How it happens: Blunt truths about password hacking

October 10, 2017 4 Minute Read

I’ve been tasked to explain how password hacking works and offer advice on how to avoid it in 1,000 words or less. Given that this task is impossible—especially if I stick to a strictly objective narrative tone—I’m going to dispense with the sage-but-objectively-distant passive voice that tech journalists are trained to use. So sit down, grab a cup of coffee, and let’s talk about this topic like adults, shall we?

Surprise: You’ve already been hacked

Most of what you’ll find on the internet about password hacking is vapid clickbait that talks about the scary oogly booglies. Maybe it name-drops a security product or a password manager and dispenses a bunch of advice that sounds great, but is completely useless in the real world. This isn’t that. This also isn’t some blow-by-blow guide on how the terrifying omnihackers of the dark web hack passwords that you can follow in vain to see if your significant other is cheating on you.

Let’s address the rather enormous neon pink elephant in the room: At least one of your passwords has already been hacked. Over the course of the next year, at least one more will be hacked—probably more than one.

I’ve been called by some “an information security expert” (which is a lie, I just do a lot of research, but let’s put that to the side) and I can guarantee you that at least one password to a website I actually care about has been hacked and is right now in the hands of the bad guys. Dozens, perhaps even hundreds of passwords to websites I don’t care about have been hacked too, but since I don’t care about them, I’m not tracking them.

Sane practice

For the average person, learning how to use a password manager like LastPass isn’t hard, but it’s not perfect. One day it’ll be hacked, and all your passwords in it will spill out all over the internet. It’s inevitable, but then again, every other approach to password management either relies on our already overloaded memories, sticky notes, or complex and supposedly “secure” computer programs to track passwords that mere mortals wouldn’t actually use.

A password manager randomly generates passwords and keeps them in an easy-to-use location, making sure you use different passwords for each site you visit. That’s great, but there are lots of passwords you use in everyday life that are chosen to be easy to remember, not easy to use. At the end of the day, LastPass and its ilk don’t really help you much with the fact that your passwords will inevitably be compromised, even if they’re randomly generated.

The purpose of password managers is hopelessly naive. Their real utility is in keeping a list of websites you’ve signed up for, so you can go on a biannual password-changing binge.


Changing passwords semi-regularly is the only real defence we have against the bad guys. That said, changing passwords on every site we sign up for is completely pointless: It takes forever, and (for most websites) we don’t really care if someone gets into our account. Oh, you signed up for your local wildlife sanctuary’s website five years ago so you could find out where to take an injured bird? I’m sure you’d be absolutely devastated if the monthly newsletter stops hitting your inbox.

Make sure you change your bank password regularly, and any other password to a website you actually care about. Not to something easily guessable, but if you’re reading this I’m pretty sure you know the rules about picking good passwords that you can actually remember. If you don’t, make sure you brush up on your password-making skills.

How frequently you change your passwords depends on your level of paranoia, personal laziness, and how important the information behind those passwords is to you. What matters is this: Treat every password like it will be or already is compromised. If you’re creating or changing a password for a site you care about, don’t reuse your passwords from other sites. If it’s a site you don’t care about, then any old password will do. More important than anything is to find habits that work for you. Don’t try on “password diets” like fads knowing they’re something you can’t commit to. Your best defence is habit formation.

Humans are the weakest link in IT security, and always will be. Don’t try to force a robot’s habits on yourself. You know you—so you do you, but with some extra care when it really counts.
