Why it’s important to set a strong password

Your password is your metaphorical ‘key’ to unlocking your online ‘front door’. You wouldn’t hand your house key to just anyone, would you?

Passwords are the first line of defense against unwanted access to your computer or accounts. The stronger a password, the better protected your computer or accounts will be from hackers or malicious software. A study by BitDefender showed that 75 percent of people use their e-mail password for Facebook, as well. If that's also your TradeMe or PayPal password and it's discovered, say good-bye to some funds, if not friends.

BitDefender warned social media users to be careful when setting up passwords for social networking platforms and email. The researchers managed to verify the leaked email accounts and found that 75 percent of users had one common password for social networking and accessing their email. Additionally, the study revealed that 87 percent of email IDs, user names, and passwords gathered from various sources were still active.

Your go-to rules for setting passwords

You have probably heard this a number of times before, but there are two important tips when it comes to passwords:

  • DO choose a password that is impossible for others to guess
  • DON’T use the same password for every account or service

While it may seem obvious to use a password that is nigh on impossible for others to guess, doing so takes more than just refraining from using pets’ names, birthdays or anniversaries.

What makes a password strong?

A strong password:

  • Is at least eight characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete word.
  • Is significantly different from previous passwords.
  • Contains characters from each of the following four categories:
    • Uppercase letters e.g. ABCD
    • Lowercase letters e.g. abcd
    • Numbers e.g. 1234
    • Symbols found on the keyboard and spaces e.g. ! @ # $ % ^ & { }

When creating a strong password, use a string of text that mixes numbers, both lowercase and uppercase letters, and symbols. It should be at least eight characters long, and preferably many more. The characters should be random, not taken from words, the alphabet, or the layout of your keyboard.
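The rules above can be checked mechanically. The following is an added example, not code from the original article: a small Python checker that applies each rule in the list (minimum length, no user/real/company name, no complete dictionary word, not too similar to a previous password, all four character categories). The function names, the messages, the tiny stand-in word list and the similarity threshold are my own choices; a real deployment would load a full dictionary.

```python
import difflib
import re

# Rules from the list above. Names, messages and the sample word list are my own.
MIN_LENGTH = 8
CATEGORIES = {
    "uppercase letters": re.compile(r"[A-Z]"),
    "lowercase letters": re.compile(r"[a-z]"),
    "numbers": re.compile(r"[0-9]"),
    "symbols or spaces": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed stand-in for a real dictionary; load a full word list in practice.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "newyork", "letmein", "money"}
# Assumption: above this difflib ratio two passwords are "not significantly different".
SIMILARITY_LIMIT = 0.7


def password_problems(candidate, user_name="", real_name="", company="",
                      previous=(), words=SAMPLE_WORDS):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "Does not contain your user name, real name, or company name."
    for label, value in (("user name", user_name), ("real name", real_name),
                         ("company name", company)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")

    # "Does not contain a complete word": any dictionary word appearing whole.
    found = sorted(w for w in words if len(w) >= 4 and w in lowered)
    if found:
        problems.append(f"contains the word '{found[0]}'")

    # "Is significantly different from previous passwords": case-insensitive
    # comparison using difflib's similarity ratio (my choice of measure).
    for old in previous:
        if difflib.SequenceMatcher(None, lowered, old.lower()).ratio() > SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
            break

    # "Contains characters from each of the following four categories."
    missing = [name for name, pattern in CATEGORIES.items() if not pattern.search(candidate)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    return problems


if __name__ == "__main__":
    # Constructed candidates; the second is the article's own worked example.
    for pw in ("g7$Vq!2pLm#9", "Kr0yw3^", "Password123"):
        print(pw, "->", password_problems(pw) or "OK")
```

Note that the article's worked example "Kr0yw3^" mixes all four categories but is only seven characters long, so the checker rejects it on the length rule alone; an extra character or two (or a longer starting word) fixes that.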

So how do you make such a password?

  1. Spell a word backwards. (Example: Turn "New York" into "kroywen.")
  2. Use l33t speak: Substitute numbers for certain letters. (Example: Turn "kroywen" into "kr0yw3n.")
  3. Randomly throw in some capital letters. (Example: Turn "kr0yw3n" into "Kr0yw3n.")
  4. Don't forget the special character. (Example: Turn "Kr0yw3n" into "Kr0yw3^.")

You don't have to go for the obvious and use "0" for "o," or "@" for "a," or "3" for "e," either. As long as your replacement makes sense to you, that's all that matters. A "^" for an "n" makes sense to me.

Avoid Common Passwords

If the password can be found in the dictionary, it isn’t a strong enough password. Likewise, using numbers or letters as they appear on your keyboard (“1234” or “qwerty”) is a no-no. Even if you go with your pet's name, your birthday, your anniversary or your car number plate and add a couple of numbers at the end, these are all things that hackers try first.

They write programs to check these kinds of passwords first, in fact.

Other terms to avoid: “letmein”, “money”, "god", "love", and if you even think about using the good old “password” as your password, just leave the Internet now.

Varying passwords

Once you have chosen your password, and it looks as though someone stomped on your keyboard, it’s a good idea to vary it across different accounts and systems. Companies such as banks are less likely to fall victim to an attack, but if you use the same password for your bank as you do for other sites, your bank account will only be as safe as the weakest protection on any of those other sites.

Password encryption

Websites store your password in encrypted form (more precisely, hashed), meaning it has been run through a one-way process that turns it into an unreadable string of characters.

To authenticate your login, they simply run your submitted password through the same process and compare the result with your stored, coded password – far easier than recovering your original password from the encoded form. Depending on how strong the website’s hashing is, that recovery task can vary from “really hard” to “nearly impossible” – but no system is perfect.
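The store-and-compare process described above, as an added example that is not part of the original article. The weak variant (`naive_hash`, one unsalted fast hash) is shown beside the stronger one (`hash_password`, a salted and deliberately slow PBKDF2-HMAC-SHA256) so the difference "really hard" versus "nearly impossible" is visible: with the weak variant, every user who chose the same password gets the same stored value. The iteration count, the record format and the function names are my own assumptions, not any particular website's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 with a per-user random salt. The iteration
# count and record layout are my choices, not a particular website's.
ITERATIONS = 600_000
SALT_BYTES = 16


def naive_hash(password: str) -> str:
    """The weak way: one unsalted, fast hash. Identical passwords give identical
    records, so a single precomputed lookup table exposes every user who chose
    the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted, deliberately slow one-way hash of the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same process on the submitted password and compare the results."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demo: two users who happened to pick the same password.
    print(naive_hash("Kr0yw3^") == naive_hash("Kr0yw3^"))        # True: same record for both
    print(hash_password("Kr0yw3^") == hash_password("Kr0yw3^"))  # False: salts differ
    print(verify_password("Kr0yw3^", hash_password("Kr0yw3^")))  # True
```

The salt is stored alongside the hash in plain view; its job is not secrecy but making each record unique, so an attacker who steals the file has to attack every account separately instead of once for all of them.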

If a web server is hacked, the encoded password file can be downloaded. Widely available password-cracking tools exist to help attackers decode stolen password lists. They start with huge databases of commonly-used passwords (“Password123” isn’t as clever as it used to be…) and add:

  • entire dictionaries (from multiple languages)
  • massive lists of proper names (of humans, animals, even sports teams)
  • TV show, song and movie titles
  • and so on…

What’s more, the cracking tools automatically try combinations and variations – capitals/lowercase, plurals, numbers or symbols added before and after the words, and so on. They can do this because modern computer hardware can test billions of combinations per second against a stolen list of encoded accounts.

Do NOT keep a written list of your passwords at home or at work. That’s about as smart as writing your PIN on the back of your credit card. It is, however, a good idea to keep a list of the sites on which you hold accounts, so that when it comes time to change passwords you won’t overlook any. And it’s definitely worth taking a few minutes each year to go through and update them.

Has your company got a password policy?

It’s a good idea to establish a written password policy for your business. You can find templates for this online and adapt one to suit the needs of your company; communicate the policy to your team and make it part of the induction process for all new staff.

Microsoft has just made it easier to set a strong password

Microsoft is creating a dynamic list of stupid passwords that you're forbidden to use with your online accounts, in an effort to protect people from their own laziness.

Making simple rules which force people to create stronger passwords often only encourages lazy people to come up with a slightly longer dumb password, such as switching from "password" to the supposedly much more secure "password1".

Microsoft's latest solution is to study these lists of stolen passwords and automatically ban the most common, even if technically they pass its requirements in terms of length and complexity.

Pretty soon if you try to use a dumb password with your OneDrive or other Microsoft account you'll politely be told: "Choose a password that's harder for people to guess". Read more on this on Stuff.co.nz.
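The "banned list" idea described above, as an added example that is not Microsoft's code or the article's: a candidate password is first reduced to the base word a cracking tool would start from (lowercased, trailing and leading digits or symbols stripped, the usual number-for-letter substitutions undone) and then looked up in a list of common passwords. That is why "password1" and "P@ssw0rd!" are refused even though they pass a naive length-and-complexity rule. The word list here is a constructed excerpt, and the substitution table, normalisation steps and function names are my own assumptions; Microsoft's actual list and matching rules are not published in this form.

```python
import re

# Constructed excerpt of a banned list; a real deployment would load the
# common-password lists harvested from breaches that the article describes.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "monkey", "iloveyou", "welcome",
    "123456", "money", "god", "love", "newyork",
}
REFUSAL = "Choose a password that's harder for people to guess"

# Undo the usual digit/symbol-for-letter substitutions (my own table). Personal
# substitutions like the article's "^" for "n" are not in it, which is exactly
# why they are harder for a tool to undo.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce a password to the base word a cracker's rule set would start from."""
    base = candidate.lower()
    # Drop the digits and symbols people tack on the ends ("password1", "!qwerty!").
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def check_against_list(candidate: str, banned=COMMON_PASSWORDS):
    """Return None if the password is acceptable, otherwise the refusal message."""
    if candidate.lower() in banned or normalize(candidate) in banned:
        return REFUSAL
    return None


if __name__ == "__main__":
    # Constructed candidates: three "slightly longer dumb passwords" and one good one.
    for pw in ("password1", "P@ssw0rd!", "L3tM31n2024", "g7$Vq!2pLm#9"):
        print(pw, "->", check_against_list(pw) or "accepted")
```

Both the raw lowercased form and the normalised form are looked up, so all-digit entries such as "123456" (which normalise to an empty string) are still caught.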

Protect yourself with more than a password

This infographic goes over two-factor authentication for added protection. Make sure you take a look.
