Secrets to a better password and fewer hacks: Go long, use variety, and sometimes lie

Key Points
  • With online hacks surging, experts say the process of using passwords is 'deeply flawed.'
  • IBM recommends a list of things users can do to prevent a breach, including adding layers of security — or even lying about certain security questions.
Cracking your password

Last week, Twitter asked users to reset their passwords as a precaution, after it found a bug in how it stored passwords.

The social platform is far from alone. In March, MyFitnessPal, a diet and fitness app owned by Under Armour, revealed that data from 150 million user accounts had been compromised, which may include scrambled passwords.

For years, cybersecurity experts have warned about needing to move away from passwords, which many people reuse across accounts, leaving them vulnerable to hackers.

"The average person has probably more than 100 accounts online that they've got to maintain a password with," said Caleb Barlow, an IBM Security vice president.

"What ultimately happens is everybody comes up with some sort of schema and they end up reusing these passwords site after site after site," he said. "The challenge with that is once one site is breached and that password becomes available, it doesn't take much for the bad guys to pivot to the next site, and try the same user ID and password."

The average person uses between eight and 12 passwords, according to Charles Henderson, a global managing partner with IBM Security's X-Force Red, a team which companies pay to test their security.

"We knew passwords were a bad idea 20 years ago. Yet, here we are today," Henderson said.

Henderson's team at IBM built a special machine called Cracken that can crack passwords up to 14 characters in under 5 minutes. The technology is similar to what cyber criminals use.

The inside of Cracken, a machine IBM Security built to crack passwords.
Source: IBM Security

"It uses an array of video cards that are very good at this specific type of math and goes through every possible permutation. It can do millions of them in a second. Over the course of that 5 minute period, it can try every single up to 14-digit password that you can muster," Henderson said.

CNBC tested the machine at IBM Security's offices in Cambridge, Massachusetts, starting with what cybersecurity pros say is the most common password, password 1.

Cracken cracked it in just over 2 minutes. Next CNBC tried the more complex CNBCisatIBM$$, and Cracken actually took less time. Because both passwords were 14 characters or less, they were easy to crack.

"Complexity isn't the driving force here… There is a reason that we've limited you to 14 characters here, because as you go beyond 14 characters, it becomes more and more difficult for us to crack a password," Henderson said.

Another issue with passwords is that people follow similar patterns.

"Users will generally take the lowest bar. So if you require that a user use a nine-character password with one unique character, and you put that as the minimum bar, the overwhelming majority of the users are going to use a nine-character password with one unique character," said Henderson.

In addition, multiple people tend to pick the same password. Sports fans tend to use sports teams, parents tend to use their kids' names, while pet owners choose their pet's name.

'Deeply flawed system'

Charles Henderson (right) and his team at IBM Security are paid by companies to try and hack in.

So why are we still using passwords? They are easy to use and there is no perfect solution, according to Henderson.

"Until we get to that realization that we're never going to find the perfect form of authentication, but that we have to take multiple forms and use them in tandem, we're never going to move past where we are now, which is a deeply flawed system," he said.

Here are the best ways to keep your accounts secure:

Go long

Henderson told CNBC the hardest password to crack is a long one. Instead of thinking of a collection of letters and numbers, he suggested going with a sentence. While no password is uncrackable, longer passwords deter cyber-criminals, because they take much longer to crack.

Also, do not be deterred by password box lengths. While some websites and apps are designed with only small boxes for passwords, many will actually take more characters than what appears.

Consider using a password manager

If you have trouble remembering passwords, you may want to use a password manager, software that generates random passwords for multiple websites and stores them for you. The user only needs to remember one password to log into the software.

Use multifactor authentication

Given the issue with passwords, it's best to add additional layers of security. Many websites — especially banks — will let you add login security such as sending a code to your cellphone, or biometrics like your fingerprint or facial recognition. Even if a cyber-criminal cracks your password, it is still difficult to get into your account.

Use a variety of passwords

While it is hard to remember passwords for every account, there are some accounts that should have a unique password.

"Don't use the same password on, let's say, your bank account that you used on everything else. Also, don't use the same password that you might use on your email account, because that's the primary way you reset your password," Barlow said.

Sometimes it's okay to lie

If you forget your password, you will often need to answer personal questions to reset it. Given that many Americans' data may have been compromised in breaches, or might have been shared on social media, these answers may not be difficult for a cyber-criminal to guess.

"You know all those password reset questions you get, like, 'What was the name of your best friend in high school? What street did you grow up?' Lie," Barlow recommended.

"There's no reason to tell the truth to those questions. [Use] something that you can remember, but something that it can't be easily figured out from social media."