
The horror of bad passwords

Every time a year ends, we're treated to the "top 10" from various categories. What were the most often used baby names, which car models sold best, who had the most followers on Twitter? A snore fest. One piece of news, however, woke me up from my winter slumber. A collection of 1 billion stolen data sets was analyzed to find the most popular passwords. Would it just be a case of same old, same old or had there been a learning process? What I found seemed like an invitation to unwanted visitors.

The fastest solution is not always the best

Among ingenious selections such as "hello123" and "qwerty" (take a look at your keyboard), there was a multitude of common swear words, nicknames or football clubs. If you compare this situation to home security, it would be like putting your key on the door mat, shining a couple of spotlights on it just in case and then advertising the whole thing in your local newspaper. It's so easy to come up with good passwords even if you don't want to remember cryptic strings.

Hackers aren't dumb: huge lists of the most common passwords have been circulating on the Internet for years, and various hacking tools will patiently iterate through them until a match is found. Experts believe it only takes a list of the 1000 most commonly used passwords to infiltrate more than half of all user accounts, not exactly a nice thought. Since many users rely on a single password for email, online shops like Amazon and social networks, the damage may be considerable, which is why providers keep tightening their password policies (longer passwords, upper- and lower-case letters and so on). In practice, "1234" may simply turn into "12345678", no security breakthrough here.

Expert advice is unanimous on this one: at least 8 characters, upper- and lower-case letters, special characters and digits. Passwords should not include any guessable, personal connections to their users, nor should they show up in dictionaries or encyclopedias, as those are among the sources hackers use. Funny keyboard patterns or strings of adjacent characters are also insecure. But how can you remember lengthy, impersonal passwords? There are a couple of tricks for that.

Highly individual mnemonic aid

Think of a phrase that is familiar to you and that you'd be able to look up if need be. For me, that would be the last line in "Back to the Future", i.e. "Roads? Where we're going, we don't need roads!". If you take only the first letter from each word plus the punctuation marks, you get "R?Wwg,wdnr!", a great password that is almost impossible to hack. You may also want to spice up "normal" passwords a little! If you replace letters with special characters or digits, you'll greatly increase password security. Turn "Oli-Minnesota" into "Ol1-M1nn3$ota" - hackers will find it hard to crack this one, and it only takes a little practice for you to get used to this pattern.

Another nice approach is to omit all whitespace in a short (but individual) sentence. "MyphoneisaSamsung" is already quite secure, but if you replace letters with special characters, as described before, you'll get "Myphon31$a$am$ung", which is a tough nut to crack for any hacker. You may also want to think of colleagues and friends. "Michael Meyers" and "Lisa Walters" may turn into "MiMeyLiWal" or whatever way you want to shorten their names. If all of that seems too complicated, take two familiar words and add a number. This way, a friend of mine came up with "ChicagoJHancock69", not uncrackable but still better than "hello12345".
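The three mnemonic tricks described in this section and the previous one, written out as small functions so you can reproduce the article's own examples. This is an added example, not code from the original post; the substitution table (i to 1, e to 3, s to $) and the "two letters of the first name, three of the surname" rule are assumptions read off the article's examples.

```python
# Assumed substitution table, inferred from the article's examples.
SUBSTITUTIONS = str.maketrans({"i": "1", "e": "3", "s": "$", "S": "$"})


def first_letters(phrase):
    """Keep the first letter of each word plus any trailing punctuation.

    Apostrophes inside contractions ("we're", "don't") are dropped so the
    result matches the article's "R?Wwg,wdnr!" example.
    """
    out = []
    for word in phrase.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum() and ch != "'")
    return "".join(out)


def substitute(text):
    """Swap selected letters for digits and symbols (e.g. Minnesota -> M1nn3$ota)."""
    return text.translate(SUBSTITUTIONS)


def squash(sentence):
    """Remove all whitespace from a sentence (e.g. 'My phone' -> 'Myphone')."""
    return "".join(sentence.split())


def name_fragments(names, first_n=2, last_n=3):
    """Join the first first_n letters of each given name with last_n of each surname."""
    parts = []
    for full_name in names:
        given, surname = full_name.split()[0], full_name.split()[-1]
        parts.append(given[:first_n] + surname[:last_n])
    return "".join(parts)


if __name__ == "__main__":
    print(first_letters("Roads? Where we're going, we don't need roads!"))
    print(substitute("Oli-Minnesota"))
    print(substitute(squash("My phone is a Samsung")))
    print(name_fragments(["Michael Meyers", "Lisa Walters"]))
```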

One key to rule them all

If you want to play it safe but don't trust your memory, you can always fall back on password management software. There are various applications with tons of features, including freeware solutions like "KeePass". All you need to do is remember a single password to gain access to any number of stored passwords (or create a key file on a removable disk that you'll have to plug in to use the program). Many of these applications also include the option to create and manage highly cryptic passwords for you, so you'll stay safe without having to memorize a myriad of hard-to-remember strings of characters. At present, I'm still relying on my memory, but I'll most likely use password management software in the future, you know, the ravages of time.

What I would like to know: Do you have any tips on how to create strong passwords? Do you use any particular method?

12 comments
  • L

    Good read, Sven.

    I used the link to HPI, and discovered that 7 sets of trusted website credentials had been compromised, including linkedin! No dodgy sites.

    I don't remember being notified of a breach, and considering that 160,144,040 other accounts have been affected, that's bad.

    I have recently been receiving e-mails stating that my email and password had been hacked on porn sites, and that my webcam (I don't have one) was recorded while I watched the alleged porn, and a ransom of thousands of $ in Bitcoin was demanded to delete the material. Of course, I just deleted the e-mail.

    I don't have any porn site accounts, but the e-mail was mine and the password shown (not a real word with numbers) was also a password I used in the past, but I can't remember which site(s), it was an old password. That level of detail is more than a simple scam mail.

    Perhaps if websites simply created unique usernames, the login, at least, would not reveal a real e-mail address at the point of entry.

    I think that even two-factor authentication could be breached eventually, and when that happens, people's phone numbers will be published on similar lists.

  • D

    Hi,

    Most interesting.

    One technique I use is a couple of special characters either end of a memorable word or words without spaces, and substitute the letters between the first and last letter of each word with the number of letters you have removed from each one.

    So if you are a Beatles fan and go for a song title, say

    Strawberry Fields Forever you'd get something like this

    $S9yf4Sf6r&

    Upper case letters where the mood takes you and voila, quite uncrackable unless a hacker hears you humming in the internet cafe while you work :-)

    Cheers

    Dave

  • L

    Good article but I would have liked to see some mention of testing for strength. There are several sites/apps that do this.

    I have a couple of passwords that consistently test as very strong.

    Are such tests valid? I think I need all the help I can get to ensure that my passwords are at least strong - which cuts down on the hackability.

    There are many sites that can verify the strength of your passwords. I consider most of them too insecure, who knows what they’ll do with the data? I like to use Kaspersky. https://password.kaspersky.com

  • j

    Great article Sven. All great remedies.

    I am 68 years young and sometimes tend to forget.

    What I have done is to have a very strong master password. This is what I have done:

    1. Create a spreadsheet (in Excel) which contains all my passwords.

    2. Hide all rows.

    3. Protect the worksheet with the very strong password.

    4. Make the worksheet very hidden (as opposed to just hidden).

    Do you consider this good enough, or should I get a program or app for this?

    I believe that will do, Mr. Dineley. I’m genuinely impressed by how much effort you put into this.

  • D

    "Hackers have lists with the most common passwords"

    Fair enough, but would any hacker trawl through my Facebook, Twitter and other feeds to find the name of my wife, my family, where I was born and live, etc., to find some inane passwords for some pretty useless website logins?

    I use a pretty silly name for logins to many sites that can never compromise anything important, such as banks. For banks and any other login I do not want anyone to access, then I mainly use a password generator of 8 to 12 characters and store these in a secure password manager - which has a very strong password itself!

    That depends on how important you and your account are to hackers. :) There are enough reports by Facebook users where "smart" guessing (with the help of some background research) helped others break into their accounts.

  • P

    When I was still working I was required to change my system logon password every 4 weeks, and the new password could not have been used for the last 10 changes and had to be at least 50% different; the company was a bit anal about security. I have used the first letter of words in quotes for years. I have a book of quotations; for example "Now is the winter of our discontent" from Richard III becomes nitwood, which I then modify with numbers, capitalisation and symbols such as NiT282wOod!. I rejected this one as I thought nitwood would be too easy for a word search program. I use individual passwords for sensitive logons but use more generic ones for less critical things such as blogs. I have a hand-written cheat sheet (not on any PC) with clues: 'nitwood' would be r3 282, i.e. P282 Richard III.

  • J

    Decent article Sven. You would think it would be obvious to make a password indecipherable. Not everyone thinks their accounts will be targeted. It takes something like an alert from a site reporting they have been hacked to move people. That's my take anyway.

  • A

    I use a combination of vehicle Reg # and Driver's License.

    Change combination often.

    This is good advice; the German blog also has a few unique combinations contributed by car fans. :)

  • D

    Good advice Sven. There are many websites that do not allow anything other than an alpha-numeric password. Characters such as $#& are not usable.

    I use alpha-numeric with upper and lower cases along with a password manager. The most aggravating abuse of passwords is the lack of recognition from websites that we do use several devices. The sites know my location right down to the street address yet continually want verification.

    To top it off I never use the same password twice. It makes my mind struggle to find a different one so often.

    I’m aware that some providers restrict the number of available characters. It’s a shame since it robs users of many possibilities.

  • K

    My GOTO for the past, many many years, has been Roboform2Go !

    Couldn't live without it. All passwords stored on an encrypted, password-protected USB stick that never leaves me.

  • H

    Very good suggestions: I read somewhere, but haven't used it yet, that just using a phrase with blank spaces would be hard to crack, but is very easy to remember. I don't know. An example would be "Ashampoo has terrific products." ... What do the experts say??

    Thanks.

    Best password ever. :)

  • J

    Dead right!

    My passwords were always formed as described but there were just so many needed that I would end up duplicating them (NOT good)!

    Eventually gave in and used a password manager, selecting 'LastPass' as it was free and worked across ALL my Windows devices including 'phone. For well used sites like Amazon it can even change your passwords automatically! and at any point you can view the allocated passwords for any site.

    Don't forget your master password though, AND MAKE SURE IT REALLY IS UNBREAKABLE. :-)
