Disable insecure password warning in Firefox. This connection is not secure - how to disable this warning in Firefox

Most attackers don't bother with sophisticated methods of stealing passwords. They take combinations that are easy to guess. About 1% of all currently existing passwords can be guessed in four attempts.

How is this possible? Very simple. You try the four most common combinations in the world: password, 123456, 12345678, qwerty. After such a pass, on average, 1% of all “caskets” are opened.

Let's say you are one of the 99% of users whose password is not so simple. Even in this case, you have to take into account the performance of modern password-cracking software.

John the Ripper is a free and publicly available program that can check millions of passwords per second. Some samples of specialized commercial software claim a capacity of 2.8 billion passwords per second.

Initially, hacking programs run through a list of the statistically most common combinations, and then turn to the full dictionary. User password trends may change slightly over time, and these changes are taken into account when updating these lists.

Over time, all sorts of web services and applications decided to forcefully complicate passwords created by users. Requirements have been added according to which the password must have a certain minimum length, contain numbers, uppercase and special characters. Some services take this so seriously that coming up with a password that the system would accept takes a really long and tedious time.

The key problem is that almost any user does not generate a password that is truly resistant to guessing, but only tries to meet the minimum requirements of the system for the composition of the password.

The result is passwords in the style password1, password123, Password, PaSsWoRd, password! and the incredibly unpredictable p@ssword.

Imagine you need to change the password spiderman. Most likely it will end up looking like $pider_Man1. Original? Thousands of people will change it using the same or a very similar algorithm.

If the attacker knows these minimum requirements, then the situation only gets worse. It is for this reason that the imposed requirement to make passwords more complex does not always produce better passwords, and often creates a false sense of increased security.

The easier the password is to remember, the more likely it is to end up in the dictionaries of cracking programs. As a result, it turns out that a truly strong password is simply impossible to remember, which means it needs to be stored somewhere.

According to experts, even in this digital age, people can still rely on a piece of paper with passwords written on it. It is convenient to keep such a sheet in a place hidden from prying eyes, such as a purse or wallet.

However, a sheet of passwords does not solve the problem. Long passwords are not only difficult to remember, but also difficult to enter. The situation is aggravated by virtual keyboards on mobile devices.

Interacting with dozens of services and sites, many users leave behind a string of identical passwords. They try to use the same password for every site, completely ignoring the risks.

In this case, some sites act as a nanny, forcing you to complicate the combination. As a result, the user simply cannot figure out how he had to modify his standard single password for this site.

The scale of the problem became fully realized in 2009. Then, due to a security hole, a hacker managed to steal the database of logins and passwords for RockYou.com, a company that publishes games on Facebook. The attacker placed the database in open access. In total, it contained 32.5 million records with usernames and passwords for accounts. Leaks have happened before, but the scale of this particular event showed the whole picture.

The most popular password on RockYou.com was 123456, used by almost 291,000 people. Men under 30 more often preferred sexual themes and vulgarity. Older people of both sexes often turned to one or another cultural area when choosing a password. For example, Epsilon793 doesn't seem like such a bad option, except this combination was in Star Trek. The seven-digit 8675309 has been seen many times because it was featured in one of Tommy Tutone's songs.

In fact, creating a strong password is a simple task; all you need to do is create a combination of random characters.

You won't be able to create a perfectly random mathematical combination in your head, but you don't have to. There are special services that generate truly random combinations. For example, random.org can create passwords like this:

  • mvAWzbvf;
  • 83cpzBgA;
  • tn6kDB4T;
  • 2T9UPPd4;
  • BLJbsf6r.

This is a simple and elegant solution, especially for those who use password storage.

Unfortunately, most users continue to use simple, weak passwords, ignoring even the rule of “different passwords for each site.” For them, convenience is more important than safety.

Situations in which a password may be at risk can be divided into 3 broad categories:

  • Random, in which a person you know tries to find out your password, based on information about you known to him. Often, such a burglar just wants to play a joke, find out something about you, or play dirty tricks on you.
  • Mass attacks, when absolutely any user of certain services can become a victim. In this case, specialized software is used. The least secure sites are selected for the attack, allowing multiple password variations to be entered in a short period of time.
  • Targeted, combining the receipt of suggestive tips (as in the first case) and the use of specialized software (as in a mass attack). Here we are talking about trying to get truly valuable information. Only a sufficiently long random password will help you protect yourself, the selection of which will take time comparable to the duration of your password.

As you can see, absolutely anyone can become a victim. Statements like “they won’t steal my password because no one needs me” are not relevant, because you can get into a similar situation completely by accident, by coincidence, without any apparent reason.

Those who have valuable information, are involved in business, or are in conflict with someone on financial grounds (for example, division of property during a divorce, competition in business) should take password protection even more seriously.

In 2009, Twitter (in the understanding of the entire service) was hacked only because the administrator used the word happiness as a password. A hacker picked it up and posted it on the Digital Gangster website, which led to the hijacking of Obama, Britney Spears, Facebook and Fox News accounts.

Acronyms

As in any other aspect of life, we always have to make a compromise between maximum security and maximum convenience. How to find the golden mean? What password generation strategy will allow you to create strong combinations that you can easily remember?

At the moment, the best combination of reliability and convenience is to convert a phrase into a password.

A set of words is selected that you always remember, and the password is a combination of the first letters of each word. For example, May the force be with you turns into Mtfbwy.

However, since the best-known phrases are the ones people will start from, programs will eventually receive these acronyms in their lists. In addition, an acronym contains only letters, and therefore is objectively less reliable than a random combination of symbols.

The correct choice of phrase will help you get rid of the first problem. Why turn a world-famous expression into an acronym password? You probably remember some sayings that are relevant only among your close circle. Let's say you heard a very memorable phrase from a bartender at a local establishment. Use it.

And it’s still unlikely that the acronym password you generate will be unique. The problem with acronyms is that different phrases can consist of words that start with the same letters and are arranged in the same sequence. Statistically, in various languages, there is an increased frequency of certain letters appearing as word starters. Programs will take these factors into account, and the effectiveness of acronyms in the original version will decrease.

Reverse method

The solution may be the reverse generation method. You create a completely random password in random.org, and then turn its characters into a meaningful, memorable phrase.

Often services and sites give users temporary passwords, which are those perfectly random combinations. You'll want to change them because you won't be able to remember them, but if you look a little closer, it becomes obvious that you don't need to remember the password. For example, let's take another option from random.org - RPM8t4ka.

Although it seems meaningless, our brain is capable of finding certain patterns and correspondences even in such chaos. To begin with, you can notice that the first three letters in it are uppercase, and the next three are lowercase. 8 is twice (in English twice - t) 4. Look a little at this password, and you will definitely find your own associations with the proposed set of letters and numbers.

If you can memorize meaningless strings of words, then use it. Let the password turn into revolutions per minute 8 track 4 katty. Any conversion that your brain is better suited for will do.

A random password is the gold standard in information technology. It is by definition better than any human-created password.

The disadvantage of acronyms is that over time, the spread of such a technique will reduce its effectiveness, and the reverse method will remain just as reliable, even if all people on earth use it for a thousand years.

A random password will not be included in the list of popular combinations, and an attacker using a mass attack method will only find such a password using brute force.

Let's take a simple random password that uses upper- and lowercase letters and digits - that's 62 possible characters for each position. If we make the password just 8 characters long, we get 62^8 = 218 trillion options.

Even if the number of attempts within a certain time period is unlimited, the commercial specialized software with a capacity of 2.8 billion passwords per second will spend an average of 22 hours trying to find the right combination. To be sure, we add only 1 additional character to such a password - and it will take many years to crack it.
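The arithmetic above, as an added Python example that is not part of the original article: it draws a password from the same 62-symbol alphabet with the local `secrets` module (an assumption of this example, in place of a web generator) and computes the full-keyspace search time at the quoted 2.8 billion guesses per second. The function names are this example's own.

```python
import secrets
import string

# 26 lowercase + 26 uppercase + 10 digits = the 62 symbols used in the text.
ALPHABET = string.ascii_letters + string.digits
GUESSES_PER_SECOND = 2_800_000_000   # rate quoted in the text for commercial software
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate(length=8, alphabet=ALPHABET):
    """Draw each character independently from the operating system's CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_seconds(length, rate=GUESSES_PER_SECOND, alphabet_size=len(ALPHABET)):
    """Seconds needed to try every candidate of this length.

    This is the worst case; the expected time to hit one uniformly random
    password is half of it.
    """
    return keyspace(length, alphabet_size) / rate


def min_length(years, rate=GUESSES_PER_SECOND, alphabet_size=len(ALPHABET)):
    """Shortest length whose full keyspace takes at least `years` to enumerate."""
    budget = rate * SECONDS_PER_YEAR * years   # guesses available in that time
    length = 1
    while alphabet_size ** length < budget:
        length += 1
    return length


if __name__ == "__main__":
    print("sample password:", generate(8))
    for n in range(8, 13):
        secs = exhaustive_seconds(n)
        print(f"{n} chars: {keyspace(n):.3e} candidates, "
              f"{secs / 3600:,.1f} h = {secs / SECONDS_PER_YEAR:,.2f} years to enumerate")
    print("length needed to outlast 100 years:", min_length(100))
```

The estimate only holds for passwords whose characters are chosen uniformly at random; it says nothing about passwords built from words or patterns.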

A random password is not invulnerable, as it can be stolen. There are many options, ranging from reading input from a keyboard to a camera over your shoulder.

A hacker can attack the service itself and obtain data directly from its servers. In this situation, nothing depends on the user.

Single reliable basis

So, we got to the main point. What random password tactics should you use in real life? From the point of view of balance and convenience, the “one strong password philosophy” will work well.

The principle is that you use the same basis - a super-secure password (its variations) on the services and sites that are most important to you.

Anyone can remember one long and complex combination.

Nick Berry, an information security consultant, allows the use of this principle, provided that the password is very well protected.

The presence of malware on the computer from which you enter the password is not allowed. Nor is it allowed to use the same password for less important and entertainment sites: simpler passwords will more than suffice for them, since hacking an account there will not entail any fatal consequences.

It is clear that a reliable foundation needs to be modified somehow for each site. As a simple option, you can add to the beginning the one letter that ends the name of the site or service. If we go back to the random password RPM8t4ka, then for the Facebook login it will turn into kRPM8t4ka.

An attacker who sees such a password will not be able to understand how the password to your account is generated. Problems will start if someone gets access to two or more of your passwords generated this way.

Secret Question

Some hijackers ignore passwords altogether. They act on behalf of the account owner and simulate a situation where you forgot your password and want to recover it using a security question. In this scenario, the attacker can change the password at will, and the true owner will lose access to the account.

In 2008, someone gained access to the email of Sarah Palin, the governor of Alaska, and at that time also a candidate for US president. The burglar answered the secret question, which sounded like this: “Where did you meet your husband?”

After 4 years, Mitt Romney, who was also a candidate for US President at that time, lost several of his accounts on various services. Someone answered the security question about the name of Mitt Romney's pet.

You've already guessed the point.

You cannot use public and easily guessable data as a secret question and answer.

The question is not even that this information can be carefully extracted from the Internet or from close associates. Answers to questions in the style of “animal name”, “favorite hockey team” and so on are perfectly selected from the corresponding dictionaries of popular options.

As a temporary option, you can use the tactic of an absurd response. Simply put, the answer should have nothing to do with the security question. Mother's Maiden Name? Diphenhydramine. Pet name? 1991.

However, such a technique, if it becomes widespread, will be taken into account in the relevant programs. Absurd answers are often stereotypical, that is, some phrases will appear much more often than others.

In fact, there is nothing wrong with using real answers, you just need to choose the question wisely. If the question is non-standard, and the answer to it is known only to you and cannot be guessed after three attempts, then everything is in order. The benefit of a truthful answer is that you won't forget it over time.

PIN

Personal Identification Number (PIN) is a cheap lock that our . No one bothers to create a more reliable combination of at least these four digits.

Now stop. Right now. Right now, without reading the next paragraph, try to guess the most popular PIN code. Ready?

Nick Berry estimates that 11% of the US population uses the combination 1234 as a PIN code (where it is possible to change it yourself).

Hackers do not pay attention to PIN codes because without the physical presence of the card the code is useless (this can partly justify the short length of the code).

Berry took lists of passwords that appeared after leaks on the network, which were combinations of four numbers. Most likely, the person using the password 1967 chose it for a reason. The second most popular PIN is 1111, with 6% of people preferring this code. In third place is 0000 (2%).

Let's assume that a person who knows this information has someone else's card in their hands. There are three attempts before the card is blocked. Simple math shows that this person has a 19% chance of guessing the PIN by entering 1234, 1111 and 0000 in sequence.

This is probably why the vast majority of banks set PIN codes for issued plastic cards themselves.

However, many protect smartphones with a PIN code, and here the following popularity rating applies: 1234, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222, 6969, 9999, 3333, 5555, 6666, 1313, 8888, 4321, 2001, 1010.

Often the PIN represents a year (year of birth or historical date).

Many people like to make PINs in the form of repeating pairs of numbers (and pairs where the first and second digits differ by one are especially popular).

Numeric keyboards of mobile devices display combinations like 2580 at the top - to type it, just make a straight pass from top to bottom in the center.

In Korea, the number 1004 is consonant with the word "angel", which makes this combination quite popular there.

Bottom line

  1. Go to random.org and create 5-10 candidate passwords.
  2. Choose a password that you can turn into a memorable phrase.
  3. Use this phrase to remember your password.

Hello, friends! Users who use Firefox as their main browser to surf the Internet have probably noticed that after updating Mozilla to version 52.0.1, there have been some changes regarding the security of this browser.

The essence of the changes is that starting from version 52.0 of Firefox, on sites that run on http:// (an unsecured connection), you will not be able to use the previously saved login and password in the authorization form; instead, you will see a notification with a crossed-out padlock and the message “This connection is not secure. Logins entered here may be compromised”.

This means that now, by default, auto-filling of authorization forms will not work on sites with “http”, as the connection to the site is not secure. You may have a question: what sites can be classified as secure? In general, secure web resources are those that are connected via “https”; autofill will work for them as before.

But, alas, not all web resources have switched to “https” today: some people don’t really bother with this yet, others don’t have the opportunity to do so, and there are also websites created specially for the employees of a certain enterprise, exclusively on the internal network, which as a rule work on “http://”.

So, I’m sure that this innovation is very annoying for many, perhaps some might even be a little scared that their accounts are being hacked. But, fortunately, this message that your username and password may be compromised can be disabled and you can use autofill as before.

Disable the warning about an unsecured connection in Mozilla Firefox

To disable the warning, you need to change several values in the browser configuration.


Great, now on absolutely all Internet resources with an insecure connection (http://), instead of a security notification that “Logins entered here may be compromised,” your previously saved credentials will continue to be shown.

Bringing back autocomplete in Mozilla Firefox

Having gotten rid of the intrusive security notification, you can also optionally enable auto-filling of the authorization form when you go to a web resource.

In principle, all actions are similar, open “about:config” and using the search, find the next parameter and set it to the appropriate value.

Parameter                    Value
signon.autofillForms.http    true

That's all, after that we refresh the page and everything falls into place.

Well, and finally, if you are really annoyed by the crossed out padlock icon in the address bar, then you can also remove it without any problems by changing the value in the parameter:

Parameter                                Value
security.insecure_password.ui.enabled    false

Well, in general, we can end here, now when you log in to any Internet resource running on “http” you can use autofill, as well as all the previously saved credentials. And most importantly, you will no longer be bothered by the message about an unsecure connection in Firefox.

Also, do not forget that only you are responsible for the actions you perform, so be extremely careful.

How to disable the "This connection is not secure" warning in Firefox

Firefox will display a lock icon with red strike-through in the address bar, when a login page you’re viewing does not have a secure connection. If you enter a password on such pages, eavesdroppers or attackers could steal it.

You will also see a warning message when you click inside the login box to enter a username or password.

Note: When you start entering your login information, the warning message can obscure the password entry box. To dismiss the warning, either press the Tab key or click on the page background after you type in your username.

What can I do if a login page is insecure?

If the login page is insecure, check if a secure version exists by adding https:// in front of the website address. You can also contact the website administrator and ask them to secure the connection.

About insecure pages

Pages that need to transmit private information, such as credit cards, personal information and passwords, need to have a secure connection to help prevent attackers from stealing your information. ( Tip: A secure connection will have.)

Pages that don’t transmit any private information can have an unencrypted connection (HTTP). But, it is advised not to enter private information, such as passwords. The information you enter can be stolen over this insecure connection.

Note for developers

For developers looking to learn more about this warning, please see this page. The page explains when and why Firefox shows this warning, and will also provide some details on how to fix the issue. For more information, see

Andreas Heissel, TeamViewer specialist

Password security is one of the issues that constantly worries modern people. Confidentiality of private life largely depends on the degree of secrecy of passwords. How can you ensure that you never again have to worry about your personal data being stolen by hackers?

Today, access to almost any private and commercial information or application is password-based and requires registration. Because password security is critical, it is an important part of IT's job to help employees choose their passwords, as many make one mistake after another.

If you're unlucky, a hacked password could help hackers obtain sensitive information, steal money, corrupt data, or block access to your accounts. This can cause serious harm and may take months or even years to recover the information.

Choosing a password is considered a bit of fun, but it is not, and every user should periodically brush up on the rules for creating a strong password.

Stop being predictable

We've all been taught how to create a strong password using the same method. Online hints require us to use capital letters, numbers and some punctuation marks in our passwords. Alas, this pattern is also known to hackers.

As a result, we all:

  • start the password with one word we love and make it the basis of our password,
  • capitalize the first letter of this word,
  • add a number or exclamation point at the end of the password, so that the automatic hint does not find fault with the quality of our password,
  • and, voila, we get the “perfect” password: “Ninja1!”

Since we are confident in its invulnerability (after all, it meets all the requirements!), we believe that no one in the world will solve it. However, by method or using another technique, our password can be easily calculated.

The only way to avoid this is to not be so predictable.
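The habits described here, and in the earlier list of passwords such as password1, PaSsWoRd, p@ssword and $pider_Man1, can be checked for mechanically when a password is set. The following Python check is an added example, not part of the original articles; its word list and substitution table are constructed for illustration.

```python
import re

# Constructed mini-dictionary: the common passwords listed on this page plus the
# base words of its examples. A real deployment would load a breached-password list.
COMMON = {
    "password", "123456", "12345", "12345678", "123456789", "qwerty",
    "baseball", "dragon", "football", "spiderman", "ninja",
}

# Usual symbol-for-letter swaps (p@ssword, $pider); constructed for this example.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "3": "e", "1": "i", "!": "i", "7": "t"})
TRAILING_PADDING = re.compile(r"[\d\W_]+$")   # digits/punctuation tacked on the end
SEPARATORS = re.compile(r"[\W_]+")            # underscores, dots, spaces inside the word


def explain(password):
    """Return (base_word, [transformations]) if the password is a decorated
    dictionary word, or None if it does not reduce to a listed base word."""
    if password in COMMON:
        return password, []
    steps = []
    current = password
    for label, transform in (
        ("appended digits/punctuation", lambda s: TRAILING_PADDING.sub("", s)),
        ("symbol substitution", lambda s: s.translate(LEET)),
        ("separator", lambda s: SEPARATORS.sub("", s)),
        ("capitalisation", str.lower),
    ):
        changed = transform(current)
        # Skip a step that would empty the string (e.g. an all-digit password).
        if changed and changed != current:
            steps.append(label)
            current = changed
    return (current, steps) if current in COMMON else None


if __name__ == "__main__":
    # Passwords quoted in the text, plus one random string from the text for contrast.
    for pw in ["password1", "password123", "PaSsWoRd", "password!", "p@ssword",
               "$pider_Man1", "Ninja1!", "RPM8t4ka"]:
        hit = explain(pw)
        verdict = f"{hit[0]} via {', '.join(hit[1])}" if hit else "no dictionary base found"
        print(f"{pw:12} -> {verdict}")
```

A service can run such a check at registration and refuse any password for which `explain` returns a base word, whatever composition rules it otherwise satisfies.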

Never use one word passwords again!

The first step to password security is to stop using one-word passwords. And not because a one-word password is very short, but because such a password is very predictable.

Of course, the advantage of a one-word password is that it is easier to remember than any other. But from a security point of view, simplicity cannot be considered as the main criterion when choosing a solution. Safety must be a top priority.

In reality, according to the Better Business Bureau, the most common passwords are not always words.

Below is a list of the 10 most commonly used passwords in 2014 - believe me, none of them are suitable as a password for your bank account:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. Baseball
  8. Dragon
  9. Football

More complex passwords can be both safer and easier to remember. What will ensure password security? You will find the answer below.


Is it possible to make a password long and memorable at the same time? There are small tricks.

First of all, strong and memorable passwords consist of several words.

Do you think PieceOfCake would be a strong password?

Unfortunately no. The first rule of a multi-word password is to use several unrelated words that are directly relevant to you.

CoffeeLobsterMarathon (coffee, lobster, marathon) is a good example of such a combination. And the overall impression of saying a combination of these three words is so unpleasant that it will be very easy to remember this password.

MaximFavoriteColorIsGrey (Maxim’s favorite color is gray): knowing your friend Maxim’s favorite color is perhaps very rare. This password will be difficult to guess.

The second step in creating a strong password is to replace the letters of the password with—you can guess it—numbers and special characters.

As a result - C0ff33L0b$t3rM8r8th0n and D8v3sF8v0r1t3C0l0r1sGr3y.

Compare them to the original “Ninja1!”

Use unique passwords for each account

I know that there will be objections to this advice that it is impossible to remember passwords for each account. But using the recommendations below, it is not difficult at all.

At the same time, your winnings are huge!

Are there any people you know who use one password for all occasions?

Believe me, there are a lot of such people!

This is a real threat to information security. Just one leak in any system where you registered, and all your accounts automatically become available.

If your name, email address and password become available to attackers due to the hacking of just one service, site or company you have dealt with, hackers will certainly try to use these credentials to access other systems.

But if you have different passwords, hackers have no chance. The security benefit is obvious.

But how is it possible to remember every unique password?

The best way to remember your passwords (password manager)

It is impractical to remember every password we create. The exception is those passwords that we use every day. However, in most cases we use accounts occasionally. Our memory can easily fail us and we will need help to recover the password.

Password managers are secure applications that help us store and organize our passwords. The only password you will need to remember is the password for the password manager itself.

Change your passwords regularly

Old passwords need to be changed. Many people view this advice as either a good recommendation or a useless concern. But there are strong arguments that passwords should be changed regularly to improve Internet security.

For example, brute-force attacks, i.e. brute-force cryptanalysis, are used to crack passwords. Here a simple enumeration of all possible combinations of printable characters is carried out. The only limitation for such an attack is the time required to achieve the desired result. Often, though, this time turns out to be surprisingly short!

In particular, in order to crack our password “Ninja1!”, according to the site How Secure is my Password, it only takes 7 minutes!

By changing passwords, you can minimize the risk that a brute-force attack will be successful. Moreover, this will significantly reduce the risk of a password database leak.

Don't tell anyone your passwords

You don't share your passwords with anyone, right? Especially with strangers? Since most of us are not focused on security issues, we can fall into the trap of attackers more easily than we realize.

If you are worried that your account may be hacked, change your password without delay! On the Haveibeenpwned website you can check whether your account has already been hacked.

Make sure your antivirus is working properly

What is the connection between password secrecy and viruses?

In fact, some types of viruses and malware can track keyboard keystrokes, including when logging into accounts, and transmit this information to attackers. In this case, even the most secure password will not protect you from hacking.

Therefore, having an antivirus on your computer is part of your password security strategy.

Viruses and other malware often exploit holes in the operating system and applications that have not been fixed by corrective updates. Therefore, the software installed on the computer must also be updated promptly to avoid the risk of hacking.

Activate two-factor identification

Two-factor authentication will serve as another barrier protecting your passwords. After you enter your password, the authorization system will require an additional authentication method to log into your account. In particular, the second factor may be a temporary digital code generated by the authentication application on your mobile device. And Intel believes that even our body can be used for two-factor identification purposes.

Access will be provided if the login (username or email address), password and secret code are entered correctly. Two-factor authentication is the most win-win way to ensure password security, since access will not be granted unless the additional authentication method is completed correctly.

Password security. Summary

If your passwords are in complete safety, you feel liberated from a bunch of problems. Once you take a systematic approach to this issue, the practice of creating a strong password will become part of your habits.

To summarize, password security means:

  • Get rid of predictability. Passwords like “Ninja1!” need to be forgotten
  • Never use one-word passwords again
  • Long and complex passwords are more secure and easier to remember
  • A unique password for each account will deter hackers
  • Password managers are a useful tool for password security
  • Make it a habit to change passwords regularly
  • Don't share your passwords
  • Work on devices protected by antivirus
  • Use two-factor authentication whenever possible

I hope you found our tips useful. We wish you to always be safe!

For some time now, the Firefox browser has been showing the warning “This connection is not secure. Logins entered here may be compromised” on all sites whose authorization pages are not protected by the https protocol.

The idea is simple: the user receives a visual reminder that on a site without https, the data that he is about to enter into the form and send to strangers by pressing the Enter button (“Login”, “Sign in”, “Register”, etc.) is NOT PROTECTED.

Surely, such a warning in some cases will really protect an inexperienced user from some rash actions. A person who has long been accustomed to behaving competently on the Internet may not like the new reminder.

Actually, anyone who knows what https is, why it is needed and when it is needed, will always just look at the page address and/or the lock icon in the address bar of the browser and see the same thing that he is warned about. If the icon is red, it means that all data sent to the site is not encrypted and, therefore, can be read.

"This connection is not secure"

In addition, the new feature also has a couple of not very pleasant side effects. Firstly, it now disables the standard form autofill feature on unsecured sites.

In other words, the Firefox password manager no longer works on such a site and you will need to log in manually. On new sites, i.e. when registering for the first time, such a measure, of course, will not be superfluous. But on familiar sites that you have visited for a long time and every day, logging in manually every time is at the very least inconvenient.

The second problem is not so critical, but still annoying. The fact is that if in the authorization form the standard fields “username” and “password” are located vertically, then the warning text in the top field simply covers the entire lower field.

In theory, you can correct the situation with the Enter key, but this solution is not always suitable for the simple reason that the data already entered is then submitted immediately. Therefore, you have to click somewhere off to the side to dismiss the warning. Which also gets boring very quickly.

How to disable the "This connection is not secure" notification in Firefox

This is done as follows:

  • copy (or type) about:config into the address bar and press Enter;
  • then copy security.insecure_field_warning.contextual.enabled into the search bar and also press Enter;
  • double-click the line that appears in the “Setting name” column.

After this, in the “Value” column, instead of true (the default, which means that the function is active), a new value, false, will appear, which indicates that the function is disabled and the mentioned warning will no longer be displayed.

However, in order for autofilling of forms to work again on sites without https, as before, you need to make one more change to the Firefox settings. For this:

  • open the about:config page again;
  • find signon.autofillForms.http through the search bar in the same way;
  • and with exactly the same double-click on the line, change the value from the default true to the new one false, that is, unlock the function of auto-filling forms on pages with http.

Both of these functions can be enabled again in the same way: double-click and replace false with true.
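Both walkthroughs on this page (the parameter tables earlier and the steps above) change the same handful of preferences, which Firefox stores in the profile's prefs.js. The following Python audit is an added example, not part of the original articles: it reports which of those preferences have been moved away from the shipped value and emits the lines that restore them. The shipped values in its table are the Firefox 52 defaults as assumed by this example, and the sample file content is constructed.

```python
import re

# Preferences the walkthroughs change -> (value Firefox ships with, what it protects).
# Shipped values are an assumption of this example (Firefox 52 defaults).
SHIPPED = {
    "security.insecure_field_warning.contextual.enabled":
        (True, "in-form warning when a login field is on an http:// page"),
    "security.insecure_password.ui.enabled":
        (True, "crossed-out padlock in the address bar for http:// password pages"),
    "signon.autofillForms.http":
        (False, "saved logins are not auto-filled into http:// forms"),
}

# One preference per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

# Constructed sample of a profile's prefs.js (not taken from a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("security.insecure_field_warning.contextual.enabled", false);
user_pref("signon.autofillForms.http", true);
user_pref("signon.rememberSignons", true);
"""


def parse_prefs(text):
    """Map preference name -> value; booleans are converted, other values kept as text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)       # commented-out lines do not match
        if not match:
            continue
        name, raw = match.groups()
        prefs[name] = {"true": True, "false": False}.get(raw, raw)
        # A later occurrence of the same name overrides an earlier one.
    return prefs


def audit(text):
    """Return (name, current, shipped, meaning) for every weakened preference."""
    prefs = parse_prefs(text)
    return [
        (name, prefs[name], shipped, meaning)
        for name, (shipped, meaning) in SHIPPED.items()
        if name in prefs and prefs[name] != shipped
    ]


def restore_lines(findings):
    """user.js lines that set each reported preference back to the shipped value."""
    return [f'user_pref("{name}", {str(shipped).lower()});'
            for name, _current, shipped, _meaning in findings]


if __name__ == "__main__":
    findings = audit(SAMPLE_PREFS_JS)
    for name, current, shipped, meaning in findings:
        print(f"{name} = {str(current).lower()} (shipped: {str(shipped).lower()}): "
              f"disables '{meaning}'")
    print("\n".join(restore_lines(findings)))
```

On a managed fleet the same function can be pointed at each profile's prefs.js to find machines where saved credentials are again being filled into unencrypted forms.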
