Secure Passwords
Almost every aspect of our online lives is password protected at some level. Everything from personal details and family photos to corporate secrets and banking access sit behind some form of password. This is why it is important to make sure that your passwords are secure, unique and difficult to crack.
We have also written a handy guide concerning the broader topic of staying safe and secure online in general, which is available here.
This guide is written for use by end users and up – feel free to copy, paste and distribute the pieces you need to your users.
First of all make sure your password is long enough. The recommended length is at least 12 characters long. Hackers use code cracking software to make it past password defences, so a password of only 4 or 5 characters is quite simple for them to crack. For instance, a password of 4 standard characters in length has approximately 1.6 million different combinations. This may sound like a lot, but if you have a piece of software trying a new combination every second, that password will be cracked in less than 500 hours.
Always try to avoid using just a normal word, password for instance, or secret is another common one. Chancers and hackers can and will try to get into your accounts purely just by using the commonest passwords that people pick. Also avoid using words that are easily linked to you – if you are an avid gamer for instance, having callofduty as your password is something very easily guessed, or using your children’s names. If you are generating a password for company use, don’t use the company name or anything easily linked to the company. People trying to crack into your accounts may be people you know or people who have done some research on you already, so anything that is easily associated with you should be avoided. A good general rule is to just try and avoid single complete words or names altogether.
Upper and lower case characters is a simple but effective way to make your password harder to crack. Adding random upper case letters into the middle of your password is essential. Try to avoid just putting a capital letter at the beginning.
Adding numbers to your password is also essential, but that in itself does not automatically make the password safe, so follow the rules from above and avoid Password1 or Secret1 – again very common and very easily cracked by someone with malicious intent. If you must use a word or phrase, swap some of the letters out for numbers. For instance you could change ilikefudge to il1k3Fudg3.
It is also recommended to add character symbols from the keyboard also. Using the above example, it might make this easier if you substitute a letter or two for an easily recognisable symbol, so ilikefudge could become il!keF$dge.
Even better is to use a password manager (like LastPass or Chrome) which can generate secure passwords for you, and then also store them securely for you.
Make sure to change your password often. Your password might have already been cracked and someone is rifling through your particulars, but you are unaware. It is good practice to change your password at least every few months, but ideally every few weeks. Make sure that the new password is different from previous ones. Determined crackers can easily get past a new password if you just add a single character to the end of it.
So if you follow all of the above tips, you should end up with a secure password. However, you might end up with string of characters that is impossible to remember, which is also not a situation you want to be in. In order to have secure AND memorable password, pick a phrase that you are likely to remember, then apply all of the above rules to it.
rooneyhattrick can become r0on3YH@ttR!ck
ilikefudge can become iL!k3f$dGE
poppadumfever can become p0PP@dumfEv3r
If you don’t trust your memory completely and you think writing it down is a must, then make sure you don’t label it as a password and keep it locked away.
Using a password manager, such as Chrome or LastPass, or 1Pass can help also.
Good Practices
You should change your password regularly.
You should also change your password whenever you suspect that somebody knows it, or even that they may guess it, perhaps they stood behind you while you typed it in.
Don’t re-use an old password.
Never store your password on your computer except in an encrypted form. Note that the password cache that comes with Windows (.pwl files) is NOT secure, so whenever windows prompts you to “Save password”, don’t.
Don’t tell anyone your password, not even your system administrator
Never send your password via email or other unsecured channel
Be very careful when entering your password with somebody else in the same room.
Use 2FA or MFA. This is 2-factor authentication, or multi-factor authentication, this involves having another method to identify you rather than JUST a passwords. Some systems require this by default, you may have noticed some platforms send a text message or require a fingerprint as well as a password. Enable this where you can for your accounts.
General Tips
Don’t just add a single digit or symbol before or after a word. e.g. “apple1″
Don’t double up a single word. e.g. “appleapple”
Don’t simply reverse a word. e.g. “elppa”
Don’t just remove the vowels. e.g. “ppl”
Key sequences that can easily be repeated. e.g. “qwerty”,”asdf” etc.
Don’t use passwords based on personal information, including partial words like part of your name or part of your birth date.
Don’t use passwords based on things located near you. Passwords such as “computer”, “monitor”, “keyboard”, “telephone”, “printer”, etc. are useless.
Further Reading
For further guidance on passwords, please see this helpful government guide here.
There is also a rather humourous skit about passwords from comedian Don Friesen here.