Hackers are jumping on the artificial intelligence (AI) bandwagon and upping their game. Get this: PassGAN, a password-guessing tool that trains a neural network on previously leaked passwords, cracked 51% of common passwords in less than a minute in one widely reported test. ➡️ Bottom line: What can you do about it?
Easy things to do:
Longer is better. By the same estimates, an eight-character password made up of only uppercase and lowercase letters takes 22 minutes to crack. A 12-character password that also includes symbols? 34,000 years. Keep in mind that those figures assume a truly random password and an attacker guessing at full speed against a stolen password hash. A password that already appears in a leaked list is cracked instantly no matter how long it is, and a site that stores passwords with a slow hash such as bcrypt stretches every one of those times by orders of magnitude.
Use fake words, extra characters and oddball phrases.
Never reuse a password, even if it’s been out of circulation for a while.
Triple check you’re on the real site before you enter your password: read the domain in the address bar, not the page’s logo. A password manager helps here, because it only offers to fill a login on the domain it saved that login for.
If a site lets you get away with “password” or “123456,” step away. All my passwords are protected by amnesia.
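To see why length and character set matter, and why they stop mattering the moment a password is a leaked word with a tweak, here is an added Python example (not from the original article or from the PassGAN study) that computes the keyspace and a worst-case cracking time. The guess rates are assumed round numbers for illustration, not measurements, and the dictionary and rule counts are likewise assumptions:

```python
import math

# Character-set sizes for the password compositions discussed above.
CHARSETS = {
    "lowercase only": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 94,  # printable ASCII minus space
}

# ASSUMED round-number guess rates for illustration, not measurements: a GPU rig
# against an unsalted fast hash (MD5, NTLM) versus the same rig against a slow,
# tunable hash (bcrypt) at a reasonable cost factor.
GUESS_RATES = {
    "fast hash (MD5/NTLM)": 1e11,
    "slow hash (bcrypt)": 1e5,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a set of `charset_size`."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Entropy of one uniformly random choice from `space` candidates."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; on average the attacker needs half of it."""
    return space / guesses_per_second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def dictionary_keyspace(words: int, rules: int) -> int:
    """Candidates a rule-based cracker tries when the password is a known word plus a
    common tweak (capitalise, append '1' or '!', swap o for 0). Length is irrelevant here."""
    return words * rules


def human(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    for rate_name, rate in GUESS_RATES.items():
        print(f"== {rate_name} ==")
        for length in (8, 12, 16):
            for set_name, size in CHARSETS.items():
                space = keyspace(length, size)
                print(f"{length:2d} chars, {set_name:32s} {entropy_bits(space):5.1f} bits "
                      f"{human(seconds_to_exhaust(space, rate))}")
        # ASSUMED: a million-word leak and a thousand rules. A 30-character password that
        # is a dictionary word plus a suffix has this keyspace, not 94**30.
        leaked = dictionary_keyspace(words=1_000_000, rules=1_000)
        print(f"leaked word + tweak, any length:          {entropy_bits(leaked):5.1f} bits "
              f"{human(seconds_to_exhaust(leaked, rate))}")
```

The table shows the two levers a user controls: every extra character multiplies the work by the charset size, while the hash the site uses (which the user does not control) shifts every row by the ratio of the two guess rates. The last row is the catch: a known word plus a tweak is searched in a fraction of a second at the fast rate regardless of how long it is.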
Here are six rules to follow:
Rule No. 1: Don’t just change a letter, number or symbol at the end of your current password and call it good.
There are databases with millions of stolen passwords, and yours might be there. Cracking tools apply “mangling rules” to every entry in such a list automatically: capitalizing the first letter, tacking on 1, 123, ! or the current year, swapping o for 0. Adding an exclamation point or question mark to the end of your current password does nothing to stop a threat actor whose tool tries those tweaks by default.
Site problems: Your favorite websites have weak password rules that threat actors can exploit.
Researchers at Princeton University set out the following criteria for password requirements that balance security against usability. They counted a website as following best practice only if it met all of them:
Security:
Allowed five or fewer of the 40 most common leaked and easiest-to-guess passwords (such as “12345678” and “rockyou”) that the researchers tried.
Required passwords to be at least eight characters long, or used a password strength meter to gauge how well a password holds up against an attacker who tries to guess it.
Usability:
Did not impose any character-class requirements such as “at least one digit and one special character.”
That brings us to rule No. 2: You know password1 is a stupid password, but also avoid these less obvious yet very commonly used passwords: qwerty123, myspace, badboy, playboy, hellokitty, police, money, loverboy, boomer, sexy.
And here’s rule No. 3: Skip the random number or punctuation mark at the end of your password and work it into the password itself instead. You can replace an O (the letter) with a zero, for example, like this: k0mand0_scholar. Or sub in a character for a letter it resembles, like this: f@nt@syFormer. One caveat: cracking tools ship with rules that try exactly these substitutions, so a common word with @ and 0 swapped in is only slightly harder to guess than the plain word. The swaps earn their keep only when the base is already long and is not a single dictionary word.
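To make rules No. 1 and No. 3 concrete, here is an added Python example, not from the original article, of the kind of mangling rules a cracker applies to a leaked word list. The rule set, the suffix list and the four-word “leak” are constructed for the demo; real rule files are far larger:

```python
import itertools

# A toy rule set. Real cracking rule files (hashcat's best64, OneRuleToRuleThemAll)
# contain hundreds to tens of thousands of such transforms.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "12", "123", "!", "?", "1!", "123!", "2023", "2024"]

# Constructed four-word "leak" standing in for a multi-million-entry list such as rockyou.
WORDLIST = ["password", "qwerty", "hellokitty", "letmein"]


def leet_variants(word: str) -> set:
    """Every way of applying LEET to some subset of the eligible letters (including none)."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    variants = set()
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[word[i].lower()]
            variants.add("".join(chars))
    return variants


def case_variants(word: str) -> set:
    return {word.lower(), word.capitalize(), word.upper()}


def mangle(word: str) -> set:
    """All guesses the toy rule set derives from one base word."""
    guesses = set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                guesses.add(leeted + suffix)
    return guesses


def candidate_stream(wordlist):
    """Yield guesses in the order a cracker tries them: word by word, all rules per word."""
    seen = set()
    for word in wordlist:
        for guess in sorted(mangle(word)):
            if guess not in seen:
                seen.add(guess)
                yield guess


def guesses_to_crack(password, wordlist):
    """1-based number of guesses until `password` comes up, or None if the stream never reaches it."""
    for n, guess in enumerate(candidate_stream(wordlist), 1):
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    for pw in ["P@$$w0rd", "Password123!", "h3ll0k1tty!", "komando_scholar"]:
        print(f"{pw:20s} cracked after {guesses_to_crack(pw, WORDLIST)} guesses")
```

P@$$w0rd and Password123! fall inside the first few hundred guesses because the cracker never searches the 94^8 space of random eight-character strings; it only searches each leaked word times its rules. A base that is not in the list at all (komando_scholar here) is never reached by this attack, which is the whole point of rule No. 3’s “made-up word” advice.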
Get this: The researchers examined the password policies of 120 of the most popular English-language websites in the world and found that only 15 websites followed the above practices. In addition:
75% of the examined websites did not stop users from choosing the most common passwords, such as “abc123456” and “P@$$w0rd.”
45% required specific character classes, a rule that frustrates users and buys little extra security in return.
Only 19% of the websites in the study used password strength meters, a valuable tool when built well. Even among those, most meters simply rewarded adding certain character types rather than measuring how guessable the whole password is.
Sites like Amazon, TikTok, Netflix, Etsy and the Wall Street Journal failed to block leaked and/or easily guessed passwords. Amazon actually allowed the most commonly used password on the web, “123456,” to be used.
Rule No. 4: One simple switch, like adding a character, will not save a weak password. Yes, P@$$w0rd is easy to guess. Instead of one or two words, try a longer “passphrase” that you can remember and then add your finishing touches. Perhaps you choose “my two cats are smart,” which becomes “my2c@tsrSmart.” Just keep in mind that the strength comes from the length and the number of words, not from the substitutions, so don’t shorten the phrase more than you need to. A passphrase built from unrelated words is stronger still than a sentence that makes sense.
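As an added example (not the article’s own), here is how a random passphrase is generated with the operating system’s secure random source and how many bits it carries. The 16-word list is constructed for the demo; a real diceware list of 7776 words is assumed for the larger numbers:

```python
import math
import secrets

# Constructed miniature word list for the demo. A real list such as the EFF long
# diceware list has 7776 words, which is what gives each word about 12.9 bits.
WORDS = ["cat", "smart", "kettle", "orbit", "maple", "pixel", "harbor", "velvet",
         "quartz", "nomad", "ember", "saddle", "tundra", "lantern", "cobalt", "meadow"]


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words picked uniformly at random, with replacement, from list_size words.
    It depends only on the number of words and the list size, not on leet or capitals."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, words=WORDS, sep: str = " ") -> str:
    """Choose words with the OS CSPRNG (secrets), never random.choice, which is predictable."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print(f"16-word list, 5 words: {passphrase_bits(5, len(WORDS)):.1f} bits -> "
          f"{generate_passphrase(5)}")
    print(f"7776-word list, 6 words: {passphrase_bits(6, 7776):.1f} bits")
    print(f"words for 80 bits from a 7776-word list: {words_needed(80, 7776)}")
```

The entropy figure is what a cracker faces if it knows the list and the method; compressing “my two cats are smart” to “my2c@tsrSmart” does not raise it, it only shortens what you type. Six words from a 7776-word list give about 77 bits, comfortably above anything in the cracking-time table earlier in this piece, and remain that strong even if the attacker has the list.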
What you can do about it
By now you realize you can’t rely on sites to protect you. Even Amazon will allow shockingly bad passwords. That means it’s up to you.
Rule No. 5: Don’t rely on a website’s strength meter to keep you safe. As the researchers showed, even the biggest sites have lax or missing rules, and attackers know it.
The truth is, remembering complicated passwords for each and every account is virtually impossible. Luckily, there are tools to help you stay safe.
Password managers are good for almost anyone out there. You need to remember just one super strong password, called the master password, to unlock your vault of logins, and the manager generates a long, random, unique password for every site so you never have to reuse one.
Two-factor authentication is a must for every account that offers it. Even if you did get lazy with your password, this additional security measure makes it much harder for hackers to break into the account without the security code sent to your phone or generated by an authentication app. Prefer an authentication app or a hardware security key over a code sent by text message: text codes can be hijacked through SIM swapping, and a phishing page that relays your password can relay a typed-in code too, while a security key refuses to sign in to the wrong site.
Rule No. 6: This rule isn’t new, but it’s worth saying one more time: Never use the same password for multiple accounts. Through a technique known as credential stuffing, hackers take the username-and-password pairs stolen from one breach and try them automatically on other services, hoping to find accounts where you reused them.