The Guardian - UK

As easy as 123456: terrible passwords – and how to change them

Illustration: Don’t make life easy for cybercriminals by using common or easy-to-guess passwords. Illustration: Patrick George

How many times have you watched a film in which a frantic hero manages to guess a villain’s computer password after just a handful of attempts, and thought “as if”? But it turns out cracking online codes might be that easy: one study found that 50% of people affected by data breaches in 2016 used one of 25 common passwords online.

Last year’s most popular passwords include “qwerty” and “111111”, according to password manager Keeper, which also found as many as 17% of all users have “123456” as the only thing that stands between a hacker and their data. With the word “password” itself among the top 10 most common passwords, many people are certainly not making it any harder for the criminals who committed almost 6m fraud and cyber crimes in England and Wales in 2015.

When it comes to helping to protect yourself against cybercrime, one piece of advice is simple: get a good password. However, that is slightly more complicated than it sounds. The relatively easy task of changing your passwords will go a long way to improving your digital safety, but getting it right is crucial. So what constitutes a good password?

The first rule of creating one that is suitably secure is not to be obvious. While it might be tempting to use something that’s easy to remember, like scrambling the letters of your name or the name of your primary school, it is not a good idea. With many of us sharing so much of our lives online, the internet is a feeding ground for criminals looking for personal data. How many times have you tweeted your pet’s name or uploaded a picture which reveals where you live or which football club you support? The possibilities for criminals afforded by social media are seemingly endless.

We tend to choose single words when we choose passwords: that’s what the phrase “password” suggests we should do, after all. But when considering what code to use, experts recommend that it’s better to think of a “passphrase” instead – they are harder to crack. A relatively simple collection of words, “WhatDidYouDoThatFor?”, for example, is infinitely harder for a machine to decode than one apparently less common word, such as “rhododendron”, says security expert Thomas Baekdal. “Security companies and IT people constantly tell us we should use complex and difficult passwords … In fact, usable passwords are often far better than complex ones,” Baekdal explains in an in-depth online guide to building the perfect online fortress.

The reason for this is the method most hackers use to break codes, which involves using a computer program to scan through words and variations of words that appear in dictionaries, at a rate of millions if not billions of words per second. While some still believe gibberish codes, like those created by random-password generators, are best as they are immune to this type of code-cracking technology, these codes have a very basic problem: they are virtually impossible for people to remember. And the moment you write a password down, of course, you leave yourself exposed.
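The two points above (a common password falls instantly, a single dictionary word falls to a wordlist, a multi-word passphrase costs far more guesses) can be made concrete with a small checker. The script below is an added example written for this page; it is not code from the Guardian, Keeper or Thomas Baekdal. It assumes a rough cost model: an attacker tries a short common-password list first, then single dictionary words (an assumed wordlist of 170,000 entries, with each stray digit or symbol costing about 4 extra bits), then plain brute force; the reported strength is the cheapest of those routes, in bits (log2 of the estimated number of guesses). The common-password set is a constructed sample containing only the entries named in the article plus a few filler values; a real checker would load a full published breach list.

```python
import math
import re

# Constructed sample list: the four passwords named in the article plus filler.
# Assumption: a real deployment would load a full published common-password list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "111111", "123456789",
    "12345678", "abc123", "letmein", "welcome", "admin",
}

DICTIONARY_SIZE = 170_000   # assumed size of the attacker's English wordlist
LEFTOVER_BITS = 4.0         # assumed cost per stray digit/symbol/case tweak

# Words separated by case changes, spaces or punctuation: "WhatDidYouDo" -> What, Did, You
WORD_RE = re.compile(r"[A-Z]?[a-z]{2,}|[A-Z]{3,}")


def split_words(password: str) -> list[str]:
    """Return the dictionary-like words an attacker's wordlist model would find."""
    return WORD_RE.findall(password)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attack would have to cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33   # printable ASCII punctuation, including space
    return size


def estimate_bits(password: str) -> tuple[str, float]:
    """Classify a password and estimate the guess cost in bits (log2 of guesses).

    Categories: "common" (in the sample list), "word" (one or two dictionary
    words), "passphrase" (three or more words), "random" (no wordlist structure).
    """
    if password.lower() in COMMON_PASSWORDS:
        # Found in the first list an attacker tries: cost is the list length.
        return "common", math.log2(len(COMMON_PASSWORDS))

    brute = len(password) * math.log2(charset_size(password)) if password else 0.0
    words = split_words(password)
    covered = sum(len(w) for w in words)

    # Treat it as wordlist material when most characters belong to words.
    if words and covered >= 0.6 * len(password):
        leftover = len(password) - covered
        dictionary = len(words) * math.log2(DICTIONARY_SIZE) + leftover * LEFTOVER_BITS
        category = "passphrase" if len(words) >= 3 else "word"
        return category, min(dictionary, brute)

    return "random", brute


def verdict(password: str) -> str:
    """Human-readable advice for the categories the article discusses."""
    category, bits = estimate_bits(password)
    if category == "common":
        return f"{password!r}: on the common-password list, guessed almost instantly"
    if category == "word":
        return f"{password!r}: single dictionary word, ~{bits:.0f} bits, falls to a wordlist attack"
    return f"{password!r}: {category}, ~{bits:.0f} bits"


if __name__ == "__main__":
    # The article's own examples plus a constructed four-word passphrase.
    for candidate in ["123456", "qwerty", "rhododendron",
                      "WhatDidYouDoThatFor?", "correct horse battery staple"]:
        print(verdict(candidate))
```

Running it shows the gap the article describes: the common entries score a few bits, “rhododendron” scores about 17 bits (one draw from the wordlist), and “WhatDidYouDoThatFor?” scores close to 100 bits because each word is another wordlist draw. The model deliberately ignores that attackers also try popular phrases and quotes, so a passphrase lifted from a song or film should still be avoided.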

One of the most effective ways criminals have of finding out someone’s password is by asking them. That could be via a phishing method – commonly an unsolicited phone call or email pretending to be your bank or another organisation needing confirmation of your password. No bank or reputable organisation will ever ask you to give them your password, and the advice is unanimous: if you get a call or message asking for it, hang up and inform your bank, as well as the organisation that claimed to have made contact.

Once you have your “single strong password”, the message from the head of the National Cyber Security Centre, Ciaran Martin, is to leave it be. Overturning longstanding government advice to change your passwords regularly – advice he said amounted to asking people to “memorise a new 600-digit number every month”, a task even his best agents would struggle to do – Martin concludes: “The more often users are forced to change passwords, the greater the overall vulnerability to attack.”

