Passwords - When will we learn?

[Image: a collection of poor passwords]

You would think that after all this time we would have learnt, but at the end of the day, as a rule, we can all be pretty lazy.


Do you recognise any of these:


123456, password, 12345678, qwerty, 12345, 123456789, football, 1234, 1234567, baseball.


If you do and you are using it as a password, then stop reading this right NOW and go and change it.
The list above shows the top 10 passwords of 2015, and it has stayed pretty constant for the past 5 or so years.


But change it to what?


The problem with passwords...


... is that they are so difficult to remember, and that is deliberate. No password is unbreakable, but some are much better than others, as can be seen above.


A strong password should be difficult for an attacker to guess, or, more likely, for a computer to generate.


Top Tips


Avoid dictionary words.
Most hackers use a technique known as a dictionary attack, which tries to find your password by working through a list of the most common dictionary words. It is a form of "brute force" attack; the more general version tries every combination of letters, numbers and symbols.


The longer the better.
For example, the word "badpass" would take an average desktop computer a minute to guess, but the average botnet much less than a second. Adding 3 extra characters to make "Badpasswd2" increases those times to 1 year and 37 seconds respectively. "Badpasswd2000long" would take that same botnet 1 million years to crack. Quite a few systems restrict your maximum password length to 10 characters (the same length as "Badpasswd2"); as you can see, given unlimited attempts this severely compromises your security. Most websites limit the number of password attempts you are allowed before you are either locked out or slowed down in some way.
Try this online checker: https://secured.online-domain-tools.com/user.sign-up.step1/
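To make the two tips above concrete, here is an added example (not code from the original post, and not the online checker it links to) of the check a site could run when someone picks a password: reject anything on a known-bad list, flag a dictionary word with digits tacked on, and estimate the worst-case time for an exhaustive search. The ten-entry "common" list is the one quoted in the post, the mini dictionary and the two guess rates (100 million and 1 trillion guesses per second for "desktop" and "botnet") are constructed assumptions, so the absolute times will not match the post's figures; what the example shows is how sharply the search time grows with length and character variety.

```python
import string

# Constructed sample data: the ten passwords quoted in the post, standing in for a
# real leaked-password list (which would have millions of entries).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

# Constructed mini dictionary, standing in for a full word list.
DICTIONARY_WORDS = {"password", "football", "baseball", "welcome", "monkey", "dragon", "letmein"}

# Assumed guess rates in guesses per second; illustrative only, not measured figures.
GUESS_RATES = {"desktop": 1e8, "botnet": 1e12}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search if they know only which character classes were used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover in the worst case."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float) -> float:
    """Worst-case time, in seconds, to try every candidate at `rate` guesses per second."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:.3g} {name}"
    return f"{seconds:.3g} seconds"


def dictionary_core(password: str):
    """Return the dictionary word a password is built from, if it is a word with digits or symbols added."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core if core in DICTIONARY_WORDS else None


def check_password(password: str) -> dict:
    """Sign-up policy check: reject known-bad passwords, then report search-time estimates."""
    result = {
        "password": password,
        "common": password.lower() in COMMON_PASSWORDS,
        "dictionary_word": dictionary_core(password),
        "length": len(password),
        "estimates": {name: human_time(seconds_to_exhaust(password, rate))
                      for name, rate in GUESS_RATES.items()},
    }
    # Minimum length of 12 is a policy choice assumed for this example.
    result["accept"] = (not result["common"]
                        and result["dictionary_word"] is None
                        and len(password) >= 12)
    return result


if __name__ == "__main__":
    for pw in ["123456", "football2016", "badpass", "Badpasswd2", "Badpasswd2000long"]:
        print(check_password(pw))
```

The estimate is deliberately the attacker's worst case (the whole keyspace); a real cracker orders its guesses so that common patterns fall early, which is exactly why the list and dictionary checks come before the arithmetic.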


Never reuse a password.
LinkedIn leaked 6.5 million login details and Yahoo leaked 450,000. If you were caught by one of these hacks, or any of the many others (some estimate that 272 million Gmail, Hotmail and Yahoo account details are being traded by hackers), and you use that same password for your email or, worse, internet banking, then you are leaving yourself exposed.


Never allow your browser to save a password.
Turn the setting off. Here is a link to a Kaspersky Lab article which describes how to do it in the most common browsers.


Use 2-factor or multi-factor authentication wherever possible.
This is not actually a tip for creating a better password; it is something that should be used in conjunction with a strong password. Two-factor authentication (also known as 2FA) is a method of confirming your identity using a combination of two different components, and is a type of multi-factor authentication. An example might be that when you log in to a website, your bank for example, you need to know your password but also need to enter a code generated by a hardware dongle.
To check whether your favorite website supports 2FA, and most of the big ones will, go to this site: https://twofactorauth.org/


Finally, consider using a password manager. Password managers are the subject of a separate blog post, but suffice it to say that they are certainly much better than a weak password that you can remember. I would say that password managers that can be run from a USB stick are my recommendation.