Everything You Know About Passwords Is Wrong
Cyber-criminals are changing the way they crack passwords. Our tips will keep yours strong.
Don’t use Justin Bieber lyrics
Pop culture references are not a good idea.
When cybercriminals settle down to crack a list of stolen password hashes, one tactic is what’s known as a “dictionary attack”. Software tries every entry in a wordlist, one by one: every word in the English language, plus the millions of passwords exposed in earlier breaches. Names of hit films, bands and celebrities are in there and will be guessed early. Names such as “Superman” are surprisingly common as passwords, as are swearwords, lyrics, album names and band members’ names. Avoid all of these.
Don’t use your dog’s name
One in six PC users in Britain use either a pet’s name or a partner’s name as their password, according to research by Google Apps. When criminals target a specific person, the software is fed obvious words related to that person’s life first, such as their hometown or their partner’s name. Hackers can often find this information freely online, on social networks, blogs, LinkedIn profiles or job descriptions.
Don’t rely on your password alone
Technology companies hate passwords as much as you do, and many sites are now trialling (and offering) extra ways to keep accounts safe. ‘Two-factor authentication’ makes accounts much safer.
This process sends you a one-time code via text message or an app. Without the code, a stolen password is not enough to get in, so it is far harder to hack the account. Codes generated by an app on your phone are stronger than text messages, which can be intercepted if a criminal takes over your phone number. You have to opt in to use this service, but the option is usually found under Account or Security, or a quick search on the site you are using will find you a how-to.
Long passwords are not automatically “safe”
For years, IT people advised that a longer password (for instance, a phrase rather than a word) was safer. Length still helps, but only if the phrase is not one a cracker can look up. Popular password-guessing program Hashcat handles candidates up to 55 characters long, and the wordlists fed into it include famous quotes, lyrics and passages from books alongside single words. In one well-publicised case a password-cracking program recovered the phrase from horror novelist H.P. Lovecraft’s ‘Call of Cthulhu’, “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1”. The number on the end and the made-up language did not help: the whole phrase was a single wordlist entry, and tacking a digit onto the end is a standard cracking rule. A long string of unrelated words that you picked at random is a different matter, because it appears in no list.
Don’t have an obvious recovery question
It is very tempting to use the same recovery question each time (such as the classic “mother’s maiden name”). Cybercriminals can harvest information such as your home town or your mother’s name from public records and social networks, especially if you post it on Facebook. This gives hackers a ‘back door’ to your account that bypasses your password altogether. Many sites allow you to make up your own question. Do it. Make it hard, but one you’ll remember, and treat the answer as a second password: it does not have to be true, it only has to be something you can reproduce.
Don’t use quotes, use maths
Many security experts advise using a favourite quote as a password, but newer cracking programs can guess these easily, especially if they are from a current film. Using a made-up maths equation can be memorable and secure. Something like “1hundred+2=Threethousand” is just about easy enough for a normal person to remember, and the mix of numbers, special characters and words is hard to guess because it appears in no wordlist. Don’t use that exact example, though: once a pattern has been published, it gets added to the lists.
Do add numbers, just not on the end
Your IT department may force you to change your password every month or so, but don’t be tempted to vary the same one, such as by adding a number on the end. Cracking programs apply “rules” to every word in their list, and appending a digit, a year or an exclamation mark is among the first rules tried. (In hacker slang the weakest case of all, where the password is the same as the username, is known as a “Joe” account.) The same goes for sites where they force you to add capital letters and numbers until your password is “strong”. Don’t stick them on the end. Intersperse special characters and numbers throughout and your passwords will be much tougher nuts to crack.
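The dictionary attack described above, the fall of the Lovecraft phrase, and the “add a number on the end” rule all come down to the same mechanism, shown here as an added example that is not part of the original article. The wordlist, the small rule set and the four sample passwords are all constructed for the demo; real crackers use lists of millions of entries, far larger rule files and GPU speed, and the fast SHA-256 hash stands in for whatever a leaked site used.

```python
import hashlib

# Constructed wordlist standing in for the dictionaries and leaked-password
# lists crackers feed to tools such as Hashcat. Whole famous phrases are
# entries too, which is why a long, well-known quote is not a strong password.
# (The Lovecraft phrase is written with plain apostrophes here.)
WORDLIST = [
    "password", "superman", "rover", "liverpool", "summer", "qwerty",
    "123456", "letmein", "maytheforcebewithyou",
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
]

# A hypothetical, deliberately tiny rule set: case changes, "leet"
# substitutions, then a digit or year and/or a symbol appended to the end.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = [""] + list("0123456789") + [str(y) for y in range(1990, 2030)]
SYMBOLS = ["", "!", "?", "."]


def mangle(word):
    """Yield every candidate the rule set derives from one base word."""
    bases = {word, word.capitalize(), word.upper()}
    for b in list(bases):
        bases.add(b.translate(LEET))
    for b in sorted(bases):
        for suffix in SUFFIXES:
            for sym in SYMBOLS:
                yield b + suffix + sym


def hash_pw(pw):
    # Fast, unsalted SHA-256 keeps the demo self-contained; a real site
    # should store a slow, salted hash (bcrypt, scrypt or Argon2) instead.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Dictionary-plus-rules attack over a set of stolen hashes.

    Returns {hash: recovered_plaintext}; hashes that no candidate matched
    are simply absent from the result.
    """
    remaining = set(hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = hash_pw(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found
    return found


# Constructed "leaked" passwords, one per habit the article discusses.
SAMPLE_PASSWORDS = {
    "pet name": "Rover1",
    "forced complexity": "Superman2014!",
    "long famous phrase": "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1",
    "random words": "kettle marble orbit fourteen",  # in no wordlist
}


def demo():
    """Hash the samples, run the attack, and report what fell.

    Returns {label: plaintext or None}; None means the attack failed.
    """
    label_by_hash = {hash_pw(pw): label for label, pw in SAMPLE_PASSWORDS.items()}
    cracked = crack(label_by_hash)
    return {label: cracked.get(h) for h, label in label_by_hash.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20s} -> {result if result else 'NOT cracked'}")
```

Three of the four samples fall within a few thousand guesses: the pet name plus a digit, the “complex” word with a year and symbol on the end, and the 51-character Lovecraft phrase plus “1”, because the base phrase was a single list entry and the trailing digit is a rule. Only the four unrelated random words survive, and not because of their length but because no list contains them.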
It can be OK to reuse passwords
Almost all of us reuse passwords; in fact, some users confess to using one password EVERYWHERE (which is a bad idea, because criminals try every password from one breached site against every other site). More sensible is to reuse a password only on “disposable” sites, and save the “good”, unique passwords for important sites such as banking sites, shopping sites, Facebook etc. If you’re logging in to look at a site once, use a throwaway email address and a disposable password. If the site is hacked, it doesn’t matter, provided that password and address lead nowhere else; just make sure the site doesn’t hold other details such as your credit card.
Don’t reuse your email password, EVER
Your email password is the worst one to lose. Criminals can often find crucial details in your Outbox or Inbox – such as account numbers, addresses, or even scans of passports. They also use the email account to reset passwords for other sites such as Amazon and PayPal. Email accounts are a goldmine for thieves. Make sure that password is strong, and not used anywhere else.
Use several methods at once
The first passwords that will be guessed by any cracking program are the obvious ones: a report this week said “Password1” still got you into one in three accounts, and others such as “123456” are similarly easy prey. What you need is a phrase that defies a computer’s logic. Mix up sentences, acronyms (such as “jjfiaggg”, for “Jumpin’ Jack Flash, it’s a gas, gas, gas”) and real words, and you’ll have a password that criminals will find VERY hard to crack. As with any published example, don’t use that one; build your own from a line nobody else would pick.