How to create strong passwords, and why you should take the time to do so

Threat Intel · Published Nov 9, 2016 · 6 min read

Welcome to Threat Intel’s #WednesdayWisdom column, a weekly read to help improve your cybersecurity knowledge and keep you informed on important developments.

The security of the information we all keep online has been constantly in the spotlight recently.

Huge data breaches at major websites like LinkedIn, MySpace, and Yahoo have pulled into sharp focus the dangers of reusing passwords across multiple accounts and websites.

Information from the LinkedIn breach, which dated from 2012, also revealed that people are still truly terrible at choosing passwords. An analysis from a security team following news of the hack showed that the top five passwords revealed were laughably easy to guess:

1. 123456
2. Linkedin
3. Password
4. 123456789
5. 12345678

Image via Giphy

It looks like a lot of people were not following best practice password rules when it came to their LinkedIn accounts.

Repeat after me: do not use ‘password’ as a password.

Nobody’s perfect

Shortly after the LinkedIn passwords were dumped online, we found out that not even tech billionaires are infallible. Mark Zuckerberg’s Twitter and Pinterest accounts were hacked, with the alleged hackers behind it, a group called OurMine, saying they found his passwords in the LinkedIn dump. This showed that Zuckerberg, just like the average Joe, is prone to reusing passwords online.

He may be a tech billionaire, but it looks like even Facebook’s Mark Zuckerberg was prone to reusing passwords

The various breaches that have come to light this year have seen almost a billion passwords dumped online, which means reusing your password across multiple accounts is now a worse idea than it ever was.

Recent revelations concerning the Mirai botnet and the use of Internet of Things (IoT) devices in DDoS attacks have also shown that users are not exercising enough caution in that area when it comes to security, often failing to change devices’ default passwords. This leaves the devices open to being compromised and used in attacks like the one on DNS provider Dyn that was observed recently.

So, how can I create a strong password?

1. Do not reuse passwords

After reading the above, the first rule of creating a password should be obvious: do not reuse passwords. Use a strong and unique password for each account you have online.

2. Use a password manager

Of course, the problem with having a unique password for every account, and the reason why so many people reuse passwords, is it’s very difficult to remember a lot of different passwords. This is where a password manager comes in.

Use a password manager to manage all your passwords and then you only have to remember one password — the one you use to access it.

There are many password managers out there — including Norton’s Identity Safe, LastPass, and Dashlane — and the best one for you really depends on your individual needs. There are both free and paid-for services available, so do some research and find out what would suit you best.

Use a password manager, and don’t end up like this kid. Image via Giphy

3. Think strong, long, and unique

General advice for strong passwords dictates that they should be a minimum of 12 characters long, and longer is better still. They should use a combination of upper and lower case letters, numbers, and symbols. A password should not be a dictionary word (e.g. ‘house’, ‘doctor’) or a combination of dictionary words (e.g. ‘blue house’, ‘good doctor’). You should also avoid obvious substitutions, such as replacing the letter ‘o’ with the number ‘0’, since password-cracking tools try these variations as a matter of course.

Basically, aim to make your password as random and difficult to guess as possible. Avoid the incredibly obvious ones like ‘password’, ‘123456’, and sequential combinations like ‘qwerty’.

If you’re really lacking in inspiration there are password generators that will produce suggestions for you.
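The rules in this section can be turned into a checker. The following is an added example, not part of the original article; the dictionary is a tiny constructed stand-in for a real wordlist, and the keyboard rows and substitution table are assumptions about what counts as "obvious".

```python
import re

# Constructed stand-in for a real dictionary (assumption: a real check loads a full wordlist).
DICTIONARY = {"house", "doctor", "blue", "good", "password", "linkedin", "cat", "hat"}
# The obvious passwords the article names, plus the 'qwerty' style sequence it warns about.
BLOCKLIST = {"password", "123456", "123456789", "12345678", "linkedin", "qwerty"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")
# Obvious leet substitutions (0->o, 1->l, 3->e, 4->a, $->s, @->a) undone before the dictionary check.
SUBSTITUTIONS = str.maketrans("0134$@", "oleasa")

def segments_into_words(text, words):
    """True if text splits entirely into dictionary words, e.g. 'bluehouse' (word-break DP)."""
    ok = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        ok[end] = any(ok[start] and text[start:end] in words for start in range(end))
    return ok[len(text)]

def has_keyboard_run(text, length=4):
    """True if text contains a run of `length` adjacent keyboard keys or digits, either direction."""
    low = text.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                return True
    return False

def check_password(pw):
    """Return the list of article rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    # Normalise: lower-case, undo substitutions, keep letters only, so 'Blue H0use!' -> 'bluehouse'.
    normalized = re.sub(r"[^a-z]", "", pw.lower().translate(SUBSTITUTIONS))
    if pw.lower() in BLOCKLIST or normalized in BLOCKLIST:
        problems.append("is a well-known weak password")
    elif normalized and segments_into_words(normalized, DICTIONARY):
        problems.append("is a dictionary word or a combination of dictionary words")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard or digit sequence")
    return problems

if __name__ == "__main__":
    for candidate in ("Password", "Blue H0use!", "Qwerty123456!Ab", "Hat-hippo7 Victoria cloud"):
        print(repr(candidate), "->", check_password(candidate) or "passes")
```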

4. Don’t use personal information

In an age where all our information is easily searchable online, it isn’t hard to discover things like your date of birth, the street where you grew up, or the name of your first dog, so do not use these things as your password.

5. Fabricate your security questions

As mentioned above, it’s quite easy nowadays to find out pretty much anything you want about someone online, including information such as your mother’s maiden name and the hospital you were born in, all of which are commonly requested as answers to security questions.

If you want to make your security questions safe, there is one simple answer — lie, and give an answer only you will know.

Or at least make your truthful answer in some way unique so that even if a hacker guesses or finds out the real answer, they still won’t be able to answer the question correctly.

6. To phrase or not to phrase

Passphrases are also an option lauded by some. Passphrases are generally made up of a series of random words, with the argument being that it is easier for people to remember them but still difficult for hackers to crack them.

Again, though, the key to an effective passphrase is randomness: ‘the cat sat in the hat’ won’t cut it, but ‘hat hippopotamus victoria sandwich cloud’ would. If you’re able to add capital letters or numbers to your passphrase then that is better still. Website xkcd did a nice comic on picking a passphrase some years ago that is often referenced.

Image via xkcd
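Why random words work comes down to arithmetic: each word drawn uniformly from a list of N words adds log2(N) bits, so the strength depends on the list size and word count, not on how the phrase reads. The following is an added example, not code from the original article; the word list is a tiny constructed stand-in (a real list such as a 7776-word diceware list gives about 12.9 bits per word), and the 94-character alphabet for comparison is an assumption.

```python
import math
import secrets

# Constructed sample list (assumption); in practice load a published diceware list.
SAMPLE_WORDS = ["hat", "hippopotamus", "victoria", "sandwich", "cloud", "anchor",
                "quartz", "lantern", "meadow", "tundra", "pixel", "walnut"]

def passphrase_entropy_bits(word_count, list_size):
    """Entropy when every word is drawn uniformly from list_size words.
    A stock phrase like 'the cat sat in the hat' is not drawn this way, so this
    formula does not apply to it; its effective entropy is far lower."""
    return word_count * math.log2(list_size)

def password_entropy_bits(length, alphabet_size=94):
    """Entropy of a uniformly random character password (94 printable ASCII by default)."""
    return length * math.log2(alphabet_size)

def words_needed(target_bits, list_size):
    """Smallest number of random words from list_size words reaching target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(wordlist, word_count, capitalize=False, add_digit=False):
    """Draw words with the secrets module (CSPRNG), optionally adding the extra
    capital letter and digit the article suggests."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    if capitalize:
        idx = secrets.randbelow(len(words))
        words[idx] = words[idx].capitalize()
    phrase = " ".join(words)
    if add_digit:
        phrase += str(secrets.randbelow(10))
    return phrase

if __name__ == "__main__":
    print(f"{passphrase_entropy_bits(4, 2048):.1f} bits: xkcd-style 4 words from 2048")
    print(f"{passphrase_entropy_bits(5, 7776):.1f} bits: 5 diceware words")
    print(f"{password_entropy_bits(12):.1f} bits: 12 random printable characters")
    print(words_needed(password_entropy_bits(12), 7776), "diceware words match that 12-char password")
    print(generate_passphrase(SAMPLE_WORDS, 5, capitalize=True, add_digit=True))
```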

7. Don’t leave your passwords lying around

This may be blindingly obvious, however, considering we did just establish that a lot of people use ‘password’ as their password, it’s worth saying: do not leave your passwords written down on pieces of paper all over your desk. It would (obviously) be easy for anyone walking by to simply steal your information and access your account.

8. Enable two-factor authentication (2FA)

Enabling 2FA is probably the most effective thing you can do to make yourself less susceptible to hackers.

If you have 2FA enabled then you make a hacker’s life a lot more difficult: they may have your password but without that second factor (normally a code sent to the account owner’s mobile phone) they cannot access your account.

Most major websites now support 2FA, including Google, Apple, Twitter, and Facebook, so if you haven’t set it up for your main accounts, do it now. Many password managers also offer 2FA.

Having a great password can’t guarantee 100 percent safety for your online information. Password-stealing malware could still make its way onto your computer, but by following the above guidelines you will make life that much harder for hackers and increase the likelihood of keeping your online information and accounts safe.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.


Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.