This summer has ended with a few database breaches that have leaked more than a hundred million passwords onto the internet. And, as usual, it feels like there’s nothing we can do about it — except check to see if you’ve been pwned.
F-Secure Labs lead researcher Jarno Niemelä explains: “Ah, but there is something you can do to prepare for the next breach.”
“The trick is to use a really long random string for a password,” he tells us. “The password length should be at least 20 characters, but preferably 32.”
Criminals who attempt to crack password databases use various forms of attack based on words found in a dictionary. This method usually works quite well because so many users pick terrible passwords. “Humans in general are really bad password generators,” Jarno says. “No matter how unique you think your password is, its components are still likely to be in some dictionary, and a powerful cracking cluster will come up with exactly the right combination.”
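To make the length advice concrete, here is an added example (not F-Secure's code, nor part of the original post) that generates a password the way a password manager would, from the operating system's cryptographic random source, and puts a number on why 32 random characters are out of a dictionary attack's reach. The guess rate passed to `compare_strategies` and the dictionary size used there are constructed figures for illustration, not measurements of any real cracking cluster.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=32, alphabet=DEFAULT_ALPHABET):
    """Return `length` characters drawn uniformly at random from `alphabet`.

    `secrets` uses the operating system's CSPRNG; the `random` module is
    not suitable here because its output is predictable.
    """
    if length < 20:
        raise ValueError("use at least 20 characters; 32 is preferable")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of `length` independent uniform choices from `alphabet_size`
    symbols. Every added character multiplies the search space."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try the whole space at a given rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_strategies(guesses_per_second=1e11):
    """Contrast a dictionary-style choice with a random 32-character string.

    The guess rate and the dictionary size are constructed numbers for the
    sake of the comparison, not measurements of any particular cluster.
    """
    # A password built from one of ~100,000 dictionary words plus a four-digit
    # suffix is picked from roughly 1e9 candidates, whatever its length.
    dictionary_bits = math.log2(100_000 * 10_000)
    random_bits = entropy_bits(32, len(DEFAULT_ALPHABET))
    return {
        "dictionary_word_plus_digits_bits": dictionary_bits,
        "random_32_chars_bits": random_bits,
        "dictionary_years": years_to_exhaust(dictionary_bits, guesses_per_second),
        "random_years": years_to_exhaust(random_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print(generate_password())
    for name, value in compare_strategies().items():
        print(f"{name}: {value:.3g}")
```

The point the numbers make is the one Jarno makes in words: a "clever" word-plus-digits password is chosen from a space of about 30 bits no matter how long it looks, while 32 uniformly random printable characters give roughly 210 bits, which no cracking cluster exhausts.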
But there are a few catches to this tip — and two of them depend on the security practices of the service you’re using.
First, the site or app has to accept long passwords, and second, the developers behind the software have to use some kind of “hashing” for the passwords they store.
Hashing employs a one-way algorithm to scramble passwords so they’re not stored in clear text. It’s a relatively basic practice that you can expect most reputable companies to employ.
“So you as a customer cannot affect what kind of password storage the service providers are using,” he says. “But you can still frustrate all but the most advanced attackers’ efforts by using long enough random passwords.”
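The "hashing" the service is expected to do matters in the details, so here is an added example (not F-Secure's code, nor part of the original post) showing the weak form beside the hardened one: a single fast, unsalted SHA-256 versus a per-user random salt with a deliberately slow key-derivation function. PBKDF2-HMAC-SHA256 is used here because it ships in Python's standard library; the record format and the iteration count are this example's own choices, and other slow functions such as bcrypt, scrypt or Argon2 are equally valid.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # example default; raise it as hardware gets faster


def naive_hash(password):
    """The weak scheme: one fast, unsalted SHA-256 of the password.

    Two users with the same password get the same digest, so an attacker
    who obtains the table can hash a dictionary once and compare it against
    every record at the same time.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """The hardened scheme: a fresh random salt per user plus a slow
    key-derivation function. Returns a self-describing record so the
    parameters can be raised later without breaking old entries."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Re-run the derivation with the stored salt and iteration count and
    compare in constant time so response timing does not leak the digest."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def digest_collisions(passwords, scheme):
    """Count duplicate stored values for a list of user passwords under a
    given scheme. In a leaked table built with `naive_hash`, users who share
    a password are visible at a glance; with salted records they are not."""
    stored = [scheme(p) for p in passwords]
    return len(stored) - len(set(stored))


if __name__ == "__main__":
    # Constructed sample: two users happen to share a (bad) password.
    users = ["hunter2", "hunter2", "letmein"]
    print("duplicates, naive  :", digest_collisions(users, naive_hash))
    print("duplicates, salted :", digest_collisions(users, hash_password))
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok  :", verify_password("correct horse battery staple", record))
    print("verify bad :", verify_password("Correct horse battery staple", record))
```

Even the hardened scheme does not rescue a dictionary-word password: the slow function only multiplies the attacker's cost per guess, so the number of guesses, which is what a long random password drives up, still decides the outcome.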
So now you may be thinking, “Great! I have uncrackable passwords. They’re also impossible to memorize.”
Jarno recommends “some form of password storage” — like F-Secure KEY, which you can use on one device for free. Many password lockers like KEY will help you generate extra long passwords, too.
“Also it might be a good idea to use a unique user name per service, and maybe a unique email for critical services,” Jarno says. “The unique user name will give you added privacy, as you cannot be tracked easily across services.”
He gives this advice to his own kids to use as they play online games. Jarno also teaches his kids to limit their digital footprint by regularly changing their username or any alias in any game that makes their identities visible.
“Better teach them the basics of good OpSec — operational security — when they are young.”