Passwords are a sensitive topic around IT personnel. It’s one of the most important pieces of information for any user, because they give us access to our accounts, files, and devices. Having said that, passwords are in most cases very easy to guess. Hey, “123456”: you’re not fooling anyone. In fact, on a recent study performed by Passlo, “123456” was the most used password by the FTSE 100 of the London Stock Exchange in the UK.

And to no surprise, “password” was in second place. Why? Because we’re lazy, and we don’t know better. There is no “password crash course” on our school system, and most of our password knowledge has been learned by following certain rules and guidelines provided by our own devices and services. And of course, most of us don’t even care about the consequences. Why do I have to care about my email password if I don’t have a bank account and I stash my money below the mattress?

A savvy hacker can get into your email account, and based on his research on your emails, get to know your address, social security number, and even the names of your friends and family. Having all that information is critical: an attack of social engineering may leave you without money even if you don’t believe in banking.

So, let’s delve into the consequences of having bad passwords, what is a bad password exactly, and how to defend ourselves against any attacker: man or machine.

Why a secure password is a good idea

Computer devices and systems are fundamentally built with digital doors to access or use them, and passwords are usually the keys to those doors. Of course, nowadays we use a huge amount of computer devices, from PCs, phones, and home appliances, to machines and servers in the workplace. Most of those machines are connected to the internet and to each other, sometimes in ways that are hard to explain in layman’s terms.

Passwords are important because they secure these doors that protect key aspects of our lives. Our bank accounts have passwords: if a hacker gets them, our money is in danger, or our credit cards can be used in fraudulent ways. Our email has a password: a malicious actor can break havoc as we said earlier, searching for useful information that can be used to commit fraud, to attack another person using social engineering, or even by using your social security number to open accounts in your name.

Our computers, especially when we have admin accounts, aren’t safe either. An admin or root access to a machine can be used for a huge amount of malicious purposes. A hacker may install whatever he wants on your device, such as malware, and encrypt your files to hold them hostage on a ransomware attack. A hacker can also install a keylogger: an app that records everything you type in, including your ‘other’ passwords and private conversations. As you may have deduced by now, a single key –the ‘unimportant’ password of your computer or mobile phone– may be able to handle the entire keychain to a hacker.

The cherry on top of the security mistake sundae is using the same password for everything –akin to having 25 copies of the same key to open every door in your house.

Bad passwords

According to most security researchers, there are two ways to know with certainty when a password is bad: when it’s easy for a computer (or a human) to guess it, and when it’s hard for a person to remember.

Brute force and dictionary attacks

There are a lot of ways for someone to obtain your passwords, such as phishing or social engineering. However, when a hacker doesn’t have much control –or doesn’t know that much about you– he will use tools to decode your password, commonly known as crackers. This is software specially designed to break-in using a method called “brute force”: try as many combinations of numbers and letters as possible until you get a match.

Cracking a password is made easier by one of the first mistakes of any computer user: using a common word in your password. Almost every professional cracking tools make use of a wordlist or a list of default passwords. This method is called a “dictionary attack”, and it’s very easy to get positive results with it. Remember how common “123456” was? The same can be said about “password1”, “qwerty”, “secret”, “nothing” and “admin”. A lot of combinations of letters and numbers can also be found in this Wikipedia article that collects data from several data breaches.

Common algorithms to encode your password are also dangerous, such as spelling your password backward, using leetspeak or internet slang, and even interleaving words (e.g. “swtaarrs”). Most dictionary attacks have some of these techniques in mind when trying to break into your accounts.

Public and private information

Let’s face it: everyone has had a password with our home address, our birthdate, or the name of a relative. We can’t stress enough how unsafe these passwords are. A person with some knowledge of you may be able to guess your passwords without even trying or using any of the software described above. 

Social media can be dangerous too. Sites like Facebook hold and make public information that can be useful for a hacker to appraise data you may have used in your passwords. For example, if I was born in 1990, there is a chance that any 4-digit PIN number that I have could be “1990”, or “0831”, for my month and day of birth.

We should also emphasize that password hygiene calls for secrecy. Don’t disclose your passwords to friends and family. When you’re typing your password, don’t let anyone watch it or record it. If you think your password is compromised, change it immediately.

Hard passwords

The other side of the spectrum is a password like this: “zX7dhbo02Tns1iYpaW8”. A beautiful, uncrackable password, but so hard to remember that is unusable.

Another rule of thumb of security professionals: if your password is so hard to remember that you have to write it on a piece of paper, a post-it note, or a notebook, it’s absolutely worthless. A written password is very easy for someone to steal and misuse. The same goes for passwords saved or stored in other devices. The most common case is that person who stores sensible passwords for their banking or computer on their mobile device, even as photographs. If someone steals your phone, that person suddenly has the keys to the entire castle.

The only case where a password should be that hard to remember is when you use software like a password manager. You could have very hard passwords for all your accounts, and not having the need to remember them. Otherwise, just stick to our advice on having great passwords.

How to have great passwords (and how to keep them secure)

There are a considerable amount of techniques to slow down a password cracking process. In theory, the longer and nonsensical your password is, the better. But as we said earlier, a hard password can be hard to remember, therefore useless. Use one or several of these techniques to become a master of passwords.

Use a combination of letters, numbers, and symbols

The most common way to add complexity to a password is by replacing some of the characters with numbers. There is a usual replacement of vowels: the letter “a” is replaced with a 4, “e” with a 3, “i” with a 1, and “o” with a 0. Another recurrent replacement is the letter “S” with the “$” symbol. 

This is a very basic technique and your password won’t be very difficult to decipher if you’re consistent, so the trick is to randomize it. Try to use words that have two of the same letter, and only replace it for a number or a symbol on the first one.

Of course, you don’t always have to replace letters, and instead, you can add numbers and symbols to letters as you see fit. Just don’t make your password impossible to remember in the process.

Try an algorithm or invent your own

You can devise a process to modify a word, a phrase, or a sequence of numbers to craft a very strong password. The trick is to remember the algorithm, so you can retrace the steps and always remember it. That way, the attacker needs to know the specific algorithm or combination you created to crack it. 

We advise you not to use the same algorithm for all your passwords, though. Here are some examples:

Interlacing numbers and letters. For example, my pet’s name and her birthdate: “0m8o0c5h1i9”. Just steer away of the obvious ones, like “1q2w3e4r”, number 13 on the list of the most common passwords of 2019.

First letters of a sentence. A good and very pneumonic way to create a password. For example: “The pizza place called Joes is in # 623 Main Street! Good pizza” can be translated to “TppcJii#6MS!Gp”, which is gibberish for a machine but makes a lot of sense when you know the sentence. You only need to remember the original phrase –and your own spelling, grammar and punctuation rules– and you’re good to go.

A secret language or argot. This is a technique that could have its own paragraph but, to be fair, almost all secret languages are algorithmic in nature. For example, in Latin America we have a secret language called jerigonza, where you duplicate every vowel in a syllable adding the letter “p” (e.g. “Vamos” is “Vapamopos”, “Caballo” is “Capabapallopo”, and so on). Using a secret language is useful to avoid getting cracked by dictionary attacks, because your password becomes nonsense to a machine. Here’s a useful list of worldwide secret languages.

Use pop culture that can’t be traced back to you

Most of our passwords tend to be things we like to remember, like important dates or movies and musicians we enjoy, which are easy to guess. What if we go the other way around?

Let’s say for example, you’re a girl who likes soccer and stoner rock, and hate pop music and chick flicks. Anyone who’s trying to guess your password using social engineering –i.e. by studying your behavior in social media– would default to your personal taste in music and films, with attempts like “liverpool”, or “kyuss01”, and you can fool them just by using passwords like “MeanGirls” or “ILoveLadyGaga”.

Of course, this technique is still vulnerable to a dictionary attack, because you’re using plain, recognizable words. We encourage you to combine this approach with other recipes, like a strong algorithm.

Use a password manager

One safe alternative is to use software that does all the heavy load of remembering passwords that are hard to decipher while creating new ones if needed. Most password managers are very safe and need very little configuration on your devices, and can generate strong, uncrackable passwords for your accounts.

Takeouts

Cybercriminals are always looking for creative and complex ways to get inside our devices, but amidst that complexity and creativity lies a familiar road: passwords. No matter how secure a device is or how many countermeasures it has, if a hacker gets the keys, it’s game over.

We encourage everyone to protect their devices by being smarter. If you think your password is complex, think again. Change all your passwords periodically, be inconsistent, don’t repeat them between accounts and devices, and always think of new ways to improve your password strategy. After all, your security is at risk.

First, it was Google, then Facebook, and now Twitter. Even if big tech companies aren’t necessarily the norm, the big three have decided to jump on the remote work bandwagon even after the pandemic. And it’s not by luck: thousands of people are going to stay at home instead of going back to the offices.

With the arrival of a virus that confined us to our personal spaces, the world began to change. To adapt. Companies around the globe transitioned from work to home, and their employees, after several months of meetings by Zoom and couch-made decisions, will voluntarily change the gaze of their bosses for the attention of their children or pets. It’s an undeniable change, which has been dubbed “the new normal”.

However, this change will not come without resistance. This goes beyond saying: the world of work is nothing more than a great tradition that we have been repeating as a society, between ethnic groups and territories, in very similar ways. Putting on a suit, sitting in a cubicle from 9 to 5, Monday through Friday, having lunch for an hour and carpooling are codes, and there are many people out there –in many cases, in positions of power– who want to dump the new normal into the garbage can as soon as possible.

The ancient history of office work

Our offices as workspaces are a rite that we have followed without much question. The surprising thing is: this rite is not really that old. Offices are the answer to the modernization of employment in the middle of the 20th century, after almost three centuries of constant change and refinement of industrial work. In the 1940s and 50s, modern printing machines and typewriters were fuel for the exodus: the labor force in factories, fields, and mines migrated to noisy bullpens. Women and minorities joined this change, now free from the chains of tradition and ready to join these new spaces.

Over time, the office became a different, safe space. Also, this same space and its distribution became a control tool. For Foucault, the school and the Army were disciplines of the body; the office presence was the logical form of work of this disciplinary society. Time controls, dress codes, hierarchy flourished; all of them embedded with new responsibilities. It would be the birth of a new tradition.

Of course, the workspace is different from home, and that difference has its advantages. The separation between work and home establishes a difference between what’s public and private. It also draws a clear line between what happens in the work environment –productivity– versus the family and recreational space of the house. The office environment is also a social space, and therefore secure in terms of peer interaction, sociability, and human contact.

In the same way, it can be monitored and controlled in ways that would be unthinkable if that space did not exist. The rules and the different office services are usually different from what we can find at home. Free coffee, casual Friday, office hours, Intranet? All born under the wing of these new spaces.

However, this normality has ended up producing a good number of disadvantages that we cannot deny. The office became a place of alienation: to belong to this safe and different space is to lose your own identity. Long hours of work and less time at home, made us think that our real lives were not so valuable. We began to miss our families and friends. Free time became a longing. The rhythm of work began to exhaust us, to extinguish us. Stress was on the rise, the commute to work became tedious and the return was the only moment of peace.

The answer to that –thanks to our hyperconnected reality– was remote work: an option to make employment and home compatible. Unfortunately, that option was never the rule, but the exception.

Remote work with no obligation

If we bring together a dozen managers of large companies and ask them about remote work, they will most likely spurt out a list of reasons why not to implement it.

For the management world, working from home has measurable downsides: a decrease in productivity, the difficulty of micro-managing employee time, and the technical feat of keeping an employee working at home with office resources. It’s often argued that working from home is insecure for the company in terms of cybersecurity –an argument that we have made in the past– and that it reduces the value of spaces that the company already uses, such as its offices.

However, and outside of the most tangible reasons, the problem with remote work is a problem of tradition. The uncomfortable truth behind the refusal to send employees home: the system seems unprofessional.

The truth is that remote work began to be a possibility because the world took its paradigm to the extreme. The wide possibility of being connected thanks to powerful internet connections was the fuel to transfer productivity to homes, and long working hours and office speed were the catalysts for a chemical reaction that found strong resistance on those believers in the traditional work model.

A social change

This moment in history is linked to a generational change, key in many social processes. The baby boomers, accustomed to the standard office model –and for the most part with guaranteed lives, families, children– are on the verge of retirement. Meanwhile, hordes of digital natives and millennials populate entry-level jobs, valuing free time and personal growth far more than gross productivity.

This contrast has tipped the scales towards remote work for years, where various studies pointed to this job transformation, by the hand of millennials, as a sort of “salvation” for the rest of the workers. Back then, those born at the end of the 20th century were considered “lazy and entitled”.

However, the arguments for or against this change had to be frozen solid with the arrival of the pandemic. Quarantine violently changed the way we work and made us remember our own usefulness, even from home. This forced change threw us into a decisive social moment, where the balance can turn towards remote work and away from the bureaucratic culture of the offices.

This force is part of a multitude of changes that are already taking place in business. The possibility of contagion from COVID–19 will continue to be quite high, so the offices will seek to minimize the number of employees in common spaces and meeting rooms. At the same time, companies are scrapping their office spaces and renegotiating contracts, which has sunk the office real state business. The icing on the cake is the probable migration: hundreds of thousands of people with remote job possibilities will migrate from spaces with astronomical prices –a rental in Silicon Valley is not exactly cheap– to places with a better quality of life.

This new era of remote work will not be easy for workers either. As soon as businesses assume that their workforce will stay home forever, a new era of control will begin. Many employees who stay at home will have to use monitoring software to control their productivity –software that has been already developed– and keep that “feeling” of performance safe.

The good news is that tech companies that drive innovation are going in a good direction. A few days ago, Twitter and Square, led by Jack Dorsey, announced that their employees will be able to continue working from home as soon as the quarantine is finished. This decision is expected to end up pushing –or at least serving as an example– for many other digital businesses.

Takeaways

It will take a long time for the social conflict between tradition and remote work to elicit a real change. A lot of companies in the United States do not plan to open their offices until the last quarter of this year, with severe security measures. We also do not know if more companies will definitely get on the remote work phenomenon, or consider this quarantine as an outlier.

The truth is that even predictions give remote work an advantage. In 1964, science fiction writer Arthur C. Clarke predicted a series of technological advancements that would be the rule fifty years later, such as the internet, 3D printing and robotic surgery. The only prediction he seemed to miss was that workers would not commute to work daily and travel only for pleasure.

It seems that a pandemic was necessary for the prediction to be fully accurate.