Notes on
Password Security

The most common technique criminals use to gain access to online accounts is exploiting poor password security. In this article I'll explore the different methods people use to secure their online accounts, and briefly guide you through the strengths and weaknesses of each strategy. Hopefully this will help you to secure your accounts a little better and prevent unauthorised people from gaining access to your accounts and the information contained within them.

Choosing a password

There are a lot of tips out there on how to choose a secure password; some of it is good advice, but a lot of it is useless, outdated or irrelevant.

You don't have to regularly change your password. By changing your password regularly, most people fall into the trap of using patterns, such as just changing a number at the end of the password. Patterns make things more predictable and thus easier to guess. It's fairly easy to realise that once you learn someone's password was previously “password12”, it may now be “password13” or something similar.

You should certainly change your password if you have even a tiny suspicion that your account has been compromised or that somebody has learned what it is.

A longer password is more important than a more random password. Generally, a password at least 12-15 characters long (letters, numbers and symbols) is recommended. If a passphrase like “IlovetobeSuperSecureOnFacebook” is more memorable than “6Epo%DU”, go ahead and use it. In the book Perfect Passwords, Mark Burnett writes “Usually all it takes is a password just two characters longer to make up for a lack of other types of characters such as upper-case, numbers, or symbols”. This is because the length of a password, just like the range of characters it uses, determines how many guesses a computer program needs to make to guess (crack) it.
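As an added illustration of the length-versus-character-mix point (my own example, not code from the book or this article), the following Python estimates the guessing work for the two passwords quoted above and checks Burnett's rule of thumb numerically; the character-class sizes and any guess rate passed in are assumptions.

```python
import math

# Added example (not from the article): estimate how many guesses a
# brute-force cracking program needs, to compare length against character mix.
# Sizes are the printable ASCII classes; 33 is the count of printable symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def charset_size(password: str) -> int:
    """Size of the smallest character set covering every class the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def entropy_bits(password: str) -> float:
    """Bits of guessing work, assuming every character was chosen at random.

    This is an upper bound: cracking programs try dictionary words and patterns
    such as "password12" -> "password13" long before exhausting the full set.
    """
    return len(password) * math.log2(charset_size(password))


def bits_for(length: int, charset: int) -> float:
    """Same estimate for a hypothetical password of a given length and character set."""
    return length * math.log2(charset)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case for the attacker: time to try the whole space at a constant rate."""
    space = charset_size(password) ** len(password)
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("IlovetobeSuperSecureOnFacebook", "6Epo%DU"):
        print(f"{pw!r}: charset {charset_size(pw)}, {entropy_bits(pw):.0f} bits")
    # Burnett's rule of thumb: ten lowercase letters (10 x 26) come out
    # roughly equal to eight mixed letters and digits (8 x 62).
    print(f"{bits_for(10, 26):.1f} bits vs {bits_for(8, 62):.1f} bits")
```

The passphrase comes out around 171 bits against roughly 46 for the short random password, which is why the article favours length over complexity.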

In addition to having a long password, you should make it as unique as possible. Using a password like “passwordpassword” for all of your accounts is hardly going to earn you any points.

Generally, the best password is one that you don't even know yourself, which may at first seem like a strange concept, but I'll get back to that later on in the password manager section.

Managing your passwords

Using the same user name and password for everything

Just don't. Seriously.

Pros:

Cons:

Remembering each password in your head

If you follow, at the bare minimum, the best practice of having a different password for each online account, and then consider that the average person has 22 online accounts (according to figures in A Large Scale Study of Web Password Habits, published by Microsoft in 2006, so the average is likely higher now, a decade later), remembering each password would be impossible for most people.

Pros:

Cons:

Using different passwords, but keeping the passwords written in a book or note somewhere

I've also seen people keeping their passwords on a post-it note under their keyboard, written on stickers on their screen etc. I've even quite despairingly witnessed people in businesses with a password text document on their computer's desktop.

Pros:

Cons:

Using a password manager

You can think of a password manager as a sort of digital bank to store your passwords in. There are many password managers available to choose from, each with a slightly different set of features. A password manager can securely take care of your login credentials for each of your accounts so that you don't have to. When visiting a website you want to log into, you enter a master password which unlocks the password manager, and the password manager takes care of the rest. This gives you the convenience of having one password for everything and a book to store them in, but with a lot less risk involved.

Remember to change your master password if you have even a tiny suspicion that somebody else might have found out what it is. This is one password to rule them all, so make sure it's a very strong one, and treat it like it's precious (if you'll excuse the Lord of the Rings comparison.)

I personally use Bitwarden because it is open source and trusted by various security professionals I follow. Other popular and widely-used password managers include 1Password, Dashlane, LastPass, and StickyPassword. Be wary of other less well-known password managers, as they may be a scam.

Pros:

Cons:

Bonus Tips

Use multi-factor authentication (also known as two-factor authentication, 2FA, two-step verification, 2SV). 2FA normally means that you'll receive a code through a text message on your phone (or generate one in a specialised app) to enter alongside your username and password, as an extra layer of protection to prove that you are who you say you are when logging in. It adds a bit of extra work to sign into your account, but it also adds an extra mountain for potential hackers to climb in order to access your data. Popular online services that offer 2FA include Facebook, Twitter, Gmail, Dropbox, PSN, Microsoft, and plenty of others. Check the settings page on these apps or websites to see if they offer 2FA; it's well worth it!

Multi-factor authentication can also include biometric identifiers, such as facial recognition, fingerprint readers, and iris scanners, but these bring with them their own set of issues. Unlike a password, biometrics can't be changed. Some biometric identifiers can be relatively easily copied, but for low-risk accounts they may be worth it for their speed and convenience. If used in conjunction with a regular password instead of as a complete replacement, they're a welcome extra hurdle against hackers, and certainly better than having nothing extra at all!

Don't log into public or shared computers. It's not worth the risk when they may, even unknowingly, have keyloggers (hidden programs that record keyboard presses) or something similar installed. If you absolutely have to use another person's computer to sign in, use the private browsing mode to browse the internet as a precaution. This way, on most otherwise healthy systems at least, your password and the websites you visited aren't as easy to retrieve.

Don't log into your accounts using public Wi-Fi hotspots. It's surprisingly easy to spoof a lot of public Wi-Fi hotspots, or to extract data from them, so it's really not worth the risk in most cases. If a hacker is smart about it, this can be done completely transparently without any indication that it's even happening. No amount of antivirus in the world can protect you from these types of attack.

A precaution you can try is visiting websites where the connection is encrypted, such as websites where the address starts with https and has a green lock in the address bar. It's a little more complex than that, but that's a whole other article entirely. You can also try connecting to public hotspots through a VPN (virtual private network) as an extra layer of protection, which I would generally recommend if you use public hotspots a lot.

Lock your screen when you leave your computer in a public or shared space, even if it's just to go make a coffee. It only takes a few moments to extract data from an unlocked computer or mobile phone. Holding the Windows and L keys together on your keyboard will lock most computers. Normally, a quick press on the power button will lock your phone.

Use fake answers to security questions to avoid social engineering attacks. These security questions exist to recover your account if you forget your password, but can just as easily be used by other people. If somebody really wants to access your account, they might find ways to research this information or coax the answers from you or other people that know you. Just make sure to remember your fake answers… You get bonus tin foil hat points for using different fake answers for different sites! A useful trick is to use your password manager to store the fake security answers too. Generally, you can use it to store any sensitive authentication information.

Make sure there's no malware on your computer. Some malicious software is designed to extract passwords from your system either by extracting them directly from your browsers, or by using keyloggers and all kinds of other weird and wonderful techniques. By keeping the general health of your computer in a good condition, you're less likely to suffer this kind of attack.

Don't use your browser's default password manager. These are targeted by some malware, and surprisingly easy to break into in most cases. While extremely convenient, if you want to take your security up a level, it's worth considering abandoning them. You can clear the remembered passwords from your browser in its settings if you want to start this habit, or if you accidentally ask it to remember a password. You can also disable the feature entirely in most browsers.

Change the default password on your devices. If somebody knows what the default password is for one of your devices (your router, CCTV system, etc.), using the password it came with is effectively the same as using no password at all and leaves it very easy to bypass.

Extra tips for mobile users

Use a passcode longer than 4 digits. The longer the passcode, the harder it is to guess, or for people looking over your shoulder to remember… And for goodness' sake, don't use your bank PIN or birthday as your passcode.

Disable the visible lines on pattern lock screens. Pattern unlocking is the square grid of normally nine dots that some people use to unlock their phones. The lines which your finger creates as you draw the pattern can easily be watched by people “shoulder surfing”. Disabling them in your phone's settings makes the pattern harder to copy. It also might be a good idea to increase the size of the grid, if your phone allows it.

Rub the fingerprints from your phone each time you use it. If you're the kind of person that is extra paranoid about security, you should be aware that people can in some cases guess your passcode or pattern password from the marks that your fingers leave on the touchscreen. A bit over the top you might think, but worth considering for completeness' sake.

In conclusion

Your bank and e-mail host aren't, of course, going to let hackers make a million guesses at your password, but some websites might, and that might just be the weak link that leads hackers to gaining access to more sensitive accounts. When it comes to your online security, risks are really not worth taking; you probably have a lot more to lose than you think.

Making your digital life as secure as possible can be a fun challenge for some people (or a pain in the arse to others), but either way it is incredibly important. Just make sure that, whichever methods you choose to protect yourself, you don't get locked out of your own accounts!

Hopefully you've learned some new tricks here, and found my collection of tips and tricks a helpful starting point! Password security is only a small part of an overall secure system, so of course please get in touch if you'd like further advice on securing other aspects of your cyber security. This has only been a quick and brief article (honest!) on the topic of password security. There are many books, papers and other articles online from which you can read deeper into the topic if you wish to do so, but please be sure of their credibility and that they are still relevant to today's digital world.

Written by James Allen, September 2016. Last updated January 2017.