It’s been theorised over the years that passwords will be replaced, but at the moment they’re still the most common way of protecting an account. The problem is that as tech progresses, so does the tech that attackers are using.
How it tends to work now is that these password pinchers essentially use their high-powered tech minions to run through dictionaries of known words (plus the usual tricks: swapping letters for look-alike digits, tacking a year on the end) and try out the resulting combinations, hoping to chance on yours. This means that even long phrases that were previously quite secure (like ‘halfb00kduckstereotype1988’) can now be cracked quite quickly. Basically, if it’s built from recognisable words – even something like ‘k1araj0hns0n’, or any combination that has leaked online at some point in the past and ended up in a wordlist – the system can break it.
So, how do you create the strongest possible password (note, this is against a dictionary attack – there are other kinds but this is a common method!)?
Cyber security expert Bruce Schneier has come up with the ‘Schneier scheme’, which tells you how to create a password the dastardly dictionary checks will miss.
He says: “My advice is to take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m’. That nine-character password won’t be in anyone’s dictionary. Choose your own sentence – something personal.”
Other examples of this method could be:
• WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
• Wow…doestcst = Wow, does that couch smell terrible.
• Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
• uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
He also suggests using “random unmemorable alphanumeric passwords (with symbols, if the site will allow them)” – literally as random as B3h4_[%}kgv) – and a password manager to create and store them. Often the password manager will generate the passwords for you and then store them, so you only need to remember the one password for the manager itself, which is handy.
So, there you have it. Do a bit more research and educate both yourself and your team; see what’s out there; if you have your own site, invest in two-factor authentication. Above all, treat passwords with as much importance as you would Christmas, otherwise it’ll certainly end up being a very festive payload for the bad guys!