ESSENTIALS: Perfect passwords


Earlier this year daily deals site LivingSocial suffered one of the worst security breaches of our times, with 50 million encrypted passwords stolen. It’s the kind of number that makes people sit up and take notice, but they aren’t the only victims of a crime like this. LinkedIn, Evernote, eHarmony, Yahoo, Sony (twice) – all big names that have fallen foul of this kind of attack on a massive scale, so you’d better make sure you’re running a secure password system wherever you sign up on the web.

Nothing in this world is completely safe, but you can improve your odds against Internet hackers by using an incredibly safe, complex password. This means using lower and upper case letters, numbers, symbols and spaces. Your password should be as long as possible; certainly no shorter than eight characters but ideally in excess of 14. One fairly common mistake is to use information that is freely available on the social web, like the name of your pet or your date of birth – hackers are onto this and if your Facebook or Twitter profile gives away any personal information these will be the first words they will try when attempting to break in. The other thing to avoid is words that appear in the dictionary or famous quotations as this is another thing hacking software can be set up to cycle through.

You can check your secure password creation skills on howsecureismypassword.net, which will tell you how many years it would take a hacker to discover it using brute force tactics – in other words systematically cycling through combinations of letters and numbers before hitting on the correct arrangement. Once you’re sure you know how to construct a safe password, go and think of a new one to use on your account that you haven’t just given away to a random website, just in case.

One benefit of so many passwords being hacked and leaked onto the web is that password researchers have never had such a boon in raw data to work with. Rather worryingly they have found that a lot of us are still using ridiculously unsafe passwords, like ‘12345’ and, ahem, ‘password’. A site like passwordsgenerator.net can help if you’re struggling to come up with something original.
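
The brute-force estimate described above, together with the length, dictionary and personal-information checks, as an added example in Python (not code from the article or from howsecureismypassword.net). The cracking rate, the common-password list and the personal terms are constructed assumptions; a real check would use the attacker's actual hash rate and a full leaked-password list.

```python
import math
import string

# Constructed sample data: stand-ins for a real leaked-password list and for
# details an attacker could read off a public social profile (pet name, birth year).
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein"}
PERSONAL_TERMS = {"fluffy", "1985"}

# Assumed offline guessing rate for a fast, unsalted hash. The real figure
# depends entirely on the hash the site used and the attacker's hardware.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw):
    """Size of the alphabet a brute-forcer must cycle through for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in pw:
        size += 1
    return size


def brute_force_years(pw, rate=GUESSES_PER_SECOND):
    """Average years to hit the password by trying every combination (half the keyspace)."""
    n = charset_size(pw)
    if n == 0:
        return 0.0
    return (n ** len(pw)) / 2 / rate / SECONDS_PER_YEAR


def entropy_bits(pw):
    """log2 of the keyspace: how many bits an attacker has to guess."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw):
    """Return the article's warnings that apply; an empty list means none did."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 14:
        problems.append("shorter than the recommended 14 characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    if any(term in lowered for term in PERSONAL_TERMS):
        problems.append("contains personal information")
    return problems
```

Note that a brute-force figure alone flatters a dictionary word or a leaked password, which is why check_password runs the list lookups regardless of the estimated years.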

Another common security mistake is to use the same password across all of your logins. Doing so means that if one account is hacked, all your accounts are vulnerable, so set a different secure password everywhere you go. This can give you another problem though – how on earth do you remember all these random passwords? The answer is to use a password manager, and there are several good options available, like LastPass, KeePass, 1Password and My1login. Using one of these services you will only have to remember one master password and the login manager will remember the rest.

Most of us store important and sensitive information on a desktop computer at home or at work, with the risk that if someone breaks in and steals it your personal files and documents could be compromised. You can protect those files and documents with a password too, adding another layer of security to your information. It also goes without saying that a regularly updated anti-virus solution will protect your computer against getting infected with a virus that would steal your passwords through logging your keystrokes. As an extra safeguard you can install an anti-key-logger like Key Scrambler that I reviewed a few weeks ago.

Personally I don’t do banking or other sensitive online activities on my smartphone as you never know who might be looking over your shoulder when you’re logging in. If you do, always check to see if anyone is watching and cover your screen with your hand when entering any passwords. You’d also be wise to log off any sensitive sites when you’ve finished interacting with them on your handset, just in case you lose it.

A lot of major websites also now offer 2-step authentication, which requires you to input a unique code that has been texted to your phone before you can log onto a site from a new location or browser. This means that anyone who manages to hack or discover your password will also have to have possession of your mobile phone before they can access your account. If you choose to opt in it will help keep your accounts safe, though if you move around a lot, swapping the devices you connect from, you might find it gets quite irritating after a while. It is definitely worth persevering though if security is important to you.


12 Comments

  1. Tunde says:

    Thanks, Kate.

  2. Sunil Date says:

    Password manager means again one pwd to be cracked. How does it become safe.

    • Kate Russell says:

      Nothing is bullet proof, but to keep all your other (perhaps dozens of) logins safe you need a different, complex password for each. Unless you have savant levels of recall (or write them on a post it note) this is not possible to manage without the help of a password manager… for which you can make one complex password you can hopefully remember. For this password you could think of a phrase you won’t forget – like ‘my cat likes to lick the marmite knife when I have 2 slices of toast at the weekend’ – then use the first letter of every word in a mix of upper & lowercase letters and numbers, and throw in a couple of symbols for good luck. This could make a password like ‘=McL2LtmKWiH250TaTw~’

      While not a guarantee against being hacked, this scenario is far more secure than using the same, non-complex password across all your logins…

  3. You would think in this day and age of touch screen technology that it wouldn’t be too hard for a fingerprint to be used as a password. Just think, no more having to remember any passwords whatsoever!

    • Kate Russell says:

      Indeed.. I now have fingerprint ID on my iPhone 5S. There are objections to the tech, in that it is something you cannot change so your login would be the same on every site, forever.. and you leave fingerprints everywhere you go. The technology to clone them is not commonplace today, but imagine what might be possible in a decade from now?

  4. Steven says:

    CloudFuze is the highly secured password manager that offers single sign on to access all your cloud storage accounts via desktop and mobile.

    CloudFuze offers high security measures while offering advance account and file management features.

    http://www.cloudfuze.com

  5. David Morgan says:

    One secure way I was told by a developer was to have a ‘parent’ password e.g.
    KR8ssel and then for each app modify e.g. KR8ssel_Twitter; KR8ssel_ABCBank

    this makes it easy to remember, long enough to be hard to hack.

  6. Matthew says:

    The password debate will run on and on, and several reports suggest that many supposedly good solutions are not, with crackers getting ever larger lists of words, phrases and substitution rules to cover many common letter to number swaps.

    The main-with-extension scheme mentioned above was tagged as being vulnerable to multiple compromise: if one is broken, it gives clues to others.

    Of course, I would challenge anyone to break my Wifi passkey – it’s 63 characters random upper/lower/numeric – and I thought … great, I’ll just cut and paste from a text file … then mum got an ebook!
    I do not recommend typing 63 characters of random gibberish on a touchscreen keyboard where it takes 2 extra keypresses to shift between UC/LC or alpha and numeric.

    I think 63 random lowercase would be sufficient – dictionary proof and still way beyond practical bruteforce attack.

    I’d say as a basic principle, a password that is easy to remember, will not be strong, and if you record the password on any medium, then the security of the password is the security of the medium – and though “on a postit note” is bad in many respects, a virus/malware cannot compromise a piece of paper.

  7. John Mauzy says:

    Are there some symbols that should/cannot be used?

  8. General Keli says:

    hi great idea with the password checker thing. But I don’t trust it because I have a feeling it is being stored in a database. This can be used by individuals somewhere some time to get into my accounts. I just want to be sure of how secure it is.
