Bluefin Chief Innovation Officer Ruston Miles, developer of Bluefin’s PCI-validated P2PE solution, guest blogs today on one of the most basic – but integral – parts of cyber security: passwords. We are staunch advocates of PCI P2PE, EMV and Tokenization for payments but when it comes down to it, passwords can be one of the biggest roadblocks that stand between a hacker and your sensitive information.
Think about it: passwords protect your bank statements, your emails, your social profiles, and any other sites on which you have accounts. Someone who discovers your password can uncover private details about you – and has the power to be you online. It’s a scary thought.
Given their importance, one would think creating a strong password would seem like a no-brainer. Think again.
Passwords are often a weak link in cyber security. Why? Because creating a strong, hard-to-remember password is inconvenient for online users, so we tend to fall back on easy, basic passcodes that can be cracked in the blink of an eye. Just look at Starbucks, whose customers suffered hacked bank accounts all because of weak passwords on their apps. Hackers didn’t even need credit card numbers in order to steal hundreds of dollars.
If that doesn’t hit home, perhaps this will: when Ars gave three crackers a list of more than 16,000 hashed passcodes, the top cracker recovered 90% of the list. The least successful cracker? He recovered 62% of the list after devoting only an hour to it.
Businesses are also suffering. Those with BYO-device policies and cloud functionality have become increasingly susceptible to breaches due to employees whose accounts are protected only with weak passwords.
It’s time to stop relying on basic passwords and hoping for the best. In fact, creating strong passwords is easier than you think. As security expert Bruce Schneier says, “The best way to explain how to choose a good password is to explain how they’re broken.”
How Password Cracking Works
The world of password cracking is complex, and yet hackers can easily break huge lists of passcodes in a matter of hours. As explained by Schneier, attackers generally use an offline attack: they take a stolen file of hashed passwords and recover the originals by guessing candidates and checking each guess against the hashes. Crackers can run through candidates as quickly as their computer can process them.
Crackers use a hybrid of brute-force attacks, which try combinations of symbols, numbers and letters within certain rules, and dictionary attacks, which use common words (or a compiled list of words the hacker has refined over the years), to crack the codes. Attackers will also feed any personal information they have about you into the system, which makes passwords that include private information (like birthdays, anniversary dates, and even social security numbers) susceptible to attack.
As you can see, with smart hacking methods and a powerful computer that can generate guesses for days, users with weak passwords are incredibly susceptible to cyber attacks. So, how do you stay safe?
Password Dos & Don’ts:
Do:
- Create long passwords with 12+ characters
- Use symbols, numbers, and various capitalizations
- Store your passwords in a safe location, like Password Safe
- Utilize an online password checker to confirm your password is secure
- Turn on two-step verification if available
Don’t:
- Include personal information such as your name, address, social security number, or birthday
- Use simple keyboard combinations like QWERTY
- Incorporate simple dictionary words & combinations
- Utilize basic substitutions (e.g. $ for s)
- Reuse the same password for multiple sites
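As an added example (not Bluefin’s code), this Python checker applies the Dos & Don’ts above to a candidate password. It undoes the basic substitutions ($ for s, 0 for o) before looking for dictionary words, because crackers’ rule sets try those substitutions anyway, and it treats multi-word input as a passphrase that must have at least 6 words. The word and keyboard lists are constructed stand-ins for the large lists a real checker would load.

```python
import string

# Constructed stand-ins: a real checker loads large leaked-password and dictionary lists.
COMMON_WORDS = {"password", "welcome", "monkey", "letmein", "dragon", "fruity", "pebbles", "football"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "1qaz2wsx")
# Undo the "basic substitutions" the Don'ts list warns about ($ for s, 0 for o, ...).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "!": "i"})

def normalize(pw):
    """Lower-case and de-leet, so P@$$w0rd is checked as 'password'."""
    return pw.lower().translate(LEET)

def check_password(pw, personal=()):
    """Return the Dos & Don'ts the candidate violates; an empty list means it passes.
    personal: strings such as a name, birth year or street that must not appear."""
    problems = []
    low, norm = pw.lower(), normalize(pw)
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    words = pw.split()
    if len(words) >= 2:
        # Multi-word input is treated as a passphrase: the rule is 6+ random words.
        if len(words) < 6:
            problems.append("passphrase has fewer than 6 words")
    else:
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
        if sum(classes) < 3:
            problems.append("uses fewer than three of lower/upper/digit/symbol")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    for run in KEYBOARD_RUNS:
        if run in low or run[::-1] in low:
            problems.append(f"contains keyboard sequence ({run})")
    # Heuristic: one dictionary word covering at least half the password means the
    # rest is just padding that a dictionary attack with rules will try anyway.
    for word in sorted(COMMON_WORDS):
        if word in norm and len(word) * 2 >= len(norm):
            problems.append(f"built around the dictionary word '{word}'")
    return problems

if __name__ == "__main__":
    for candidate in ("qwerty", "P@$$w0rd2015!", "starfish moonrise kite home agony demise"):
        print(candidate, "->", check_password(candidate, personal=("2015",)) or "OK")
```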
Now that you have the Dos and Don’ts down, try one of these methods to create a secure password:
Schneier Method: Turn a sentence into a passcode
- Choose a sentence that is personal to you: Fruity Pebbles are my favorite breakfast food.
- Abbreviate the sentence in a unique way: FBrmyf@vbfF
- Be sure to vary capitalization and use symbols and/or numbers to make your password more complex
Passphrase: Use unique, random words to create a password
- Pick random words and turn them into a phrase: starfish moonrise kite home agony demise
- Given today’s cracking capabilities, make sure you choose at least 6 words for your passphrase
- Be wary of using common dictionary words, as these are easily cracked
Password Manager: Create one unique and complex password
- Using one of the methods above, create a unique, complex password that you can remember: @9,mbTab@mH or trombonehorsehambonetroubadourmercystalls
- Set this password as the code to your password manager
- Store other random, alphanumeric passwords in your password manager and use these for other sites: 7k[:/Bkgf-?vT and GKLBM&8[%]tuV
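As an added example (not Bluefin’s code) for the passphrase and password-manager methods above, this Python snippet picks passphrase words with a cryptographic random source, because words chosen “from your head” are not random, and works out why 6 words is the floor: it computes the guess space for a given word count and list size, and for a random alphanumeric manager password, against an assumed guess rate. The word list is a small constructed stand-in; the 7776-word size is that of a typical diceware-style list, and the 10 billion guesses per second rate is an assumption to adjust for your own threat model.

```python
import math
import secrets

# Constructed stand-in; a real diceware-style list has thousands of words.
WORDLIST = ["starfish", "moonrise", "kite", "home", "agony", "demise", "trombone", "horse",
            "hambone", "troubadour", "mercy", "stalls", "anchor", "basil", "comet", "dune"]

def generate_passphrase(words, count=6):
    """Pick `count` words with a CSPRNG (secrets), never random.choice or by hand."""
    return " ".join(secrets.choice(words) for _ in range(count))

def passphrase_bits(list_size, count):
    """Entropy of `count` independent picks from a list of `list_size` words."""
    return count * math.log2(list_size)

def random_password_bits(length, alphabet_size=95):
    """Entropy of a password-manager style random string over `alphabet_size` symbols
    (95 = printable ASCII, the space excluded)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility; the expected time is about half."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    rate = 1e10  # assumed guesses/s for a fast hash on a GPU rig; tune to your threat model
    for n in (4, 5, 6):
        for size in (2000, 7776):
            b = passphrase_bits(size, n)
            print(f"{n} words from {size:>5}-word list: {b:5.1f} bits, "
                  f"{years_to_exhaust(b, rate):.1e} years to exhaust")
    b = random_password_bits(13)
    print(f"13 random printable chars: {b:.1f} bits, {years_to_exhaust(b, rate):.1e} years")
    print("generated passphrase:", generate_passphrase(WORDLIST))
```

Slow password hashes (bcrypt, scrypt, Argon2) cut the guess rate by orders of magnitude, but since you rarely know how a site stores your password, the rate above is the pessimistic case to plan for.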
At the end of the day, creating a strong password is up to you. It’s essential for your personal and business security and for the security of others. In a world where only the most comprehensive cyber security measures offer full protection, we need to hold up our end of the bargain by creating strong passwords to keep our information safe.
If you have further questions about password creation and protection, or wish to learn about Bluefin’s holistic approach to security which includes PCI-validated P2PE, EMV and Tokenization, contact us today.
Ruston is a frequent speaker on the topic of payment security and is an expert in PCI-validated P2PE. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council (SSC).