SPECIAL EDITION: Change Your Password — Right Now
November 30, 2018
by Randall J. Boyle, PhD, associate professor of Management Information Systems, and Willard Eccles Fellow, WSU
In light of today's massive, 500 million account data breach announced by Marriott, you should take note, and take action, now.
Words matter. And some words matter more than others. Some of the most important words you’ll use in your life will be the ones you use to guard your money, data, and privacy. Choosing a set of strong passwords to protect yourself is important. Probably more important than you may realize.
Before you learn how to choose a strong password you need to know WHY it’s important to choose a strong password. If you understand the importance of these words, you’ll put more effort into choosing really strong passwords.
When attackers (hackers) steal data from a company they typically get all the usernames and passwords in the system. This is bad news for the company and their users. Attackers can access user accounts without detection. It’s bad news for you too, if you’re a user. But are you a user?
Consider the sizes of some recent data breaches listed below to see how pervasive they are. Remember the population of the U.S. is about 325 million.
- Yahoo! – 3 billion accounts (2016)
- Marriott – 500 million accounts (2018)
- MySpace – 360 million accounts (2016)
- Under Armour – 150 million accounts (2018)
- Equifax – 145 million accounts (2017)
- LinkedIn – 100 million accounts (2016)
And this is just a tiny portion of the companies that have experienced major data breaches. Other victim companies include eBay (145M), JP Morgan Chase (83M), Anthem (80M), Target (110M), Home Depot (56M), TJX (45M), etc. The chances that you’ve been caught up in a data breach are high. Very high.
If you want to see which data breaches you’ve been in, you can go to haveibeenpwned.com and search for your email address (username). One of my old email addresses turned up in six separate data breaches including, among others, Adobe (153M accounts in 2013), Dropbox (68M accounts in 2012), and LinkedIn (164M accounts in 2012).
It’s not just me. Most people turn up in multiple data breaches. Large data breaches are a common occurrence nowadays. You need to protect yourself from being harmed by these data breaches. Choosing a strong password can keep hackers out of your account. Just because they stole your password doesn’t mean they can use it right away. Most sites store a scrambled version (a cryptographic hash) of your password rather than the password itself, so the attackers still need to “crack” it. (If a site stored passwords in plain text, no cracking is needed, which is one more reason to change a breached password immediately.) We’ll show you how to make your password too difficult to crack.
Before we talk about passwords, there’s more bad news. It turns out that most people use the same password at multiple sites. This is called password cross-pollination (or, more plainly, password reuse). This is bad because hackers know people do this. In fact, they’ll take those stolen credentials (usernames and/or passwords) and try them at additional sites, an attack known as credential stuffing. Ouch.
Let’s look at a simple example to show why a large data breach is actually an ENORMOUS data breach. The figure below shows one user (U1) accessing three systems (S1, S2, and S3) within the same organization (O1).
Figure 1 User accessing systems at a single organization
But that user doesn’t stay at work all the time. They go home and access multiple other systems like Facebook, LinkedIn, Amazon, etc. as shown in Figure 2. Some organizations have great security, and others have poor security. Here’s the key point — that user may use his same password at all of the organizations (cross-pollination).
Figure 2 User accessing systems at multiple organizations
Suppose an attacker, like the one shown in Figure 3 below, wants to steal data from one of these organizations. They’ll pick the low hanging fruit. They target organizations with weak security and lots of users (O2 in this case).
Figure 3 Attacker steals data from weak organization
Here’s where it gets really bad. The attacker can take the stolen credentials from one organization and try them at multiple other organizations. They can even try to access organizations that have really strong security (O1) with critical systems (S1) as shown in Figure 4 below.
Figure 4 Attacker can use stolen credentials
So, a relatively small data breach at one organization (O2) made five other organizations (O1, O3, O4, O5, and O6) vulnerable. Even organizations that spent a lot of money to protect critical systems are vulnerable because one employee decided to use their company password at sites outside the organization. No matter how bad data breaches look, they’re actually much WORSE.
You need to choose strong passwords AND not use them across different organizations. At a minimum, keep your bank, work, personal, social media, and throwaway (give-away) credentials separate. Friends don’t let friends cross-pollinate.
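One practical way to act on this is to check whether a password you are about to use has already shown up in a breach. The haveibeenpwned.com service mentioned above also publishes the passwords seen in breaches (Pwned Passwords), and its lookup is designed so the password itself never leaves your machine: the client sends only the first five hex characters of the password’s SHA-1 hash, and the server returns every hash suffix in that range together with a count. The Python below is an added example, not code from this article. The live call (https://api.pwnedpasswords.com/range/<prefix>) is included as `range_response_online` but is not used by default; instead a constructed four-password corpus stands in for the service so the example runs offline.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: password -> number of times seen.
# Invented for this example; the real corpus holds hundreds of millions of hashes.
BREACHED = {"password": 3, "password1": 2, "qwerty": 5, "iloveyou": 1}


def range_response_offline(prefix: str) -> str:
    """Simulate the range endpoint: 'SUFFIX:COUNT' lines for every corpus
    hash whose first five hex characters match the prefix."""
    lines = []
    for pw, count in BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def range_response_online(prefix: str) -> str:
    """The real lookup. Only the 5-character prefix is ever sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=range_response_offline) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    Swap fetch=range_response_online to query the live service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]   # prefix goes over the wire, suffix stays local
    for line in fetch(prefix).splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "qwerty", "iLove2eat4#sofChocolate"):
        print(f"{pw!r}: seen {pwned_count(pw)} time(s)")
```

Because the comparison against the suffix happens on your side, the service learns only that your password’s hash starts with one of 16^5 prefixes, which is the k-anonymity property that makes it safe to use on a password you actually intend to keep.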
CHOOSING A STRONG PASSWORD
So how do you pick a strong password? Let’s start with the basics. Below are four simple rules that will really help you choose a strong password:
- At least 14 characters long
- Change of case (not at beginning)
- Digit (0 through 9, not at beginning or end)
- Other keyboard character (~!@#$%^&*()_+)
So, the password “iLove2eat4#sofChocolate” would be a strong password. It’s long, has a change of case, has a digit in the middle, and includes a special character. Hackers would have a hard time cracking this password. In fact, they may never crack it. If they can’t crack it, they can’t use it. You win! (Don’t use this exact one, of course: now that it is printed here it will be in every attacker’s wordlist. Make your own.)
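To make the four rules concrete, here is an added Python check (my code, not the author’s) that applies them the way the text describes. My reading of “change of case (not at beginning)” is that a capitalised first letter alone does not count, so both cases must appear somewhere after the first character; “digit not at beginning or end” requires at least one digit in the interior and no digit in the first or last position; the special character is taken from the author’s list.

```python
from typing import List

# The author's list of "other keyboard characters".
SPECIALS = set("~!@#$%^&*()_+")
MIN_LENGTH = 14


def rule_failures(pw: str) -> List[str]:
    """Return the names of the rules the candidate breaks (empty list = passes)."""
    failures = []

    # Rule 1: at least 14 characters.
    if len(pw) < MIN_LENGTH:
        failures.append("length")

    # Rule 2: a change of case that is not just a capitalised first letter,
    # i.e. both upper- and lower-case letters occur after position 0.
    body = pw[1:]
    if not (any(c.islower() for c in body) and any(c.isupper() for c in body)):
        failures.append("case")

    # Rule 3: a digit in the interior, and no digit first or last.
    interior = pw[1:-1]
    if pw[:1].isdigit() or pw[-1:].isdigit() or not any(c.isdigit() for c in interior):
        failures.append("digit")

    # Rule 4: at least one "other keyboard character".
    if not any(c in SPECIALS for c in pw):
        failures.append("special")

    return failures


def is_strong(pw: str) -> bool:
    return not rule_failures(pw)


if __name__ == "__main__":
    for candidate in ("iLove2eat4#sofChocolate", "Password123", "9Wonderful#Passwords"):
        print(f"{candidate!r}: {rule_failures(candidate) or 'passes all four rules'}")
```

Passing the four rules is necessary, not sufficient: a phrase that is famous, quoted, or printed in an article like this one can satisfy every rule and still be in a cracking dictionary.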
Notice that it’s not really a “word” but more like a “phrase.” Stop choosing passwords, and start choosing passphrases. Never choose a password that’s just a word right from a dictionary. In a typical password database about 2% of passwords are words taken out of an English dictionary unchanged. These are cracked in milliseconds.
Most users think they can just add a number to the end of the password to make it strong. Nope. The cracking software is designed to try all of these possible password variations. So, the hacker just has to try the word “password” and the cracking software will automatically try password1, password2, password3, password4, etc. until it reaches password9999. It will also try numbers appended to the front of the password (e.g. 1password), and both sides of the password (e.g. 1password1). So, put the number in the middle of your passphrase, not at the end.
Even more interesting is that the password cracking software will “mangle” each possible word in other ways to see if it can get a match for your password. It will try changes in case (Password), reverse the word (drowssap), double the word (passwordpassword), replace letters with numbers (pa55w0rd), etc. There are thousands of possible mangling rules that can be applied to each word, and against a fast, unsalted hash such as MD5 or NTLM a typical laptop can try tens of millions of possible passwords per second (a GPU rig manages billions; deliberately slow algorithms such as bcrypt cut the rate by orders of magnitude, which is why how a site stores passwords matters too). About 2% of passwords are mangled dictionary words. Again, these are cracked in milliseconds.
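As an added illustration of the two paragraphs above (my code, not the author’s), the following Python builds a small, constructed “breach” of six invented accounts whose passwords were stored as unsalted SHA-1 hashes, then attacks the hashes with a six-word dictionary and a handful of mangling rules of the kind described: digits 0 to 9999 appended, digits prepended or placed on both sides, capitalisation, reversal, doubling, and two leet-speak substitution tables. Every account except the one using the passphrase from the section above is recovered.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def constructed_breach() -> Dict[str, str]:
    """Invented accounts, stored the way a careless site might (unsalted SHA-1).
    Only the returned username -> hash table is visible to the cracker."""
    plaintexts = {
        "alice": "password1",                # dictionary word + digit appended
        "bob":   "pa55w0rd",                 # leet-speak substitution
        "carol": "drowssap",                 # word reversed
        "dave":  "1letmein1",                # digit on both sides
        "erin":  "Sunshine2017",             # capitalised + year appended
        "frank": "iLove2eat4#sofChocolate",  # the passphrase from the section above
    }
    return {user: sha1_hex(pw) for user, pw in plaintexts.items()}


# Tiny constructed dictionary; real wordlists hold millions of entries.
WORDLIST: List[str] = ["password", "letmein", "sunshine", "chocolate", "dragon", "monkey"]


def leet(word: str, table: Dict[str, str]) -> str:
    return "".join(table.get(c, c) for c in word)


# A small subset of the mangling rules a real cracker applies to each word.
BASE_RULES = [
    lambda w: w,                                   # unchanged
    lambda w: w.capitalize(),                      # Password
    lambda w: w.upper(),                           # PASSWORD
    lambda w: w[::-1],                             # drowssap
    lambda w: w + w,                               # passwordpassword
    lambda w: leet(w, {"s": "5", "o": "0"}),       # pa55w0rd
    lambda w: leet(w, {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}),  # p455w0rd
]


def digit_variants(base: str) -> Iterator[str]:
    """The digit rules from the text: appended, prepended, and both sides."""
    yield base
    for n in range(10000):           # password0 ... password9999
        yield f"{base}{n}"
    for n in range(100):             # 1password ... 99password
        yield f"{n}{base}"
    for a in range(10):              # 1password1 ... 9password9
        for b in range(10):
            yield f"{a}{base}{b}"


def candidates(words: List[str]) -> Iterator[str]:
    seen = set()
    for word in words:
        for rule in BASE_RULES:
            base = rule(word)
            if base in seen:         # e.g. leet rules that change nothing
                continue
            seen.add(base)
            yield from digit_variants(base)


def crack(leaked: Dict[str, str], words: List[str] = WORDLIST) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once and look it up against every account at the same
    time; that is what the absence of a per-user salt allows."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    recovered: Dict[str, str] = {}
    tried = 0
    for cand in candidates(words):
        tried += 1
        h = sha1_hex(cand)
        if h in by_hash:
            for user in by_hash.pop(h):
                recovered[user] = cand
            if not by_hash:
                break
    return recovered, tried


if __name__ == "__main__":
    found, tried = crack(constructed_breach())
    print(f"{tried} candidates tried; recovered {len(found)} of 6 accounts")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
```

Roughly 400,000 candidates are enough to recover five of the six accounts in well under a second of plain Python, which is the point of the paragraphs above: a digit tacked on the end, a reversed word, or a couple of leet substitutions are all inside the search space a cracker tries first. The passphrase is not reached because it is not a dictionary word plus a rule.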
If you think trying a foreign word in your password will help, think again. It won’t really help at all. Hackers have dictionaries for all languages and they can try them in seconds. About 3% of users use non-English words as their passwords, and another 3% use non-English words mangled in some way. Following the four rules listed above is more important than using a non-English word.
Consider that, in general, about 75% of passwords can be cracked in less than 3 days. Choosing a strong password makes it difficult for hackers to crack your password in a reasonable amount of time. They’ll just give up. It’s too much work for them. They’ll move on to lower hanging fruit.
Once you know how to choose strong passwords, make sure you don’t cross-pollinate your passwords across organization types. Your banking passwords shouldn’t have anything in common with your work or social media passwords. Not all companies spend money to protect your information. Hackers know this.
But remembering a lot of passwords is hard. You might want to use password management software (e.g. LastPass or Dashlane), or store your passwords in an encrypted file on your computer. If you’re creating new complex passwords you should write them down and store that list in a safe place. If you don’t, you’ll forget them.
Creating strong passwords will help protect you from the data breaches you hear about in the news. If you get an email from a company saying your information was stolen, change the password at that company immediately. Don’t wait. In fact, it’s probably a good idea to change your passwords right now.
ABOUT THE AUTHOR:
Randall J. Boyle is an Associate Professor of Management Information Systems, and Willard Eccles Fellow, at Weber State University in the Goddard School of Business and Economics. He received his Ph.D. in Management Information Systems from Florida State University in 2003. He also has a master's degree in Public Administration and a B.S. in Finance. His research areas include deception detection in computer-mediated environments, data breaches, secure information systems, the effects of IT on cognitive biases, and the effects of IT on knowledge workers.
He has published in several academic journals such as Decision Support Systems, Journal of Management Information Systems, Journal of Computer Information Systems, and Journal of International Technology and Information Management. He has authored several books including Using MIS 11e, Experiencing MIS 8e, Corporate Computer and Network Security 4e, Applied Information Security 2e, and Applied Networking Labs 2e.
He has received university teaching awards at Weber State University, Longwood University, the University of Utah, and the University of Alabama in Huntsville. He has taught a wide variety of classes including Cyber Security, Advanced Cyber Security, Telecommunications, Networking & Servers, System Analysis and Design, Decision Support Systems, Web Servers, and Introduction to MIS.