In today’s world, where everything is connected and online, it seems every website wants you to register and create a password.
You probably have a long list of passwords you’ve used to register with websites and organisations such as your bank, email account, retail websites etc.
But are they secure?
These sites often use your email address as a username, so my first tip is to take advantage of a free tool from the makers of the Firefox web browser called Firefox Monitor –
Enter your email address into the website, and it will show you a list of any known security breaches where your email address, and any other details were accessed by hackers.
Be warned: if you have been active online for even a few years, you might be surprised at some of the companies that have been hacked and given up your details!
Unfortunately, “hacks” happen more often than you might think, so now is a good time to look at the passwords you use.
Here are the 3 essential tips for creating secure passwords you can remember.
1) Use a different password for every site you register.
Using unique passwords is the number one tip: if a hacker gets your password and email from a breach of an insecure website, they will try those same details on hundreds of the most popular sites to gain access to more information about you.
If you have different passwords (even by just one or two characters), hackers will find it much harder to get into your other accounts.
2) If possible, try to use long passwords.
Even if a hacker does not have your actual password, they can try guessing it.
They don’t rely on the real words you have used, since trying common words (like “password”) can be foiled by adding a number or a capital letter.
So they try every combination of lower- and uppercase letters, numbers and symbols.
Using automation software, they can attempt thousands of letter and number combinations per second. This means that even an 11-character password would be found within a maximum of 3 days, and often much quicker.
A password of 25 letters, just letters, would take 500 years to identify.
3) Don’t worry too much about mixing numbers, upper- and lowercase letters and special characters, as they are really hard for us humans to remember.
Instead, use multiple random words; NEVER use one word.
In the past, the advice was to replace letters with symbols or numbers, like “pa55w0rd”.
That worked well when hackers relied on dictionary attacks (guessing your password by working through every word in the English language). With today’s more powerful computers and software, however, that is a relatively easy password to crack, and it is still hard for us humans to remember.
Even adding a number and a special character to a word is just as useless (“password!1” won’t help), because attackers now focus on brute force attacks (trying every possible combination of letters, numbers and symbols).
Combining two words, on the other hand, is not only easier for us to remember but much more difficult to break (see tip 2 above), so “passwordtriangle” is much better.
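To put numbers on tips 2 and 3, here is an added example (my own illustration, not part of the original post) that sizes the search space an attacker must cover under the two guessing models described above: character-by-character brute force, and a word-list attack that combines dictionary words. The guess rate and dictionary size are assumptions, not figures from the post; change them to match your own threat model.

```python
import math
import string

# Assumptions for this illustration, not figures from the post.
ASSUMED_GUESSES_PER_SECOND = 10**9   # offline cracking rate against leaked hashes
ASSUMED_DICTIONARY_SIZE = 100_000    # words in an attacker's word list


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must cover: the combined size of every standard
    character class (lowercase, uppercase, digits, punctuation) the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def brute_force_space(password: str) -> int:
    """Candidates for 'try every combination' of this length over this charset."""
    return charset_size(password) ** len(password)


def wordlist_space(num_words: int, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> int:
    """Candidates if the attacker assumes the password is num_words dictionary words
    joined together. Ignores letter-for-digit substitution rules, which crackers also apply."""
    return dictionary_size ** num_words


def bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2 of the candidate count)."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate, in years."""
    return space / rate / (365 * 24 * 3600)


def report(password: str, num_words: int) -> dict:
    """An attacker picks the cheaper strategy, so the smaller space is the one that counts."""
    weakest = min(brute_force_space(password), wordlist_space(num_words))
    return {"password": password, "bits": round(bits(weakest), 1),
            "years": years_to_exhaust(weakest)}


if __name__ == "__main__":
    # The styles discussed in the post; num_words is the dictionary words each contains.
    for pw, words in [("pa55w0rd", 1), ("password!1", 1),
                      ("passwordtriangle", 2), ("coastblanketlaptopcube", 4)]:
        print(report(pw, words))
```

Run as a script, it shows that a single substituted word falls to a word-list guess almost instantly, while each extra random word multiplies the work by the dictionary size.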
So what does a good password look like?
Although, in theory, a long password made of random characters would be best, the reality is that remembering such a password is difficult and often leads to frustration when typing in a long string of mixed letters, numbers and odd characters.
So, in the interests of striking a balance between security and ease of use –
- Make the password at least 12 characters long
- Build it from at least two RANDOM words (don’t pick “the” or “at”, and don’t use a phrase)
That’s it. Don’t make it more complex than it needs to be or you might fall back into the easy, insecure habits.
Here is an example to explain:
Put 4 words together without spaces (the words can be anything you are likely to remember, or totally random):
coastblanketlaptopcube
If that is difficult to read or remember, add a number between each word:
coast1blanket1laptop1cube
Or capitalise the words:
CoastBlanketLaptopCube
This might seem like it would be easier for a hacker to identify, but remember that it is not a person typing in repeated attempts. It is software that does not understand the context; it is just trying every combination of letters, numbers etc. one after another. And because you have used multiple words, a dictionary attack (guessing the single word in a password) doesn’t work either.
And finally, if you are wondering how you are going to remember 10, 20 or 50 passwords, there are very secure apps that will store them for you.
My favourite is 1Password, but there are others if you do a Google search for “password manager”.
Final note –
Unfortunately, even though this advice is backed by security experts, developers and IT professionals the world over, it hasn’t filtered down into common practice for a lot of websites.
If you are forced to create a password that is limited in length (some websites still only accept up to 8 characters), then go with a mixture of uppercase and lowercase letters and numbers that is totally unique to that website.
Or, if you are required to add capitals, numbers and special characters, do as you are instructed but still make the password more than 12 characters.
And lastly, obviously, I cannot be held responsible if any of your accounts are hacked even after following my advice. Any system can be hacked, eventually.