Website Security – Part 4 – Password Protection

Password protection is everybody’s responsibility. In this article, we discuss passwords as a security issue.

Most of us have accounts on many different sites: online banking, shopping, social media, email and more. Experts tell us not to use the same password for all these accounts, because if someone obtains the password for one account it may open many more. They are right: attackers routinely take username and password pairs leaked from one site and try them on others.

However, keeping track of dozens of different passwords is not always practical either. Some users keep a list of passwords somewhere safe, on paper or in a file. That is better than reusing one password, but if the list is lost or someone gets hold of it, every account on it is exposed at once.

This article won’t attempt to tell you what you should or shouldn’t do in that regard, but we will discuss the difference between weak and strong passwords, based on how hackers actually try to break into your accounts.

Password Complexity
Any password you create should be reasonably complex. Many sites enforce complexity rules when you set up an account. Typical requirements are a minimum length and the use of uppercase and lowercase letters, numbers and special characters (!, #, & and so on).

What advantage do these measures give? Let’s consider this from a hacker’s point of view. Say the hacker has already obtained your user name, which is often not hard, since it is frequently just your email address. Using an automated script, he can now try many passwords in succession until he finds one that works. And they do this, a lot.

Now let’s say your password consisted of only 2 lowercase letters. With 26 letters in the alphabet, that makes 676 possible combinations. An automated script would blow through that in no time. OK, but now let’s say we have 8 lowercase characters. That is 26 to the power of 8, or 208,827,064,576 combinations, which is much better. Even at 1,000 guesses per second, trying them all would take about 6.6 years. Isn’t that good enough? Not really, for two reasons. The first is the guess rate: 1,000 per second is what an attacker can manage against a live login form over the network. An attacker who has stolen a site’s password database and cracks the hashes offline on graphics cards makes billions of guesses per second, and all 26^8 combinations fall in minutes. The second reason is how people actually choose passwords.

Most people don’t use a totally random set of characters for their password. They usually pick something they can remember: the name of a pet, a child or a place, or a birthday, something that only they would know. It seems like a good idea, but hackers are very good at what they do. This is where reconnaissance, often lumped under the term “social engineering”, comes in. A lot of this “personal” information is readily available on the web; Facebook comes to mind.

If you look at a person’s Facebook page, you can usually find all of the information mentioned above. A hacker targeting you (and yes, it happens) can get that sort of information from Facebook, Twitter and many other online sources. So a pet’s name used as a password can often be guessed quite easily. If your dog is named Lassie and that is your password, the hacker is in.

So this is where letter case, numbers and special characters come in. By mixing in these additional characters, the likelihood of a hacker guessing your password outright drops dramatically. Something like laSsie!122 becomes much harder to guess, yet may still be easy enough for the user to remember. One caveat: password-cracking tools apply exactly these transformations to every word in their dictionaries, capitalising a letter here, appending a symbol and a few digits there. A mangled pet name is a real improvement over the plain pet name, but it is still far weaker than a truly random password of the same length, or a longer one.
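To put numbers on the two points above, here is an added example that is not code from the original article. It computes the brute-force search space for a password of a given length and alphabet (the article’s 26^8 calculation), shows how the time to exhaust it changes between an online attack on a login form and offline cracking of a stolen hash table, and contrasts that with the much smaller space an attacker searches when the password is a dictionary word with a capital letter, a symbol and some digits bolted on. The guess rates, the 100,000-word dictionary and the rule set are assumptions chosen for illustration.

```python
import string

# Guess rates used below are assumptions for illustration, not figures from
# the article: a remote attacker hitting a login form is throttled by network
# round trips, while an attacker who has stolen a poorly hashed password
# table runs GPU crackers at billions of guesses per second.
ONLINE_GUESSES_PER_SEC = 1_000
OFFLINE_GUESSES_PER_SEC = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes a complexity policy typically asks for.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32 printable ASCII symbols
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from.

    A brute-force attacker who knows the policy but nothing else must search
    this alphabet: 'lassie' gives 26, 'laSsie!122' gives 94.
    """
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def random_keyspace(password: str) -> int:
    """Candidates a brute-force attack must try if a password of this length
    and alphabet had been chosen uniformly at random (the article's 26**8)."""
    return alphabet_size(password) ** len(password)


def mangled_keyspace(word_len: int, dictionary_size: int = 100_000,
                     max_digits: int = 3,
                     symbols: int = len(string.punctuation)) -> int:
    """Candidates for 'dictionary word, flip the case of at most one letter,
    append at most one symbol and up to max_digits digits'.

    This is a deliberately small rule set of the kind cracking tools apply
    to every word in a wordlist; the dictionary size is an assumed figure.
    """
    case_variants = word_len + 1                                  # one letter toggled, or none
    symbol_variants = symbols + 1                                 # one symbol appended, or none
    digit_variants = sum(10 ** n for n in range(max_digits + 1))  # 0..max_digits digits appended
    return dictionary_size * case_variants * symbol_variants * digit_variants


def years_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


def compare(password: str, word_len: int) -> dict:
    """Time to exhaust the search space for `password` treated as random
    versus treated as a mangled dictionary word of `word_len` letters."""
    random_space = random_keyspace(password)
    mangled_space = mangled_keyspace(word_len)
    return {
        "random_online_years": years_to_exhaust(random_space, ONLINE_GUESSES_PER_SEC),
        "random_offline_years": years_to_exhaust(random_space, OFFLINE_GUESSES_PER_SEC),
        "mangled_offline_seconds": mangled_space / OFFLINE_GUESSES_PER_SEC,
    }


if __name__ == "__main__":
    eight_lower = "abcdefgh"
    space = random_keyspace(eight_lower)
    print(f"{eight_lower}: {space:,} candidates, "
          f"{years_to_exhaust(space, ONLINE_GUESSES_PER_SEC):.1f} years online, "
          f"{space / OFFLINE_GUESSES_PER_SEC:.0f} seconds offline")
    for key, value in compare("laSsie!122", word_len=6).items():
        print(f"laSsie!122 {key}: {value:,.1f}")
```

Run as written, the eight-letter case comes out at roughly 6.6 years online but about 21 seconds offline, and laSsie!122 costs some 170 years offline if the attacker has to treat it as random, yet under 3 seconds under the small word-mangling rule set. The lesson is that the alphabet only counts if the characters were actually chosen at random.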

Hacker Attacks
One of the most common approaches hackers use is to have bots crawl the internet looking for login pages. When they find one, automated scripts try a large set of common usernames and passwords. The username “admin”, for example, is the default administrator account on many content management systems. Combine that with a list of a few hundred common passwords and sometimes they get in. If not, they simply move on to the next site they find.

The trick is to avoid the common usernames and passwords: instead of “admin”, how about “admin871” or “admin!24”. Combined with a complex password, these automated attackers will have little chance of breaking in. Keep in mind that a username is not a secret; many sites reveal it in author pages or error messages, so the password has to carry the weight. On the server side, limiting the number of failed login attempts per account and per source address, and locking accounts or slowing responses after repeated failures, stops such scripts whatever the username is.
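The site-side counterpart to this advice is to notice the scripts when they arrive. The following added example, not code from the original article, parses a constructed login audit log (the line format of timestamp, client IP, attempted username and outcome is an assumption for this example) and flags source addresses that pile up failed logins in a short window. It distinguishes a bot hammering a single account from one walking a list of common usernames, which is the pattern described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's login audit log. The format
# (timestamp, client IP, attempted username, outcome) is an assumption for
# this example; real CMS or web-server logs differ and need their own parser.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 admin FAIL
2024-05-01T08:00:02Z 203.0.113.7 admin FAIL
2024-05-01T08:00:02Z 203.0.113.7 admin FAIL
2024-05-01T08:00:03Z 203.0.113.7 admin FAIL
2024-05-01T08:00:03Z 203.0.113.7 admin FAIL
2024-05-01T08:00:04Z 203.0.113.7 admin FAIL
2024-05-01T08:00:10Z 198.51.100.4 admin FAIL
2024-05-01T08:00:11Z 198.51.100.4 administrator FAIL
2024-05-01T08:00:12Z 198.51.100.4 root FAIL
2024-05-01T08:00:13Z 198.51.100.4 test FAIL
2024-05-01T08:00:14Z 198.51.100.4 user FAIL
2024-05-01T08:00:15Z 198.51.100.4 webmaster FAIL
2024-05-01T08:05:00Z 192.0.2.50 alice FAIL
2024-05-01T08:05:20Z 192.0.2.50 alice OK
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

BRUTE_FORCE = "single-account brute force"
SPRAY = "many-account spray"


def parse(log_text: str) -> list:
    """Turn log text into (timestamp, ip, username, outcome) tuples,
    silently skipping lines that do not match the expected format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=timedelta(minutes=5),
           fail_threshold=5, user_threshold=4) -> dict:
    """Flag source IPs with at least fail_threshold failed logins inside any
    sliding window of length `window`.

    An IP is labelled a brute-force source when those failures target only a
    few accounts, and a spray source when they target user_threshold or more
    distinct accounts (a bot walking a list of common usernames). Once an IP
    is labelled a spray source it keeps that label.
    """
    fails_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails_by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until every failure in it is within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) < fail_threshold:
                continue
            distinct_users = {user for _, user in burst}
            label = SPRAY if len(distinct_users) >= user_threshold else BRUTE_FORCE
            if alerts.get(ip) != SPRAY:
                alerts[ip] = label
    return alerts


if __name__ == "__main__":
    for ip, kind in detect(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {kind}")
```

In the constructed sample, 203.0.113.7 is flagged for hammering the admin account, 198.51.100.4 for cycling through six different usernames, and 192.0.2.50, a user who mistyped once and then logged in, is left alone. The thresholds are starting points; the flagged addresses would normally feed a temporary block or a slowdown on the login endpoint rather than just a report.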

Remember, hackers are always out there. Thousands of automated attack scripts are constantly crawling the web looking for an opening. It’s a very real threat, and if you’ve ever been hacked, you know how unpleasant it can be. Yet the simple act of adding some complexity and length to your passwords may be all it takes to repel the automated attacks. If your passwords are too simple, change them now before it’s too late!