How are passwords compromised?
There are various types of tools and techniques hackers use to attempt to obtain your password. Being aware of each of them and understanding how they work can help you determine a strong password.
Dictionary attacks: These types of attacks will try every word in every dictionary with different numbers and characters before and after the word itself. A variation on this attack is to try every possible and common phrase in the English language.
Brute force: These attacks try every possible combination of numbers, letters, and special characters. The longer a password is, the longer this type of attack can take before it is successful.
Password lists: Numerous organizations have had their databases compromised over the years and massive lists of passwords are available on the internet. Some types of attacks will try to use the passwords in these lists as there are many common trends and many reused passwords.
Phishing: Malicious emails and websites that pose as legitimate services (like your bank or cable provider) may ask you to type in your username and password and then steal them. No legitimate service will ask you to send your username and password – they will only ask that you visit their official website and log in.
Keystroke loggers: There are some types of malware and hardware (like specially designed flash drives, for example) that can record the keys being pressed on your keyboard and send them to the attacker's server via the internet.
Sniffing: This type of attack monitors network traffic looking for usernames, passwords, and other sensitive information. Sniffing is especially effective on open and/or public WiFi networks and on sites that are not using HTTPS.
What is a strong password?
The use of internet-connected devices is a delicate balancing act between convenience and security. For example, a short and simple password is convenient but insecure, whereas a long and more complex password is secure but inconvenient.
A strong password can be measured primarily by length, randomness, and uniqueness. You should stay away from easy-to-guess passwords such as your name, common dictionary words, or any common word combinations such as ''JohnSmith''.
Two examples of how to create strong passwords:
- A long string of random characters like tP2cuZHNwbgp^qENSmB2UX^V.
The ideal to aim for is 16-24 random characters using every character type including special characters, numerals, upper and lowercase letters.
- Four unrelated words of good length strung together like 'toasterjupitercumulusmonitor'.
Note: Some websites restrict password length and which kinds of characters can be included. If these restrictions limit the strength of the password, just try to make it as strong as possible within the confines of the website restrictions.
Strong passwords can be difficult to remember, especially when best practices advise using a different password for every website/service we use. This problem can be solved by using a password manager. Passwords you have created can be stored in the password manager's encrypted database and accessed by using one master password. That way there's only one password to remember – the master password. Some password managers can even automatically log you into the website you are visiting.
There are many different password managers out there that the average person can choose from. Some examples of these would be LastPass, BitWarden, and Dashlane.
Note 1: Most browsers can remember login information, but the browsers' built-in password managers are usually less secure than using a dedicated password manager.
Note 2: Password managers are third-party software not supported by Fidelity and may charge a fee for use. Use at your own discretion.