How secure are your passwords? Have you put much thought into them or have you gone for one of the more common choices such as “password” or “123456″? Have you considered what would happen if one or more of your passwords was compromised and the impact it might have on your personal and professional life? Having someone guess just one of your passwords can lead to countless problems that can cost you money and take a huge amount of time to put right. If you run a small business and store customer data, being negligent with your passwords could even lead to a breach of the data protection act and a resultant fine.
The best course of action is to ensure your passwords are as strong as possible in the first place, so here’s our guide to making life harder for anyone trying to gain unauthorised access to your accounts.
Creating a strong password
Avoid words found in dictionaries - hackers use automated programmes that enter dictionary words as passwords until they find the right one so even if you use a relatively uncommon word, you are at risk.
Avoid using names or numbers that are personally significant to you - not only is much of this information publicly available via social networking sites, it can also be revealed via social engineering.
Make your password as long as possible - the longer a password is, the harder it is for an automated programme to crack it.
Use numbers, uppercase letters and special characters such as ! - again this makes it harder for automated programmes to crack your password. Fl0w3r would be a stronger password than flower. However, some hackers use programmes that search both for dictionary words and variants using common letter/number substitutions, so this on its own is not enough.
The ideal password should use more than eight characters, include uppercase letters, numbers and special characters, not include any personal information and not be limited to just one dictionary word in any language.
In practice that means the ideal password can be very hard to remember and the more accounts you have, the bigger the problem gets.
Remembering your passwords
Bruce Schneier, security technologist, recommends taking a memorable sentence and then transforming it into a password. So for example “this little piggy went to market” becomes “tlpWENT2m”. It meets the criteria outlined above and is easier to remember than a totally random string of characters. Just pick a sentence that is meaningful to you, abbreviate it and replace some letters with numbers. You can also generate multiple passwords in this manner for example, you could use a song with each line forming the basis for a password.
An alternative method is to use four common but unconnected words – this cartoon explains how it works.
If you really struggle to remember passwords you can use a service such as My1login and Last Pass, which allow you to securely store the login details for a number of sites. This means you can make your passwords as complicated as you like as you only have to remember the one that gets you access to the service you’re using. Obviously this master password needs to be as strong as possible.
As a last resort, you can write your password(s) down on a piece of paper and keep the note somewhere safe. Although this may seem counterintuitive, it’s actually safer than storing passwords in a document on your computer or using weak passwords. Just make sure you keep it somewhere only you have access to and that you don’t write down usernames in the same place as passwords.
Clearly the objective should be to keep your passwords out of the hands of the wrong people and that means not sharing it with anyone, even if you trust them explicitly.
Other things to consider
There are applications and plug-ins you can use to protect against brute force attacks. They work by limiting the number of times an incorrect password can be entered. Although you can’t use these to protect a password on a third-party site, they will help keep you safe if you run your own site.
Your email password is crucial – if someone gains access to your email account the chances are they will be able to reset the passwords for other services you use. That means they only have to compromise one password before they can take control of other accounts. It doesn’t matter how strong your other passwords are if your email password is weak.
You should use a different password for every site and service you log into. Doing so means that if a hacker gets the details for one of your accounts, they cannot then log into other services you use.
The danger of using the same log in details across multiple sites was highlighted when hackers used data that had previously been stolen to access 2,239 accounts on Tesco.com. The cybercriminals did not need to hack the supermarket website directly, the company was not at fault and the situation could have been avoided had the victims used different passwords for each online account.
Two-factor authentication adds another layer of protection and you should use it where it is available.
Finally, it’s vitally important to ensure you keep your computer operating system and anti-virus software up to date to ensure your passwords aren’t compromised through the installation of malware or a key logger.