Passwords are a requirement of modern life on the internet. But what makes for a good password? How can you have a different password for each site? And what is 2FA?
We've cobbled together the best tips and tricks for managing your passwords and keeping your accounts safe.
Jump to: Good Passwords vs Bad Passwords, Worst Password List, Check Password Strength, Reusing Passwords, Pwned Email, Don't Remember Passwords, 2FA, USB Security Keys
Choosing a good password is essential. It needs to be complex enough to protect your account, you need to be able to remember it, and it must NOT be on the popular passwords list!
A complex password will help protect your account from some of the commonly used "brute force" attacks and from "social scraping", where personal details are gathered from your social media profiles and used to guess your password.
Your password need not be a single word, and any word that can be found in a dictionary should not be used on its own, no matter how long it is or what language it's in; it'll be cracked in no time at all. Think of a passphrase: combine several words into a single string and include any additional characters you can, such as numbers and punctuation.
You should avoid common passwords that are easy to guess. These include the most commonly used passwords collected from breached accounts in 2017-2018 (in no particular order):
login, dragon, qazwsx, Mavrick, Master, Drowssap, cookie, merlin, trustno1, 1991, ranger, chelsea, banana, jennifer, 1990, amanda, 1989, hunter, nicole, hello, maverick, blahblah, mercedes, corvette, computer, cheese, COYS, nimda, biteme, 1992, london, soccer, william, querty, liverpool, pussy, admin123, whatever, dallas, hockey, test, zaq1zaq1, 1q2w3e, aaaaaa, killer, bandit, ashley, ferrari, starwars, 1qaz2wsx, andrea, lakers, andrew, 12341234, matthew, robert, 1234, sophie, buster, baseball, passw0rd, shadow, freedom, bailey, 121212, zxcvbnm, qwerty123, password1, donald, aa123456, charlie, 654321, monkey, pepper, joshua, tigger, 55555, jordan, solo, abcdef, letmein, ginger, jessica, 222222, harley, george, summer, thomas, MFU, hannah, daniel, 123123, football, abc123, 666666, welcome, admin, princess, iloveyou, qwerty, sunshine, 1234567, 111111, 12345, 12345678, 123456789, password, 123456, Trump, Manchester
If you want to create a password that's complex but easy to remember, try the tip from XKCD above, or something similar, such as taking the first two letters from every word in a phrase related to the website, making every second letter uppercase, and adding the symbol on the number key directly above and to the left of the first letter.
So if the website was selling popcorn, maybe you'd use the phrase "once you pop, you can't stop" (yes, I know it's for those moreish crisps, but it's the first thing I thought of for popcorn!). First take the first two letters from each word: onyopoyocast. Make every second letter uppercase: oNyOpOyOcAsT. Then add the symbols on the keys above and left of the first letter in each word (so above "o" = 9 = "(", above "y" = 6 = "^" and so on): (oN^yO)pO^yO£cA"sT. Some of the special characters might not be valid depending on the website or service, so substitute those with the same number key, or with the symbol on the key to the right, for example.
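The three steps just described, written out as a function so the transformation can be applied to any phrase. This is an added example, not code from the original post. It assumes a UK QWERTY layout, where each letter row lines up under the number row (q/a/z under 1, w/s/x under 2, and so on) and Shift+3 gives "£", which is how the post arrives at "£" for "c"; the treatment of one-letter words and the digit fallback for rejected symbols are also assumptions made here.

```python
# Added example (not from the original post): the "first two letters, upper-case
# the second, prefix the symbol above-left of the first letter" scheme as code.
# Keyboard layout is an assumption: UK QWERTY, letter rows aligned under 1..0.
_LETTER_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
_UK_SHIFTED = {"1": "!", "2": '"', "3": "£", "4": "$", "5": "%",
               "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def key_above_left(letter: str) -> str:
    """Digit on the number row that sits above and to the left of `letter`."""
    letter = letter.lower()
    for row in _LETTER_ROWS:
        if letter in row:
            return "1234567890"[row.index(letter)]
    raise ValueError(f"{letter!r} is not a letter key")


def mnemonic_password(phrase: str,
                      allowed_symbols: str = "".join(_UK_SHIFTED.values())) -> str:
    """Apply the post's three steps to `phrase`.

    Words with fewer than two letters are skipped (an assumption; the post does
    not say).  If the site rejects a symbol, the bare digit from the same key is
    used instead, as the post suggests.
    """
    parts = []
    for word in phrase.split():
        letters = [c for c in word if c.isalpha()]
        if len(letters) < 2:
            continue
        digit = key_above_left(letters[0])
        symbol = _UK_SHIFTED[digit]
        if symbol not in allowed_symbols:
            symbol = digit
        parts.append(symbol + letters[0].lower() + letters[1].upper())
    return "".join(parts)


if __name__ == "__main__":
    print(mnemonic_password("once you pop, you can't stop"))  # (oN^yO)pO^yO£cA"sT
    # Same phrase for a site that only accepts a few symbols:
    print(mnemonic_password("once you pop, you can't stop", "!$%^&*()"))
```

Bear in mind that the scheme buys memorability, not randomness: the result is derived entirely from a phrase tied to the site, so it is a step up from a plain dictionary word rather than a replacement for the long random passwords a password manager generates.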
Use a reliable web service or app to check the strength of your passwords; don't trust the strength meters built into websites, as they often perform only rudimentary checks that can give a false sense of complexity.
We found the following online tools gave reliable strength meters. You'll find the complexity of your password is likely to be reported differently on each site, as again they use different methods for checking password strength.
You should always have a unique password for each and every site. It's a fact of life that websites will get compromised, and when they do, the criminals will try to get lists of passwords and, if possible, the associated account details.
The stolen passwords (like the ones listed above) are added to the lists of passwords used in brute force attacks. If they get your email address too, they will try that combination on other websites. So using the same password on a weakly protected service, such as a small business's online shopping site, as you use on your email login could mean that without much effort a hacker can get access to your emails.
Adding a few numbers to the end of your passwords each time won't offer much protection either; it takes a fraction of a second for a computer to check those extra combinations.
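The two points above, that built-in meters overrate a password and that a trailing number or two adds almost nothing, can be demonstrated with a small checker. This is an added example, not a tool from the original post: it strips the suffix and leetspeak substitutions an attacker's rules would undo, tests the remaining base word against a blocklist, and reports the naive "pool size to the power of length" figure alongside. The blocklist is a constructed handful of entries from the list on this page; a real check loads the whole list or a much larger corpus.

```python
import math
import re
import string

# Constructed blocklist for the example: a few entries from the breached
# password list shown on this page.  A real deployment loads the full list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "dragon", "football",
    "iloveyou", "passw0rd", "monkey", "sunshine", "welcome", "liverpool",
    "princess", "starwars",
}

# Letter-for-digit swaps that cracking rules routinely undo.
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                         "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Recover the word an attacker's mangling rules strip a password back to:
    drop trailing digits/punctuation, lower-case, undo leetspeak."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return stripped.lower().translate(_UNLEET)


def charset_size(password: str) -> int:
    """Size of the character pool implied by the classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # printable punctuation plus space
    return size


def brute_force_bits(password: str) -> float:
    """What a naive meter reports: bits to enumerate pool^length.  It is only an
    upper bound, because it assumes the password was chosen at random."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password: str, min_length: int = 12) -> dict:
    """Conservative verdict: reject anything built on a breached word, whatever
    suffix or substitutions were added, and anything too short."""
    reasons = []
    base = base_word(password)
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append(f"built on breached password {base!r}")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return {"ok": not reasons,
            "naive_bits": round(brute_force_bits(password), 1),
            "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("Liverpool2019!", "P@ssw0rd!", "correct-horse-battery-staple-42"):
        print(candidate, assess(candidate))
```

"Liverpool2019!" scores around 92 bits on the naive measure, which is the false sense of complexity the post warns about, yet it is one rule away from a word on the breached list and is rejected.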
Not sure what that means? "Pwned" can be translated as "owned" (it probably originated as a misspelling of "own" as "pwn" in the early days of online gaming). In this context it means: has your email address been compromised as a result of a data breach?
There's an easy way to check: visit Have I Been Pwned and enter your email address. It will check its database of email accounts that have been exposed and posted on various nefarious websites and let you know if your email address is in there. If it is, you can pretty much guarantee that cyber criminals have got hold of it and are trying to access other sites using your email account.
This doesn't necessarily mean your email account has been "hacked" yet, but there's a pretty good chance that someone is trying to get into it.
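The post checks email addresses on Have I Been Pwned; the same site also publishes the breached passwords themselves through its Pwned Passwords range API, which goes a little beyond the post but shows how such a lookup can be done without ever sending the password. This is an added example, not code from the post or from Have I Been Pwned: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally against the returned list. The sample response below is constructed (the first suffix is the real remainder of SHA-1("password"); the counts and the other lines are made up).

```python
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of `password` into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Search a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 when the suffix is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (needs network; not used by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response for prefix 5BAA6.  Only the first
# suffix is real (SHA-1 of "password"); counts and other lines are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00B8F2C9C2E1F0A4D9C7E5B3A1F0D2C4E6A:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("prefix sent:", prefix)
    print("times seen in breaches:", breach_count("password", SAMPLE_RANGE_5BAA6))
    # Live check would be: breach_count("password", fetch_range(prefix))
```

Because only the prefix leaves the machine, a positive match tells you the password is on the lists used in the brute force attacks described above, while the service itself never learns which of the few hundred candidates behind that prefix you asked about.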
Our top password tip is: don't remember your passwords. Well, not all of them anyway. Get a tool that will remember your passwords for you! That way you can use truly complex, random passwords of significant length, and you are not tempted to reuse the same password more than once.
There are a few notable cloud-based services out there, such as LastPass, Dashlane and 1Password, offering synchronisation of passwords across multiple devices. You can install clients for these services on your laptops, desktops, tablets and mobile phones. When you save a password on one device, it is sent to the cloud and is instantly available on all your other devices.
Most of these services will offer to create new complex passwords for you, and have plugins for popular browsers such as Chrome, Firefox and Edge, meaning you don't have to copy and paste the passwords over.
Most modern browsers will offer to store your passwords for you, but there are a number of possible problems with this, not least that in many cases the passwords can be recovered from the browser by malware on your device, so we would not recommend using your browser to save passwords.
The ease of online, cloud-based password managers is appealing, but there is a single point of failure: if the master password for your online account is breached, a hacker would have instant access to all of your usernames and passwords. So an offline password manager might be more secure.
There are a number of options here too: many security suites, such as Sophos and Kaspersky, offer password management, but this reduces portability and ease of use across multiple devices, and means that if you move away from the security suite in the future, you need to export all your passwords and move them to a new service.
We've found the open source KeePass to be a particularly good offline password manager. Your passwords are saved in an encrypted file on your computer, which can be synchronised by various means (including a selection of free plugins available from the KeePass website) to all your other devices. KeePass has compatible apps for most devices and platforms, and plugins for most browsers.
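The "create new complex passwords for you" feature of a password manager is, at its core, a generator that draws from a cryptographic random source. This added example (not code from KeePass or any of the managers named above) shows both shapes a manager typically offers, a random character string and a random word passphrase, using Python's `secrets` module, and computes how many bits of entropy each choice of length gives. The symbol set and the eight-word list are constructed for the example; a real passphrase list has thousands of words.

```python
import math
import secrets
import string

# Symbol subset chosen for the example; most sites accept these (assumption).
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"

# Constructed eight-word list so the example runs offline.  It gives only
# 3 bits per word; a 7776-word list gives about 12.9 bits per word.
SAMPLE_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 20, symbols: str = SYMBOLS) -> str:
    """Uniformly random string over lower + upper + digits + symbols, requiring
    at least one character of each class.  Rejection sampling (redraw the whole
    string until it qualifies) keeps the distribution uniform over the accepted
    set; forcing "one of each" into fixed positions would not."""
    if length < 4:
        raise ValueError("need at least one character per class")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, symbols)
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def random_passphrase(words: list[str], count: int = 5, sep: str = "-") -> str:
    """Independently chosen words joined with `sep`; entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = random_password(20)
    print(pw, f"~{entropy_bits(26 + 26 + 10 + len(SYMBOLS), 20):.1f} bits")
    phrase = random_passphrase(SAMPLE_WORDS, 5)
    print(phrase, f"~{entropy_bits(len(SAMPLE_WORDS), 5):.1f} bits (small list!)")
```

The numbers make the post's advice concrete: 16 random characters from a 94-symbol pool is about 105 bits, and five words from a 7776-word list about 65 bits, whereas a password you can reconstruct from a phrase has far less entropy than its length suggests.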
Two-factor authentication (2FA) works in addition to a password to help secure your logins. If a service offers 2FA as a means of logging on, you should enable it. When you log in with your user credentials, the service will ask you to confirm the login with a separate app or device that has been previously linked to your account. So you might get a text message and need to enter the code sent, or use an authenticator app to generate a short-lived code.
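The short-lived code an authenticator app produces is a TOTP (RFC 6238): an HMAC over the current 30-second time step, truncated to six digits. This added example, not code from the post or any authenticator, implements both the app side (generating the code) and the service side (verifying it with a small drift window and a replay check) using only the standard library, and is checked against the published RFC 6238 test vectors for the SHA-1 secret "12345678901234567890".

```python
import base64
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app displays."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1,
                digits: int = 6, last_accepted: int = -1):
    """Service-side check.  Accepts the current step and `window` steps either
    side (clock drift), compares in constant time, and refuses any counter at
    or before `last_accepted` so a captured code cannot be replayed.
    Returns the accepted counter (to store as the new `last_accepted`) or None."""
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate > last_accepted and hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_to_base32(secret: bytes) -> str:
    """Shared secrets are provisioned to authenticator apps base32-encoded
    (the value inside an otpauth:// URI / QR code)."""
    return base64.b32encode(secret).decode("ascii")


# Test secret from RFC 4226 / RFC 6238 (SHA-1 variant), used as a fixture here.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("code:", totp(RFC_SECRET, now), "valid for", 30 - now % 30, "more seconds")
    print("provisioning secret:", secret_to_base32(RFC_SECRET))
```

Two details matter for whoever runs the service side: the window must stay small (one step either side is usual) because every extra step is another code an attacker could guess, and the last accepted counter has to be stored per user, otherwise a code captured in transit remains usable until its step expires.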
Using USB security keys is commonplace in large businesses where users regularly hot-desk, and it's starting to make inroads into everyday use.
The process to log in is simply plugging a small USB key into the computer and entering a PIN, and the computer logs on. Once the USB key is removed, the user account logs out. Depending on the USB security device you use, you can integrate it with websites, password managers and other services such as email or online banking, meaning you can log on without having to remember extremely long and complex passwords.
Services such as Rohos, Raptor and Predator can convert standard USB memory sticks into USB security keys, while Yubico will custom manufacture a USB security device for you. We've used YubiKeys and found them very easy to set up and manage.
If you need to update password management for your home devices or for your entire organisation, we can help you choose and implement the most practical and cost-effective solution while still offering the level of security you need.
Contact us to get your security managed today.