Why should my passwords be unique and strong?

In this post, you will learn why it's important to use unique and strong passwords for your online accounts.

This topic is especially important if : 

  1. You're concerned about online security

  2. You have signed up for many online services

  3. You are reusing the same or similar variants of the same password across multiple sites

Actually, this is the first article from a 6-part series on password management that will be released over the next few days:

  • Part 1: Why should my password be unique & strong?

  • Part 2: How to generate unique and strong password

  • Part 3: Overview of three password managers for iPhone, iPad & Mac

  • Part 4: How to use iCloud Keychain on iPhone, iPad & Mac

  • Part 5: How to use 1Password on iPhone, iPad & Mac

  • Part 6: How to use LastPass on iPhone, iPad & Mac

Introduction

Imagine that it's Saturday morning and as usual, you're looking at your email inbox. 

A popup menu appears, asking you to enter the password of your email account.

You try several times without success and you're 100% sure you did not make a mistake.

Your suspicion increases as you receive more and more concerned and angry SMS messages from your friends.

You open the Facebook app on your iPhone and you notice postings, supposedly from you, that you don't recognise. Among those, you spot hateful and defamatory comments about some of your friends.

Later on that day, you go shopping and your credit card is blocked. 

You call the hotline of your credit card provider and after verifying your identity, they tell you that the monthly limit has been reached.

When you ask why, you learn that there has been 10 Amazon purchases made with your credit card over the past 24h.

Pretty scary, isn't it?

Let's dissect what could have happened in this fictitious scenario:

  • Step 1: Hacked Facebook account

    1. A hacker found out what your main email address was

    2. He/she sent you a fake email resembling one from Facebook

    3. You unwittingly revealed your password when entering it in an almost identical login page

    4. Now your Facebook account is compromised

  • Step 2: Hacked email account

    1. The email account password being very different from your Facebook account, the hacker initiated a password reset

    2. The hacker could easily find the answers to your security questions based on personal information found in your Facebook profile.

    3. Having full access to your email account, the hacker could change its password, as well as the one from your Facebook account

  • Step 3: Hacked Amazon account

    1. Your Amazon password being similar to the one used for Facebook, the hacker managed to guess it relatively easily

    2. Having access to your Amazon account, the hacker entered a new delivery address and changed the 1-Click setting

    3. Using the 1-Click feature, the hacker was able to make several orders without needing to know your credit card information

Similar attacks can be deflected by using Two-Factor Authentication, as explained in one of my previous posts.

The point I'd like to make today is that most of your online activity requires you to have a username and a password:

  • email accounts (Gmail, Yahoo, Outlook, etc.)

  • social media (Facebook, Twitter, LinkedIn, etc.)

  • Apple ID for iCloud, iTunes and the App Stores

  • cloud storage (Dropbox, Google Drive, OneDrive, etc.)

  • music or video streaming services (Spotify, Netflix, BBC iPlayer, etc.)

  • online shopping (Amazon, Ebay, etc.) and more (magazine subscriptions, etc.)

This means that the larger your digital life, the bigger the attack surface.

Problem

Here are the 3 threats that we face regarding the safety of our online accounts:

  1. Passwords can be guessed

  2. Online service providers get hacked

  3. Supercomputers can try out billions of passwords (every second)

Passwords can be guessed

Password_can_be_guessed.jpg

Believe or not, a lot of people are still using '123456' or 'qwerty' or even 'password' as their account password.

In fact, the passwords used by the vast majority of people fit in a list as short as 1000, and hackers know that.

This means that by first trying out the top 1000 or 10000 most commonly used passwords, more often than not, they can get in.

If that does not work, they then proceed with words found in the dictionary, as well as combination of them. 

Afterwards, they'll analyse public information about you, like:

  • your birthday and birth place

  • your current and past addresses

  • your spouse, kids and pets names

  • and much more 

That will help them generate another set of passwords as well as answer security questions.

Online services get hacked

Online_services_get_hacked.jpeg

Did you know that websites get hacked on a daily basis?

Among the top 10, let's cite:

  • Yahoo with more than 1 billion records

  • eBay with 145 million records

  • Sony PlayStation Network with 77 million records

When site administrators have lousy security practices, the hackers can easily reverse engineer the actual passwords used.

Those data breaches not only give hackers the list of most commonly used passwords, but it also helps them learn the most common character substitutions (like replacing an O with a zero).

Since there is always a risk that a site containing your credential can get hacked, the worst you can do is re-use the same password multiple times.

Even when you use different passwords, if those are constructed via the same or a similar scheme, then a determined attacker could reverse-engineer the passwords you used for other accounts.

Supercomputers can try out billions of passwords (every second)

Brute-forcing.png

Brute-forcing is a technique by which all the possible combinations of letters, digits and special characters are tested by a supercomputer.

Nowadays, modern hardware using powerful graphical processing unit (GPU) chips can crank out billions of guesses every second. 

In practice, this means that a 10-letter single case password can be cracked in a day.

The only protection against such attack is to have a password that is unique, sufficiently long and complex.

Summary

To summarize, the main reasons why online account get hacked are the following:

  • passwords are either too short or too simple

  • the same or very similar passwords are reused across multiple accounts

  • the answers to security questions can be found easily from publicly available information

But Damien, you don't understand! 
It's too complicated to remember so many different and complex passwords.
In addition, you're suggesting that we should write fake answers to security questions.
How on earth do you expect us to do that?

Well, thank you for asking.

The thing is, we, Humans, are not good at:

  • coming up with unique and strong passwords

  • remembering many unique and strong passwords

This is why we need to find ways to outsource those two tasks.

In the next post, I’ll explain different techniques to generate unique and strong passwords.


And you, how concerned are you by the safety of your online accounts?

Please let me know in the comments below!

<--Add a dash before the > on this line to activate the language selector with flags->