How can you ACTUALLY be more safe online?
Now that you know how a password gets cracked, what can you actually do to prevent those attacks? And what can you do to limit the damage when one succeeds? We touched on some of this in the Conclusion section, but we will go into more detail here.
Complex passwords are harder to crack.
The first and most direct way to defend against password hash-cracking attacks is to use a strong password. A password like "123456" will be cracked essentially instantly, and hopefully this guide has shown you that many "normal" passwords fall in a similar amount of time. In terms of what we showed in this guide, a stronger password is much less likely to appear in the common-passwords text file (the wordlist) that an attacker feeds to their cracking tool. More thorough attacks use much larger wordlists, or try every possible combination of characters up to some length (a brute-force attack). A brute-force attack takes longer, but it will eventually find any password that fits within the length and character set it tries. Increasing the length of your password, however, makes the number of combinations grow exponentially: every extra character multiplies the number of guesses the attacker has to make by the size of the character set. Past a certain length the attack does not so much fail as simply take years, decades, or far longer to complete.
Longer passwords are stronger passwords.
Okay, so increasing password complexity is good, but what does that actually mean? We've already mentioned one way to do it: increase the password's length. A longer password is less likely to be in a common-passwords list, and it takes exponentially longer to brute force. Those two benefits, being less likely to be in a wordlist and more expensive to brute force, are what every measure of password strength in this section comes down to.
Another main way of increasing password strength is to vary the types of characters used. In addition to being horribly short, "123456" uses only one type of character: digits. A stronger password mixes digits with alphabetic characters (letters, ideally both upper and lower case) and special characters such as the exclamation point ("!"), the "at" symbol ("@"), and the tilde ("~"). Each additional class of characters enlarges the set of characters an attacker has to try at every position.
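To put numbers on the two ideas above (length multiplies the search space exponentially, character classes enlarge the alphabet), here is an added Python example. It is not code from this guide: the character classes, the sample passwords and the guess rate of 10 billion hashes per second (roughly one modern GPU against a fast, unsalted hash) are assumptions chosen for the illustration.

```python
import math
import string

# Character classes a brute-force attacker has to include once they know
# (or guess) which kinds of characters the password uses. Assumed for this
# example; real tools let the attacker pick any mask they like.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "special": set(string.punctuation),         # 32 printable ASCII symbols
}

# Assumed guess rate for the illustration: 1e10 guesses/second is in the range
# of a single GPU against a fast unsalted hash such as MD5 or NTLM.
GUESSES_PER_SECOND = 10_000_000_000


def charset_size(password: str) -> int:
    """Size of the smallest alphabet built from CLASSES that covers the password."""
    size = 0
    for members in CLASSES.values():
        if any(ch in members for ch in password):
            size += len(members)
    if size == 0:
        raise ValueError("password uses characters outside the classes above")
    return size


def keyspace(password: str) -> int:
    """Candidates a brute-force attack must be prepared to try:
    alphabet size raised to the password length."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second.
    On average the attacker hits the password after about half of this."""
    return keyspace(password) / rate


def describe(seconds: float) -> str:
    """Human-readable duration for printing."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.3g} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    if seconds < year:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    # Constructed sample passwords, ordered to show that length beats a
    # fancy character mix: 12 lowercase letters out-scale 8 mixed characters.
    for pw in ["123456", "Pa$$w0rd", "correcthorse", "correcthorsebatterystaple"]:
        print(f"{pw:28} alphabet={charset_size(pw):3} "
              f"keyspace=2^{math.log2(keyspace(pw)):.1f} "
              f"worst case {describe(seconds_to_exhaust(pw))}")
```

Running it shows "123456" exhausted in a fraction of a millisecond, "Pa$$w0rd" in about a week, and the 12-letter all-lowercase "correcthorse" taking longer than the 8-character mixed one, which is the whole argument for length. The estimates assume an unsalted fast hash; a slow, salted password hash on the server side raises every figure by orders of magnitude, but that is the site's choice, not yours.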
Warning: Some websites do not allow certain special characters. This is unfortunate as it limits your ability to create complex passwords, but there are usually many special characters left over to play with.
Often, when a website forces people to include a special character, they simply add an exclamation point to the end of their password. This does increase the complexity of the password slightly, but the habit is so common that cracking tools account for it: wordlist attacks are normally run with "mangling rules" that automatically try each word with "!" (or a digit, or a year) appended, with the first letter capitalized, and so on. "Password!" is not meaningfully harder to crack than "password".
Special characters help against brute-force attacks, since they enlarge the character set the attacker has to try at every position, but they help even more against wordlist attacks. Wordlists are built from passwords people actually use, and special characters are rarer in those, so a password containing them is less likely to be in the list. That only holds, though, if the special characters are used in an unpredictable way.
So how do you get around this? Vary how you use your special characters. Put one in the middle of the password where nobody would expect it, in a position that has nothing to do with where a word starts or ends. Be aware that the "obvious" substitutions (replacing "a" with "@", "e" with "3", "s" with "$") are also in the standard rule sets, so "p@ssw0rd" buys you very little; a random character in a random position is what actually helps. It may make your password harder for you to remember, but it makes it harder to crack, too. (There are also many applications, called password managers, that securely store your passwords and can generate random ones for you. We will not go into those in this guide, but feel free to research them on your own!) This is one reason the passwords suggested by your computer, at least on a Mac, are unintelligible messes: they are random, and random is exactly what a cracking tool cannot predict.
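The two habits just discussed, tacking "!" on the end and swapping letters for look-alike symbols, are cheap for an attacker precisely because a wordlist attack can apply those transformations automatically. The following Python is an added example, not code from this guide, of a miniature wordlist-plus-rules attack against unsalted SHA-256 hashes. The wordlist, the rule set and the "dumped" hashes are all constructed inline; real wordlists have millions of entries and real rule files thousands of rules, so a password this toy attack misses is not necessarily safe, but a password it finds is certainly not.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# A tiny common-passwords list, constructed for this example.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "baseball", "monkey"]

# Letter-for-symbol substitutions that users think are clever and rule files
# already contain.
LEET_LIGHT = str.maketrans("ao", "@0")
LEET_FULL = str.maketrans("aeios", "@310$")

# Base transformations applied to each wordlist entry ...
TRANSFORMS: List[Tuple[str, Callable[[str], str]]] = [
    ("as-is", lambda w: w),
    ("capitalize", str.capitalize),
    ("leet a@ o0", lambda w: w.translate(LEET_LIGHT)),
    ("capitalize + leet a@ o0", lambda w: w.capitalize().translate(LEET_LIGHT)),
    ("leet a@ e3 i1 o0 s$", lambda w: w.translate(LEET_FULL)),
]
# ... combined with the suffixes people reach for when told to "add a symbol".
SUFFIXES = ["", "!", "1", "123"]


def build_rules() -> List[Tuple[str, Callable[[str], str]]]:
    """Every transform crossed with every suffix, in the spirit of the rule
    files shipped with John the Ripper and hashcat (constructed toy version)."""
    rules = []
    for tname, transform in TRANSFORMS:
        for suffix in SUFFIXES:
            name = tname if not suffix else f"{tname} + append {suffix!r}"
            # Default arguments bind transform/suffix now, not at call time.
            rules.append((name, lambda w, t=transform, s=suffix: t(w) + s))
    return rules


RULES = build_rules()


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for whatever weak hash the site used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST, rules=RULES) -> Optional[Tuple[str, str, str]]:
    """Try every wordlist entry under every rule. Returns (plaintext, base word,
    rule name) for the first candidate whose hash matches, or None."""
    for word in wordlist:
        for rule_name, rule in rules:
            candidate = rule(word)
            if sha256_hex(candidate) == target_hash:
                return candidate, word, rule_name
    return None


def crack_many(hashes: Dict[str, str]) -> Dict[str, Optional[Tuple[str, str, str]]]:
    """Run crack() over a {username: hash} dump."""
    return {user: crack(h) for user, h in hashes.items()}


if __name__ == "__main__":
    # Constructed "dumped" hashes of passwords users might choose after being
    # told their password needs a capital, a digit or a special character.
    dump = {
        "alice": sha256_hex("password!"),   # "!" on the end
        "bob": sha256_hex("P@ssw0rd"),      # capital plus leet substitutions
        "carol": sha256_hex("Dragon123"),   # capital plus "123"
        "dave": sha256_hex("pass!word"),    # special character in the middle
    }
    for user, result in crack_many(dump).items():
        if result:
            plaintext, base, rule = result
            print(f"{user}: cracked -> {plaintext!r} (from {base!r} via rule {rule!r})")
        else:
            print(f"{user}: not found with this wordlist and rule set")
```

Alice, Bob and Carol are cracked after at most a few hundred hash computations each; Dave's password survives only because none of the toy rules inserts a character mid-word. The lesson is not that "pass!word" is strong (a bigger rule set or wordlist may well contain it) but that any transformation an attacker can describe as a rule costs them almost nothing.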
2-Factor-Authentication adds an additional link that hackers must compromise.
Two-factor authentication (2FA) is a class of methods that require a second factor, often something physical that you have, in addition to your password in order to log in. These range from a one-time code texted to your phone or generated by an authenticator app, to a physical (usually USB) security key with a cryptographic secret onboard. In those cases an attacker who already has your password would also need to compromise your phone or your cell carrier, or physically steal your key, in order to log in. That makes it orders of magnitude harder to take over your account. (The methods are not all equal: a texted code can be intercepted by someone who talks your carrier into moving your number, and any code you type in can be tricked out of you by a fake login page, while a hardware key is much harder to defeat. Any of them is far better than none.) Of course, this only works if you actually enroll. It is highly recommended that you enable 2FA on all of your important identity and banking-related accounts.
Some people will try and trick you into giving them your password.
Social engineering may sound fancy, but all it really means is a con: someone tries to convince you to hand over, or otherwise reveal, your password so that they can use it for their own purposes. One popular approach is to pretend to be from some service on which you have an account. They may email you or call you saying they need your username and password to fix a problem with your account. Do not trust this. A legitimate service never needs your password to fix anything, and they are trying to steal it. It is always best to check these "issues" first on your own, by going to the service's website or app directly rather than through a link in the message. If the problem truly exists, you can then contact the appropriate people to fix it. Otherwise the issue is fake, and someone just tried to steal your password.
Even if you trust the person, simply having your password out there is a risk
Related to the social engineering point, sharing your password is also bad. Sometimes it may be necessary, especially for a shared family account, so try to limit it as much as possible. Even if you give your password to someone you trust, doing so creates another place for an attacker to find it. Maybe that trusted person writes your password down somewhere insecure, or keeps it in a chat message on a phone that later gets stolen. It is not malicious, but it creates another opportunity for your password to be taken.
Public WiFi is available to anyone, including hackers. This makes the networks dangerous.
As we've talked about, there are many WiFi networks out there. Open your laptop right now and you will probably find at least 10-20 networks in range. Some are safer than others. "Free" or "public" WiFi, like the WiFi at a Starbucks or an airport, is not great from a security perspective. It usually has no password, so anyone can join. That is fantastic from a practical perspective, since anyone at the venue can get online, but it also means anyone on the network, including an attacker, can watch the unencrypted traffic passing over it, set up a look-alike network with the same name to lure devices onto it, and go about other malicious activities.
As with sharing your password, sometimes connecting to public WiFi is unavoidable; sometimes your device connects automatically! If you must use public WiFi, avoid transmitting sensitive data over it. That means avoiding logging in to services (which usually means sending your username or email and password), submitting credit card numbers, your address, and so on. Most websites now use HTTPS, which encrypts what you send even over an open network, so at minimum check for the padlock in the address bar before typing anything sensitive, and treat a certificate warning on a public network as a reason to stop, not a pop-up to click through. A VPN is another way to keep your traffic private from whoever else is on the network.
Keeping your passwords dynamic keeps hackers on their toes.
Even if you follow all of the above steps, it is still possible for you to get hacked. An attacker could still somehow obtain the hash of one of your passwords and begin cracking it. Is there anything else we can do?
The answer is yes. Remember that stronger passwords take much longer to crack, on the order of months to years if they are good enough. Given enough time and computing power, an attacker holding your hash may still get there. But what if the attacker could never get in the door because the lock kept changing? That is what you do when you change your passwords every so often. (This could be every few months to every year; it is up to you, but changing on some schedule is better than never changing. The one time you should always change a password immediately is when a service you use announces a breach, because at that point an attacker may already be holding your hash.)
Does this take more effort? Yes, especially when you do it correctly, which means never going back to a password you have used before. (If you reuse an old password, it is possible an attacker cracked it the first time around, had the lock changed on them, and was simply waiting and hoping for the lock to be changed back. Congratulations: by reusing it, you have granted that attacker their wish.) The same logic applies across sites: never use one password on two different services, or a single cracked hash opens both.
In the end, however, it is worth the effort. Getting hacked is no joke, and although it is a pain to deal with, it is possible to mitigate the damage. Go to the next section for more on that!