
In this blog post, I will explain the order of magnitude of identity theft, which is humongous, why secure passwords are important and what makes a secure password. I furthermore explain how to adopt multi-factor authentication to protect your accounts, and I try to motivate you to use a password manager and to clean up your digital mess.
Why are secure passwords so important
Identity theft
Identity theft has been on the rise for years. There are billions of stolen identities publicly available, and a huge portion of them come with user name and password in clear text.
How big is the problem? Huge! But we do not know the full truth; we only have some indications, listed here. If you are more interested in identity theft, read my blog post.
- The provider Constella reports that 42 billion exposed records of consumers and employees were detected circulating in dark markets in 2021.
- The US provider haveibeenpwned currently has close to 13 billion individual breached accounts in its database, and the German Identity Leak Checker from the Hasso Plattner Institute has close to 14 billion breached accounts in its database.
- Knowing that 4 billion persons are online, this means that on average every person has been affected roughly 4-10 times by identity theft so far.
Why is this a problem?
Password reuse
This is a huge problem because of password reuse. The bad guys know that most people reuse their passwords, and once they know one or more passwords of a particular person, they use a method called “credential stuffing”: they try those known credentials against this person's other accounts.
I have talked to so many people, and in the end nearly everybody admits to reusing passwords in one way or another.
The biggest arguments I have with people are about what reuse means. The most critical ones are people telling me that they have “a system”. When diving a bit deeper it turns out that “the system” is nothing else than a reused root password or something derived from the website name plus some “random” addition. This is also reuse!
And don’t you think the bad guys are smart enough to guess your “system” once they know one or two of your breached accounts?
The only way to secure your accounts is to create secure passwords and adopt additional measures where possible.
What makes a secure password
A secure password is long, random and unique.
Why long: long passwords protect you against brute force attacks. An average computer takes 17 minutes to crack a password with 4 characters, 1 day to crack one with 6 characters, 116 days for 8 characters, 3000 years for 12 characters, etc. As you can see, the longer a password is, the harder it is to guess.
-> My personal recommendation is to use passwords of at least 20 characters to be well protected against brute force attacks.
Why random: forget your “system”. Using a system means that a hacker can guess your pattern once they know one or two of your passwords in clear text. Do not use any personal data in your passwords. They should be truly random.
-> My recommendation is to use a password generator to create truly random passwords.
Why unique: I think I already clarified this above. Password reuse makes you vulnerable to “credential stuffing”.
-> My recommendation is to create a unique password for each of your accounts and never to share or reuse any password across accounts.
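To make the three properties concrete, here is an added example (my own code for this post, not from any password manager) that generates a password from the operating system's cryptographic random source and computes how large the search space is. The guess rate of 10 billion guesses per second is an assumption chosen to illustrate the growth; real rates depend on the attacker's hardware and on how the provider hashes passwords.

```python
import math
import secrets
import string

# Assumed alphabet: upper and lower case letters, digits and punctuation (94 symbols).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Return `length` symbols drawn uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG, so the result has no pattern that
    could be derived from another leaked password (no "system")."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("length must be >= 1 and alphabet needs >= 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average the attacker succeeds
    after trying half of the 2**bits possibilities."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def crack_time_table(lengths, alphabet_size: int = len(DEFAULT_ALPHABET),
                     guesses_per_second: float = 1e10) -> dict:
    """Map each password length to the expected crack time in years
    at the assumed guess rate (10 billion/s is a constructed figure)."""
    seconds_per_year = 365.25 * 24 * 3600
    return {
        n: expected_crack_seconds(entropy_bits(n, alphabet_size), guesses_per_second)
        / seconds_per_year
        for n in lengths
    }


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw)
    print("entropy   : %.1f bits" % entropy_bits(len(pw), len(DEFAULT_ALPHABET)))
    for n, years in crack_time_table([8, 12, 16, 20]).items():
        print("length %2d -> about %.3g years" % (n, years))
```

Note that the table only models brute force against a truly random password; a password derived from a "system" or a dictionary word is found far sooner because the attacker does not search the whole space.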
Additional measures
Unfortunately, creating secure passwords for all your accounts is not sufficient to be well protected. It can still happen that one of your accounts is breached and its credentials stolen. There are many ways this can happen, either by accident or through criminals.
The credentials can be stolen directly from you or from your provider.
“Phishing” is one of the most critical methods for stealing credentials directly from you: a criminal pretends to be your provider and asks you to enter your credentials or financial information into a fake site.
There are many ways data can be breached at your provider. Quite often simple “accidents” happen that expose sensitive data to the public. In other cases hackers find unprotected servers or break into insufficiently protected infrastructure and steal the data.
In any of these cases, your data might be stolen and it might take a very long time for you to find out, if at all.
The best and only way to protect yourself against this is to adopt additional measures such as multi-factor authentication.
There are different ways to activate multi-factor authentication. The least safe way (but still better than nothing) is to receive an SMS with a two-factor code. Much better is to use a code generator that you set up once in your online account together with an authenticator app. Nowadays, services often send an email to confirm as a second factor; there you need to ensure that your email account is properly protected, which you should do anyway! The safest way is to use a physical security key such as the YubiKey.
-> My recommendation is to activate multi-factor authentication wherever possible, ideally via an authenticator app or a physical key.
Password manager
Looking at all these measures, you might ask yourself how to manage all this.
-> My recommendation is to use a password manager, enter all your passwords and start cleaning up your digital mess step by step.
If you are very security aware, then I would recommend KeePass, which is a free, open source password manager used by many companies as well, because it stores everything locally and is considered very secure. Its comfort and usability are not so great, however, and I personally prefer a cloud-based password manager that is available on multiple platforms.
I am personally using the Avira Password Manager, as I previously worked at Avira and was responsible for the development of the product. The product has everything needed for good password management: it has a password generator, and the built-in security status checks your password strength and reuse and whether your account or your password is known to be breached (using the service from haveibeenpwned). Furthermore, the mobile app has an authenticator built in.
Of course there are also many other good cloud-based password managers, e.g. 1Password, Dashlane, LastPass or NordPass.
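The two checks mentioned above, reuse detection and the breached-password lookup, are simple to reason about, so here is an added example (my own illustration for this post, not Avira's code or the haveibeenpwned client library). The breach check follows the Pwned Passwords "range" scheme: only the first five hex characters of the password's SHA-1 hash are sent to the service, and the matching of the remaining 35 characters happens locally, so the service never learns the password. The example runs fully offline: the vault and the range response are constructed sample data, and the counts in it are made up.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (account -> password); not real credentials.
SAMPLE_VAULT = {
    "mail.example": "password",
    "shop.example": "password",
    "bank.example": "Vx9$tQ2m!rLw7#pHs4Ke",
    "forum.example": "b3&ZuN8@yGf1%Ck6Jd0T",
}

# Constructed stand-in for the text the range endpoint would return for the
# prefix "5BAA6" (format "SUFFIX:COUNT" per line). Counts are invented.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "00000000000000000000000000000000001:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2:1",
    ]),
}


def find_reused_passwords(vault: dict) -> dict:
    """Group accounts sharing one password. Any group with two or more
    accounts is credential-stuffing exposure: one breach opens all of them."""
    groups = defaultdict(list)
    for account, pw in vault.items():
        groups[pw].append(account)
    return {pw: sorted(accts) for pw, accts in groups.items() if len(accts) > 1}


def hibp_range_query(password: str) -> tuple:
    """Split the uppercase hex SHA-1 into the 5-char prefix that would be
    sent to the range API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent)."""
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def breach_count_offline(password: str, range_responses: dict) -> int:
    """Look the password up against locally supplied range responses
    (a live client would fetch range_responses[prefix] over HTTPS)."""
    prefix, suffix = hibp_range_query(password)
    return count_in_range_response(suffix, range_responses.get(prefix, ""))


def security_status(vault: dict, range_responses: dict) -> dict:
    """Per-account report: is the password reused, and how often was it seen in breaches."""
    reused = find_reused_passwords(vault)
    return {
        account: {
            "reused": pw in reused,
            "breach_count": breach_count_offline(pw, range_responses),
        }
        for account, pw in vault.items()
    }


if __name__ == "__main__":
    for account, status in security_status(SAMPLE_VAULT, CONSTRUCTED_RANGE_RESPONSES).items():
        flags = []
        if status["reused"]:
            flags.append("REUSED")
        if status["breach_count"]:
            flags.append("BREACHED x%d" % status["breach_count"])
        print("%-14s %s" % (account, ", ".join(flags) or "ok"))
```

The report is only as good as the vault: the point of "entering all your passwords" first is that reuse across accounts can only be detected once the manager sees every account.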