Gibson’s password checker, it would take at least 1.15 thousand trillion trillion centuries to guess that password.


After you have created your password, you can access your vault and start entering your websites’ and apps’ passwords. Going forward, LastPass can create passwords for you like this one I just let it generate: “C5NL48PxejQLB&rfhZ%ntjtWw” (8.91 trillion trillion trillion centuries to guess).
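The two ideas above combined, as an added Python example (not code from this article or from Steve Gibson's checker): a password is first checked against the top-10 list given earlier on this page, and only then is a brute-force "centuries to guess" figure estimated. The guess rates and the `assess` labels are assumptions chosen for illustration.

```python
import string

# Top 10 list as given in this article (compared case-insensitively).
TOP_10 = {"123456", "123456789", "qwerty", "password", "12345",
          "12345678", "111111", "1234567", "123123", "qwerty123"}

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Assumed guess rates (not from the article): a throttled online login
# versus an attacker hashing a stolen database offline.
ONLINE_RATE = 1_000
OFFLINE_RATE = 100_000_000_000


def alphabet_size(password):
    """Size of the ASCII character set a brute-force search must cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 ASCII punctuation characters plus space
    return size


def search_space(password):
    """Number of candidates of every length up to len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def centuries_to_exhaust(password, guesses_per_second):
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


def assess(password):
    """Dictionary check first: a listed password falls on the first guesses."""
    if password.lower() in TOP_10:
        return "common"
    if centuries_to_exhaust(password, OFFLINE_RATE) < 1:
        return "weak"
    return "ok"


if __name__ == "__main__":
    for pw in ("Qwerty123", "abc123xyz", "f6Sl+WthGh0b56995605"):
        print(pw, assess(pw), f"{centuries_to_exhaust(pw, ONLINE_RATE):.3g}")
```

At the assumed 1,000 guesses per second the 20-character example comes out at roughly 1.15e27 centuries, while a listed password such as "Qwerty123" is flagged before any arithmetic is done.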

Like I said, LastPass is the password manager I use, and no, this is not a paid endorsement. I’m sure other password managers work very similarly. Pick one that you like.

What if the password manager gets hacked?

If you’ve created a strong master password, you will be safe even if the password manager gets hacked. I can’t speak for the other managers, but this is my experience with LastPass. They have only had one incident of anyone breaking into a server in their 14-year history. That was back in 2015. Here is part of the notice we received:

Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

You read that right, your password is encrypted 5,000 times, then salted and encrypted another 10,000 times.

Here is a link to the full notice and an explanation of their security.
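The flow described in the notice, sketched as an added Python example (not LastPass's code): a client-side key from 5,000 rounds of PBKDF2-SHA256, one more round to get the authentication hash, then 100,000 salted rounds on the server. Using the username as the client-side salt and the master password as the salt for the extra round are assumptions, since the notice does not say how the values are combined; all function names are hypothetical.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # from the notice
SERVER_ROUNDS = 100_000   # from the notice


def client_vault_key(username, master_password):
    """Derived on the user's computer; never sent to the server.
    Assumption: the username serves as the PBKDF2 salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.encode(), CLIENT_ROUNDS)


def client_auth_hash(vault_key, master_password):
    """One more round over the key gives the value sent at login.
    Assumption: the master password is the salt for this round."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode(), 1)


def server_enroll(auth_hash):
    """Server side: random per-user salt, then 100,000 more rounds."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def login(username, master_password, salt, stored):
    key = client_vault_key(username, master_password)
    return server_verify(client_auth_hash(key, master_password), salt, stored)


if __name__ == "__main__":
    # Constructed account for the demo.
    user, pw = "alice@example.com", "f6Sl+WthGh0b56995605"
    key = client_vault_key(user, pw)
    salt, stored = server_enroll(client_auth_hash(key, pw))
    print("correct password:", login(user, pw, salt, stored))
    print("guess '123456':  ", login(user, "123456", salt, stored))
```

The server only ever stores the salt and the final hash, so the key derived in the first step stays on the client; the rounds slow each guess down but do nothing for a master password an attacker tries first.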

Bottom line is, your data is safe with a secure password manager like LastPass. I would hope the other managers have done the same due diligence as LastPass has.

With a super strong password and a password manager, you can still be hacked.

A password is only as strong as the user. My next article will address the ways you can still be hacked even if you use a super strong password.

See you then.

