These forms of attack mean everyone should use passwords as lengthy as practically possible, using random collections of as many alphabetic, numeric, and symbolic characters as feasible. Even unsophisticated computers today can guess 8-character passwords relatively quickly, so they will not stay secret for long. Most experts recommend at least 12 characters, and more is better.
This also means to be wary of sites which limit the available character set or force the user to use a short or even a fixed-length password. Suppose that the site compels everyone to use a 12-character password. That length is reasonably good, but it also means that hackers do not have to guess any combinations of 1-11 characters, or 13 and more. This means a far faster path to cracking.
Optional Video: Password haystacks are a way to help you remember complex, hard to crack passwords. To learn more, watch Bite-Size CPD – Password Haystacks [8:05 minutes].
Dictionary attacks, which might include passwords harvested from past breaches, point to another thing which one must never do: reuse passwords on multiple sites.
Let’s say a computer user came up with a great password using lots of random characters. Something like “JIEl34(+rEleoo”. They are so proud of it that they commit it to memory and use it on every site, ranging from their online banking account to the forum they visit covering their aquarium hobby.
Now suppose the aquarium forum is hacked, and all the user ID’s and passwords are compromised. Two things will happen. The discovered passwords will be added to online dictionaries, helping future hackers in their guessing attempts. But more immediately, hackers (both the ones who cracked the forum and others who download the list) will visit high-value sites and try the same user id/password combinations. They know that many people reuse passwords, and so the criminals will go to major banks, social media sites and other high-traffic locations. Since the victim was using the same password for their bank, those accounts are now at risk.
Reusing passwords simply cannot be done. It opens a gaping hole in a security profile. While a bank presumably has high security and may not be hacked, there is a far better chance that one of the other sites with a reused password, and which may have lesser security protection, will be compromised.
It is good practice to change passwords periodically, especially if they are protecting high-value assets like bank accounts. The longer the information exists, the higher the potential for it to be recorded or noted. For example, a disgruntled employee at a site may have downloaded the credentials of every visitor to use later. It is far better if the information they stole is obsolete.
Also, if there is a known breach at a site, immediately go and change the credentials there. This must be done carefully, to make sure the hackers do not now control the site so they can harvest new passwords. This might require more investigation to ensure one is dealing with a clean site.
One of the truisms around passwords is that people often write them down on a sticky note, stuck to their monitor or under their keyboard. Although this is not accessible by online hackers, many breaches originate internally, and fellow employees or even cleaning staff might come across this information.
Suffice it to say that any credentials should never be written down unless absolutely necessary, and if so, those notes should be stored in an appropriately secure location.
Optional Video: For further review of these password basics, watch Stupid Password Practices [6:43 minutes].