
How to Create a Strong Password and Avoid Password-Related Threats

Helga Smith

A password is arguably one of the most underrated security tools today. Passwords are such an old mechanism and appear in so many applications and services that, understandably, the people who rely on them rarely appreciate how hard a strong password is to break. Login credentials are the Helm’s Deep of any targeted system. In theory they can be cracked by brute force, but breaking a good password takes millions of years. In this post, we cover the related security issues and give some advice on password management.

How to Come Up With a Strong Password?

Users tend to underestimate passwords because they imagine hackers the way movies and computer games depict them. Access denied? No problem! Launch an “ice-breaker.” That is an unrealistic scenario. Breaking a password by brute force is rare in practice, more a theoretical possibility than a working procedure, and we return to it later. What matters is that the strength of a password determines whether blindly guessing every variant is a realistic way to break it.

  1. Don’t use the same password on different accounts, let alone on all of them. If criminals get hold of one of your passwords, make no mistake: they will treat it as a likely base for your other passwords. This tip has nothing to do with the strength of any particular combination, but using different passwords is a very important part of data protection in general.
  2. Use upper- and lower-case letters, digits, and special symbols. Following this rule makes your password virtually unbreakable. Brute-forcing it remains possible, but it will take some time: billions of years, not less.
  3. Avoid using data that means something to you. Birthdays, names of loved ones, slogans, and idioms are all poor bases for a password. Hacking attempts nowadays are often part of spear attacks, meaning the attackers usually know something about their victim and do not guess randomly but work through variants of what the password could plausibly be.
  4. Do not use keyboard combinations like “zxcvb,” “qwerty,” or “poiupoiu.” They only look random; in fact they are predictable sequences of neighboring keys that are quick to strike with one hand, and password-cracking tools come with lists of such combinations.
  5. Log out when you leave your workplace, and definitely do not forget to log out if you had to use someone else’s computer to sign in to your accounts. If you did forget, most online services offer a remote logout feature in their settings.
  6. Use two-factor authentication. You will need to confirm your identity through another device every time you enter your credentials. Google has made 2FA obligatory, and so should you. 2FA is unrelated to password strength as such, but it significantly strengthens this link in the chain.
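As an added illustration of tips 2 and 4 (not code from the original article), here is a small Python policy check that counts character classes and spots keyboard walks such as “qwerty” or “poiupoiu”; the US keyboard rows and the 12-character minimum are assumptions.

```python
import string

# US keyboard rows used to spot "walks" such as "qwerty", "zxcvb" or "poiu"
# (assumed layout; extend with other layouts as needed).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_keyboard_walk(password, min_len=4):
    """True if min_len or more consecutive characters are neighboring keys in
    one row, read left-to-right or right-to-left ("poiu" inside "poiupoiu")."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in lowered:
                    return True
    return False


def character_classes(password):
    """Number of the four classes from tip 2 (lower, upper, digit, symbol) used."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password, min_length=12):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < 4:
        problems.append("does not mix upper case, lower case, digits and symbols")
    if has_keyboard_walk(password):
        problems.append("contains a keyboard walk")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty123", "poiupoiuX!", "Tr4vel!Mug#Lamp9"):
        print(candidate, "->", check_password(candidate) or "OK")
```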

Don’ts in Managing Passwords

In theory, hackers might mount a brute-force attack on your password; whether they succeed depends on its quality. The difference in time between cracking a weak password and a strong one exceeds the current age of our universe: “0000” will be guessed in less than a second, while a strong password will keep the same code-breaking program busy for quadrillions of years. The following points are the things to avoid so that brute-force attacks stay prohibitively expensive in time and your passwords stay out of reach.

  1. Don’t keep the same passwords for too long; change them! This requirement is so important that most services enforce it automatically. Corporate security, however, may require employees to change passwords on a schedule even more frequently.
  2. Do not log in to your accounts on questionable devices or wireless networks. Spyware and keyloggers (programs that record keystrokes) are the concern here. Wireless networks and mobile devices are even more dangerous: a man-in-the-middle attack places a cyber thief right between you and the Internet, most likely via special software installed on the Wi-Fi router, to steal your credentials.
  3. Do not share your passwords with anyone. You just don’t. As simple as that.
  4. Do not leave your passwords written down where other people could find them. People are often vain when there is no reason to be, but rarely cautious enough about data protection and Internet security. Crooks, however, want our data for perfectly mercenary reasons, so the thought that nobody could be interested in us is no excuse for carelessness.

How do hackers beat or bypass passwords?

Phishing attacks

Phishing is one of the most effective ways to get hold of a victim’s credentials. These attacks need no malware; all a successful phishing attack requires is social engineering plus spoofed websites and emails. The crooks impersonate a trustworthy company and claim that the user needs to do something: change an account password, receive a pending delivery, or take part in a survey. There are many ways to deceive an unprepared person. Along the way, the thieves casually ask the victim to enter a password, presenting it as a necessary, purely technical step. In fact, this moment is what the whole operation was staged for. Because the form the victim is offered looks exactly like an official page of the company the scammers are impersonating, an inexperienced user will most likely hand the precious password to the crooks.

Figure: A typical password-requesting phishing email with a spoofed letterhead.

The best weapon against phishing is vigilance. Always examine the website link and the sender’s email address. Also, know that no company will ever ask its clients via email to enter their passwords.

Form-Grabbing Malware

If cyber thieves manage to install form-grabbing software on the victim’s system, they can receive the data from filled-in sign-in forms without the victim noticing. Such software is usually downloaded by Trojans, or it may be their initial payload. The origin of these programs is the same old story: questionable email attachments, unchecked Internet links, untrustworthy installers, and peer-to-peer downloads.
Should malware like a form-grabber plant itself in your system, a decent antivirus solution like Loaris Trojan Remover will kill the form-grabbing intruder in no time.

Brute Force Breaking

Picking a password by brute force means exhaustively trying every possible character combination until the right one is found. Frankly, brute force is only effective against weak passwords. To avoid squandering the capacity of modern computers and still succeed, hackers modified the brute-force procedure and invented dictionary attacks.

Figure: This table shows the effectiveness of strong passwords against brute-force hacking.
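To make the cost argument concrete, here is an added Python estimator (not from the article or from Loaris) that computes the keyspace and worst-case exhaustive-search time for the password recipes discussed above; the rate of one billion guesses per second is an assumed figure for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31,557,600

# Character-set sizes for the password recipes compared in the text.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 94,  # printable ASCII minus space
}


def keyspace(length, charset_size):
    """Number of candidate passwords an exhaustive search must cover."""
    return charset_size ** length


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time for a brute-force search that tries every combination."""
    return keyspace(length, charset_size) / guesses_per_second


def years_to_exhaust(length, charset_size, guesses_per_second):
    return seconds_to_exhaust(length, charset_size, guesses_per_second) / SECONDS_PER_YEAR


def entropy_bits(length, charset_size):
    """log2 of the keyspace: every extra bit doubles the attacker's work."""
    return length * math.log2(charset_size)


def effectiveness_table(guesses_per_second=1e9, lengths=(4, 8, 12, 16)):
    """Rows of (charset name, length, entropy bits, years), mirroring the article's table."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(n, size), 1),
                         years_to_exhaust(n, size, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # "0000" falls in a fraction of a second; a 16-character mixed password
    # takes on the order of a quadrillion years at the assumed rate.
    for name, n, bits, years in effectiveness_table():
        print(f"{name:34} len={n:2}  {bits:6.1f} bits  {years:.3g} years")
```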

Dictionary Attack

A dictionary attack uses the automated code-breaking of a brute-force attack, refined with an algorithm that selects the words likely to serve as the basis of a password. The cracker does not try every possible combination, only variations derived from the dictionary.

The logic behind dictionary attacks is that humans rarely come up with random combinations; they base their secret word on existing names or terms. Counterintuitive as it may seem, statistics show that dictionary attacks are much more successful.

If the hackers know which words are meaningful to their particular victim, making it a spear dictionary attack, the password can be cracked even faster.
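As an added example (not part of the original article) of the defensive side of the two passages above, this Python check undoes the simple variations a dictionary or spear dictionary attack works through, namely case changes, appended digits and symbols, and letter-for-symbol substitutions, and then looks the result up in a word list; the substitution table, the word list and the personal terms are constructed for illustration.

```python
import string

# Common letter-for-symbol substitutions, undone before the dictionary lookup
# (assumed set; real strength meters use larger tables).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a cracking dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "dragon"}


def candidate_bases(password):
    """Possible base words hidden in the password: lowercased, with leading and
    trailing digits/symbols removed, with and without undoing substitutions."""
    lowered = password.lower()
    trim = string.digits + string.punctuation
    stripped = lowered.strip(trim)
    return {
        stripped,
        stripped.translate(LEET_MAP),
        lowered.translate(LEET_MAP).strip(trim),
    }


def derived_from(password, wordlist=COMMON_WORDS, personal_terms=()):
    """Return the dictionary or personal word the password is a variation of,
    or None if no simple variation matches."""
    known = {w.lower() for w in wordlist} | {t.lower() for t in personal_terms}
    for base in sorted(candidate_bases(password)):
        if base and base in known:
            return base
    return None


if __name__ == "__main__":
    # Personal terms an attacker running a spear attack might know (constructed).
    victim_terms = ["Fluffy", "Helga", "1987"]
    for pw in ("P@ssw0rd1!", "Fluffy2015!", "Tr4vel!Mug#Lamp9"):
        print(pw, "->", derived_from(pw, personal_terms=victim_terms))
```

A password that this check traces back to a known word should be rejected at creation time, since a rule-based dictionary run would reach it long before exhaustive search would.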

Keylogger Malware

Keyloggers are malware whose purpose is to record keystrokes. The keylogger runs on the victim’s machine and sends the captured data to the hackers. Keyloggers installed on public machines, where people are more likely to type passwords manually, pose an even greater risk.

There are three main ways to protect yourself against keyloggers:

  • Do not let hackers infect your system with one (see the precautions above).
  • Use a virtual keyboard. It might help against most keyloggers.
  • Install security software. Loaris Trojan Remover gets its malware databases updated regularly, so a keylogger will be removed as soon as it penetrates your system.

Password Stealer Malware

Password stealers are harmful programs that extract credentials from applications (mostly web browsers) that store them on the device rather than in the cloud. Attacks involving stealers are becoming obsolete, but some programs are still exposed to this type of malware. The best remedy against a stealer infection is an antivirus program.

Leakages

As noted above, passwords stored in the cloud are safe in most cases. But “the cloud” is just a word: we are talking about a server, which is also subject to attack. Information can also leak through someone’s ill will or by accident. In short, nobody is protected from this. If you are not the target of an attack, stay calm. On learning of a leak (and if Facebook or Google is involved, they will trumpet it), immediately change the password to a strong one.

Conclusion

The tips listed in this article are the basis of decent data protection; an anti-malware solution installed and running is its second part. Phishing attacks require vigilance, and leaks require monitoring the news. But at the end of the day, the main thing is to take cybersecurity seriously in general, with passwords as its crucial component.
