Common Classroom: The Common Sense Education Blog
Stay Connected to Common Sense Media for Educators
How Safe is Your Password?
We all know how important it is to have secure passwords---or do we? According to experts, we all could use a lesson in hacking when it comes to passwords. Teens are particularly cavalier with their passwords. As a 2012 news story reported, upwards of 30 percent of teens share their passwords, often as a sign of trust between boyfriend and girlfriends. Given the tenure of teen romance, that practice can only go bad fast.
But before we assume it’s only teens who are putting themselves at risk, think about the pin numbers and passcodes you use. Do you often pick a specific important date or a familiar sequence of numbers that’s easiest to remember? Is there a default password you refer back to each time you need to choose a new one? While this shortcut might make life easier, it also makes it easier for online hackers.
A post on the Data Genetics blog in 2012 found that, astoundingly, the most common four-digit passcode combination is “1234,” with the second most common being “1111.” Another frequent choice found was “2580” – the four digits that make up the middle row of a telephone keypad. Passcodes this simplistic can be hacked and unlocked in a matter of seconds, yet many continue to rely on such combinations. Looks like it’s time to get a bit more creative.
In 2012, CNN’s Stacy Cowley reported that the most common way for hackers to find your passcode isn’t through fancy software, but by simply guessing. You may have heard the joke about the person thinking they are witty by choosing the word “password” for their password. According to Cowley, this isn’t just a joke. Surprisingly, “Password1” is the most common password used on business systems. The combination of its uppercase letter, numeral, and total of nine characters meets the complexity requirement on many systems, including Microsoft’s own Active Directory identity management software.
Complexity, however, isn’t exactly the key to the safest password. Encrypted passwords that use leetspeak substitutions, like the number “0” for the letter “o” or the number “4” for a capital letter “A,” may seem airtight but are actually quite common. As this humorous xkcd comic points out, these types of passwords are often the hardest to remember, yet take the smallest amount of time to crack. Somewhat surprisingly, the most failsafe passwords are those that combine several simple words that are easy to remember, yet in an uncommon combination. The site even provides a password generator to help you think of such word sequences.
The idea that multiword passwords are the best option is shared by many who work with online protection systems, including security expert Thomas Baekdal. He says that simple sounding passwords such as “this is fun” are actually more secure than nonsensical-sounding passwords like “$d@*H0%.”
Lifehacker.com writer Adam Dachis reported that, according to Baekdal, one of the most common ways to crack passwords is through brute-force attacks, which use repetition to overpower the computer’s security system. These attacks use special software that enters varying combinations of English characters, in some cases making as many as 50 attempts a minute. Most common passwords can be cracked in less than a few hours, while more complex passwords might take a few months or a year to decode. However, the best and most secure passwords, as Baekdal puts it, should last a lifetime. Dachis explains Baekdal’s reasoning:
Baekdal states that a gibberish password, like J4fS<2, will take about 219 years to crack using a brute-force attack (the fastest method). That's secure for life, but it's not terribly easy to remember. On the other hand, a phrase like "this is fun" would take about 2,537 years to crack using a brute-force attack. It's not only more secure, but also easier to remember.
While multiword passwords appear to be the most secure option, Microsoft’s Safety and Security Center has provided four other elements to consider when creating a foolproof password:
Length – Strong passwords are at least eight characters long.
Complexity – Integrate punctuation, symbols, numbers, and other less common characters into your password. Keep in mind, however, that password-hacking software automatically checks for common letter-to-symbol substitutions, like using an ampersand instead of the actual word. Also remember that memorability is an important factor.
Variation – It’s best to change your passwords often to ensure security.
Variety – Don’t use the same password for everything. Cybercriminals often rely on less-secure websites to crack passwords. They will then try the same password in other, more secure, places like online personal banking sites.
Conveniently, there’s an online resource that allows users to enter potential passwords to test their safety. The site explains not only how easily it could be cracked, but also how frequently the password has been used, as well as other security information. For example, it speculates that the word “digital” could be cracked instantly and is in the top 500 most used passwords, whereas “education,” while less common, could still be cracked in approximately 22 minutes. Interestingly enough, the phrase “secure password” would take a desktop PC 49 million years to crack.
Common Sense Media has a number of specialized lessons to teach students (and teachers!) about online security, privacy, and, more specifically, choosing secure passwords. Our lesson “Privacy Rules” is designed for Grades 4-5, and teaches students how to identify sites that protect their information. A related lesson, “Powerful Passwords,” outlines the specifics of choosing secure passwords that will keep online information highly protected. For Grades 6-8, there’s a slightly advanced variation, “Strong Passwords,” which delves into exactly how stronger passwords help to protect private information. All of the lessons include handouts for students as well as a detailed lesson plan for educators, and are available for free online.