Reason 1: Computers can guess passwords OVERWHELMINGLY faster than you come up with one
It may be true that your password is un-guessable by other people. But today, hackers are not going to use human brainpower to guess your passwords. They are going to use powerful machines to do that instead. Today’s computers are so powerful that it is feasible for them to guess your password by trying out all possible permutations and combinations. This is called the brute-force method of password cracking. The shorter your password, the quicker the computer can find it out.
Passwords are becoming more and more trivial for computers to crack as computers become more and more powerful. As this article reported in May 2013,
… a 25-computer cluster that can crack passwords by making 350 billion guesses per second… It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords.
That was late 2012. Imagine how much more capable and powerful computers are today!
One way to defeat the brute-force method is to limit the number of tries that can be made to guess the secret. For example, in wartime, if a soldier gets the password wrong, he will be assumed to be the enemy and be shot immediately. Another example: if you enter your Internet banking password wrong more than a specific number of times, the system will lock you out and an alert will probably be sent to the system administrators. But unfortunately for you, hackers usually work by hacking a website and stealing its password database. Once they have the password database in their hands, they have all the time they need to make as many guesses as it takes to crack your passwords, and no lockout can stop them.
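To make the lockout idea concrete, here is an added example (mine, not code from the article or any product it mentions) of the kind of guard an online service puts in front of its login form. The names `LoginGuard`, `AccountState` and the 5-failure, 15-minute defaults are assumptions for illustration. The caller checks the password and tells the guard whether it was right; the guard counts consecutive failures, locks the account for a while, and records an alert for the administrators. Note what it cannot do: once the password database itself has been stolen, the attacker never talks to this code at all.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive wrong passwords since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Lock an account after too many wrong guesses and raise an alert (hypothetical component)."""

    def __init__(self, max_failures=5, lockout_seconds=15 * 60, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock        # injectable so a test can fast-forward time
        self.accounts = {}        # username -> AccountState
        self.alerts = []          # (username, time) pairs an administrator would be told about

    def attempt(self, username, password_ok):
        """Decide one login attempt. Returns (allowed, reason)."""
        now = self.clock()
        state = self.accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            # A correct password is refused too while locked, so a guesser
            # cannot tell from the response whether the last guess was right.
            return False, "locked"
        if password_ok:
            state.failures = 0
            return True, "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lockout_seconds
            state.failures = 0
            self.alerts.append((username, now))   # page the administrators
            return False, "locked"
        return False, "bad-password"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for guess in (False, False, False, True):
        print(guard.attempt("alice", guess))
    print("alerts:", guard.alerts)
```

The lockout only limits online guessing against the live service; the rest of this section explains why that is not enough.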
Another way is to use a really long password that requires far more guesses than it is technologically feasible to make with the brute-force method. Today, this means around 20 characters or more. In future, as computers become more powerful, even this will become too short.
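You can check the brute-force arithmetic yourself. The following is an added example, not from the article, that uses the 350 billion guesses per second quoted above and works out how long it takes to try every password of a given length and character set, and how long a password has to be to stay out of reach for a chosen number of years. The character-set sizes are the usual ones (10 digits, 26 lowercase letters, 62 letters and digits, 95 printable ASCII characters); the function names are mine.

```python
GUESSES_PER_SECOND = 350e9   # the 350 billion/s rate quoted above for the 2012 cluster
SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes for common password character classes
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size, length):
    """Number of candidates a brute-force search must cover to be sure of a hit."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of this length at the given guess rate."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds):
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def min_length_for(alphabet_size, target_years, rate=GUESSES_PER_SECOND):
    """Shortest length whose worst-case crack time exceeds target_years at this rate."""
    needed = target_years * SECONDS_PER_YEAR * rate
    length = 1
    while keyspace(alphabet_size, length) < needed:   # integer loop avoids float log rounding
        length += 1
    return length


if __name__ == "__main__":
    for label, size in CHARSETS.items():
        for length in (8, 12, 16, 20):
            print(f"{label:20} length {length:2}: {human_duration(seconds_to_exhaust(size, length))}")
    for label, size in CHARSETS.items():
        print(f"{label:20}: {min_length_for(size, 1000)} characters to hold out 1000 years")
```

Eight printable-ASCII characters fall in about five hours at that rate, which lines up with the "less than six hours" in the quote, while twenty characters take longer than the age of the universe. Rerunning with a higher `rate` shows how quickly the "safe" length creeps up as hardware improves.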
Reason 2: Hackers have ALREADY picked your brain on how you come up with passwords
In 2013, an article titled How crackers make minced meat out of passwords gave a chilling insider’s view of the capabilities and resources available to hackers when they crack passwords. Basically, this article reported that hackers already had access to hundreds of millions of real-world passwords. They had analysed them to figure out all the tricks and schemes people used for coming up with passwords. As this article reported,
The other variable was the account holders’ decision to use memorable words. The characteristics that made “momof3g8kids” and “Oscar+emmy2” easy to remember are precisely the things that allowed them to be cracked. Their basic components—“mom,” “kids,” “oscar,” “emmy,” and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.
In other words, all the substitution, transposition, re-arrangement, pattern and other schemes you can come up with to make your password hard to guess but easy to remember are most probably already known to hackers!
Hackers also know the top 100 passwords that people use. If yours is one of them, change it now.
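The defensive counterpart of the cracker's ingredient list is to run the same check before a password is accepted. The example below is added here and is not from the article; it takes a candidate password, undoes the usual letter-for-symbol substitutions, strips the digits and symbols, and removes every word from a small ingredient list to see how much is left. The two lists are constructed stand-ins of a few entries each (real checks use lists of millions, such as the top-100 list mentioned above), and the 12-character minimum and the function names are my assumptions.

```python
import re

# Constructed stand-ins for the real lists: a few very common passwords and a few
# of the "ingredient" words crackers combine. Real deployments use lists of millions.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}
COMMON_WORDS = {"password", "mom", "of", "kids", "oscar", "emmy", "letmein",
                "qwerty", "welcome", "admin", "monkey", "summer", "love"}

# Common letter-for-symbol substitutions, undone before checking
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12   # assumed policy minimum


def normalize(password):
    """Lowercase and undo leetspeak, so P@ssw0rd is compared as password."""
    return password.lower().translate(LEET)


def leftover_letters(password, words=COMMON_WORDS):
    """Letters left after stripping digits, symbols and every known word.

    Heuristic: tried on both the raw and the de-leeted spelling, keeping the
    shorter residue, so momof3g8kids reduces to the single letter g.
    """
    best = None
    for variant in (password.lower(), normalize(password)):
        letters = re.sub(r"[^a-z]", "", variant)
        for word in sorted(words, key=len, reverse=True):   # longest words first
            letters = letters.replace(word, "")
        if best is None or len(letters) < len(best):
            best = letters
    return best


def check_password(password):
    """Return (accepted, reason) for a candidate password."""
    if normalize(password) in COMMON_PASSWORDS:
        return False, "common-list"
    if len(leftover_letters(password)) <= 2:
        return False, "common-ingredients"
    if len(password) < MIN_LENGTH:
        return False, "too-short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "momof3g8kids", "Oscar+emmy2", "x7Qm!vL2p",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

Both passwords from the quote are rejected as "common-ingredients" even though neither appears verbatim on any list, which is exactly the point the article makes: the scheme, not just the word, is what the crackers already have.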
Reason 3: If you reuse passwords on different websites, hackers can compromise you multiple times
Nowadays, with too many passwords to remember, the temptation is to use the same passwords across all your different online accounts. Unfortunately, this is a very unsafe practice. If one of your online accounts is compromised and your password leaked as a result, then all other online accounts that use the same passwords are in danger of being compromised as well.
So, for example, let’s say you have an online web account where the username is your email address. One day, hackers raid the website and obtain your email address and password.
So, what can the hacker do?
He can try logging into PayPal with the same email address and password. If you happen to use the same password for your PayPal account (and have not activated two-factor authentication), the hacker will compromise that as well. Next, he can try the same with LinkedIn. If your LinkedIn account uses the same password, you will lose your LinkedIn identity as well.
To make matters worse for you, the website that was hacked may not even be aware that it has been infiltrated. So, you will have no idea that your LinkedIn and PayPal accounts are compromised. You may accidentally discover that your LinkedIn account is no longer working as usual and dismiss that as a technology glitch. But will you be able to draw the link that your PayPal account has already suffered the same fate? What about your other accounts that use the same password?
So, remember this carefully: do not ever use the same password across different accounts! Each website/account must have its own unique password.
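Password managers usually offer an audit that finds exactly this problem in your own vault. Here is an added example of such an audit (mine, not the code of any password manager): it groups vault entries by a fingerprint of their password so the report never shows the password itself, lists the sites that share one, and answers the question from the scenario above, namely which other accounts fall if one site's database leaks. The vault contents are constructed sample data with `.example` domains, and the function names are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault; a real one would be the password manager's export
VAULT = [
    {"site": "shop.example",     "username": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "paypal.example",   "username": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "linkedin.example", "username": "alice@example.com", "password": "Tr0ub4dor&3"},
    {"site": "bank.example",     "username": "alice",             "password": "correct horse battery staple"},
]


def fingerprint(password):
    """Short digest used only to group entries, so reports never carry the plaintext.

    This is not a storage hash: a plain SHA-256 is far too fast to protect a
    stored password, which is exactly what Reason 1 is about.
    """
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reuse(vault):
    """Map each reused password's fingerprint to the sorted list of sites sharing it."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["site"])
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Other sites whose login works with credentials leaked from breached_site."""
    leaked = {(e["username"], e["password"]) for e in vault if e["site"] == breached_site}
    return sorted(e["site"] for e in vault
                  if e["site"] != breached_site and (e["username"], e["password"]) in leaked)


if __name__ == "__main__":
    for fp, sites in find_reuse(VAULT).items():
        print(f"password {fp} is reused on: {', '.join(sites)}")
    print("if shop.example leaks, also exposed:", blast_radius(VAULT, "shop.example"))
    print("if bank.example leaks, also exposed:", blast_radius(VAULT, "bank.example"))
```

Run against the sample vault, the shop breach takes PayPal and LinkedIn with it, while the bank account, which has its own password, stands alone.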
Reason 4: Humans are easily tricked into giving out their passwords
There is a popular saying that goes something like this:
On the Internet, no one knows that you are a monkey.
Remember, a website is just a facade. Behind the facade can reside a large, legitimate and trusted organisation or a lone cyber-criminal. Any monkey can quickly and cheaply create an impressive-looking facade that looks extremely similar to the ones created by legitimate organisations that you trust. Some cyber-criminals even go to the extent of simulating the functions of legitimate websites (there has been a case where cyber-criminals created a fake banking website that allowed you to ‘log in’ and check the ‘balances’ of non-existent bank accounts). This nefarious activity is called phishing.
The most common way for cyber-criminals to trick users into visiting their phishing websites is to send them emails with links to these fake sites. These emails are fakes because they do not come from where they claim to be. It is extremely easy to create an official-looking email that purportedly comes from, say, your bank. In fact, it is so easy that hardly any technical knowledge is required. These emails will use fear, uncertainty, doubt, flattery, threats and other trickery to induce you to click on the links. Once your web browser opens the link, you will see a facade that looks almost exactly like the website of the organisation that the email claims to be from. If you are not vigilant at this point, you will submit your secrets (e.g. passwords, credit card numbers) to the fake website.
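The vigilance asked for above can be partly automated, and this is what mail filters and browser warnings do. The following is an added example, not from the article, of the checks a filter applies to each link in an email: whether the link is plain http, whether a trusted brand's domain appears merely as a subdomain of some unrelated domain, whether the text you see names a different site from the one the link actually goes to, and whether the link points at a bare IP address. The trusted-domain set, the sample links and the function names are constructed for illustration, and the two-label rule for the registrable domain is a simplification (a real filter uses the Public Suffix List).

```python
import re
from urllib.parse import urlparse

# Constructed: the organisations this mailbox expects mail from, as registrable domains
TRUSTED_DOMAINS = {"bank.example", "paypal.example"}

# Constructed sample links as (visible text, actual href) pairs from one email body
SAMPLE_LINKS = [
    ("https://www.bank.example/login", "https://www.bank.example/login"),
    ("www.bank.example", "http://www.bank.example.secure-login.test/"),
    ("Click here", "https://198.51.100.7/login"),
]


def registrable_domain(host):
    """Last two labels of a hostname; a simplification of the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(text, href):
    """Return the warnings for one link; an empty list means nothing looked wrong."""
    warnings = []
    url = urlparse(href)
    host = url.hostname or ""
    reg = registrable_domain(host)
    if url.scheme != "https":
        warnings.append("not https")
    # brand domain used as a subdomain of an unrelated registrable domain
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and reg != trusted:
            warnings.append(f"host {host} imitates {trusted}")
    # visible text that looks like a domain but differs from the real destination
    shown = urlparse(text if "://" in text else "https://" + text).hostname
    if shown and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and registrable_domain(shown) != reg:
        warnings.append(f"text shows {shown} but link goes to {host}")
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        warnings.append("raw IP address")
    return warnings


def audit(links):
    """Return (href, warnings) for every link that produced at least one warning."""
    flagged = []
    for text, href in links:
        warnings = classify_link(text, href)
        if warnings:
            flagged.append((href, warnings))
    return flagged


if __name__ == "__main__":
    for href, warnings in audit(SAMPLE_LINKS):
        print(href)
        for w in warnings:
            print("   -", w)
```

The genuine bank link passes clean, while the lookalike host collects three warnings at once. None of these checks proves a link is safe; they only catch the cheap tricks, which is why the article's advice to stay vigilant still stands.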
How will a password manager make me more secure? Which one should I use? How to set it up for maximum security? How to find out if you have been hacked?
Good questions!
Unfortunately, they are too much to cover in this one article.
However, they are all answered in my book, Digital Security & Privacy for Dummies.