Small and Midsized Businesses (SMBs) can benefit from having strong passwords to help protect from hackers and keep valuable information safe.

How Hackers Guess Your Passwords

The most common type of password attack is called a dictionary attack. It tries to find the passphrase by testing hundreds, and sometimes millions, of candidates drawn from word lists, much like the words in a dictionary, until the correct password turns up. The attack works because people build their passwords out of words and phrases. An easy way to defeat it is to avoid using words, or arrangements of words, in your password; a dictionary attack is ineffective if there are no words to find.

The other common passphrase attack is a brute force attack. Here the hacker systematically tries every possible password until the correct one is found, hence the name. This attack carries a real computational cost, so it is more time-consuming than a dictionary attack. Even so, brute force attacks are widely used.

I want to put into perspective the power of a modern computer’s computational ability to crack passwords.

Let’s say we have a password which is eight characters long. Each character can be an uppercase letter (26, assuming the English alphabet), a lowercase letter (26 more), or a digit (10, from 0 to 9). That is a total of 62 possible values for each position, and where it gets interesting is how many different strings you can build from them. The number works out to around 225,000,000,000,000, about 225 trillion possible combinations. While that may seem like an enormous number, a hacker somewhere else in the world can crack such an eight-character password in a few hours. This assumes a computer can guess 10 billion passwords per second, which is entirely possible.

The fix is to increase the number of possible combinations so that the time it takes a hacker to crack the password becomes unbearably long. The safe range is 12 or more characters. Why? Go back to the 62 possible values per position. Twelve positions give 62 to the 12th power, a whopping 3 sextillion, or a 3 with 21 zeros after it. With just 4 more characters, we have pushed the time to crack the password from a few hours to a few centuries. How’s that for a secure password?

The Truly Secure Passwords Are Complex, Random, And Lengthy

Passwords need to be complex, random, and lengthy: strings of 12 or more characters. As I said before, be sure not to use words commonly found in the dictionary. Lastly, including special characters greatly increases the number of possible combinations: the number of values to guess at each position rises from 62 to 95. If I knew a password was built that way, I wouldn’t even dream about hacking it!
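As an added example (not from the original article), here is a small Python script that carries the arithmetic above through in code: it sizes the alphabet actually used by a password, computes the keyspace, estimates worst-case brute force time at the article’s 10 billion guesses per second, and applies the three rules (12 or more characters, all four character classes, no dictionary words). The word list is a constructed stand-in for a real cracking dictionary.

```python
import string

# Constructed mini word list; a real dictionary attack uses millions of entries.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "summer", "letmein", "admin"}
# Character classes and their sizes; all four together give the article's 95.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}
GUESSES_PER_SECOND = 10_000_000_000  # the article's assumed attacker speed

def charset_size(password: str) -> int:
    """Alphabet an attacker must cover: the sum of the classes actually present."""
    return sum(size for chars, size in CHAR_CLASSES.values()
               if any(c in chars for c in password))

def keyspace(charset: int, length: int) -> int:
    return charset ** length  # every position has `charset` choices

def crack_time_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for brute force: exhaust the whole keyspace at `rate` guesses/s."""
    return keyspace(charset_size(password), len(password)) / rate

def describe_time(seconds: float) -> str:
    """Largest sensible unit, e.g. '6.1 hours' or '10223.1 years'."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def contains_dictionary_word(password: str, words=DICTIONARY_WORDS) -> bool:
    """True if any list word appears inside the password, ignoring case."""
    lowered = password.lower()
    return any(word in lowered for word in words)

def evaluate(password: str) -> dict:
    """Apply the article's three rules and attach the brute-force estimate."""
    checks = [
        (len(password) >= 12, "shorter than 12 characters"),
        (charset_size(password) == 95, "does not mix upper, lower, digits and symbols"),
        (not contains_dictionary_word(password), "contains a dictionary word"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    seconds = crack_time_seconds(password)
    return {"charset": charset_size(password), "seconds": seconds,
            "brute_force_time": describe_time(seconds),
            "problems": problems, "acceptable": not problems}
```

Running `evaluate("aB3dE5fG")` reproduces the article’s roughly six hours for an eight-character alphanumeric password, while a 12-character mix of all four classes comes out in the thousands of years.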

The next checklist is for those who want to take their business password security to the next level. I went ahead and made a checklist of how to add even more security to your business.

Before I provide you with the checklist, I would like to debunk the supposed need to change passwords regularly. There is research to support this. The idea that passwords must be changed every so often is a false one: if your password is already safe, there is no need to change it. An already secure password, one made of non-dictionary words with 12 or more characters mixing uppercase and lowercase letters, digits, and special characters, provides enough security on its own. Federal Trade Commission (FTC) chief Lorrie Cranor explained why there is no need to change passwords at PasswordsCon in 2016.

“The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor explained. “They take their old passwords, they change it in some small way, and they come up with a new password.”

Tips For Managing Passwords:

  1. Deploy multiple factors of authentication
  2. Avoid automatic login features
  3. Use different passwords for each site and account

Authentication is simply proving that you are who you say you are.

Single-step verification is when you just use a password. Two-step verification is where you need to authenticate yourself with another device and use a password. Multi-factor authentication (the holy grail of authentication) is when you need two or more authentication factors apart from a password.

I discussed single-step verification; now I would like to introduce its sturdier older brother, two-step verification. For example, when you use Gmail (Google’s e-mail service) it asks you for a phone number to link to your account. Whenever Google notices you signing in from an unfamiliar computer or location, it uses that phone number to verify that you are who you say you are.

Since large companies such as Google and Apple are using two-step verification, that is a good indicator that you should probably be using it too.

Lastly, multi-factor verification is when you use two or more factors to authenticate yourself. This is what every business should aim for, but it is not always realistic.

By checking “remember me” or “log me in automatically” you are allowing your password to be captured by even a novice hacker.

Next, I would like to shed some light on the dangers of clicking the automatic login features on websites, from a hacker’s and programmer’s perspective.

I do not want to scare anyone, but I want to show how easy it is to find out what a password is when you “save” or “remember” passwords. I hope that you test it for yourself.

I will use a Gmail login to prove my point. You first input a valid email address in the form of [email protected], then type in your valid password. You soon realize you cannot see the typed characters, but I’m going to show you how you can find out any saved password. First highlight the entire password with your mouse (or press Command + A on a Mac or Ctrl + A on Windows), then right-click the highlighted password; a drop-down menu should appear. Move down until you see “Inspect Element” and click it. If you are not a programmer, don’t be alarmed at how much code pops up; I will guide you through what to do next. Highlighted will be an input field tag with attributes such as type, class, name, etc. We want to target the “type” attribute, which will appear as type="password". All we have to do is remove a letter from “password” and the field will reveal the saved password. This works because when type="password" the input field protects your password with dot symbols, but when the type is not recognized as a password the browser no longer hides it and shows you the password.

I hope this gives you firsthand proof of the importance of having a strong password and protecting your business’s password management.

If you use the same secure password for multiple accounts, it actually makes your password less secure and increases the chances of it being found out.

Using the same password for all your accounts lessens the security of a strong password, even assuming you are using non-dictionary words with 12 or more characters mixing uppercase and lowercase letters, digits, and special characters. Don’t take my word for it; instead, let me prove to you why this is true. Imagine you have 10-15 online accounts (a perfectly reasonable number in this day and age) which all share the same strong password. Now, let’s play devil’s advocate and say that your Google e-mail just got compromised. Oh, no! Now the hacker has two things: 1) your email and 2) your email password. Most online accounts use email to register and to reset or change passwords, so the hacker can now change the passwords of every online account linked to your email.

At Chop Dawg, I help clients build applications and websites which require important information to be shared over the internet. If client information fell into the wrong hands, it would be detrimental to our trust with our clients, so we take password security seriously and so should you.

I hope that the hidden gems I’ve shared in this article resonate with you, and that I have convinced you to manage your business passwords more carefully.