As one of Nashville’s top managed IT service providers, ImageQuest gets tons of questions from concerned clients every day. One of these is, “Are my passwords good enough?” The answer, sadly, is probably not.
If you are familiar at all with the Marvel Cinematic Universe, you may have caught the joke that Happy Hogan – head of security for Stark Industries – uses the word “password” as his password. Hogan gets ribbed about the blatant security failure and, hopefully, immediately rectifies the issue. But how bad is “password”? According to Microsoft, it is the second most common string of characters tried by criminals when hacking into private accounts. Criminals try it that often because it is, sadly, a common password.
For the curious-minded, 123456 was #1 and 000000 rounded out the top three.
Password Managers Are Helpful
Today, the number of passwords the typical person must keep track of has grown exponentially. This sometimes prompts users to store their passwords in a list on their computer or written down by their desk. Such lists can be easily stolen. It is better to use a reliable, secure Password Manager, which will not only generate and store strong, random passwords but also ease the log-in process through auto-fill. With a Password Manager, you only have to create and remember one strong password – the one that opens the Password Manager.
Regardless of password length or even generation method, most managed IT service providers recommend multi-factor authentication (MFA). Multi-factor authentication is a second step after a password to authenticate that you are you. Typically it is something “you have”: your fingerprint or iris (biometric authentication), a code texted to your phone (SMS authentication), or a code from an app on your phone (e.g. Google Authenticator, Microsoft Authenticator, etc.). There is also enterprise-level authentication software that some businesses use to control access to their systems. All Nashville businesses should utilize MFA, which is believed to stop up to 99.9% of password breaches. While there have been a few scattered incidents of second-step authentication being hacked – usually via telephone text messaging – this remains exceedingly rare.
The 8-Second Rule
Passwords usually start out at six characters. Something many password creators do not realize, however, is that a password of this length can be broken within eight seconds. Six characters equate to more than 780 billion character combinations using a typical keyboard layout. But gone are the days when hackers typed in passwords manually. Today’s cybercriminals have access to software that can try them almost instantaneously.
Bigger is Better
As Nashville’s leading managed IT service firm, ImageQuest routinely recommends passwords that are a minimum of nine characters, preferably 10 or more. Even with advanced code-cracking programs, it would take an online intruder more than 80 days to infiltrate an account protected by a nine-character password. Add another character, and this jumps to 21 years. The number of possible combinations for a 10-character password is in the quintillions (66,483,263,599,150,100,000 to be precise).
Length Is Not All
A password of fewer than nine characters is easy to hack. It is even easier to hack if it consists simply of a dictionary word. One way that password creators can strengthen their online security is to use more than the 26 letters of the alphabet on the keyboard. Numbers and special characters are invaluable. Further, it pays to avoid predictable character patterns. For example, passwords often start with a capital letter followed by a few lowercase letters, a couple of numbers, and common punctuation, such as a question mark or exclamation point. In other words, avoid Pass123! like the plague. Something else to avoid when coming up with a password is personal information. This includes names, birthdays, and hometowns (like Nashville). Managed IT service professionals cringe at these because they weaken a company’s network security.
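The figures in "The 8-Second Rule" and "Bigger is Better", and the warning about predictable patterns in "Length Is Not All", can be checked with a short calculation. This is an added example, not ImageQuest's code; the 96-symbol alphabet and the guess rate are assumptions inferred from the article's own numbers (96^10 matches the 10-character count quoted above), and the class sizes for the Pass123!-style shape are constructed for illustration.

```python
import string
from math import prod

ALPHABET = 96          # assumption: symbol count implied by the article's totals
SIX_CHAR_SECONDS = 8   # the article's figure for exhausting six characters

def keyspace(length, alphabet=ALPHABET):
    """Number of candidates for a uniformly random password."""
    return alphabet ** length

# Guess rate implied by the article: all six-character candidates in 8 seconds.
GUESSES_PER_SECOND = keyspace(6) / SIX_CHAR_SECONDS

def pattern_keyspace(class_sizes):
    """Candidates when every position comes from a known character class."""
    return prod(class_sizes)

def seconds_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return candidates / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"

# Constructed pattern from the text: capital, lowercase run, digits, punctuation
# (the shape of "Pass123!"), eight characters in total.
PREDICTABLE_8 = [26] + [26] * 3 + [10] * 3 + [len(string.punctuation)]

if __name__ == "__main__":
    for n in (6, 8, 9, 10):
        print(f"{n} random characters: {keyspace(n):,} candidates, "
              f"{humanize(seconds_to_exhaust(keyspace(n)))}")
    shaped = pattern_keyspace(PREDICTABLE_8)
    print(f"8 characters in the predictable shape: {shaped:,} candidates, "
          f"{humanize(seconds_to_exhaust(shaped))}")
```

At the implied rate, eight random characters take about 20 hours to exhaust, while the eight-character predictable shape is exhausted in a fraction of a second.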
Overall, considering that hackers have a list of a half-billion password combinations, it does not matter how long or intricate a password is. If criminals are using everything in their arsenal, it will not stay private forever, and changing the password frequently does not always help. Multi-factor authentication, which a managed IT service provider can easily establish, is today’s best defense against password pilfering.