Most of us already know that we are supposed to use strong, individual passwords for every account we have. Creating, remembering and using strong passwords for a multitude of sites leads many of us to use just one or two tried and tested memorable passwords. But this is a significant security risk. In this article, we’ll look at what makes a strong password, why strong passwords are important, and offer some tips and guidelines for improving your password security.
What Makes a Strong Password?
The fundamental requirement of a strong password is that it should not be possible for a hacker or clever piece of hacking software to determine what the password is. If you think about overly simple passwords it’s clear how they are easily predicted, such as:
Strong passwords need to be so complex and varied that prediction is not readily possible. The broadly accepted guidelines for creating strong passwords are these:
- At least 8 characters in length (ideally 10+). The more characters, the better.
- Use a mixture of both uppercase and lowercase characters.
- Incorporate a mixture of letters and numbers.
- Include at least one special character such as ! @ # ? ].
- Avoid using < or > in your password as both can cause problems in Web browsers.
- Don’t use the same password for more than one account.
If you are already adhering to these guidelines then you’re doing well.
Why Are Strong Passwords Important?
Strong passwords prevent unauthorised access to your private personal accounts. Complex passwords, known only to yourself, are the main line of defence you have against those who want to access your email, PayPal, eBay or other online accounts. When a hacker identifies a password they will often seek other associated accounts, as they know that people don’t create separate passwords for all accounts. They may even publish account details online, enabling others with malicious intent to take the attack much further. This is why it’s essential to use strong, unique passwords for every account you have.
How Weak Passwords Are Hacked
Understanding a little about how hackers overcome weak passwords should convince you that strong, unique passwords are essential. Here are just some of the common techniques used by hackers today.
Phishing is a social engineering technique commonly used to get people to disclose personal information, especially account details. Typically, a target will receive an email message containing links to cloned websites or a piece of malicious code. The fraudsters present a fake login form into which the innocent target enters their login information - including their password. Man-in-the-middle attacks are also used to intercept access to genuine login pages, presenting people with fake login screens from which usernames and passwords are captured.
Password spraying is a simple technique that uses predefined lists of commonly used passwords. Attackers will use lists of usernames, often email addresses, along with these well-known, commonly used passwords. A surprising number of people continue to use overly simple, easily predicted, common passwords such as: password1234.
Dictionary attacks are similar to password spraying techniques but instead of using lists of common passwords the attacker uses combinations of dictionary words, grouped together. Attacks like this are not carried out manually. Attackers use automated software tools, loaded with user names and often with IP address proxy switching capabilities, to automatically hammer account login screens with a multitude of password combinations.
Brute force attacks are very similar to dictionary attacks but instead of simply using real words, derived from dictionary lists, the attackers use any combination and number of alphanumeric characters. Brute force attacks require a lot of computing power which attackers may have harnessed by hacking into servers and other computers.
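The three automated techniques above leave different traces in an authentication log: spraying produces failures for many distinct usernames from one source in a short window, while dictionary and brute force attacks against a single account produce many failures for the same username. The following is an added example, not code from the original article, showing how a defender can tell the two apart. The log line format (`<ISO timestamp> <FAIL|OK> user=<name> src=<ip>`) and the sample lines themselves are constructed for the example; the thresholds are assumptions to be tuned for a real environment.

```python
"""Flag password-spraying and single-account brute-force patterns in auth logs.

Added example; the log format and sample data are constructed, not taken
from any real system or product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>").
# 203.0.113.7 fails against six different accounts within seconds: spraying.
# 198.51.100.2 fails three times against one account: single-account guessing.
# 192.0.2.9 has two unrelated failures hours apart: normal noise.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:11 FAIL user=frank src=203.0.113.7
2024-05-01T09:00:13 OK   user=grace src=203.0.113.7
2024-05-01T09:01:00 FAIL user=alice src=198.51.100.2
2024-05-01T09:01:30 FAIL user=alice src=198.51.100.2
2024-05-01T09:01:45 FAIL user=alice src=198.51.100.2
2024-05-01T09:02:00 OK   user=alice src=198.51.100.2
2024-05-01T09:05:00 FAIL user=heidi src=192.0.2.9
2024-05-01T13:00:00 FAIL user=ivan src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> max number of distinct usernames that failed within `window`.

    Only sources reaching `min_users` distinct accounts are reported. A sliding
    window is used so that a slow spray spread over a long log is still caught.
    """
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, fails in failures.items():
        fails.sort()  # chronological order
        best, start = 0, 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({u for _, u in fails[start:end + 1]})
            best = max(best, distinct)
        if best >= min_users:
            alerts[src] = best
    return alerts


def detect_single_account(events, min_failures=3):
    """Map (src, user) -> failure count for pairs with at least `min_failures` failures."""
    counts = defaultdict(int)
    for _, result, user, src in events:
        if result == "FAIL":
            counts[(src, user)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(evs))
    print("single-account guessing:", detect_single_account(evs))
```

Note that a successful login from a source already flagged as spraying (the `OK` for `grace` above) is the event most worth an immediate alert, since it suggests one of the sprayed passwords was accepted.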
Password management tools can be a great aid when you have a number of accounts for which you need to maintain login access information. While you may be tempted to use your web browser, such as Google Chrome, to store your passwords, this is not a good idea. Keep in mind that anybody who has access to your computer can run Chrome and if they do then they will be able to access any personal accounts for which you have stored passwords in Chrome. If you are not logging out of your computer whenever you step away and haven’t secured it with a strong password then allowing your web browser to store your passwords is a bad idea.
Luckily there are some excellent password management tools available today. Here are just a few of the best free ones.
LastPass is a widely respected, easy to use password manager with unlimited storage. Data is securely stored and it also allows you to store credit card details and delivery addresses. The free version of the app even supports two factor authentication (2FA). A premium paid version is available.
The free version of NordPass provides strong password suggestions as well as the facility to securely store credit card and banking details. The interface is intuitive and easy to use and the app provides unlimited password storage across multiple devices.
Another excellent password manager that’s worth looking at is Sticky Password. It too can save unlimited passwords, but the free version, like others, doesn’t allow synchronisation between devices. Like LastPass, it supports two factor authentication (2FA).
5 Rules for Creating Strong Passwords
We’ve already listed some useful guidelines for strong password creation. Here are some basic password creation rules that will help protect your accounts from being hacked.
- Long passwords are strong passwords. As a general rule, the longer the password the more difficult it is to crack. Some recommend that passwords should be 15 characters or more in length.
- Mix your characters. Using a mixture of alphanumeric, upper and lowercase characters along with a few symbols is highly effective.
- Avoid predictable substitutions. A common technique used by many has been to use what’s called ‘leetspeak’, wherein standard letters are replaced by numerals that look similar. For example, the letter ‘E’ might be replaced by the numeral ‘3’ and ‘s’ might be replaced by a ‘5’ or a ‘$’ symbol. But password-cracking software is well aware of these common substitutions and tries them automatically. Genuine, random character placement is far more effective.
- Don’t use common keyboard combinations. Passwords such as ‘1qaz2wsx’ may appear to be random, but this one is created by following the keys on a standard keyboard from top to bottom and is therefore easily predicted. Similarly ‘qwertyuiop’ is simply the top row of letters on a standard keyboard.
Strong Password Creation Techniques
Having defined what you are not supposed to do, here are some ideas that will help you create memorable but strong passwords.
Memorable Sentence Technique
This technique is sometimes called the Bruce Schneier Method. It was first proposed back in 2008 and remains a highly effective password creation tactic.
Take a sentence or two that you will remember and convert it into a password. For example: ‘My favourite car? My old Volkswagen Beetle’ becomes: myfaca?MyolVoBe
And: Hello Sailor! Looking for a fair wind? becomes: HeSa!Lofoafawi?
Bizarre, Uncommon and Foreign Word Technique
This simple technique uses combinations of real but unusual and foreign words, business names, place names and nouns to create an initial phrase from which the password is derived. Here’s an example: AngleChienSpeaker45RPMWanze - which became this password: AnChSp45#RWa?
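The guidelines earlier in the article (length, mixed case, digits, a special character, no `<` or `>`), the two rules about leetspeak substitutions and keyboard walks, and the memorable sentence technique can all be put together in one checker. The block below is an added example written for this article, not code from the original page or from any of the password managers it mentions. It derives a password from a sentence the way the Schneier technique describes (first two letters of each word, keeping attached punctuation; the article’s first example additionally lowercases the leading letter, which this function does not do) and then checks the result against the guidelines. The short list of common passwords is a constructed stand-in for a real breached-password list, and the leetspeak map and keyboard patterns are assumptions chosen to cover the examples in the text.

```python
"""Password guideline checker plus sentence-to-password derivation.

Added example; COMMON_PASSWORDS, LEET_MAP and the keyboard patterns are
constructed stand-ins, not a real breach list or a product's rule set.
"""
import re
import string

# Constructed stand-in for a breached-password list (a real deployment would use a large one).
COMMON_PASSWORDS = {"password", "password1234", "letmein", "qwerty", "welcome", "iloveyou"}

# Common leetspeak substitutions, reversed so that 'P@55w0rd' normalises back to 'password'.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "7": "t"})

# Straight runs across or down a standard keyboard; reversed runs are checked too.
KEYBOARD_PATTERNS = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p",
]


def candidate_forms(pw):
    """All the shapes a cracker would compare against a wordlist: lowercased,
    leet-normalised, and both of those with non-letters stripped."""
    lower = pw.lower()
    forms = {lower, lower.translate(LEET_MAP)}
    forms |= {re.sub(r"[^a-z]", "", f) for f in list(forms)}
    return forms - {""}


def has_keyboard_walk(pw, min_len=4):
    """True if any `min_len`-character chunk of the password lies on a keyboard run."""
    low = pw.lower()
    walks = KEYBOARD_PATTERNS + [p[::-1] for p in KEYBOARD_PATTERNS]
    for i in range(len(low) - min_len + 1):
        chunk = low[i:i + min_len]
        if any(chunk in w for w in walks):
            return True
    return False


def check_password(pw, min_length=8):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if "<" in pw or ">" in pw:
        problems.append("contains < or >")
    if candidate_forms(pw) & COMMON_PASSWORDS:
        problems.append("matches a common password (after undoing leetspeak substitutions)")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    return problems


def password_from_sentence(sentence):
    """Memorable sentence technique: first two letters of each word, keeping any
    punctuation attached to the word so '?' and '!' survive into the password."""
    parts = []
    for word in sentence.split():
        letters = "".join(c for c in word if c.isalpha())
        punct = "".join(c for c in word if not c.isalnum())
        parts.append(letters[:2] + punct)
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ["password1234", "P@55w0rd!", "1qaz2wsx",
                      password_from_sentence("Hello Sailor! Looking for a fair wind?"),
                      "AnChSp45#RWa?"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Running this shows why the article’s rules work together: `P@55w0rd!` satisfies every character-class rule yet is rejected once the substitutions are undone, `1qaz2wsx` is rejected as a keyboard walk, and the sentence-derived `HeSa!Lofoafawi?` passes everything except the digit rule, which the checker reports so the user can add one. The digit run `1234` counts as a keyboard walk as well, which is intended.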
Creating and maintaining strong, unique passwords for all your accounts is essential but can be challenging. By following a few simple guidelines and making use of some excellent, freely available password management tools your account security will be significantly enhanced and you’re unlikely to suffer from potentially costly attacks.