Four Flawed Password Strategies
We have previously talked briefly about complex, unique passwords, but today we’ll be diving into the topic of good passwords in more depth.
4. Extremely Flawed Strategy: Repetition
This one is fairly commonly known: if my password is Scr4rmbler1! on every single website and system that I access, and exactly one of those systems gets hacked in a way that allows the attacker to view everyone’s password, then that attacker can immediately retry my email address or username with that same password on many other services, with no effort at all.
3. Extremely Flawed Strategy: Extreme Simplicity
If your passwords are different on every website, but on every website they’re a single dictionary word, like Acutely or Undying, they’re not very hard for a computer to guess, if that system is vulnerable to brute-force attacks. If they’re less complicated than a single word, like 0000 or 1234, that’s even worse.
2. Flawed Strategy: Iteration
If my password is Scr4rmbler1!EAOrigin on EA’s Origin service, and that service is hacked in a way that allows the attacker to view everyone’s password, it does not take a brilliant mind to try my email address or username with passwords like Scr4rmbler1!CapitalOne or Scr4rmbler1!Gmail on those other websites.
These substitutions do require a tiny bit of human thought to perform, though, so this is a slight improvement over the two strategies above.
1. Flawed Strategy: Use Your Imagination
When a human being is asked to think of “some random words and numbers you’ll remember later,” that person almost invariably chooses words based on their life experiences and the people, values, groups, and objects that are dearest to them.
Some examples of passwords that would be hard for a computer to guess, but easy for someone who knows me personally, include ones based on books or shows I have referenced on social media, places where I spend a lot of time, the names and birthdates of pets and loved ones, and sports teams I follow.
Many, many people choose passwords derived from one of the above. If your attacker is not a stranger on the Internet who just broke into one of the websites you use, but someone who knows you personally and is trying to make trouble for you individually, this strategy is very bad.
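The four patterns above can all be checked for mechanically, which is what a password manager, SSO portal or registration form does when it warns you about a weak choice. The following is an added example, not code from this post or from Deep Core Data: a small audit function that flags each of the four strategies, run over the post's own sample passwords. The word list, the list of service names and the personal facts are constructed for the example; a single website only knows its own name and cannot see what you use elsewhere, so the reuse and iteration checks assume the vantage point of a password manager that holds the whole vault.

```python
import re
from typing import Iterable

# Constructed stand-in for the wordlist a real checker would load from disk
# (a cracking dictionary); kept tiny so this runs offline.
DICTIONARY = {"acutely", "undying", "password", "welcome", "dragon", "monkey"}

# Constructed: every service name in the user's vault. A password manager or
# SSO portal knows this list; a single website only knows its own name.
SITE_TOKENS = ("EA Origin", "EAOrigin", "Origin", "Capital One", "CapitalOne", "Gmail")

# Constructed: facts an acquaintance could know (pet name, birth year, team).
PERSONAL_TOKENS = ("Rex", "1987", "Bruins")


def _looks_sequential(s: str) -> bool:
    """True for runs such as 0000, 1234, 4321 or abcd: every step between
    neighbouring characters is the same and is -1, 0 or +1."""
    if len(s) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def _strip_site_tokens(password: str, site_tokens: Iterable[str]) -> str:
    """Remove service names (case-insensitive, longest first) so that
    'Scr4rmbler1!EAOrigin' and 'Scr4rmbler1!CapitalOne' both reduce to 'Scr4rmbler1!'."""
    base = password
    for tok in sorted(site_tokens, key=len, reverse=True):
        base = re.sub(re.escape(tok), "", base, flags=re.IGNORECASE)
    return base


def audit_password(password, site_tokens=(), previous_passwords=(), personal_tokens=()):
    """Return the set of flawed-strategy flags that apply to `password`:
      'dictionary_word' / 'too_simple'   (3. extreme simplicity)
      'reused'                           (4. repetition)
      'iterated' / 'site_name_only'      (2. iteration)
      'personal_info'                    (1. use your imagination)
    An empty set means none of the four patterns was detected, which is
    necessary but not sufficient for a strong password."""
    flags = set()
    lower = password.lower()

    # 3. Extreme simplicity: a lone dictionary word, or something even shorter/simpler
    if lower in DICTIONARY:
        flags.add("dictionary_word")
    if len(password) < 8 or _looks_sequential(password):
        flags.add("too_simple")

    # 4. Repetition: identical to a password already used elsewhere
    if password in previous_passwords:
        flags.add("reused")

    # 2. Iteration: a known password with only the service name bolted on
    base = _strip_site_tokens(password, site_tokens)
    if len(base) < 4:
        flags.add("site_name_only")
    else:
        for prev in previous_passwords:
            if prev != password and _strip_site_tokens(prev, site_tokens) == base:
                flags.add("iterated")

    # 1. Use your imagination: built from facts an acquaintance could guess
    for tok in personal_tokens:
        if len(tok) >= 3 and tok.lower() in lower:
            flags.add("personal_info")

    return flags


def demo():
    """Run the post's own examples plus one passphrase through the audit."""
    vault = ["Scr4rmbler1!EAOrigin"]  # constructed: what the user already uses on Origin
    samples = ["Scr4rmbler1!EAOrigin", "Acutely", "0000", "1234",
               "Scr4rmbler1!CapitalOne", "Rex1987!!", "correct horse battery staple"]
    return {p: sorted(audit_password(p, SITE_TOKENS, vault, PERSONAL_TOKENS)) for p in samples}


if __name__ == "__main__":
    for pw, flags in demo().items():
        print(f"{pw!r:32} -> {flags or 'no flaw pattern detected'}")
```

The iteration check is the one worth noting: it strips every known service name from both the candidate and each stored password before comparing, so Scr4rmbler1!CapitalOne is recognised as a variant of Scr4rmbler1!EAOrigin even though the two strings never match directly. A password that reduces to almost nothing after stripping (the service name on its own) is flagged separately rather than compared, so two such passwords do not falsely match on an empty base.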
Next time, we’ll talk about the best password strategies in 2022: random sequences, diceware passwords, and one that might surprise you. If you’re interested in getting help with credential management or other IT tasks, reach out to us at Deep Core Data today.