Dr. Randy Boyle

Words matter. And some of the most important words you’ll use will be the ones to guard your money, data and privacy. Choosing a set of strong passwords is probably more important than you realize.

When hackers steal data from a company, they typically get all the usernames and passwords in the system. Considering the size of some of the recent data breaches, the chances you’ve been caught up in a data breach are high. Very high.

If you want to see the data breaches you’ve been in, you can go to http://haveibeenpwned.com and search for your email address (username). A search of one of my old email addresses turned up six separate data breaches.

It’s not just me. Most people turn up in multiple data breaches. Large data breaches are a common occurrence. Choosing a strong password can keep hackers out of your account. Just because they stole your password, doesn’t mean they can use it. They still need to “crack” it, and you can make your password too difficult to crack.

Most people use the same password at multiple sites. This is called password cross-pollination. Hackers know this and use stolen usernames and/or passwords to attempt access to additional sites.

Suppose an attacker wants to steal data. He’ll target organizations with weak security and lots of users. The attacker will then take the stolen information from one organization and try it on multiple sites.

A relatively small data breach at one organization makes five other organizations vulnerable. Even those that spend a lot of money to protect critical systems are vulnerable because one employee used a company password at sites outside the organization.

You need to choose strong passwords and not use them across different organizations. At a minimum, keep your bank, work, personal, social media and dumper (give away) credentials separate.

Here are four simple rules that will really help you choose a strong password:

1. At least 14 characters long
2. Change of case (not at beginning)
3. Digit (0 through 9, not at beginning or end)
4. Other keyboard character (~!@#$%^&()_+)

The password “iLove2eat4#sofChocolate” would be a strong password. It’s long, has a change of case, has a digit in the middle and includes a special character. Hackers would have a hard time cracking this password.

Notice that it’s not really a “word” but more like a “phrase.” Stop choosing passwords, and start choosing passphrases. Never choose a password that’s just a word right from a dictionary. These are cracked in milliseconds.

Most users think they can add a number to the end of the password to make it strong. Nope. The cracking software is designed to try all of these possible password variations. So, the hacker just has to try the word “password” and the cracking software will automatically try password1, password2, password3, etc. until it reaches password9999. It will also try numbers on the front of the password (e.g. 1password), and both sides of the password (e.g. 1password1). So, put the number in the middle of your passphrase, not at the end.

Even more interesting is that password cracking software will “mangle” each possible word in other ways to see if it can get a match for your password. It will try changes in case (Password), reverse the word (drowssap), double the word (passwordpassword), replace letters with numbers (pa55w0rd), etc. There are thousands of possible mangling rules that can be applied to each word, and a typical laptop can try tens of millions of possible passwords per second.

If you think trying a foreign word in your password will help, think again. Hackers have dictionaries from all languages. About 75% of passwords can be cracked in less than three days. Choosing a strong password makes it difficult for hackers to crack your password in a reasonable amount of time. They’ll just give up if it’s too much work.
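To make the four rules above and the "mangling" problem concrete, here is an added checker (example code written for this column, not something from the author). It rejects a password that is a dictionary word or one of the common cracker variants described above (numbers on either end, case changes, reversal, doubling, letter-to-digit swaps), and then scores the remaining rules. The word list is a constructed toy set and the number range is deliberately tiny; a real rule engine tries thousands of rules and far larger numbers.

```python
import string

# Constructed toy wordlist for the demo; a real checker would load a large,
# multi-language list (crackers have dictionaries for every language).
TOY_DICTIONARY = {"password", "chocolate", "welcome", "dragon", "sunshine"}

SPECIALS = set(string.punctuation)      # covers the ~!@#$%^&()_+ set listed above
LEET = str.maketrans("aeios", "43105")  # the "pa55w0rd"-style substitution


def mangle(word, max_number=99):
    """Return the variants a cracker's rule engine derives from one word:
    case changes, reversal, doubling, letter-to-digit substitution, and a
    number prepended, appended, or both. max_number is kept small so the
    demo runs instantly; real rule sets go to 9999 and beyond."""
    bases = {word, word.capitalize(), word.upper(), word[::-1],
             word + word, word.translate(LEET)}
    variants = set(bases)
    for b in bases:
        for n in range(max_number + 1):
            variants.update({f"{b}{n}", f"{n}{b}", f"{n}{b}{n}"})
    return variants


# Build the rejection set once so each lookup is a constant-time set test.
MANGLED_WORDS = set()
for w in TOY_DICTIONARY:
    MANGLED_WORDS.update(mangle(w))


def check_password(pw):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    # Rule 1: length.
    if len(pw) < 14:
        problems.append("fewer than 14 characters")
    # Rule 2: a change of case that is more than a capitalised first letter.
    has_upper_after_start = any(c.isupper() for c in pw[1:])
    has_lower = any(c.islower() for c in pw)
    if not (has_upper_after_start and has_lower):
        problems.append("no change of case after the first character")
    # Rule 3: a digit in the middle, not just tacked onto either end.
    if not any(c.isdigit() for c in pw[1:-1]):
        problems.append("no digit in the middle")
    # Rule 4: at least one other keyboard character.
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # Dictionary rule: a plain word or any of its common mangled forms.
    if pw.lower() in TOY_DICTIONARY or pw in MANGLED_WORDS:
        problems.append("dictionary word or a common mangling of one")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "drowssap7", "Pa55w0rd!", "iLove2eat4#sofChocolate"):
        print(candidate, "->", check_password(candidate) or "passes all rules")
```

Running it shows "password1" failing every rule (it is exactly the "add a number to the end" variant the column warns about), "drowssap7" caught by the reversal rule even though it is not in the list as written, and the column's own "iLove2eat4#sofChocolate" passing cleanly.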

Remembering many passwords is hard. You might want to use password management software (e.g. LastPass or Dashlane), or store your passwords in an encrypted file on your computer. If you’re creating new complex passwords, you should write them down and store that list in a safe place, so you don’t forget.

Creating strong passwords will help protect you from the data breaches you hear about in the news. If you get an email from a company saying your information was stolen, change the password at that company immediately. Don’t wait. In fact, it’s probably a good idea to change your passwords right now.

Dr. Randy Boyle is an associate professor of information systems in the John B. Goddard School of Business & Economics at Weber State University