Hackers are the craftiest of fish. They nibble at your account day by day: 2 wrong password attempts, then they stop before the 3rd attempt locks your account. On a system that resets the failed-attempt counter whenever the real user logs in successfully, they then wait for you, the user, to log in and clear the count before they try again. Think about how often you log into your most important accounts. Every day? Once a month? Less often than that? On such a system, the more frequently you log in, the more guesses you hand the hackers, and sooner or later, depending on how common your password is, one of those guesses may land. One caveat before the tips: many systems (Windows domain accounts, for example, with their "Reset account lockout counter after" setting) also clear the counter after a fixed quiet period, whether or not you log in. Against those, the hacker paces their guesses by the clock instead of by your logins, so staying signed in helps less.
And how do I score here? Well, the joke’s on the hackers. This blogger stays signed into accounts for months until I’ve forgotten my password and reset it to a new one. Hackers can’t test more than two passwords before locking my account up, even if they wait weeks for my next login. If you want more than just dumba** methods that work sometimes (if you’re lucky), read on. Read about 6 tried-and-true methods to prevent password hacking below.
Restrict the number of wrong password attempts
An authentication system sets the number of wrong password attempts a user can make before the account locks. Picking that number is harder than it looks. Too many attempts and hackers will be breaking in all over the place. Too few attempts and angry users who made one typo—just one typo!—will be revolting at the CTO’s door. A low threshold also makes it easier for someone to lock a legitimate user out on purpose, simply by typing wrong passwords at their account. The threshold is usually one of three knobs, alongside how long the lockout lasts and how long a quiet period clears the failed-attempt counter. Still, it can be fun every so often to trip up hackers by dropping those 3 strikes down to 2. It’ll be fun as long as your users have a certain capability...
Self-Service Password Reset
Self-service password reset lets users reset their own password without calling the help desk. The process varies from application to application and may not come with every software package. If you would like to learn more, download this tech brief on Centralized Self-Service Password Reset. I have done tons of password resets with my accounts, and they usually depend on a few things to authenticate the user: security questions, an email address associated with the account, and/or remembering previous passwords. Keep in mind that the reset path is only as strong as those checks: security-question answers that can be looked up on social media turn the reset feature into the hacker’s easiest route in.
Self-Service Account Unlock
Self-service account unlock lets users enter a credential of some kind that unlocks their locked account. After the allowed strikes (3 in the examples above) the account locks, and instead of waiting for the help desk the user clears the lock themselves, usually by answering security questions. If an end user keeps getting account lockouts they cannot explain, that is a sign someone is guessing passwords against the account without caring whether the user notices (the other common cause is a forgotten device or script still trying an old password). If this happens to you, contact your Administrator immediately, who can check where the failed attempts are coming from and help prevent password hacking.
Choose usernames not mappable to your name
Usernames often contain your initials or some form of your first and last name. That makes your username ridiculously easy for hackers to guess, leaving them only the password to work out. Where would they get your name? Why, social media of course!
Be wary on social media
Use a nickname instead of your full name on social media accounts, so your public name does not lead straight to your username. This may throw hackers off completely, especially if your nickname starts with a different letter than your first name. Be careful about posting contact info on your profile, too. If your email address is visible to contacts only, the hacker just has to create a fake account and get you to accept it, and your email address (often your username) is in plain view.
Codes of numbers are your friends
If you get to choose your username on an important account, you may prefer to have a word in it. Counter-intuitive as it seems, long strings of digits can be your allies against hackers. Take out a die, roll it six times, and write down the results. Six rolls give one of 6^6 = 46,656 equally likely sequences, and many systems allow up to 16 characters in a username, so a longer string of random digits makes an even bigger haystack. The hacker now has to guess the username before they can even start on the password, and that helps you prevent password hacking. One catch: this only works if the login page does not tell the hacker which of the two was wrong, or otherwise reveal which usernames exist.
All in all, the ability to prevent password hacking can be achieved through collaborative efforts between CTOs and end users. Tune in next time for more authentication security tips!