Stay safe! How to choose a good password

This is a conversation I’ve had again and again with clients. It might not be the sexiest topic, but I want you all to be safe. I’m going to tell you why you need a good password and how to find one. I’ll tell you who is after your information, how they’re going to get it, and how you can make it safer. I’ll also tell you why you need a password app.

It’s easy to think that a good password doesn’t matter.

“Why would anyone hack into my Fitbit stats?” Cracking passwords belongs in spy movies, or when the brave, smart heroine is trying to stop the computer counting down to destruction. Being able to log in to my stuff easily is more important than having a particularly good password. Right?

A good password keeps us safe in a bunch of ways that we don’t even think about. Sure, passwords protect our access to our Netflix account, but they also lock away information like credit card numbers, home addresses, names, birthdates and contact numbers for loved ones. And our email password is one of the most important.

Who is the big bad wolf?

I think this is why we drop the ball with our passwords. We don’t quite believe that the hackers in the movies are after little old us. And we don’t quite believe that anyone close to us would harm us. Who wants your password?

• People in your life: This is a hard one to accept, I know. It could be as simple as a teenager wanting to switch off parental lock or a partner who has forgotten the Amazon Prime password. Maybe it’s a neighbour using your wifi to download movies. It could be a house sitter or guest with a bad snooping habit. If the worst happens, it could be a malicious ex, or a stalker.
• Thieves targeting individuals: This could be a burglar. Given the value of email accounts, grabbing that notebook next to the laptop they’re stealing is an easy win. And of course, if you have your phone or computer set to log in automatically, a lot of damage could be done very quickly.
• This could be someone online. I once had someone log into my Amazon seller account, quickly change the banking details, sell a phone, get paid for the phone, and change everything back again. The person who bought the phone was angry when it didn’t arrive and wanted a refund from me! That was the first I’d heard of it. I still don’t understand why I didn’t get notification emails of the sale or anything, but they knew what they were doing.
• Hackers targeting websites: These are the ones that make the news. The hackers can make money just from selling off the lists of passwords. Believe it or not, email accounts sell for more than passwords! Understandably, companies aren’t too keen to ‘fess up when they’ve had a breach.

How do they get your passwords?

• From the back of that envelope or your address book (next to your computer, right?)
• Phishing through fake sites or emails
• Social engineering: using information gleaned from social media and other sources to guess or reset your password.
• Viruses, trojan horses and malware
• From the computer or phone they stole, that logs you in automatically to all those sites
• By hacking a site that you’ve logged into
• Brute force attacks: these use computers to try thousands of passwords a second. (Hint: maths is your friend here, more later!)

How to stay safe:

• Choose a good password to begin with (read more below)
• Use a different password for every site
• Don’t write it down
• Use a system or an app (or both) to make it memorable. More about apps below.
• Keep it a secret (and if you do share it for necessary help, change it afterward)
• Don’t let your phone fill them in for you (unless you’re using a password app, more below)
• Use a password app to encrypt them and lock them up
• Use the password app to randomise them
• Change them often

Bad passwords

• Password – this is still one of the top passwords, along with 123456…
• Any single word in the dictionary
• Your user name/real name/middle name/nickname/pet’s name/spouse’s name/children’s names. You know what? Just don’t use anyone’s name! (Checking name lists is part of a hacker’s toolbox).
• You know those rules they set, about using a number or a capital letter? Taking the simple route of adding a number before or after the word, or simply capitalising it and you might as well not bother.

Plot twist: For a long time, passwords with number letter substitutions were a good idea, eg. something like Fac3b00k. The hackers are smart though and they’ve caught up with this tactic. This was my number one approach before researching this piece, so I’m changing things up. The thing is, we’ve made passwords both harder for humans to remember and easier for computers to guess. Oh.

Good passwords

No sniggering now, but length is important here. According to the Carbon Black article (top link in sources), a password made of 8 lowercase letters would take under 4 minutes for a computer to crack.

There’s good news – adding just 4 more lowercase letters means 3 years to crack, but only if it’s random! That annoying rule about including a capital letter, a number and a special character? It’s totally worth it. For a random 8 character password, it increases that 4 minute crack time to 70 days. The 12 character password, if it’s truly random and includes those three variations, can take over 15,000,000 years!

And yes, you do need a different one for everything. You can’t control how well a company stores your passwords, and if your Youtube password gets discovered, you can bet it will be tried on Amazon, Ebay, Paypal etc., very quickly.

Keep getting locked out? Try these tricks

Keep getting locked out of that one website?  Come up with a system that uses some of these tricks.

• One single word is out, but a random combination of words can be powerful. A common example is correcthorsebatterystaple. If you can come up with a sequence of words that you can remember, this is a strong formula for a good password.
• The common number substitutions are out, but unpredictable punctuation can be a powerful disruptor of a dictionary word (still not “password” though, never, in any form). So “elegant” is out, and so are “3l3gant” and “Elegant!” – but ele%Gant is getting there, ele%gant-Ele$phant is better.
• Think text speak: come up with a phrase you can remember (even if it’s a song title that the hacker lists may contain, but better if it’s personal) and then squish it up into txt spk. So “Go big or stay home” might become “gBgRstyhm” or “g-Bg-r-Sty-hm.”

You can combine some of these for even stronger passwords.

How a password app helps

If you still keep getting locked out, a password app is the answer. You’re still going to come up with a good password to lock the app – sorry!. I use 1Password (not an affiliate), but there are several good alternatives, like Last Pass, KeePass or DashLane. Generally, they don’t even have access to your passwords, so even if they get hacked, you won’t.

Password apps have three main benefits. They generate truly random, secure passwords for you. Then they remember them for you in a secure piece of software (only as good as your master password). Mine is on my phone, tablet and computer, so even if I’m using a different computer, I always have them with me.

Now, a final word of warning!

Don’t go changing everything at once, or you will get in a complete muddle. Take some time to come up with your system. Read up about apps. And choose one to start with and practise your skills.

(This is an extended version of an article that first appeared in my Creative Business Support Newsletter, April 2017)

Sources:

Don’t be cracked: the math behind good passwords
Why a criminal might want to hack into your email
6 Reasons Why Hackers Want to Hack Your Website
Common Tactics Used by Hackers to Steal Your Passwords
Keep your data safe by following the Password Commandments
Old but still good advice from a university
9 Things You Absolutely Must Do to Keep Your Online Identity Secure