Password security advice: best tips for generating strong passwords20 April 2022
In today’s online space, generating, managing, and remembering hundreds of passwords for accounts and websites is getting out of hand. Password generators, password managers and security advice are abundant and loud on the internet, so we thought we would do you a favour; TSC have put together the best security tips for generating and managing strong passwords to protect your data from hackers.
Best practice for password security is always evolving and shifting to better respond to new attack vectors and schemes. To that end, keep an eye on The Insider for regular updates and helpful tips pertaining to not just password security but also cybersecurity and awareness. You can register as a subscriber to The Insider newsletter here, so, you will never miss a beat!
In today’s Insider, we will be exploring how hackers break passwords, the current best practices for password security, as well as the latest advice for password creation and management.
Methods hackers use to get your passwords
- Dictionary-based hacks: This is an automated program that systematically combines and runs through dictionary words from commonly to least-commonly used. This hack mimics obvious passwords and will break accounts with low password strength (For example: “Pass1546” or “Liverpool786”)
- Social scraping: Hackers know that the accounts with the weakest password are often ones that use names, birthdays, and personal information to form the password itself (For example: “Rover011063”). Hackers can browse and scrape your social media to pull information that you may have willingly shared online but unwittingly used to form your passwords.
- Brute force attacks: This is when an automated program runs through every possible character combination to find your password. These attacks are usually highly successful against short passwords. Imagine your password is a variation of “Password” (which is extremely bad by the way!), a brute force attack would cycle through all the possible formations, such as “p455w0rd”, “p@sswOr6” etc, until they find the right one.
- Phishing: Here, a hacker will pretend to be a credible and trusted individual or organisation to get sensitive information from you. Phishing schemes use fraudulent websites, emails and even calls to trick you into a breach.
Top 10 tips for strong password security
- Never use personal information: We get it; it is easier to remember your passwords if you tie it to something or someone that you will never forget or misremember. However, this is the biggest no-no in password security. Anything that is known about you or discoverable is a no-go. This means no family names, pet names, personal locations or even interests and hobbies. This has not stopped users, however, as a MicroBizMag survey revealed that 4.1% of their respondents use the name of a pet in their passwords. You would be surprised just how much of your data and personal information hackers can find freely online. You do not want to make it easy for them!
- Unique passwords: In the past, advice suggested using a singular base password and then adding unique characters/numbers to it for separate accounts. Not only is this a bad idea but also a point of vulnerability. If a competent cyber attacker can figure out your base password, it will not take them long to infiltrate all your accounts. You MUST use a different and unique password for each site you sign up to.
- Disable browser storage: Browsers such as Chrome, Safari and Explorer will offer to store your passwords for you to speed up online form processes. Whilst this is tempting, please do not store passwords in your browser. Hackers can use malware to sneak into your browser data and steal passwords. In fact, as recently as December 2021, new malware called RedLine was seen to be wreaking havoc on data stored in browsers.
- Passphrase vs Password: Research shows that single or simple passwords can be very easily cracked. Cyber hackers use a program called rainbow tables to regularly target accounts using the most commonly used passwords, in both their hashed and encrypted versions. The current best practice is to do away with passwords as we traditionally know them and opt for passphrases. Staying away from personal words and interests, formulate a passphrase with random entries. Examples of strong passphrases include: “carpetchinarocket153”, “keyfacemagenta76”, “fashionlorryfly923” etc.
- How to use special characters: Often you will find websites or online portals asking you to use special characters (numbers, capitals, and symbols) to strengthen your passwords. Make sure you do this but in the right way. Do not use special characters to replace letters in your base password/passphrase. This is a trick that hackers are aware of and look out for. For example, do not turn the passphrase “carpetchinarocket153” into “C4RPE7CH1N4R0CKE7153”. Hacking software is now smart enough to simply substitute letters in a known base passphrase for special letters until they hit the jackpot. So, when you are using special characters, use them between words in your passphrase. For example, “carpetchinarocket153”, should be “carpet%$china/?rocket**345!”.
- Stay away from keyboard paths: There is a habit amongst some online users to use keyboard paths as passwords as they are easy to remember. This is one of the worst practices for password security. Never use sequential keyboard paths such as “QWERTY” or “123456” to form passwords, lest you want a hacker to break into your account. According to NordPass, over 2.5 million people use “123456” as their password.
- Size Matters: When asked to create a password, you will often be given a minimum character count. As a good rule of thumb, try to generate a password that is at least twice as long as the recommended character count. The longer the password you choose, the harder it is to crack. For example, a 12-character password takes 62 trillion times longer to crack than a six-character password. This is, again, another reason to use a passphrase rather than a password.
- Two-factor authentication: 2FA is necessary for protecting your accounts from nefarious cyber-attacks. You will find that a lot of social networks and websites now include 2FA as a standard aspect of their password security. However, other sites have it as a selectable option in your account’s security settings, so make sure you find and enable it. With 2FA, if someone tries to log in to your account from a different IP address or device than normal, you will be sent a one-time code to your mobile device via SMS to authenticate the login. If a hacker manages to crack your password, they should be halted by the 2FA obstacle as they will not have access to your one-time pass code sent to your mobile device.
- Believe in the password manager: You have so many plates spinning, why do you need to add password management to your overloaded brain activity? Using a password manager not only lets you generate passwords in an instant but also recognises which passwords are associated with which account. There are a whole host of password managers out there that create encrypted vaults for your passwords, such as LastPass, Dashlane, NordPass etc.
- Update and change your passwords: In the past, it was recommended to regularly update and change your passwords. Whilst this advice still holds true, you should not be changing them all the time. Research from The National Cyber Security Centre (NCSC) states that when users update their passwords regularly, their new entries become derivative and easily guessable. If you have a strong password that has stood the test of time, stick with it. But if you are seeing suspicious activity or unrecognised logins, make sure you are swift to update and change your password. According to a Google survey, only 45% of users change their password after a breach!
The best password generators/managers today
As mentioned above, the selection of password generators/managers today is particularly good. We have put together a shortlist below for you with some pros for each offering also:
- LastPass: 100% free password generator available for desktop and mobile. Generates passwords up to 50 characters long and imports new passwords directly into one of the best managers on the market.
- Dashlane: Desktop and mobile compatible with password generation up to 40 characters long. Password management features are not as smooth and simple as LastPass but still exceptionally good.
- NordPass: Create passwords up to 60 characters long with the base version of the NordPass Password Manager coming in free.
- KeePass: Free and open-source, KeePass is a little harder to set up than the aforementioned options, but it is quick and can follow specific password generation rules across all websites.
How to check if your password has been compromised?
In cybersecurity, you will often see news stories and press releases notifying the public of data breaches and hacks. It can be difficult to ascertain whether your account/email has been compromised in these breaches because we sign up for so many things online.
This public service website, www.haveibeenpwned.com takes your email address and notifies whether data associated with an account linked to your email has been compromised. This site has logged over 11 billion compromised accounts to date. This is a safe and respected site, and you should use it regularly to see if you have been breached and which passwords need updating.
How to check the strength of your password?
There are a few online tools available to you to check the strength of your password. However, HowSecureIsMyPassword is a tried and trusted tool for a quick-double check on any passwords/passphrases.
In Conclusion: make your passwords hacker-resistant
Did you know that 23.2 million victim accounts worldwide used “123456” as a password (NCSC)?
Think of your online password like the lock on your front door. When you are not at home, this is the only thing keeping burglars out of your home. When you are not logged in, your password is the only thing keeping hackers from your data. The stronger the password, the stronger the lock on your account.
The advice and tips we have gone through today should go a long way to creating strong and powerful passwords. Password security should not be an afterthought for anyone. Data breaches and cyber-attacks happen every single day … you will never know if the next attack will target your data so make sure you have the best defence possible!