When it comes to passwords in the workplace, we’ve all heard the spiel:
- Create a password that’s easy for you to remember but hard for someone else to guess.
- Change your password every 90 days.
- Passwords should include at least one capital letter and one special character.
- Don’t share your password with anyone or write it down.
Most of that advice still holds (the 90-day rotation rule, as we'll see, has since fallen out of favor), but if we're being honest, most of us pay about as much attention to it as we do to a preflight safety briefing, which is to say not much. And for that, the hacker community can't thank us enough, because business for cybercriminals is booming these days.
It is estimated that cybercrime will cost the global business community $6 trillion this year, a shocking number that is expected to grow to $10.5 trillion annually by 2025. If cybercrime were its own nation, it would have the third largest economy on the planet behind the U.S. and China.
Hacking at its core isn’t that complicated, because it doesn’t need to be, given that 95 percent of all breaches are the result of human error and on average only 5 percent of a company’s folders are properly protected. And topping the list of security gaps are weak passwords.
Passwords present a quandary to most people because, to be effective, they must be longer and more complex, which makes them harder to remember and slower to type. That's why so many people resort to abc123 or 12345, which is about the same as having no password at all.
The IT world has tried to give users alternatives to the traditional password, but that technology has yet to be perfected itself. Password managers have had their own vulnerabilities, and biometrics such as facial or fingerprint recognition can be spoofed or, worse, leaked: the 2015 cyberattack on the U.S. Office of Personnel Management exposed the fingerprints of 5.6 million people, and unlike a password, a fingerprint can't be reset.
Until an alternative comes along that's consistently better, the password is here to stay, which brings us back to the issue of using them effectively. Unlike in previous eras, current guidance (NIST SP 800-63B, for example) favors one strong, unique password for each account or device, changed only when there's reason to believe it has been compromised, over forced rotation every 30, 60 or 90 days.
So, what makes a good password? Length, first of all, and then variety of characters. Cracking a password is a numbers game, one that criminals play with fast, automated tools: brute-force programs that work through every combination of characters, and, more often, wordlists and machine-learned substitution rules that try the likely guesses first. Short passwords fall almost instantly. Ohio State University reported that a 3-character password using only lowercase letters can be broken in 0.02 seconds, and a 6-character, all-lowercase password in 5.15 minutes.
Past that point, though, every character you add multiplies the work by the size of the alphabet, so the time grows exponentially. At the rate those figures imply (about a million guesses per second), a 7-character password takes 2.23 hours, an 8-character password about 2.4 days and a 9-character password about two months. Mixing in uppercase letters, digits or symbols widens the alphabet and multiplies the search space again, although it doesn't make brute force impossible, and the million-guesses-per-second figure is optimistic: an attacker who has stolen a database of unsalted, fast hashes can test billions of guesses per second on commodity GPUs, which turns that two months into hours or minutes. Length is what buys the most time.
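The arithmetic behind those timings, as an added example that is not part of the original article or of the Ohio State figures it cites: the page's numbers imply roughly a million guesses per second, and the GPU rate used for contrast is an assumed order of magnitude for offline cracking of a fast, unsalted hash. The last two lines show why length beats character classes: 12 lowercase letters carry more entropy than 8 characters drawn from all 95 printable ASCII symbols.

```python
"""Search-space arithmetic behind brute-force crack times.

PAGE_RATE is the guess rate implied by "26^6 lowercase passwords in 5.15
minutes"; GPU_HASH_RATE is an assumption, an order of magnitude for an
offline attack on a fast, unsalted hash with commodity GPUs.
"""
from __future__ import annotations

import math

LOWERCASE = 26           # a-z
PRINTABLE_ASCII = 95     # letters, digits and symbols

PAGE_RATE = 1_000_000              # guesses/s implied by the page's figures
GPU_HASH_RATE = 10_000_000_000     # assumption: ~1e10 guesses/s, offline


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: each extra symbol adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole space (an attacker needs half that on average)."""
    return search_space(alphabet_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the most natural unit (s, min, h, days, years)."""
    units = [("years", 365.25 * 86400), ("days", 86400.0), ("h", 3600.0), ("min", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} s"


def timing_table(alphabet_size: int, lengths: range, rate: float) -> list[tuple[int, str]]:
    """(length, worst-case time) pairs for one alphabet at one guess rate."""
    return [(n, human_time(worst_case_seconds(alphabet_size, n, rate))) for n in lengths]


if __name__ == "__main__":
    print(f"Lowercase only at {PAGE_RATE:,} guesses/s (the page's figures):")
    for n, t in timing_table(LOWERCASE, range(3, 10), PAGE_RATE):
        print(f"  {n} chars: {t}")

    print(f"\nSame passwords at {GPU_HASH_RATE:,} guesses/s (assumed offline GPU rate):")
    for n, t in timing_table(LOWERCASE, range(8, 13), GPU_HASH_RATE):
        print(f"  {n} chars: {t}")

    # Length vs. character classes: 12 lowercase letters beat
    # 8 characters drawn from all 95 printable ASCII symbols.
    print(f"\n8 chars, 95-symbol alphabet: {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
    print(f"12 chars, lowercase only:    {entropy_bits(LOWERCASE, 12):.1f} bits")
```

Run it and the first table reproduces the page's 0.02 s, 5.15 min and 2.23 h figures; the second shows the same 9-character lowercase password falling in about nine minutes once the attacker is cracking hashes offline instead of guessing against a login form.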
But how is someone supposed to actually remember a 10- or 12-character password that's specifically written to foil professional cybercriminals? Carnegie Mellon University offers the following techniques, which more or less make a game of the process.
USE A BIZARRE PASSPHRASE WITH SYMBOLS AND NUMBERS
Instead of trying to think of a 10-letter word, think in phrases, and offbeat ones at that. The more random the phrase, the harder it is to crack, and substituting symbols and numerals widens the alphabet further. Bear in mind, though, that the common substitutions (s to 5, a to @) are built into cracking tools' rule sets, so they add less than the extra length does.
Example: 32 Seagulls deliver bologna sandwiches to Paris
Example: 32-Seagullsdeliver bologna5andwiches2Paris!
USE A PHRASE REPRESENTED IN SHORTCUTS/ACRONYMS
Think of a famous phrase or movie quote and turn it into "text speak" by using letters and symbols in place of words.
Example: 2BorNot2B_ThatisThe? (To be or not to be, that is the question-Shakespeare)
USE RANDOM WORDS TO CREATE A PASSPHRASE
The strength here comes from choosing the words at random, with dice or a password manager's generator, from a large list, not from the words being unusual. A cracking tool can test combinations of dictionary words, but four or five words picked at random from a list of several thousand give it far too many combinations to work through, while the result is still easy to remember. Stringing together four or five random words ("correct horse battery staple") creates a long password that is hard to guess, although that particular phrase is now in every wordlist, so pick your own.
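A random-word passphrase generator with the entropy arithmetic behind it, as an added example that is not code from the original article or from Carnegie Mellon. SAMPLE_WORDS is a constructed toy list for the demo; a real Diceware list has 7776 words (one per outcome of five dice rolls), which is what DICEWARE_LIST_SIZE reflects. The words are chosen with the `secrets` module, never `random.choice`, because the whole scheme depends on the selection being unpredictable.

```python
"""Random-word passphrases: CSPRNG generation and the entropy they carry.

SAMPLE_WORDS is a constructed toy list, far too short for real use; the
entropy functions take the list size as a parameter so the same code
reports what a real 7776-word Diceware list would give.
"""
from __future__ import annotations

import math
import secrets
from typing import Callable, Sequence

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words, one per roll of five dice

# Constructed sample list for the demo only.
SAMPLE_WORDS: Sequence[str] = (
    "anchor", "bishop", "cactus", "dolphin", "ember", "fossil", "glacier",
    "harbor", "iodine", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ripple", "saddle", "timber",
)


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy when each word is chosen uniformly and independently.

    This holds only for random selection; a quote or a sentence the user
    made up has far less entropy than its length suggests.
    """
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def random_passphrase(
    words: Sequence[str],
    word_count: int = 5,
    choose: Callable[[Sequence[str]], str] = secrets.choice,
    separator: str = " ",
) -> str:
    """Pick `word_count` words with a cryptographic RNG (secrets, not random)."""
    return separator.join(choose(words) for _ in range(word_count))


if __name__ == "__main__":
    phrase = random_passphrase(SAMPLE_WORDS, 4)
    print(f"toy list ({len(SAMPLE_WORDS)} words), 4 words: {phrase!r}")
    print(f"  entropy: {passphrase_entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits (too small)")
    print(f"Diceware list, 4 words: {passphrase_entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits")
    print(f"Diceware list, 6 words: {passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(DICEWARE_LIST_SIZE, 80)}")
```

Four words from a 7776-word list give about 52 bits, roughly what 8 characters from the full printable-ASCII alphabet give, and six words reach about 78 bits; the same four words from the 20-word toy list give only about 17 bits, which is why the size of the list matters as much as the number of words.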