I manage at least a dozen WordPress sites. I recently logged in to one of them to find a message from WordPress telling me that my password was found on a list on the internet and that I would need to change my password before being allowed to log in.
Pretty scary stuff.
I don’t use common passwords like P@ssW0rd123 (yes, this is a commonly used password). I use more than 6 characters. My password is definitely not 12345678 (go ahead and try).
I thought my password was pretty secure since it was not a common word. In fact it was a word most people outside of my immediate family would not know exists, plus some random numbers and special characters.
I can almost guarantee that no one else is using this password.
Yet, the password somehow found its way onto an online list somewhere.
My assumption is that an online account somewhere was brute-forced, but I don’t know which account or where. It was likely not an account I care about. After you finish reading this you will understand why.
The Great Password Debate
There are lots of “theories” on what makes a good password. Most online communities and websites try to force you into using a combination of upper and lower case letters, numbers and special characters. They almost always require a password longer than 8 characters.
This theory seems like a good policy, but here is where it becomes a problem: password cracking software and the computing resources it needs have become increasingly powerful, meaning it is getting easier to brute-force a password with the right software.
The right software is easily and freely available on the internet. I talk about some of it on this website.
Requiring such passwords also makes it more likely that the password will be written down somewhere, usually near the user’s computer.
If you knew how many times I visited someone who asked for computer help, and they then took out a piece of paper or small notebook with all of their passwords and account information (including bank account information) written in it, your eyes would jump out of their sockets.
And then they leave it in the open where I could easily read and/or take a picture of it. Lucky for them I am a nice guy.
Password strength is important, but let’s not overdo it.
NIST (National Institute of Standards and Technology) recently changed its stance on passwords. After a study performed by NIST, it was determined that the complex procedures put in place by many online communities and employers were not accomplishing what they had hoped.
Longer passwords are more secure. The reason is that it takes exponentially longer for password cracking software to brute-force a password with each additional character: a 12 character password will take much longer than a 6 character password.
I don’t mean minutes longer. It can be measured in years or decades in some cases.
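To put numbers on that claim, here is a small Python calculation, added here as an example and not part of the original post. It computes the number of possible passwords for each length and character set and the time needed to try all of them at an assumed guess rate. The 10 billion guesses per second figure is a constructed assumption for illustration, not a measurement of any real cracking setup; real rates depend on the hash algorithm and the hardware.

```python
# Keyspace and exhaustive-search time versus password length.
# Added example; the guess rate below is an assumed, constructed figure.

# Character-set sizes used for the estimates.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 95,  # printable ASCII
}

# Assumed attacker guess rate (guesses per second) - illustrative only.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000  # 1e10


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the keyspace."""
    return keyspace(charset_size, length) / rate


def growth_factor(charset_size: int, length_a: int, length_b: int) -> int:
    """How many times larger the keyspace gets going from length_a to length_b.
    Each extra character multiplies the keyspace by charset_size, which is
    why the growth is exponential in the length."""
    return keyspace(charset_size, length_b) // keyspace(charset_size, length_a)


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def comparison_table(lengths=(6, 8, 10, 12),
                     rate: int = ASSUMED_GUESSES_PER_SECOND):
    """Rows of (charset name, length, keyspace, human-readable exhaust time)."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         human_duration(seconds_to_exhaust(size, n, rate))))
    return rows


if __name__ == "__main__":
    for name, n, space, duration in comparison_table():
        print(f"{name:<34} {n:>2} chars  {space:>26,}  {duration}")
    print("6 -> 12 chars (62-char set) multiplies the keyspace by",
          f"{growth_factor(62, 6, 12):,}")
```

At the assumed rate, a 6 character password drawn from all 95 printable ASCII characters falls in about a minute, while a 12 character one from the same set takes on the order of a million years to exhaust, which is the "years or decades" point above in concrete form.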
7 Tips for Better Account Security
- Use Song or Movie Titles, Quotes or Lyrics to make it easier for you to remember without having to write it down.
- Use a password manager like Keepass or Lastpass.
- Do not share personal information (like a favorite movie or your children’s birthdays) on the internet.
- Use a password generator.
- Never share your password with anyone.
- Never write your passwords down on paper.
- Use 2FA or MFA.
Tip 1: Use Song or Movie Titles, Quotes or Lyrics
For example, I might use “ABronxTale2017#” as my password. I would not use this specifically (because some people know this is one of my favorite movies) but something similar.
Some people use lyrics from their favorite song or a line from a poem.
These are all good options as long as you don’t share that on the internet somewhere.
Tip 2: Use a Password Manager
It’s easy to forget your password, especially if you’re used to using the same one for multiple sites. Now that you have different passwords for every site, it’s nearly impossible to remember all of them.
With a password manager you can store your passwords in the utility and retrieve them as needed. You can copy the password into the website or application that you need the password for. Certainly easier than typing.
Lastpass has a Chrome plugin, smartphone apps and a Windows app to allow for even easier access to your passwords. This comes with inherent risks, of course. If someone gains access to one of those devices they may now have access to all your passwords. The key is to create a strong password for Lastpass and your device, and to be able to remember them. Newer devices allow for facial recognition or thumbprint scans, thus eliminating the need to type a password.
I won’t get into how to bypass those types of security methods. You can do the math on your own.
Tip 3: Do Not Share Personal Information on the Internet
You know those cute little quizzes on Facebook that ask you to list your favorite song, your favorite movies, etc.?
What if I told you they’re designed to socially engineer you? I don’t know if they really are, but I would bet that some of them are. Stop revealing information about yourself on social media. The more information you provide, the more a potential hacker has to use to guess your password.
Tip 4: Use a Password Generator
I use the Symantec Password Generator. I don’t know why, but I like this one the best.
At this point, if I don’t have access to my password manager I am screwed, because I don’t know any of my passwords. All I do is generate a 12 or more character password using the password generator and save the info to my password manager.
No one can ever beat a password out of me, that’s for sure.
Tip 5: Never Share Your Password with Anyone
Do I really need to explain this one?
Tip 6: Never Write Your Passwords Down on Paper
That’s pretty self explanatory as well, right?
Tip 7: Use 2FA or MFA
2FA is short for Two-Factor Authentication. MFA is short for Multi-Factor Authentication. They are essentially the same thing. 2FA and MFA just mean that the application or device you’re trying to log in to requires a second form of authentication, usually in the form of a time-based token.
Almost every social media site has this option available now. Set it up and use it. It might seem like a pain in the ass but it’s better than trying to recover your hacked account.
If you can avoid using SMS as the second factor, do so. It’s not hard to clone your SIM card, and once a hacker does this they have access to all your texts. Get it?
This website uses 2FA. I have my password that was auto-generated using Symantec’s Password Generator. The password is saved to a password manager. I need this plus a time-based token generated using Google Authenticator on my phone.
On the website I use a plugin called miniOrange 2-Factor. It’s pretty easy to set up, and I talked about it in the blog post about WordPress Security.
Hacked accounts are on the rise. There are lists of passwords freely available on the internet. “Hackers” can use these lists to brute-force an account. Once your password makes one of these lists, you had better make sure to change it on every account you own.
Social engineering is more common than you think. Look at your Facebook profile and tell me what shows and movies it says you watch and what groups you are in. Most people have their birthday listed, along with pictures of themselves and their kids as well as names. So much info is readily available on Facebook alone.
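The warning in the opening paragraph comes from checking a password against exactly this kind of list. The safe way to do that without sending the password anywhere is the "range query" technique: hash the password locally, send only the first five hex characters of the hash, get back every known hash suffix under that prefix, and compare on your own machine. The following Python is an added example, not the code WordPress or any plugin uses; it builds a tiny constructed breach list from the weak passwords mentioned in the post so that both the client and the simulated server side run offline.

```python
# Breach-list password check using the hash-prefix (k-anonymity) technique.
# Added example. The leaked-password list is constructed for illustration.
import hashlib

# Constructed stand-in for a breach corpus; the two examples from the post
# plus two other well-known weak passwords.
CONSTRUCTED_LEAKED_PASSWORDS = ["P@ssW0rd123", "12345678", "password", "qwerty"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach services index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Simulated server data: group hashes by their 5-character prefix.
    Returns {prefix: {suffix: occurrence_count}}."""
    index = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index, prefix: str):
    """Simulated server endpoint. It receives only a 5-character prefix and
    returns every suffix it knows under it, so it never learns which full
    hash (and therefore which password) the client is asking about."""
    return index.get(prefix.upper(), {})


def password_seen_in_breach(password: str, index) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally.
    Returns how many times the password was seen, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_query(index, prefix)
    return candidates.get(suffix, 0)


def check_new_password(password: str, index) -> str:
    """The kind of decision a login form makes before accepting a password."""
    hits = password_seen_in_breach(password, index)
    if hits:
        return f"rejected: this password appears in a breach list ({hits} time(s))"
    return "accepted: not found in the breach list"


if __name__ == "__main__":
    breach_index = build_range_index(CONSTRUCTED_LEAKED_PASSWORDS)
    for candidate in ["12345678", "P@ssW0rd123", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_new_password(candidate, breach_index)}")
```

The thing to notice is that a 5-character prefix covers roughly a million different SHA-1 values, so the server cannot tell from the request which one you are checking, while you still get a definite answer. The same technique also works for checking an existing password at login time, which is what produced the forced password change described at the top of this post.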
Make sure your list of friends is just that, friends.
Go secure those passwords!