I know, we’re all absolutely sick of hearing about and dealing with passwords, but they’re unfortunately crucial to keeping our online lives secure, and therefore very important to get right.
I’ll make this article as brief and ‘skimmable’ as possible as I know our collective patience on this topic is spreading thin.
How to make a strong password
The longer the password, the better. At the same time you don’t want it to be hard to remember though, so the best solution to this is to use a passphrase instead. You can even include spaces. Try to also include upper/lower/number/special character as well if you can.
For example, something like: drinkingTeaatthecottage100%
(if it reminds you of something positive, all the better, as you’ll be typing it a lot..)
The more characters you use, the better. If a website has a character limit, maybe take the first few letters of the phrase instead:
dTatc100%
You can also just use a password manager to generate and remember your passwords for you. We’ll look at that in the last section.
Why do passwords have to be so annoying, I mean, complicated?
The short answer is to protect from bad-guys aka threat actors aka hackers (refer to figure below):
If they have a target account they want to break into, they throw a bunch of known passwords at it until one works.
If they’re unlucky and your password is unique enough that it’s not on the list they’re using, they have to resort to trying every possible combination.
The longer and more unique your password is, the more resistant it is to this type of attack, to the point where it could be impossible to crack even within many lifetimes.
Short, non-complex passwords, on the other hand, take seconds to hack.
Note that you don’t need to be targeted individually for this to happen. Hackers can do this en-masse as well to a massive list of users.
All this to say, don’t think ‘no one would ever target me so I don’t have to worry about it!’ because instead, they just target everyone!
What things put my password at risk?
Phishers – people trying to trick you into providing your password through convincing login pages linked from convincing emails
Keyloggers – software that tracks every key pressed and sends it to the hackers' computer. This would of course capture passwords and everything else you type. This can come from malware or can even be run from a usb stick secretly plugged into the back of a lab computer
Shoulder surfing – people looking over your shoulder when you’re typing your password or unlocking your phone
Breached websites – if a website gets broken in to by hackers, they pull all the usernames and passwords for use/sale later
Commonly used words – if you have common words in your password, it will be found out quicker by the hackers toolset, so avoid common sayings, names, lyrics, etc..
Guessable passwords – don’t use a password of your dogs name and birthdate, or anything about you that could be guessed
Sticky notes - definitely don’t write your password down anywhere
How can I better protect my passwords then?
Don’t fall for tricks. Get up to speed on phisher's tactics by reading this article.
Create unique passwords AND keep them unique to each service. ie don’t use the same password on all your accounts. You wouldn’t want a LinkedIn hack affecting your Trent account, but it would if you used the same password on both sites.
Use Multi-Factor Authentication on all of your accounts. Once setup, a password is not enough to access you account, you’d also need access to the MFA app on your phone. So even if a hacker had your password, it’s not enough to access your account.
We have instructions on how to do this for your Trent account , but also turn it on for Facebook, your bank, etc..
Always use an authenticator app where you can, the other, less secure option, is to just get a text of a code to your phone. It’s trivial for text messages to be intercepted if you were ever targeted so the app is always the better choice.
Use a password manager. There will be more info in next section, but the idea being, you only have to remember one super long/strong password, to get into your vault of all your other usernames/passwords.
Be aware of surroundings when unlocking your phone or entering passwords. It’s very easy for someone to just watch your fingers given the proper line of sight. Don’t be embarrassed to cover the pin-pad at banks or cash registers. It’s not being paranoid, it’s being smart.
Don’t ever share your password with someone else. If for some strange reason you have to (I’m thinking of some computer repair shops that ask for you to fill out a form and include your login username and password so they can fix your computer) just change your password to something temporary to give to the techs, then when you get it back, change it back to one you like.
Password managers
Password managers keep your various usernames and passwords in a vault that can sync to your computer’s browser or your phone.
They can also generate very complex passwords, that you don’t even technically need to know or remember, it will handle the storage and will auto-fill the password fields as well when you visit the site in question.
Of course, it sounds scary to have all your passwords in one place, but if it lets you maintain unique and more complicated passwords for each of your accounts, the good may be considered to outweigh the very low chance of anything bad ever happening.
The Canadian Cyber Security Centre recommends, when choosing a password manager, to check for these features:
- support two‑factor authentication
- prompt you to change old passwords
- flag weak or reused passwords
- notify you about compromised websites
- integrate with your phone, computer, tablet, and other devices
And recommends that you:
- Install updates regularly for password managers
- Use the password manager to generate passwords for you
- Avoid using the same password for multiple sites
- Do not store passwords for sensitive accounts (e.g. banking, email)
- Do not share your master password
- Have a plan to recover your passwords when your computer fails and you lose access to your password manager
How can I tell if my accounts have ever been breached?
Visit Haveibeenpwned.com and enter your email address you're curious about. It will go through its massive lists and see if your email/password has been breached at any point, and from what site or breach it came from.
There is also a password tester on that page where you can test to see if your password exists on any hackers’ lists anywhere. If that raises any red flags for you, there is a writeup on the complicated security behind the password tester. As well, the site is maintained by a prominent security researcher and Microsoft MVP. Ultimately it’s up to you if you want to try the password portion or not.
TL;DR
Passwords need to be unique and strong to be of any use.
Use MFA wherever it’s available.
Don’t get tricked by phishers.
Consider using a password manager to maintain complicated passwords for all of your accounts.
Check to see if you already have breaches credentials from haveibeenpwned.com.
Back to Cybersecurity Blog home.
Stavros Tzagadouris - Level 1 Information Security Officer - Trent University