They are a requirement of modern life on the internet. But what makes for a good password? How can you have a different password for each site? And what is 2FA?
We’ve cobbled together the best tips and tricks for managing your passwords and keeping your accounts safe.
Good Passwords vs Bad Passwords
A complex password will help protect your account from some of the commonly used ‘brute force’ and social scraping techniques that can be used to guess your password.
Your password need not be a single word, and any word that can be found in a dictionary should not be used on its own, no matter how long it is or what language it’s in: it will be cracked in no time at all. Think of a passphrase instead: combine several words into a single string and include any additional characters you can, such as numbers and punctuation.
You should avoid common passwords that are easy to guess. These include:
- Your name.
- Song titles.
- Well known lyrics.
- Dictionary words (from any language).
- Movie titles.
- Pets’ names.
- Partners’, children’s or other family names.
- Place of birth.
- Maiden names.
- Sports teams.
- Holiday destinations.
- Any previously used password with a number appended to the end.
Here are some of the most commonly used passwords, the kind that appear near the top of every leaked password list:
login, dragon, qazwsx, Mavrick, Master, Drowssap, cookie, merlin, trustno1, 1991, ranger, chelsea, banana, jennifer, 1990, amanda, 1989, hunter, nicole, hello, maverick, blahblah, mercedes, corvette, computer, cheese, COYS, nimda, biteme, 1992, london, soccer, william, querty, liverpool, pussy, admin123, whatever, dallas, hockey, test, zaq1zaq1, 1q2w3e, aaaaaa, killer, bandit, ashley, ferrari, starwars, 1qaz2wsx, andrea, lakers, andrew, 12341234, matthew, robert, 1234, sophie, buster, baseball, passw0rd, shadow, freedom, bailey, 121212, zxcvbnm, qwerty123, password1, donald, aa123456, charlie, 654321, monkey, pepper, joshua, tigger, 55555, jordan, solo, abcdef, letmein, ginger, jessica, 222222, harley, george, summer, thomas, MFU, hannah, daniel, 123123, football, abc123, 666666, welcome, admin, princess, iloveyou, qwerty, sunshine, 1234567, 111111, 12345, 12345678, 123456789, password, 123456, Trump, Manchester
Minimum of 8 characters
- A password of 8 random letters (upper and lower case) has 53,459,728,531,456 possible combinations.
- A computer optimised to crack passwords can try 100,000,000,000 passwords per second.
- It would take only 8 minutes to crack an 8-character random-letter password.
- Mix numbers into the password and you go to 218,340,105,584,896 combinations, taking 36 minutes to crack.
- Mix in common punctuation and you get to 6,095,689,385,410,816 combinations, taking 16 hours to crack.
- Make your password 10 random letters, numbers and punctuation characters and you’re looking at 66,483,263,599,150,104,576 combinations, taking 7,694 days to crack.
Correct Horse Battery Staple
If you want to create a password that’s complex but easy to remember, try the tip from XKCD above, or something similar such as taking the first two letters from every word in a phrase related to the website, making the second letter of each pair uppercase, and adding the symbol from the number key directly above and to the left of the first letter.
So if the website was selling popcorn, maybe you’d use the phrase “once you pop, you can’t stop” (yes, I know it’s for those moreish crisps, but it’s the first thing I thought of for popcorn!). First take the first two letters from each word: onyopoyocast. Make every second letter uppercase: oNyOpOyOcAsT. Then add the symbols on the keys above and to the left of the first letter in each word (so above “o” = 9 = “(”, above “y” = 6 = “^” and so on): (oN^yO)pO^yO£cA”sT. Some of the special characters might not be valid depending on the website or service, so substitute those with, for example, the same number key or the symbol on the key to the right.
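The recipe above, implemented as an added example (not code from the original article). It assumes a standard QWERTY layout with UK shifted symbols on the number row, which is what the worked example uses (‘"’ for 2, ‘£’ for 3); the `use_digits` switch is the article’s fallback of using the number key itself where a site rejects the symbol.

```python
import re

# QWERTY rows, left to right. The number key "directly above and to the
# left" of a letter is the number-row key at the same index as the letter's
# position in its own row (q->1, s->2, c->3, o->9, p->0 ...).
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
_DIGITS = "1234567890"
# Shifted symbols on the number row, UK layout (assumed; a US layout would
# give '!@#$%^&*()' instead).
UK_SHIFTED = '!"£$%^&*()'


def number_key_for(letter: str) -> str:
    """Return the number-row key diagonally up-left of a QWERTY letter."""
    letter = letter.lower()
    for row in _ROWS:
        if letter in row:
            return _DIGITS[row.index(letter)]
    raise ValueError(f"not a QWERTY letter: {letter!r}")


def phrase_password(phrase: str, shifted: str = UK_SHIFTED,
                    use_digits: bool = False) -> str:
    """Apply the article's recipe to a memorable phrase.

    For each word: the symbol (or digit) for the key above-left of the first
    letter, then the first letter, then the second letter in upper case.
    """
    out = []
    for raw in phrase.split():
        word = re.sub(r"[^a-zA-Z]", "", raw)  # "can't" -> "cant", "pop," -> "pop"
        if not word:
            continue
        digit = number_key_for(word[0])
        prefix = digit if use_digits else shifted[_DIGITS.index(digit)]
        out.append(prefix + word[0].lower() + word[1:2].upper())
    return "".join(out)


if __name__ == "__main__":
    # Reproduces the article's worked example: (oN^yO)pO^yO£cA"sT
    print(phrase_password("once you pop, you can't stop"))
    # Digit fallback for sites that reject some symbols: 9oN6yO0pO6yO3cA2sT
    print(phrase_password("once you pop, you can't stop", use_digits=True))
```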
Check your password strength
Use a reliable web service or app to check the strength of your passwords. Don’t rely on the strength meters built into websites, as they often have quite rudimentary checks that can give a false sense of complexity.
We found the following online tools that gave reliable strength meters. You’ll find the complexity of your password is likely to be reported differently on each site, as again they use different methods for checking password strength.
Never reuse a password
You should always have a unique password for each and every site. It’s a fact of life that websites will get compromised, and when they do, the criminals will try to get lists of passwords and, if possible, the associated account details.
The stolen passwords (like the ones listed above) are added to the lists of passwords used in brute force attacks. If they get your email address too, they will try that combination on other websites. So using the same password on a weakly protected service, such as a small business’s online shop, as you use for your email login could mean that without much effort a hacker can get access to your emails.
Adding a few numbers to the end of your password each time won’t offer much protection either; it takes a fraction of a second for a computer to check multiple combinations.
Have you been pwned?
Not sure what that means? “Pwned” can be translated as “owned” (it probably originated as a misspelling of ‘own’ as ‘pwn’ in the early days of online gaming). In this context it means: has your email address been compromised as a result of a data breach?
There’s an easy way to check: visit Have I Been Pwned and enter your email address. It will check its database of email accounts that have been exposed and posted on various nefarious websites and let you know if your email address is in there. If it is, you can pretty much guarantee that cyber criminals have got hold of it and are trying to access other sites using your email account.
This doesn’t necessarily mean your email account has been ‘hacked’ yet, but there’s a pretty good chance that they are trying to get into it.
Don’t remember your passwords
Our top password tip is don’t remember your passwords, well, not all of them anyway. Get a tool that will remember your passwords for you! That way you can make truly complex random passwords of significant length and you are not tempted to reuse the same password more than once.
Cloud based password managers
There are a few notable cloud-based services out there, such as LastPass, Dashlane and 1Password, offering synchronisation of passwords across multiple devices. You can install clients for these services on your laptops, desktops, tablets and mobile phones. When you save a password on one device, it is sent to the cloud and instantly available on all your other devices.
Most of these services will offer to create new complex passwords for you, and have plugins for popular browsers such as Chrome, Firefox and Edge meaning you don’t have to copy and paste the passwords over.
Saving passwords in your browser
Most modern browsers will offer to store your passwords for you, but there are a number of possible problems with this, not least that in many cases the passwords can be recovered from the browser by malware on your device, so we would not recommend using your browser to save passwords.
Manually managed password managers
The ease of online cloud-based password managers is appealing, but there is a single point of failure. If the master password for your online account is breached, a hacker would have instant access to all of your usernames and passwords. So an offline password manager might be more secure.
There are a number of options here too. Many security suites, such as Sophos and Kaspersky, offer password management, but this reduces portability and ease of use across multiple devices, and means that if you move away from the security suite in the future you will need to export all your passwords and move them to a new service.
We’ve found the open source KeePass to be a particularly good offline password manager. Your passwords are saved in an encrypted file on your computer, which can be synchronised by various means (including a selection of free plugins available from the KeePass website) to all your other devices. KeePass has compatible apps for most devices and platforms, and plugins for most browsers.
Two-Factor Authentication (2FA)
Two-Factor Authentication works in addition to a password to help secure your logons. If a service offers 2FA as a means of logging on, you should enable it. When you log in with your user credentials, the service will ask you to confirm the login with a separate app or device that has previously been linked to your account. So you might get a text message and need to enter the code sent, or use an authenticator app to generate a short-lived code.
USB Security Keys
The process to log in is simply plugging a small USB key into the computer and entering a PIN, and the computer logs on. Once the USB key is removed, the user account logs out. Depending on the USB security device you use, you can integrate it with websites, password managers and other services such as email or online banking, meaning you can log on without having to remember extremely long and complex passwords.
Services such as Rohos, Raptor and Predator can convert standard USB memory sticks into USB security keys, while Yubico manufactures purpose-built USB security devices. We’ve used YubiKeys and found them very easy to set up and manage.
If you need to update your password management for your home devices or for your entire organisation, we can help you choose and implement the most practical and cost effective solution while still offering you the level of security you need.
Contact us to get your security managed today.