Hundreds of millions of account credentials for LinkedIn recently showed up for sale on a dark web forum, four years after hackers grabbed them.
And on Wednesday, the service was emailing users to tell them their account may have been affected and it had invalidated a number of passwords. It also said you should change your password immediately.
Fortunately, there’s an easy way to come up with a complex password that you won’t end up forgetting five minutes later.
“One of the easiest ways to give yourself a strong password would be using a full sentence,” said Kurt Muhl of RedTeam Security.
Based in St. Paul, Minn, the cybersecurity firm of ethical “white hat” hackers helps companies find security flaws before the bad guys do.
The full-sentence technique works like this: Think of an everyday phrase that you can remember, like “My #1 favourite thing in the world is my family,” or as Muhl gives as an example, “I bought my house for $1.”
Then you take that sentence and convert it to a password by grabbing the first letter of each word. “I bought my house for $1” then becomes Ibmhf$1.
“That’s going to give your uppercase, lowercase, a number, and special characters in there,” Muhl said. “It’s something that’s easy to remember. All you gotta do is remember that sentence.”
It seems simple, yet many people still resort to weak passwords, which hackers can easily guess using free software tools like John the Ripper. A password that has a word found in a dictionary with a number thrown on the end is something that a tool like “John” could break in about an hour, Muhl explained.
Passwords like “123456” or “password” — consistently found on worst password lists — would only take seconds to crack.
“That is the first thing that we try to go after,” Muhl said.
As Muhl explained, John works off dictionary lists — massive text files you can find on any number of hacker forums — that contain words, phrases, numbers, and other password possibilities. It basically keeps trying combinations of words and numbers until it gets it right, which wouldn’t take long if the password is particularly weak.
But Muhl’s technique makes a dictionary attack fairly impossible, since it’s not a word at all. The password becomes even stronger if you have more characters, since the added length ups the number of possibilities.
“The longer your passwords could possibly be,” Muhl said. “The more guesses it’s gonna take for me to get it right.”