How secure are your passwords?

Do you use any of these passwords? If the answer is yes, your computer could be hacked almost instantly.

This post is by Felix Jorkowski, Co-founder of Kalix and Head Software Engineer

From time to time there are stories in the media about hacker attacks on websites or computer networks. You may remember that last year the computer network at a Gold Coast medical centre was hacked and their patient files corrupted. Have you wondered how hackers gain access to systems like this? To put it simply, hackers look for vulnerabilities (weaknesses in computer systems) and then use them to compromise the system. These weak spots are often referred to as "security loopholes". Today I thought I would discuss a much overlooked security loophole: you.

Weak Passwords

Can you guess what the most important aspect of security in a cloud-based system is? No, it isn't anti-virus software. It's your choice of password! Yes, the hackers were able to access the Gold Coast medical centre's server by breaking their password. I think this cartoon explains it well.

The hackers, of course, didn't literally hit the medical centre's staff on the head! They either guessed the login password or used password cracking software to recover it.

The table below (courtesy of Lifehacker) shows how long it takes password cracking software to try every possible combination of characters for a given password length. Longer passwords take much longer to crack: from 5 minutes for a 6-character lowercase password to 4.5 years for a 10-character one. Likewise, passwords that mix character types (uppercase and lowercase letters, numbers and symbols) take far longer to crack than lowercase-only passwords (from 2.23 hours to 2.21 years for a 7-character password). Note that these figures assume a guess rate of roughly one million attempts per second; dedicated cracking hardware working against a weakly protected password database can go many times faster, so read them as relative rather than absolute.
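To make the arithmetic behind that table concrete, here is an added example (my code, not part of the original post or of Kalix) that computes the size of the search space for a given length and character set and divides it by an assumed guess rate. The one-million-guesses-per-second rate is not stated on the page; it is what the page's own figures work out to, and the GPU rate is a rough order-of-magnitude assumption of mine for a fast, unsalted hash.

```python
import math

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Sizes of the character sets a brute-force attack has to cover. Plain ASCII
# counts; the 95 printable characters include the space.
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable": 95,
}

# Assumed guess rates (not from the original post). The post's figures
# (5 minutes for 6 lowercase characters, 4.5 years for 10) work out to about
# one million guesses per second, so that is what TABLE_RATE models.
TABLE_RATE = 1_000_000
# Rough figure for a GPU cracking rig against a fast, unsalted hash;
# an order of magnitude only, assumed for illustration.
GPU_RATE = 10_000_000_000


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly this length over the charset."""
    return charset_size ** length


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time to try every combination; on average an attacker
    finds the password after about half this."""
    return keyspace(length, charset_size) / guesses_per_second


def humanize(seconds):
    """Pick the unit that keeps the number readable."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.2f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.2f} years"


def crack_table(lengths=(6, 7, 8, 10), rate=TABLE_RATE):
    """Rows of (charset name, length, human-readable worst-case time)."""
    rows = []
    for name, size in CHARSETS.items():
        for length in lengths:
            rows.append((name, length, humanize(seconds_to_exhaust(length, size, rate))))
    return rows


if __name__ == "__main__":
    print(f"At {TABLE_RATE:,} guesses/second (the table's implied rate):")
    for name, length, t in crack_table():
        print(f"  {name:<20} {length:>2} chars  {t}")
    print(f"\nAt {GPU_RATE:,} guesses/second (GPU rig, fast unsalted hash):")
    for name, length, t in crack_table(rate=GPU_RATE):
        print(f"  {name:<20} {length:>2} chars  {t}")
```

Running it reproduces the page's headline numbers at the table rate, and the second table shows how an 8-character password drawn from all printable characters falls to a GPU rig in days rather than years; the lesson is that length multiplies the search space far faster than adding symbols does.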

How I’d Hack Your Weak Passwords

Alternatively, some hackers just guess what a password is. You can have all the layers of encryption possible, but if your password is literally the word 'password', it would take a potential hacker just seconds to access your personal data. You're probably wondering who would use something so obvious, but take a look at the list of the most popular passwords (courtesy of SplashData). Do you use any of these?

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball
  11. iloveyou
  12. 1234567
  14. sunshine
  15. master
  16. 123123
  17. welcome
  18. shadow
  19. ashley
  20. football
  21. jesus
  22. michael
  23. ninja
  24. mustang
  25. password1

Reusing passwords

Another common mistake is reusing the same password on multiple sites. I have to admit, this is something I've been guilty of in the past. I changed my practices after the social networking website LinkedIn was hacked last year. Nearly 6.5 million users' password hashes were stolen and posted online, and because LinkedIn had stored them as unsalted SHA-1 hashes, a large share were cracked within days. If someone had matched my email address with my cracked password, they would have had easy access to a number of my other accounts.

Unfortunately, when sites do not follow best practices or human error occurs, passwords leak. The only way to stop a leak at one site from spreading to your other accounts is to use a different password for each service. Of course, thinking of a unique password for every site, making sure each one is strong, and then remembering all of them is near impossible! Luckily there is a simple solution...

Useful Password Tools

I’ll give you a small insight into what my own personal passwords look like (of course these are not my actual passwords!)

Google – vBMEVdHtFMbPtm5aWpSCPTQRy

LinkedIn – hSTw@CJNyyxH@NB4GtdFn9drd

In total I have about 50 passwords like this, covering my banking, email and business-related services; the list goes on. Passwords like these are practically impossible to brute-force, and if one account is compromised I can rest easy knowing my other accounts are safe.

These passwords are also impossible to remember, which is why I use a product called LastPass. This password manager generates long random passwords for all of my logins and stores them in encrypted form. They can only be unlocked with a single 'master password'. But if you use a weak master password you are right back where you started. The trick is choosing a master password that is strong but also easy to remember!

There is a great site where you can create your own strong password out of four random common words. I recommend that you keep generating passwords on this site until you find one you can remember. The strength comes from the words being picked at random from a large list, so let the generator choose them rather than substituting your own favourite words.
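The following added example (my code, not LastPass's and not from the original post) shows how a password manager or passphrase site generates secrets and why the four-random-words approach works: both draw from the operating system's cryptographic random source, and the strength of either is just the number of independent random choices multiplied by the bits per choice. The symbol set and the small word list are my own constructed stand-ins; a real passphrase generator needs a list of thousands of words.

```python
import math
import secrets
import string

# Alphabet for random passwords like the ones shown above: letters, digits and
# a handful of symbols that sites rarely reject. 76 characters in all (my choice).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "@#%^&*()-_=+!?"

# Constructed stand-in for a real word list, only here so the example runs
# offline. A real generator should draw from thousands of words (the
# Diceware list has 7,776); sixteen words give just 4 bits per pick.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orange", "window", "river",
    "pencil", "cloud", "marble", "kettle", "forest", "silver", "button",
    "planet", "garden",
]


def generate_password(length=25, alphabet=PASSWORD_ALPHABET):
    """Random password over the alphabet, using the OS CSPRNG via `secrets`
    (never the `random` module, whose output is predictable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=SAMPLE_WORDS, count=4, sep=" "):
    """Passphrase of `count` words picked uniformly at random from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, count):
    """Bits of entropy in `count` independent uniform picks from `choices`
    options. A guesser cannot shortcut this, so it is the real measure of
    strength regardless of how the password looks."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print("password  :", generate_password(),
          f"({entropy_bits(len(PASSWORD_ALPHABET), 25):.0f} bits)")
    print("passphrase:", generate_passphrase(),
          f"({entropy_bits(len(SAMPLE_WORDS), 4):.0f} bits from the toy list)")
    print("four words from a 7,776-word list:",
          f"{entropy_bits(7776, 4):.0f} bits")
```

A 25-character password from this alphabet carries about 156 bits, far beyond any brute-force budget; four words from a 7,776-word list carry about 52 bits, which is fine for a master password that is rate-limited and memorable, but the same four words from the toy list above would give only 16 bits, which is why the list size matters and why hand-picked words are weaker than generated ones.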

Single Sign-On + Two-Factor Authentication

There are sites that do security really well; Google and Microsoft are examples. These sites offer a feature called 'two-factor authentication'. When you log in, you also enter a code sent to your mobile device. It adds an extra security step, as a potential hacker would also need access to your phone to log into your account.

While Kalix does not offer two-factor authentication itself, you can log into our site through these providers instead. This method of logging in is called 'single sign-on': our Google, Facebook or Microsoft single sign-on sends you to the selected site to sign in, and that site then verifies your identity for us. If you have enabled two-factor authentication on that account, you get its extra protection when signing in to Kalix, plus the benefit of not having to remember another password. The flip side is that your Kalix account is then only as secure as the account you sign in with, so that account deserves your strongest password and two-factor authentication turned on.

Protecting your clients

Ensuring your client records remain safe and secure is very important. At Kalix, we work hard to make sure we follow best practices in security. However, there are steps you as a user must take to close the security loophole.

  • Choose strong passwords: at least 8 characters (the longer the better), with a combination of uppercase and lowercase letters, numbers and symbols.
  • Do not choose commonly used passwords.
  • Do not re-use the same password on multiple sites.
  • Consider using a password manager to generate and store long random passwords.
  • Use single sign-on for Kalix, and enable two-factor authentication on the Google, Facebook or Microsoft account you sign in with.
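As an added example (my code, not Kalix's), here is how the first three points of that checklist can be turned into a check you could run over your own passwords or build into a sign-up form: a length rule, a lookup against the SplashData list reproduced earlier on this page, a count of character classes, and a scan of a service-to-password mapping for reuse. Stripping trailing digits before the blocklist lookup, and requiring three of the four character classes (the sample passwords in the post have no symbols), are choices of mine rather than rules the post states.

```python
import string

# The SplashData list reproduced earlier in this post, lower-cased.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "1234567", "sunshine", "master",
    "123123", "welcome", "shadow", "ashley", "football", "jesus", "michael",
    "ninja", "mustang", "password1",
}


def looks_common(password, blocklist=COMMON_PASSWORDS):
    """Case-insensitive lookup against the blocklist. Trailing digits are
    stripped before a second lookup so that 'Monkey2013' is caught by
    'monkey' (my heuristic; the post only says 'do not choose common ones')."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits)
    return lowered in blocklist or (bool(stripped) and stripped in blocklist)


def character_classes(password):
    """Number of the four classes (lower, upper, digit, symbol) present."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password, min_length=8, min_classes=3):
    """Return a list of problem codes; an empty list means the password
    passes the checklist. min_classes=3 is my reading of 'a combination
    of' classes, since the sample passwords in the post contain no symbols."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if looks_common(password):
        problems.append("common")
    if character_classes(password) < min_classes:
        problems.append("few_classes")
    return problems


def find_reused(accounts):
    """Given {service: password}, return the groups of services that share
    a password (each group sorted), so reuse can be spotted and fixed."""
    by_password = {}
    for service, password in accounts.items():
        by_password.setdefault(password, []).append(service)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed sample inputs: the post's two example passwords plus weak ones.
    for pw in ("password1", "Monkey2013", "123456",
               "vBMEVdHtFMbPtm5aWpSCPTQRy", "hSTw@CJNyyxH@NB4GtdFn9drd"):
        print(f"{pw:<28} {check_password(pw) or 'ok'}")
    vault = {"google": "vBMEVdHtFMbPtm5aWpSCPTQRy", "linkedin": "letmein",
             "bank": "letmein", "email": "hSTw@CJNyyxH@NB4GtdFn9drd"}
    print("reused across:", find_reused(vault))
```

The blocklist here is only the 24 entries on this page; in practice you would load a list of millions of leaked passwords, and the lookup stays a set membership test either way. The reuse scan is the check a password manager's security audit performs for you.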