Convenience has always been one of the greatest enemies of security. Our online activities are constantly increasing and with them the number of accounts we create at various online services. It is very tempting to use a single, easy to remember password for all those accounts.
Using the same password for everything is of course convenient, but it can be disastrous for your online safety. If, for example, one of the websites you have an account with is hacked and the hackers steal your credentials, they will have access to your email, social accounts and online banking account as well.
If you also happen to be the owner of a website or an e-Shop, then the stakes are even higher. As a website owner, you are not only responsible for your own information, but you are also responsible for the information of the hundreds or thousands of your users. You owe it to the people who trust you with their personal data to maintain good security standards on your own website.
The general guidelines for a secure password are as follows:
- It must be more than 12 characters and contain uppercase and lowercase letters, numbers and symbols
- Never use it for more than one account
- You should change it once a year
- Do not use a common English word
- Do not include in it any personal information like a name, nickname, pet name or date of birth
One other important thing to be aware of is how hackers crack passwords. A hacker will not sit in front of his screen and try to guess your password; this is something your girlfriend might do. What usually happens is that when a website is hacked the hacker grabs the entire database with all of the users’ credentials.
If the website saves passwords in plain text, which would be a horrendous disregard of their users’ safety, then the hackers will have your password. If you use the same password everywhere, then they will probably have full access to your entire online world, with whatever that entails.
If, on the other hand, the website hashes passwords before saving them to its database, then the hackers will have to brute force your hashed password instead. They can use very expensive computers with powerful graphics cards that allow them to try millions or even billions of combinations per second.
They can also use dictionary attacks and try the most common words and passwords first in order to speed up the process. If your password is something like "passw0rd", it will be cracked in a couple of seconds.
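The two storage choices described above, plain text versus hashing, differ in how much work a stolen database forces on the attacker. The following is an added example, not code from the original article: it contrasts an unsalted fast hash with a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) and shows the denylist check that keeps an entry such as "passw0rd" from being stored in the first place. The `COMMON_PASSWORDS` set is a constructed stand-in for the real common-password lists, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed denylist standing in for the "most common passwords" lists that
# dictionary attacks try first (real lists run to millions of entries).
COMMON_PASSWORDS = {"password", "passw0rd", "123456", "qwerty", "letmein"}

# Assumed PBKDF2 work factor; raise it as hardware gets faster.
ITERATIONS = 600_000


def is_common(password: str) -> bool:
    """True if the password appears in the constructed denylist (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, shown only for contrast: every user with the same password
    gets the same digest, and a GPU can test billions of guesses per second against it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash suitable for storage.

    Stored format: iterations$salt_hex$digest_hex, so the parameters travel with
    the record and can be upgraded later without a flag day.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    passphrase = "arterylemondogmasugarfrostsofa"
    print(is_common("passw0rd"))                               # rejected before storage
    print(fast_hash(passphrase) == fast_hash(passphrase))      # no salt: identical digests
    first, second = hash_password(passphrase), hash_password(passphrase)
    print(first != second)                                     # per-user salt: different records
    print(verify_password(first, passphrase), verify_password(first, "passw0rd"))
```

The salt defeats precomputed tables and forces the attacker to work on one account at a time; the iteration count multiplies the cost of every single guess, which is what turns "billions per second" into a far smaller number for the same hardware. None of this rescues a password that sits in the attacker's dictionary, which is why the denylist check runs before hashing.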
How to create a hard to guess password
The whole idea behind a password is that it should be hard for a hacker to crack but easy for you to remember. This is the reason why security experts introduced the concept of the passphrase. A passphrase can consist of at least six randomly chosen words, which is a lot easier to remember than a huge number of unrelated characters.
The chosen passphrase must not be a popular phrase like for example "An apple a day keeps the doctor away". These already exist in the dictionaries hackers use to break passwords and they will crack them easily.
Instead, you should choose six or more unrelated words like artery, lemon, dogma, sugar, frost and sofa. It is highly recommended to use the dice method suggested at this website to get your random words.
The words above would give us the passphrase arterylemondogmasugarfrostsofa which is 30 characters long. With little effort, you can memorize these words, something that would be impossible to do with 30 random characters.
To increase the security of your passphrase, you can make up your own scheme to make it even more complex. For example, you can make every other word capitalized, like arteryLEMONdogmaSUGARfrostSOFA or swap some letters with symbols and numbers like @rteryLEM0Nd0gm@$UG@Rfr0$t$0F@.
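The dice method, the six-word passphrase and the two schemes above can be put together in a few lines. This is an added example and not code from the article: it rolls dice with a cryptographic random source (the `secrets` module), joins the words with the alternating-capitals scheme, applies the a/o/s substitutions from the article's example, and computes how many bits of entropy a passphrase of a given word count actually has. `WORD_LIST` is a constructed ten-word list standing in for a real Diceware-style list of 7776 words; the function names are mine.

```python
import math
import secrets

# Constructed mini word list; a real Diceware-style list has 6**5 = 7776 words,
# one for every five-dice roll such as "13524".
WORD_LIST = ["artery", "lemon", "dogma", "sugar", "frost", "sofa",
             "hinge", "quartz", "marble", "velvet"]

# The substitutions used in the article's example: a -> @, o -> 0, s -> $.
LEET_TABLE = str.maketrans({"a": "@", "A": "@", "o": "0", "O": "0", "s": "$", "S": "$"})


def roll_dice(count: int = 5) -> str:
    """Roll `count` dice from a CSPRNG and return the Diceware-style key, e.g. '13524'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def random_words(words: list, count: int = 6) -> list:
    """Pick `count` words uniformly at random, with replacement, like repeated dice rolls."""
    return [secrets.choice(words) for _ in range(count)]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly from a list of `list_size` words."""
    return word_count * math.log2(list_size)


def alternate_caps(words: list) -> str:
    """Join the words, capitalising every second one: arteryLEMONdogmaSUGAR..."""
    return "".join(w.upper() if i % 2 else w.lower() for i, w in enumerate(words))


def leetify(text: str) -> str:
    """Apply the article's symbol/number substitutions to a passphrase."""
    return text.translate(LEET_TABLE)


if __name__ == "__main__":
    words = random_words(WORD_LIST)
    print(roll_dice(), words)
    print(alternate_caps(words), leetify(alternate_caps(words)))
    print(f"{entropy_bits(len(WORD_LIST), 6):.1f} bits from the constructed list")
    print(f"{entropy_bits(7776, 6):.1f} bits from a 7776-word list")
```

The entropy figure is the part worth keeping in mind: six words from a 7776-word list give roughly 77.5 bits, while six words from the constructed ten-word list give under 20, so the size of the list matters as much as the number of words. The capitalisation and substitution schemes change the string but add little entropy, because they are predictable transformations; the randomness of the word choice is what does the work.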
Use a password manager to manage your passwords
It is not only inconvenient, but also impossible to use the above technique for every account you own. You could do it for two or three critical accounts, like online banking and your main email account, but no more.
The use of a password manager nowadays is almost mandatory. A password manager is an application that securely stores all of your passwords. Of course, the password manager itself requires a master password in order to access it.
You should create the master password using the method described above. The password manager will then be responsible for generating and "remembering" all the other passwords. This allows you to create really long, complex and unique passwords for all of your accounts.
There are many good options out there, both paid and free. I personally use and recommend KeePass. It is free, open-source and, in my opinion, the most secure. It might not have all the bells and whistles out of the box that other commercial applications have, but there are many good and free plugins that you could use to extend its functionality.
Finally, it is very important that you secure your computer and any other devices. You must install a good antivirus solution and keep your system up to date. No matter how complex your password is, if a hacker or a key-logger makes it into your computer, they will most likely get it anyway.