following two trends. One, computers are getting faster through the exponential growth of computing power. And two, hackers are getting smarter through widely shared hacking knowledge and tools. The combination of these two trends makes it easier for hackers to crack your passwords.
In 2003 the National Institute of Standards and Technology changed the way we create passwords by publishing "NIST Special Publication 800-63, Appendix A", written by Bill Burr (not the comedian). His advice was to take a word, replace letters with numbers and symbols, and use capitalization. For example, a word like "excellent" might become "3*c3L13^t!": "e" becomes "3", "x" becomes "*", the first "l" is capitalized and the second becomes a "1", and so forth. This made passwords difficult to remember. Was it the first "l" or the second "l" that I exchanged for a 1? Ugh!
This is bad advice.
In 2017, the author of that document admitted that he had made a mistake in giving that advice. Unfortunately, it has become common practice for today's hackers to use entire dictionaries together with the common substitutions to crack passwords.
For example, let's take our password mentioned above, "excellent". Password-cracking software might apply its substitution rules to the word "excellent" to generate and test passwords like these:
(Note: Bad practice. Don't do this.)
Throw in the ever-increasing speed of computer processors, and you have programs that crack these passwords very quickly.
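The defender's side of the same observation is a password check that undoes the common substitutions before comparing against a wordlist, so that "3*c3L13^t!" is recognised as "excellent". The example below is added here and is not code from the original post; the substitution table and the tiny wordlist are constructed for illustration.

```python
import re

# Common character substitutions that strength checkers reverse before a
# dictionary comparison (constructed, illustrative table).
LEET_MAP = {
    "3": "e", "*": "x", "1": "l", "^": "n", "0": "o", "4": "a", "@": "a",
    "$": "s", "5": "s", "7": "t", "+": "t", "|": "l", "!": "i", "9": "g",
}

# Constructed sample wordlist; a real check would load a large one.
WORDLIST = {"excellent", "password", "welcome", "letmein", "troubadour"}


def candidates(password: str) -> set:
    """Return plausible base words hidden behind case, padding and substitutions."""
    lowered = password.lower()
    # Try the string as-is, and with trailing punctuation/digits removed,
    # since "!" or "1" is often just appended padding.
    stems = {
        lowered,
        re.sub(r"[^a-z0-9]+$", "", lowered),
        re.sub(r"[^a-z]+$", "", lowered),
    }
    # Leading padding such as "!" or "*" is handled the same way.
    stems |= {re.sub(r"^[^a-z0-9]+", "", s) for s in stems}
    # Map every substituted character back to the letter it stands for.
    return {"".join(LEET_MAP.get(ch, ch) for ch in s) for s in stems}


def mangled_base(password: str, wordlist=WORDLIST):
    """Return the dictionary word the password is derived from, or None."""
    for candidate in candidates(password):
        if candidate in wordlist:
            return candidate
    return None


if __name__ == "__main__":
    for pw in ["3*c3L13^t!", "P@ssw0rd!", "correct horse battery staple"]:
        print(pw, "->", mangled_base(pw))
```

A policy built on this rejects any password whose base word is found, regardless of how many symbols were swapped in.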
In 2011, cartoonist Randall Munroe published an XKCD comic that became quite popular. It flipped Burr's advice on its head by showing graphically that "Tr0ub4dor&3" (a password that could easily come out of Bill Burr's advice) can be cracked. The cartoon then shows how a random string of four words is more secure.
This is no longer good advice. According to security expert Bruce Schneier, "The password crackers are on to this trick." Hackers are getting smarter and their hacking programs are getting better.
The best password advice that we've seen is what Schneier calls the Schneier scheme. This technique creates passwords that are both secure and easy to remember. In fact, we produced a password security video on strong, easy-to-remember passwords that shows a method similar to the Schneier scheme. The idea is to take a unique phrase that is personal to you and keep only the first letter of each word in that phrase. You end up with a password that is hard for both humans and computers to crack, yet easy for you to remember.
We've searched far and wide and put together the single best practice for creating strong, easy-to-remember passwords. Here is the result of 20+ hours of research, debate, and development all wrapped up into one 2-minute video.
Though this is still the best advice we have seen, it's only a matter of time before it too gets exploited, because those two trends are never going away. Like I said, hackers are getting better; technology is getting faster.
It may be only a few more years before it doesn't matter what password you have: computer algorithms will be able to crack anything. If you search online for how many password guesses a computer can make per second, you will get numbers in the billions and even trillions.
According to one of our own engineers, Colin Smith,
"We tend to overestimate the human factor in security because we want to expect the best of ourselves and others, but anyone has the capacity to be socially engineered or phished, anyone can have their clever/complex shared password scheme revealed in a breach, and anyone can be working on an improperly secured computer that is key-logged. These things can be trained for, but never to an infallible degree; because computer (and human) networks work through relationships of trust, one compromised account translates directly into compromising others. All this adds up to the fact that a password cannot be made safe enough on its own, neither through length nor complexity."
So what is the only solution that will beat the trends?
Two-factor authentication is also known as dual-factor authentication. If you have more than two ways of authenticating, it’s known as multi-factor authentication.
Here’s how it works:
First, you log into a website or program. The program sends a unique code, often six digits, to your mobile phone, and then you confirm that code in the program itself. It requires you to prove possession of two things (the password and your mobile device) before you can log in.
Also, it doesn't have to be just a password and a mobile device. A number of different combinations count as two-factor authentication.
Combinations may look like:
You get the picture.
Password best practices are fading away due to the fact that hackers are getting smarter and technology is getting faster.
Endsight delivers premium IT management and support to small and medium-sized businesses of all industries. Our service combines trained IT professionals with sophisticated automation and remote management technology to create reliable networks that lever our clients' business model, mission, and people.