2.1 How to pick a proper password
This section is part of the amber and green pathways.
Using your pet’s name, your street’s name or a random word can be easy to remember, but can also be easy to guess.
Even if the website uses hash functions, if the passwords are single dictionary words, the attacker can generate lots of possible passwords, hash them and see whether any of them match a stored one. Attackers always start with dictionary words and variations thereof, as most passwords are normal words.
So your accounts will be more secure using long passwords made up of a collection of numbers, letters and symbols that don’t resemble a dictionary word. One way of coming up with such passwords is first to choose a memorable phrase and convert it in the way described in the video above.
Strong passwords – long strings of characters that don’t appear in any dictionary, or at least five separate non-related words that are not easily guessable – are vital. The other thing to remember is to use a different password for every account.
The majority of cases in which someone’s password has been compromised have occurred when an attacker has cracked someone’s password on a low-value, low-security site, and that user used the same password for another, higher-value site. The attacker either knows or guesses the target’s username on the higher-value site and then tries the cracked password on it.
For more advice about how to choose strong passwords read the Good password checklist. It might be useful to print off and keep this.
Good password checklist
- Don’t use simple, short, easy to guess passwords such as names of friends, family and pets. Don’t use words from the dictionary or commonly used passwords such as 12345 or QWERTY.
- Don’t use substitute characters such as pa22w0rd
- Don’t use the same password on more than one website
- Do use long passwords that are a random mix of upper case, lower case, numbers and other characters, such as giYT%$54vcD3W
- For memorable passwords do use a string of at least five unrelated disctionary words such as bamboo glasses book engine red
- Don’t share passwords with other people. If they need access to data they should be given their own login.
- Don’t leave passwords lying around in notebooks, or on sticky notes close to your computer, or in files on your computer where they can easily be read.
- Before you enter a password into a website, make sure it is using a secure connection beginning with https:// (it might also show a small padlock close to the address) this means the site is using a secure link that cannot be intercepted by attackers.
- When you register with some online services they will send you a password so that you can log in. Many sites force you to change the password when you first log in, if they don’t, change it when you first visit the site.
- Change the default password on devices such as your internet router. This is programmed at the factory and some companies have a single password for all their devices. An attacker only needs to know the make of your router to gain access.
- If you have trouble remembering passwords try a password manager program that not only stores passwords, but can generate new, highly complex passwords for you.
- Two-factor authentication gives you additional protection as it requires two pieces of information (such as a password and a random number sent by SMS) to provide access to your data. If a company offers two-factor authentication, you should use it.
In the next section you’ll get to test the strength of your passwords.