In recent news, Yahoo announced that “more than one billion user accounts may have been affected in a hacking attack dating back to 2013.”
If you think it’s time to reset or strengthen your passwords, here’s a short guide explaining the details behind what makes a secure password and tips on how to secure your own.
Entropy is a measure of unpredictability. A simple password such as “Horse” would be cracked almost instantly because it is made up of letters only. You can greatly increase the entropy of a password by mixing letters with numbers and special characters. For example, the password “Hor5e!” would not be cracked instantly, but would take about 5 seconds, which is slightly better but not by much.
The password “85s5C!” (6 characters long) would take 5 seconds to crack. “713G5^3” (7 characters) would take 22 seconds. “63444U#3” (8 characters) would take 19 minutes. Compare that to the password “7t8%88!F631204Bo” (16 characters) which would take roughly 1 trillion years.
Simply increasing the length of your password by one character multiplies the time it takes to crack, so crack time grows exponentially with length. One thing to note: the example passwords I’ve chosen above have a good amount of entropy. A common password such as “Kangaroo”, even though it’s 8 characters long, would be cracked almost instantly, compared to our 8-character alternative “63444U#3” taking about 19 minutes.
Password re-use is extremely common, as no one likes to remember hundreds of different passwords. If a shared password was obtained by an attacker, they would have the master key to every other account sharing that password. Even if you re-use part of a password and slightly modify it for every site, you’re not much better off. For example, if you use the password “Buffalo123” for Facebook and “Buffalo456” for online banking, all an attacker needs to guess is 3 additional digits. The most secure approach is to never re-use or share parts of passwords.
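The two ideas above, that crack time grows exponentially with length and character mix while a dictionary word or a re-used prefix collapses the search space, can be made concrete with a small estimator. The script below is an added example written for this guide, not the calculator the article’s figures came from: the guess rate (ten billion per second, an offline GPU attack) and the tiny wordlist are constructed assumptions, so the absolute times differ from the article’s, but the shape of the curve is the same. It covers the length examples and the “Buffalo456 with a known prefix” case together.

```python
import math
import string

# Constructed stand-in for the dictionary an attacker tries before brute force
COMMON_WORDS = {"horse", "kangaroo", "buffalo", "password", "elephant"}

# Assumed attacker speed (offline GPU cracking, chosen for illustration):
# ten billion guesses per second. Not the calculator the article used, so
# absolute times differ; the exponential growth with length is what matters.
GUESSES_PER_SECOND = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the character pool an attacker must assume, based on the
    character classes that actually appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy: log2 of the number of candidates with this
    length and character-class mix."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password: str, known_prefix: str = "") -> float:
    """Worst-case seconds to exhaust the search space at GUESSES_PER_SECOND.

    - A dictionary word only needs the wordlist to be tried, whatever its length.
    - If the attacker already knows a prefix (a password re-used with a small
      tweak, e.g. "Buffalo123" leaked and "Buffalo456" used elsewhere), only the
      remaining characters have to be guessed.
    """
    if password.lower() in COMMON_WORDS:
        return len(COMMON_WORDS) / GUESSES_PER_SECOND
    if known_prefix and password.startswith(known_prefix):
        unknown = password[len(known_prefix):]
    else:
        unknown = password
    candidates = charset_size(unknown) ** len(unknown)
    return candidates / GUESSES_PER_SECOND


def describe(seconds: float) -> str:
    """Human-readable duration for the table printed below."""
    if seconds < 1:
        return "instant"
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    for pw in ["Horse", "Hor5e!", "85s5C!", "713G5^3", "63444U#3",
               "Kangaroo", "7t8%88!F631204Bo"]:
        print(f"{pw:18} {len(pw):2} chars  {entropy_bits(pw):6.1f} bits  "
              f"{describe(crack_seconds(pw))}")
    # Re-use with a tweak: an attacker holding "Buffalo123" only guesses the tail
    print("Buffalo456 from scratch  :", describe(crack_seconds("Buffalo456")))
    print("Buffalo456 knowing prefix:", describe(crack_seconds("Buffalo456", "Buffalo")))
```

Each extra character multiplies the candidate count by the pool size (94 for a full mix), which is why the 16-character example lands in the “years” range while every 6- to 8-character one is seconds to hours at this guess rate; the known-prefix call drops “Buffalo456” to a thousand candidates, regardless of how strong the prefix looked.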
Once you’ve lost control of your email account, it’s generally game over. An attacker using the “forgot your password?” feature on any site linked to that email address will generally gain access to that site as well, without needing to know your password. Because the password reset link is sent to your email account, an attacker can simply act on it, create a new password and then continue on with their business. Make sure all of your email accounts are protected with strong and unique passwords that aren’t shared with any other services.
There’s no way we can remember 10-20 passwords that all look like “348J0K1394*6e^C7”. This is where a good password manager comes into play. My personal favorite is LastPass, which not only gives you a novel way of storing your passwords, but can also generate them for you. Most password managers will require you to have a master password to unlock the application. Instead of trying to remember a strong random password for this, perhaps try using a pass-phrase. A pass-phrase is a short sentence that includes letters, numbers, spaces, and special characters. For example, the pass-phrase “The elephant has 5 brothers!” would take a modern computer about 25 undecillion years to crack… that’s a bloody long time.
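As an added example of the generation side (this is illustrative code, not LastPass’s or any password manager’s implementation), the script below draws a random password and a random pass-phrase from the operating system’s cryptographic random source and reports how many bits of entropy each carries. The 16-word list is constructed for the example; a real pass-phrase generator would use a Diceware-style list of several thousand words, and the entropy functions show why the list size is what matters.

```python
import math
import secrets
import string

# 94 printable ASCII characters, the pool a password manager typically draws from
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample wordlist. Assumption: a real generator uses a Diceware-style
# list of several thousand words; the list size sets the entropy per word.
WORDLIST = [
    "elephant", "brothers", "granite", "lantern", "orbit", "velvet", "cactus", "marble",
    "harbor", "comet", "saddle", "pepper", "tunnel", "falcon", "meadow", "ripple",
]


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG.

    `secrets`, not `random`: the Mersenne Twister behind `random` is not a
    cryptographic generator and its state can be recovered from its output."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    """Memorable pass-phrase: random words joined by spaces, plus a random digit
    and a fixed symbol so it satisfies the composition rules many sites enforce.
    The capital letter is deterministic and adds no entropy."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    return " ".join(chosen).capitalize() + f" {secrets.randbelow(10)}!"


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a random pass-phrase: words * log2(list size), plus log2(10)
    from the random trailing digit (the "!" is fixed and contributes nothing)."""
    return words * math.log2(wordlist_size) + math.log2(10)


if __name__ == "__main__":
    pw = generate_password(16)
    print(f"{pw}  ({password_entropy_bits(16):.1f} bits)")
    pp = generate_passphrase(4)
    print(f"{pp}  ({passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits from this toy list)")
    print(f"Same phrase from a 7776-word Diceware list: "
          f"{passphrase_entropy_bits(4, 7776):.1f} bits")
```

With the toy list, four words give under 20 bits, which is no better than a short random password; with a 7776-word list the same four words give about 55 bits, and adding a fifth word adds another 13. Entropy only counts when the words are chosen by the generator, not by the user, which is the whole point of letting the manager generate.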
You may have heard of something called two-factor or multi-factor authentication (MFA). When enabled, it requires you to verify every login attempt from a device such as your mobile phone. This extra layer ensures that even if an attacker knows your password, they would need physical access to your mobile phone or device to complete a login. If you have the option of using MFA, it’s always advisable to do so.
Tristan Strathearn is a Senior Web Developer at BCM