Passwords 101 - How to construct a strong password?
Passwords... The bane of our online existence.
We use them for everything; from email to Facebook, from personal websites to work accounts... and they're all in danger if someone gets their hands on them.
Let's protect against that and ask ourselves a few questions. What makes a good/bad password? And how do you construct one that's strong enough to protect yourself against hackers? Let's take a "lock" down :)
Use strong passwords everywhere!
If you're reading this article, you probably already know that hackers are getting smarter every day and that they use many sophisticated techniques to gain access to your data. It's not just brute-forcing anymore. That simply takes too long.
Nowadays, they also use AI programs and other methods to predict what your passcode is. That's why a strong password is more important than ever! General recommendations are that a strong password should contain at least one capital letter and lowercase letter, a number (0-9), and a symbol (!#$%&'+,-./:?@[]^_{|}~).
Use a unique password for each account
The best way to make sure your passwords are safe is to use a unique password for each account.
Websites are hacked daily, so you should never reuse passwords for any accounts, especially your bank accounts or email addresses. The problem with this is that remembering many different passwords may not be easy!
I know, I know... It might be easier just to use the same password for everything because then you only have one thing to remember. But it would mean that if someone hacked into your email account and stole your password there, which could very likely happen, they'd have access to all of your other accounts as well.
A good way to avoid this is to use a password manager. A password manager allows you to create a single master password that unlocks all of your other passwords. When you go to log into an account, it will prompt you for the master password and then show or autofill the correct password for you.
Use a password manager
A password manager is a program that stores your passwords in one place. It's like an online vault where you can keep all of your passwords—and lock them up behind a strong, unique master password so nobody else gets in.
The best way to use a password manager is to store passwords, 2FA codes, and backup codes in the vault, and then, whenever you need to log into something, let the program autofill the stored version into the login interface. As long as nobody has access to your password vault or its backups (i.e., any copies made on other devices), no one else will be able to get into those accounts!
Password managers come with built-in security features like two-factor authentication and sophisticated encryption features which prevent unauthorized users from accessing their contents. Additionally, you can secure your master password with independent 2FA, making it even more secure.
We love password managers for their security, convenience, and ease of use, and the best one we've found is 1Password. It's a subscription service that costs $2.99/month, but it's worth every penny! It comes loaded with many features, such as an integrated browser extension and mobile apps (with 2FA autofill). Check them out here: https://1password.com
Use MFA (Multi-Factor Authentication)
One of the easiest ways to protect yourself from password breaches is to use multi-factor authentication. This method requires more than one of the following three authentication factors:
Something you know (like a password)
Something you have (like a token)
Something you are (like your fingerprint)
Time-based One-Time Passwords (TOTPs), which are often created through an app like Google Authenticator, are the most common form of two-factor authentication.
If a site offers 2FA, it's best to use it! If you have an account with Apple, Google or Twitter, use their 2FA apps. They are free and easy to set up. If not or if you are not familiar with MFA, read more about it in our previous blog post (https://blog.noxity.io/what-is-multi-factor-authentication-mfa/).
How to come up with a strong password?
There are many methods, but we will explore the four most secure & easy to remember ones.
Use a password generator. This is by far the easiest method that you should use if you don't want to worry about how secure your passwords are. Most password managers have this feature built-in, making them even more convenient.
There's no need to get fancy (but it won't hurt) with your passwords as long as they consist of symbols, upper/lowercase letters, and numbers... Length matters! The longer your password is, the harder it will be for someone else to guess correctly when trying to get into your account using brute-force attacks.
To increase the length of your passwords without making them too hard to remember, build them from several words, mixing some longer words in with shorter ones, like "Iamnotsecure" or "Justanotherpassword".
Another trick is adding punctuation marks (full stops for example) between words just so there aren't any spaces at all; this way an attacker might think there was a space between two different words when it's just punctuation marks.
How to improve your password?
Here are some suggestions to help you improve your passwords:
Avoid common mistakes. A common mistake is using a password that is close to the name of an object or place, for example, using "Mom" or your name + surname as your password. This type of password will be easy to guess and hack by someone who knows you well (e.g., a family member).
Add numbers and symbols to make it stronger. If possible, add numbers and symbols into the mix in addition to letters like “1” instead of “i” or “3” instead of “E”. It makes things harder for hackers because they have to guess multiple variations of your password rather than just one single variation which can be hacked with dictionary attacks.
Change passwords every 4-6 months at least! You might think changing your passwords regularly would be annoying but it's good practice because it helps prevent people from hacking into your accounts using stolen login credentials (which happens often enough!).
What to avoid when generating a password?
Avoid using personal information. Examples include your name, birthday, address, and phone number. You may think it's safe to use your name as the password for a website or service you don't use often, since it would be hard for someone else to guess, but if they hacked into your email account they could easily find out your address and phone number too; after all, these are just pieces of data stored on servers which can be hacked!
Avoid using words from the dictionary. Dictionary words are easy to type, but they are just as easy for an attacker to guess. Also, avoid using famous quotes or song lyrics when constructing passwords, because these are easily found by an attacker who knows how much time we spend online looking up exactly these things.
Try searching for "Well, maybe we got lost in translation, Maybe I asked for too much" on Google; one of the first results is a lyric from Taylor Swift's song "All Too Well".
Don't create short or simple passwords. These make it easier for intruders trying to hack into accounts because there are fewer possible combinations for them to try before finding one that works!
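As an added example (not code from the original post), the following checker turns the rules from this section, the "How to improve your password?" section and the "Use strong passwords everywhere!" recommendations into code. The symbol set is the article's own; the wordlist, quote list, personal-data list and guess rate are constructed stand-ins for the real lists and figures a production check would use.

```python
import math
import re

# Symbol set recommended in the article (assumption: treated as the full symbol class).
SYMBOLS = "!#$%&'+,-./:?@[]^_{|}~"
# Constructed stand-ins: a real check would load a full dictionary and a lyric/quote list.
DICTIONARY = {"password", "justanotherpassword", "welcome", "letmein", "summer"}
QUOTES = {"maybe we got lost in translation"}

def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-forcer must cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if any(c in SYMBOLS for c in pw): size += len(SYMBOLS)
    return size

def entropy_bits(pw: str) -> float:
    """log2(charset ** length): every extra character multiplies the keyspace."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def crack_time_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected offline brute-force time (half the keyspace) at a constructed guess rate."""
    return 2 ** entropy_bits(pw) / 2 / guesses_per_second

def check_password(pw: str, personal_info=(), min_len: int = 12) -> list:
    """Return the article's rules that `pw` breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_len: problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", pw): problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw): problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw): problems.append("no digit")
    if not any(c in SYMBOLS for c in pw): problems.append("no symbol")
    folded = pw.lower()
    # Drop everything but letters so "Just.another.password" still matches the wordlist.
    letters = re.sub(r"[^a-z]", "", folded)
    if letters in DICTIONARY: problems.append("dictionary word or phrase")
    if any(q.replace(" ", "") in letters for q in QUOTES): problems.append("known quote or lyric")
    for item in personal_info:               # name, birthday, phone number, ...
        if item and item.lower() in folded: problems.append(f"contains personal info '{item}'")
    return problems

if __name__ == "__main__":
    for pw in ("Mom1990!", "Just.another.password", "T7#kQ9!mVw2$pL"):
        print(pw, check_password(pw, personal_info=["Mom", "1990"]), round(entropy_bits(pw), 1))
```

Note that the entropy figures show the article's "length matters" point directly: a 25-letter lowercase passphrase outscores an 11-character password that uses all four character classes.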
Additional security steps you can take to make your accounts even more secure
Additionally, as discussed, you can improve the security of your account by enabling multifactor authentication. This is an additional layer of security that requires a unique code to be entered before accessing your account. You may use this two-step verification system via:
Email verification codes sent to you
Text messages (SMS) received on your mobile device
Mobile app login prompts
Tokenized authenticator
It is recommended that you choose tokenized authentication (that is, where a random 6-digit code is generated every 30 seconds) for this process, as it's more secure than SMS. For SMS, a hacker would only have to compromise your phone number/SIM card, while for tokenized authentication they would need to bypass your phone's biometric and/or password security.
Another way to increase the overall security level is by adding an extra layer of protection. You can do that by using a VPN (Virtual Private Network).
A VPN creates an encrypted tunnel between two devices, so anyone who intercepts the traffic in transit cannot read it without the keys or physical access to one of the endpoints.
Additionally, if you decide to run a personal VPN on Noxity infrastructure, you can restrict your accounts to allow access only from certain IP addresses. With a Noxity VPS, you will receive a dedicated IP address, meaning only you while connected through that VPN will be able to access your servers.
This is by far the most secure way!
Common password attacks and how to protect against them.
There are several different types of attacks that can be used against your password. Let's take a look at each one.
Dictionary attacks: These attacks rely on a collection of passwords that are commonly used by users, such as common words or phrases from the English language. To speed up the process of attacking your account, hackers often use programs that generate random variations of these words and phrases until they find one that works. As such, it's important to choose a password that isn't found in any dictionary!
Brute force attacks: These attacks work by simply trying every possible combination until they discover what you've chosen as a password (for example "1234"). Brute force attacks are usually more difficult for hackers to pull off because the time required for these types of brute force attempts is limited by how quickly computers can perform them (computers aren't very good at coming up with new combinations). However, if there's no limit on how long someone can spend trying various combinations then eventually their efforts will pay off! For this reason, it’s important not only to pick strong passwords but also to make sure they're long enough so they don’t fall victim too easily when facing off against brute force attempts.
Hackers also use a program/method called a “rainbow table” to crack passwords. These tables are essentially lists of every possible combination of letters and numbers that can be used for a password. When hackers use this method, they have a list of all possible passwords that can be used for a particular account, and then they simply try each one until they find the right one. This is how hackers were able to crack many accounts on Facebook in 2013 when they discovered that many people were using the same password across multiple websites.
How does Noxity handle passwords?
Noxity, the Infrastructure-as-a-Service (IaaS) provider, takes security very seriously—so we always make sure to stay on top of our game. We offer 2-Factor Authentication for both client and control panel accounts.
Internally we handle this problem in several ways. First, the staff uses a trusted password manager with a generator. Second, Noxity uses VPN to protect staff infrastructure. Third, the staff uses MFA on every login. And finally, for added protection against brute force attacks, we enforce minimum password strength of 105/120. Additionally, our engineers proactively monitor the network around the clock for suspicious activity.
Conclusion
I hope that this post has helped you see why it’s important to take your passwords seriously and how to construct a strong one. There are many things you can do to keep your information secure, but I think the most important thing is knowing how best to protect yourself from threats.