Password security is a huge issue. Research shows that 40% of internet users suffer a “security incident” every year. But despite this, we’re often our own worst enemies when it comes to protecting ourselves online – the same research showed that 47% of people haven’t changed their password in 5 years, while 21% of people are using a password that’s 10 years old.
To make matters even worse, many people aren’t exactly creative when it comes to thinking up their passwords. The top five most popular passwords currently in use are 123456, password, 12345678, qwerty and 12345.
In some ways it’s understandable – people want their password to be easy to remember, but unfortunately that tends to mean a password that is easy to guess or crack.
So what can you do to make sure your customers are using strong, secure passwords? We’ll highlight the three key areas where customers need educating in order to convince them to ditch that weak password. How you communicate this to people is up to you, though a combination of blog posts and emails works well.
Educate them about the risks
Many people don’t understand just how important it is to have a strong password, so it’s part of your job to educate them.
Highlight the killer stats that demonstrate how likely a simple password is to be compromised, and the impact this could have on their business, and they’ll be keen to learn more about password security.

Educate them about how hackers will attempt to compromise their passwords
Explaining the various ways hackers work will provide your customers with the knowledge they need to create stronger passwords.
Explain the following topics to your customers:
Brute force attacks – The idea here is to simply guess the password by inputting all possible combinations until the correct one is found. This works well for short, simple passwords such as 123456 or asdfgh.
Dictionary attacks – Rather than inputting all possible combinations, a dictionary attack makes its guesses from a set list of words. This list usually contains the most common passwords, such as 123456 and qwerty, as well as words found in the dictionary.
Hybrid attacks – As the name suggests, this combines the two types of hack we’ve already looked at. Essentially, a hybrid attack will take a dictionary attack and meld it with a brute force attack. This will allow someone to hack a password that consists of a common word followed by a string of numbers and letters such as horse5678.
Combinator attacks – This attack combines words from two (or more) different word lists to come up with its password guesses, so it would be able to crack passwords like strongpassword.
Mask attacks – Mask attacks are similar to brute force attacks, but have rules applied to reduce the number of attempts made during the attack, which reduces the time spent guessing. For example, if the hacker knows the password they’re trying to guess is between 4 and 9 characters and doesn’t contain any numbers, capital letters or symbols, they can build a mask with those criteria and hugely reduce the time it takes to discover the password.
You can learn more about these kinds of attacks, and the seemingly strong passwords that can be cracked with them in this article.

Educate them about what makes a good password
By now your customers should have a basic understanding of hackers’ aims and methods, so you can teach them how to create a strong password that will help keep hackers at bay. Here are the key attributes of a strong password:
It avoids common passwords
Common passwords can be guessed in seconds and aren’t secure.
It is long
As a general rule, the longer a password is, the stronger it is. A password with 15 characters is much harder to crack than one with fewer characters.
It uses numbers and symbols
Adding numbers, symbols and capital letters to a password makes it harder to crack with a brute force attack as it increases the number of guesses that have to be made to find the correct password.
It avoids common words
Although stringing two or more common words together can create a long password that’s difficult to hack using brute force methods, such passwords are still susceptible to combinator attacks.
It avoids personal information
If your password can be easily guessed by someone who knows enough personal information about you, then it isn’t secure. Avoid using your name, birth date or any other information that can be discovered through social engineering.
It isn’t used in more than one location
If you’re using the same password for multiple sites, then hackers will only need to crack one password to compromise your entire online presence.
It probably looks something like this
3%JPN50jRH41H4LxO@qloKEL6TfxX7
Of course, that’s going to be almost impossible to remember. So what can we do about this?
One option is to take a memorable sentence and then turn it into a string of characters. For example, the sentence “I like to watch people play football on a Saturday afternoon” would become iltwppfoasa.
We can then make that password even more complex by adding capital letters, numbers and other characters. By doing that we get I1twp!pf0asa.
The next option is to use a password manager such as LastPass, which means you only have to remember one master password. The password manager will then allow you to generate complex passwords like the example above and will store them securely until they are needed.
Finally, it’s always possible to compromise strength for the sake of memorability. But it’s vital that your customers understand the risks if they choose this option. For example, a password such as B0okWatchSpeakerSu!tcase may not be strong enough to foil the most determined of hackers, although it should stand up well to basic attacks and is easier to remember than a random text string.
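As an added example (not code from the original article), here is a small Python checker that applies the attributes above, and the attack exposure described in the earlier list, to the page’s own sample passwords. The mini common-password list, dictionary and leet-substitution table are constructed for the example; a real checker would load a breached-password list and a full dictionary instead.

```python
import math

# Constructed mini word lists for this example only.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345"}
DICTIONARY_WORDS = {"horse", "strong", "password", "book", "watch",
                    "speaker", "suitcase", "football"}
# Character substitutions that hybrid-attack rules undo automatically,
# so "B0ok" and "Su!tcase" are still dictionary words to an attacker.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})
SYMBOLS = 95 - 26 - 26 - 10  # printable ASCII characters that are not alphanumeric


def charset_size(pw):
    """Size of the smallest character set a brute-force attack must cover."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += SYMBOLS
    return size


def brute_force_bits(pw):
    """log2 of the keyspace an exhaustive brute-force attack has to search."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def normalize(pw):
    """Lower-case the password and undo leet substitutions."""
    return pw.lower().translate(LEET)


def dictionary_words_in(pw):
    """Dictionary words hiding in the password (hybrid/combinator exposure)."""
    norm = normalize(pw)
    return sorted(w for w in DICTIONARY_WORDS if w in norm)


def assess(pw, personal_info=()):
    """Apply the article's attributes; reuse across sites cannot be checked locally."""
    issues = []
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("common password")
    if len(pw) < 15:
        issues.append("shorter than 15 characters")
    if charset_size(pw) < 95:
        issues.append("missing capitals, numbers or symbols")
    words = dictionary_words_in(pw)
    if words:
        issues.append("contains dictionary words: " + ", ".join(words))
    lowered, norm = pw.lower(), normalize(pw)
    if any(t.lower() in lowered or t.lower() in norm for t in personal_info if len(t) >= 3):
        issues.append("contains personal information")
    return {"bits": round(brute_force_bits(pw), 1), "issues": issues}
```

Running it over the article’s examples shows why the long random string passes every check while B0okWatchSpeakerSu!tcase, once de-leeted, is four dictionary words in a row.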
Summing up
In reality, there is no such thing as an uncrackable password. But it’s still important for you to encourage customers to create as strong a password as possible so their accounts and websites stay secure. A cracked password can kill off a business.