Stop Using QWERTY: 4 Easy Tips for Better Passwords



Don’t have the password to get into the speakeasy? You’re out of luck unless you can trick the bouncer into telling you the password is “Swordfish.” A simple password like that would be a terrible choice to protect your email access or a bank site. And yet, chances are good you’re using something just as bad, because stronger passwords are too hard to remember.The only safe way to store proper passwords is in a password manager. If you’re not using one, you probably rely on a highly crackable password like baseball or 12345, or you’ve memorized one complex password and use it everywhere. Password security is no small matter. Given the enormous scale of risk, you need to do everything you can to keep your passwords safe.Even the best password manager doesn’t guarantee the safety of your accounts—not if you use it to store the same old, tired passwords. You have to switch out your old and weak passwords for new and stronger ones.Once you’ve replaced all your lame passwords with strong, unique ones, you can relax, at least until a data breach forces a change. The National Institute of Standards and Technology no longer recommends changing passwords every 90 days. NIST now recommends using long phrases like “Correct-Horse-Battery-Staple” and changing them only when necessary. But if you’re using terrible passwords, “when necessary” means right now.Just what makes a bad password? Let’s look at some of the attributes of terrible passwords, then give you some pointers on how to make them the right way.1. Stay Out of the DictionaryEvery few months a news outlet posts a list of the worst passwords. We see a lot of easy-to-type options, like the aforementioned 12345 and qwerty. Easy for you to type? Sure. But also easy for hackers to crack. Other common (and poor) passwords consist of simple dictionary words. We’ve seen baseball, monkey, and starwars in the list of worst passwords. These, too, are easy to crack.
The Best Password Managers We’ve Tested

Some secure websites lock down after a given number of wrong password attempts, but many don’t. For those with no bad guess lockout, hackers can cross a list of email addresses with a list of popular passwords and set up an automated process to keep trying combinations until they get in.A properly secured website doesn’t store your password anywhere. Instead, it runs the password through a hashing algorithm, a kind of one-way encryption. The same input always produces the same output, but there’s no way to get back to the original password from the resulting hash. If the password you type hashes to the same value that’s stored, you get access. Even if hackers capture the site’s user data, they don’t get passwords, just hashes.But smart hackers can crack weak passwords even when they’re hashed if they know what hashing function the site used. They start by running a huge dictionary of common passwords through the hashing function. Then they look for the resulting hashes in the captured data. Each match is a cracked password. Sites with the very best security enhance the hash function with a technique called password salting, which makes this kind of table-based cracking impossible, but why take the risk? Just stay out of the dictionary.2. Think DifferentlyA friend once told me her perfect password: 1qaz2wsx3edc4rfv. She could “type” it by just sliding a finger down four slanted columns of the keyboard. It was so perfect, she used it everywhere. And that was a big mistake.Hardly a week goes by without news of a breach at some company or website, exposing thousands or millions of usernames and passwords. Smart victims change their passwords immediately. Those who ignore the problem may find themselves locked out of their own accounts after the hackers reset the password.

How Your Password Was Stolen

Those hackers know that all too many people recycle their passwords. Once they find a working username and password pair, they try the same credentials on other sites. You may not be so worried about losing access to your old Club Penguin Rewritten account, but if you used the same login on your bank’s website, you’ve got big trouble.It gets worse. If someone else takes control of your email account, they can first lock you out by changing the password. Then they can break into your other accounts by having a password reset link emailed to that account. Worried yet?3. Don’t Get PersonalUsing personal information as the basis for your passwords is awfully tempting, but it’s a bad idea. Whether your dog’s name is Fifi or Khaleesi, that name probably appears in the dictionaries hackers use for brute-force attacks. Other possibilities such as the initials and birthdate of a family member probably won’t fall to a brute-force attack, but if someone wants to hack your account specifically, that personal data can fuel a trial-and-error guessing attack.

Recommended by Our Editors

Don’t think for a minute that your personal details are private. There are dozens of sites people can use to find details about anybody: address, birthdate, marital status, and more. Your social media posts can be another source of personal info, especially if you haven’t properly secured your accounts. A determined hacker (or a nosy neighbor) can probably guess any password that you build based on your own data.4. Close the Back DoorIf you’re not using a password manager, you’ve surely experienced forgetting the password for a site. It’s all too common, which is why virtually every login page includes a “Forgot your password?” link. Some sites send a reset link to your email address, while others let you reset the password after answering your security questions. And that opens a back door to anyone wanting to hack your account.Most sites offer abysmal options for security questions. What is your mother’s maiden name? Where did you go to high school? What was your first job? As noted, your personal life is an open book to anyone with internet searching skills. When possible, ignore the preset questions. Create your own question, with a unique answer you’ll always remember but nobody else could guess.It’s harder when the site doesn’t let you define your own questions. In that case, your best bet is to use a memorable answer that’s a total lie. My mother’s maiden name is Fauci. I went to school at More Science High School. For my first job, I was a linotype operator. There is an element of risk since you might forget which lie you chose. I would suggest storing these oddball answers as secure notes in your password manager—but if you were using a password manager you wouldn’t have this problem in the first place.What to Do Now That You CareI hope I’ve convinced you that using common passwords is a rotten idea, as is building passwords from personal information. And even the best strong, random password becomes a liability if you use it everywhere. If you’re ready to spring into action, here are some starting points:If a secure site doesn’t take care of security, you could still lose that site’s credentials to a data breach, but by making all your passwords long, strong, and unique, you can rest assured that you’ve done everything you can to protect your online accounts from password-based attacks.

Simple Tricks to Remember Insanely Secure Passwords

Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

We will be happy to hear your thoughts

Leave a reply

AnsarSales
Logo
Compare items
  • Total (0)
Compare
0
Shopping cart