If a security measure is unfriendly and complicated, people just won’t use it properly, and it will ultimately fail.
A log-in system that forces people to use passwords like “&64^$sT_xV*@!3” will fail, because the passwords will inevitably get written down and left taped to the screen or in some other easily found spot.
For a security system to work in the real world, it has to be both secure AND easy to use.
A huge part of hacking into accounts involves getting passwords by using people’s habits and common behavior against them.
Millions of people regularly do unwise things like:
- write down passwords and leave them lying around;
- give them out by email or phone (when no legit company asks for them by email or phone);
- make ridiculously simple passwords like “123456” and “password” (those exact two are actually used by millions);
- do the above with their passwords from work, allowing theft of company databases full of client info.
If you’ve heard this all before, that’s because it’s common and it works for bad hackers.
The solution: Create passwords that are practically impossible to guess, keep them in your head, and give them to no-one.
Luckily, there is a really easy way to create passwords that are both super-secure and easy to remember.
It’s genuinely helpful to understand the basics of how passwords are stolen. Consider two situations.
The first case is when a password is practically given away. It was written down and easily found, or handed out in reply to a fake email or phone call that seems to come from someone trusted, such as your bank or the IT department at work.
The second case is tougher. Passwords are encrypted when stored on company servers, so they can’t be read. So, bad hackers steal the data—encrypted passwords, usernames, and so on—and then try to decrypt (crack) the passwords.
This is what’s happening when you hear about data breaches where millions of accounts are stolen from big companies.
Password cracking is done on the hackers’ own computers. These could be normal PCs, or super powerful ones that can try billions (or even trillions) of combinations a second. Yep, billions. A second.
The easier approach to password cracking is called a dictionary attack, which just means trying a whole lot of likely possibilities. This could be every word in a regular dictionary, thousands of popular pet names, or a list of common passwords. When millions of passwords are stolen and cracked, they become dictionaries for future use.
If you make your passwords not obvious, dictionary attacks will fail. It’s that simple.
Next, bring on the more intense brute force attack, where every possible combination of characters is tried, really fast. That’s like, “a”, “ab”, “ac”, and so on. A lot of possibilities versus billions of tries a second.
Eventually, brute force will work. The key word is “eventually”.
If it would take years, decades or centuries for today’s fastest computers to guess, then the password wins.
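As an added example (not part of the original lesson), here is a small Python script that does the arithmetic behind the two attacks described above. It checks a candidate password against a constructed stand-in for a leaked-password list (the dictionary attack), then counts how many guesses a brute-force search would need to exhaust every string up to that length over the same character set, and converts that into years at the one-billion-guesses-per-second rate the text mentions. The password list, the guess rate and the function names are assumptions made for this example.

```python
import string

# Constructed stand-in for a leaked-password list; real lists run to millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "fluffy", "welcome"}

GUESSES_PER_SECOND = 1_000_000_000   # "billions a second", as in the text (assumed rate)
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def in_dictionary(password, dictionary=COMMON_PASSWORDS):
    """True if a dictionary attack using this list would find the password.

    The comparison is case-insensitive because attackers try obvious variants too.
    """
    return password.lower() in {entry.lower() for entry in dictionary}


def charset_size(password):
    """Size of the smallest standard character set that contains every character used.

    A brute-force search has to cover at least this alphabet to be sure of hitting the password.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_combinations(password):
    """Guesses needed to try every string of length 1..len(password) over the charset."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_crack(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time, in years, for a brute-force search to exhaust the space."""
    return brute_force_combinations(password) / guesses_per_second / SECONDS_PER_YEAR


def assess(password):
    """Summarise how the two attacks fare against one password."""
    return {
        "dictionary_hit": in_dictionary(password),
        "charset": charset_size(password),
        "combinations": brute_force_combinations(password),
        "years_at_1e9_per_s": years_to_crack(password),
    }


if __name__ == "__main__":
    for candidate in ["password", "fluffy7", "&64^$sT_xV*@!3", "correct horse battery staple"]:
        result = assess(candidate)
        print(f"{candidate!r:34} dictionary hit: {result['dictionary_hit']!s:5} "
              f"charset: {result['charset']:3} "
              f"brute force: {result['years_at_1e9_per_s']:.3g} years")
```

Two things worth noticing when you run it: the dictionary check finishes instantly for “password” no matter how the brute-force number looks, which is why the text says obvious passwords lose first; and the years figure grows with length far faster than with extra symbol types, which is the idea the next lesson builds on.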
A password that has so many possible combinations, it would take centuries to crack…that’s the way to go. And that’s surprisingly easy to do, as you’ll see next lesson.