Doubting the need to consider password strength is risky business. It’s like asking “Why do I need to show identification to take money out of my bank account?” Once, I even heard someone say “But nobody would want to hack into my site. There’s nothing worth stealing…”
I believe this reflects a wider attitude of apathy. Take a few moments and think it through. The purpose of a lock is to protect whatever is valuable behind it. Your password is the key, the login screen is the lock, and behind that lock is whatever it protects. If your password is weak, how much protection does it afford you? If you still don’t believe me, please call me right after someone empties your bank accounts and ask that question again.
“The biggest security flaw today, according to Sean Ahrens, who heads Aon’s security practice from Chicago: ‘We’re in an era of complacency. We only get ratcheted up after something happens.’” (from the article ‘Complacency lets the bad guys in, workplace security expert says’ by Steve Jordan, 11/10/2014)
Why does password strength matter?
Because you want hackers to stay out of your website, and they want into your account. The more motivated they are to get in, the more effort they will spend getting in. There are so many people doing this that they share techniques and resources so more of them can succeed. Just for the sake of discussion, let’s call them ‘attackers’.
An attacker’s target may be the online magazine where you have an account as a contributor: they want in so they can deface the magazine or push an agenda of their own. Another goal may be to prove that they CAN get inside something that is supposedly ‘secure’ and earn the respect of other attackers. Still another is to use a website to spread malware. I believe the most common motive is money, taken from your accounts directly or through identity theft.
The root of the problem is that they are very motivated, and that motivation has driven them to refine the methods and processes they use to get in. Dictionary attacks now include every word imaginable plus the most likely misspellings of each. Attackers have also obtained password lists leaked from large companies and analyzed them for the most commonly used passwords. Alongside those sit lists of anything that looks like a year or a date, and of common names of people and pets.
As the attackers’ methods have grown more sophisticated, keeping them out has become harder. The answer is longer passwords that contain nothing found in a dictionary and do NOT include the name of a pet or a loved one. In other words, stay away from anything easily guessable.
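To make concrete how the word lists described above turn into actual guesses, here is an added example of the attacker’s side; it is not code from the original post. A tiny, constructed dictionary with misspellings, names and years is expanded by a few mangling rules (capitalisation, ‘leet’ substitutions, trailing digits and symbols) and every candidate is hashed and compared with the target. The word lists, the rules and the use of plain SHA-256 as the stored hash are illustrative assumptions; real leaked lists and cracking tools are far larger and target whatever hash the site actually used.

```python
import hashlib

# Constructed, deliberately tiny stand-ins for the attacker's resources:
# a base dictionary, likely misspellings, common names (people and pets),
# anything that looks like a year, and the usual trailing characters.
BASE_WORDS = ["password", "welcome", "dragon", "summer"]
MISSPELLINGS = {"password": ["pasword", "passwrd"], "welcome": ["wellcome"]}
NAMES = ["john", "sarah", "fluffy", "rex"]
YEARS = [str(y) for y in range(1990, 2016)]
SUFFIXES = ["", "!", "1", "123", "!1"]
# "Leet" substitutions people believe make a word unguessable (they do not).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})


def mangle(word):
    """Yield the variants of one word that simple mangling rules produce."""
    seen = set()
    for variant in (word, word.capitalize(), word.upper(),
                    word.translate(LEET), word.capitalize().translate(LEET)):
        if variant not in seen:
            seen.add(variant)
            yield variant


def candidates():
    """Generate the attacker's guess list: mangled words and names, each
    combined with suffixes and years, plus bare years on their own."""
    stems = list(BASE_WORDS) + NAMES
    for word in BASE_WORDS:
        stems.extend(MISSPELLINGS.get(word, []))
    for stem in stems:
        for variant in mangle(stem):
            for suffix in SUFFIXES:
                yield variant + suffix
            for year in YEARS:
                yield variant + year
                for suffix in SUFFIXES[1:]:
                    yield variant + year + suffix
    yield from YEARS


def sha256_hex(password):
    """Stand-in for whatever the leaked list stores. A fast, unsalted hash
    like this is precisely what makes offline guessing this cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash):
    """Return (password, guesses) if some candidate hashes to target_hash,
    otherwise (None, guesses) once the whole list has been tried."""
    guesses = 0
    for guess in candidates():
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Two "clever" passwords built from a name or word plus a year, and one
    # random 16-character string of the kind a password generator produces.
    for pw in ("Fluffy2014!", "P@ssw0rd123", "x7#Lq9!vR2mZpWq4"):
        found, n = crack(sha256_hex(pw))
        print(f"{pw!r}: {'cracked' if found else 'not in list'} after {n} guesses")
```

Both ‘Fluffy2014!’ and ‘P@ssw0rd123’ fall out of a list of only a few thousand guesses, because a name plus a year plus a symbol is exactly the shape the rules are built to produce; the random string is never generated at all. Real tools simply scale this up with much bigger lists and many more rules.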
I can’t remember complicated passwords. What do I do?
Get yourself some software called a password manager, sometimes called a password vault. There are several good ones available. Which one you use is not so important, but some practices are important to your success.
- Never re-use a password on another account. Each account should have its own password, unique from all of your other accounts.
- Use a password generator to make STRONG passwords.
- Since you don’t have to remember any of the generated passwords, include characters like !@#.$%^&* and make them 12-18 characters long.
- The master password (which lets you use the password manager) is the only password you have to remember. Make it STRONG and memorize it.
- Always back up your password manager to a jump drive or memory stick.
- One last important practice: never write any password down. Ever.
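As an added example of the generator practice in the list above (not code from the original post), here is a small Python generator that draws every character from the operating system’s secure random source via the secrets module and reports how much entropy the result carries. The symbol set (the characters suggested above), the default length of 16 and the guess rate used in the demonstration are assumptions.

```python
import math
import secrets
import string

# Assumed character set: letters, digits and the symbols suggested above.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#.$%^&*"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length=16):
    """Return `length` characters chosen uniformly from ALPHABET using the
    secrets module (a CSPRNG; never use random.random for this), retrying
    until every character class is present."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in password) for cls in CLASSES):
            return password


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string of `length` symbols drawn from
    an alphabet of `alphabet_size`: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_guess_seconds(bits, guesses_per_second):
    """Average time to find a password of `bits` entropy by brute force:
    half the search space divided by the attacker's guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate of 10 billion per second
    for length in (12, 16, 18):
        bits = entropy_bits(length)
        years = expected_guess_seconds(bits, rate) / (365 * 24 * 3600)
        print(f"{generate_password(length)}  {length} chars = {bits:.1f} bits,"
              f" about {years:.1e} years at {rate:.0e} guesses/s")
```

With 71 possible characters, 12 characters give roughly 74 bits and 16 give roughly 98 bits; even at ten billion guesses per second the 16-character case would take longer than the age of the universe to search. Insisting that every class appear discards a negligible fraction of possible strings at these lengths, so the entropy figures above are only very slightly optimistic. The same random-string approach is what the manager’s built-in generator does; the point of the example is that you never need to remember the output, only the master password that unlocks the vault.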
Stay safe out there! Want some help making your site more secure? Contact us at your convenience.