You’ve heard it time and time again lately. On every new site you register for, or any time you have to change the credentials for your bank or rewards program website, you see the ever-frustrating notification: password strength – weak.
That’s just the way things are these days. With more and more hackers signing up to wear the black hat, more everyday people are becoming the targets of digital theft and attack.
We all know the feeling, though: no matter how hard you try, sometimes you just can’t make the jump from ‘weak’ to ‘strong’ when it comes to your password. Fear not, however, because that’s what Lorrie Faith Cranor set out to address in her most recent TEDxCMU talk, given this March at Carnegie Mellon University: What’s wrong with your pa$$w0rd?
Don’t feel like watching the entire 17-minute video? No worries, that’s what we’re here for. Today we’re going to focus on the basic password policies discussed in the video.
Early in her research, Cranor identified two common reactions people have to new, stricter password policies: people are often frustrated by the stringent requirements, and over 80 percent of people reuse their passwords for other login credentials. As a HackerAttacker, you should know that reusing a password across multiple sites severely increases your risk of falling victim to attack: one breached site hands the attacker a working password for every other site where you used it. In Cranor’s words, “[Reusing your password] is actually much more dangerous than writing your password down… if you have to, write your passwords down but don’t reuse them.” You might also look into a single sign-on solution for yourself or your business, so that you have fewer passwords to manage in the first place. Either way, using the same password for everything makes it that much simpler for a hacker to steal your data.
Basic8
Basic8 is the traditional baseline: the only requirement is that a password be at least 8 characters long.
Comprehensive8
Comprehensive8 takes that 8-character minimum and adds several requirements on top of it: include a symbol, include both uppercase and lowercase letters, and make sure the password passes a dictionary check. This policy proved considerably stronger than Basic8, and it serves as the basis for most password policies in effect today. It makes sense, right? Adding a symbol or special character to your password is a surefire way to rocket it into the ranks of the best of them!
Not Really.
As it turns out, people are wildly predictable. Ever notice that there are many more Johns and Matthews in your office building than Algernons or Reubens? The same thing happens with the symbols people put in passwords. As a rule, people gravitate towards a handful of common, recognizable symbols (@, #, !, and so on), because those are the symbols they see every day, and they tend to use them in predictable places: @ standing in for “a”, $ for “s”, an exclamation mark tacked onto the end. When it comes to strengthening your password, however, those are exactly the symbols and substitutions a password cracker’s guessing rules try first!
Sure, Comprehensive8 policies are a good starting point, but for most users the strict guidelines are more cumbersome than helpful. As an alternative, Cranor suggests a variation of the old-school Basic8 policy.
Basic16
Basic16 password policies typically require only a minimum length of 16 characters. According to Cranor, when a Basic16 password is structured correctly its strength is often nearly that of a Comprehensive8 password. The length requirement pushes the user toward more thoughtful, creative passwords to compensate for the lack of required symbols and character variation. Unfortunately, this solution isn’t perfect either: a long password built from a famous phrase is still predictable.
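To make the three policies concrete, and to show why a Comprehensive8-compliant password full of “recognizable” symbols is not automatically strong, here is an added Python example. It is not code from the original post or from Cranor’s research. The wordlist, the symbol-substitution table and the suffix list are constructed for illustration and are tiny compared with what a real cracker uses; the digit requirement in `comprehensive8` follows the policy as CMU defined it, which the summary above does not spell out; and the exact form of the dictionary check is an assumption, since the talk does not describe it.

```python
"""Added example: checkers for the Basic8, Comprehensive8 and Basic16
policies summarised in this post, plus a toy word-mangling rule set of
the kind password crackers use. Not code from Cranor's study; the
wordlist, substitutions and suffixes below are constructed for
illustration and far smaller than anything a real attacker would use."""
import string

# Constructed mini wordlist. A real dictionary check uses a large one.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "football"}

# The "recognizable" symbols the post mentions, and the letters they
# commonly stand in for. Constructed rule set, not an empirical table.
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "i": "!", "e": "3"}
SUFFIXES = ["", "!", "1", "123", "!1"]


def basic8(pw):
    """Basic8: at least 8 characters, nothing else required."""
    return len(pw) >= 8


def basic16(pw):
    """Basic16: at least 16 characters, nothing else required."""
    return len(pw) >= 16


def passes_dictionary_check(pw):
    """Reject a password that is a dictionary word, ignoring case and any
    digits or symbols wrapped around it. (Assumed behaviour: the talk does
    not spell out how the dictionary comparison is performed.) Note that
    it does NOT undo symbol substitutions, which is exactly the gap the
    mangling rules below exploit."""
    letters_only = "".join(c for c in pw.lower() if c.isalpha())
    return pw.lower() not in DICTIONARY and letters_only not in DICTIONARY


def comprehensive8(pw):
    """Comprehensive8: at least 8 characters with a lowercase letter, an
    uppercase letter, a digit and a symbol, and not a dictionary word.
    (The digit requirement is part of the policy as CMU defined it; the
    post's summary lists only symbol, case and dictionary check.)"""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return (len(pw) >= 8 and has_lower and has_upper and has_digit
            and has_symbol and passes_dictionary_check(pw))


def mangle(word):
    """All variants of one dictionary word produced by three rules:
    change case, swap lowercase letters for their usual symbols, and
    append a common suffix."""
    bases = {word, word.capitalize(), word.upper()}
    leet = {"".join(SUBSTITUTIONS.get(c, c) if c.islower() else c for c in b)
            for b in bases}
    return {variant + suffix for variant in bases | leet for suffix in SUFFIXES}


def candidates(dictionary=DICTIONARY):
    """Every guess the rule set generates from the wordlist; a cracker
    tries this whole set before touching anything random."""
    return {variant for word in dictionary for variant in mangle(word)}


def guessable_by_rules(pw, dictionary=DICTIONARY):
    """True if pw is among the rule-generated guesses, i.e. it falls in
    the first few hundred attempts regardless of which policy it passes."""
    return pw in candidates(dictionary)


def evaluate(pw):
    """Policy results side by side with the cracker's view of the password."""
    return {
        "basic8": basic8(pw),
        "comprehensive8": comprehensive8(pw),
        "basic16": basic16(pw),
        "guessable_by_rules": guessable_by_rules(pw),
    }


if __name__ == "__main__":
    # "Password!1" is caught by the dictionary check; "P@$$w0rd!" sails
    # through Comprehensive8 yet is one of only 150 rule-generated guesses.
    # The 30-character phrase passes Basic16 and is outside this rule set,
    # though a phrase-based wordlist would be the attacker's next step.
    for pw in ["password", "Password!1", "P@$$w0rd!", "the quiet dog naps by the gate"]:
        print(f"{pw!r}: {evaluate(pw)}")
    print("rule-generated guesses:", len(candidates()))
```

The takeaway is in the numbers: with six words and three rules the cracker produces just 150 guesses, and a password that satisfies every Comprehensive8 requirement is among them. Checking compliance and checking guessability are different things, and the second is what matters.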
Next time, we’ll take a look at how hackers usually crack your password, and at some more ways to strengthen it in order to stop them.
Liked the video? Think there is something we missed? Let us know in the comments!
Don’t forget: for more on Cranor’s TED talk, and to find out what else you can do to keep your data safe, catch us in our next article: TedTalks: Password Strength – Part II