Choosing Strong Passwords for Websites

Written By PhilG

Bradford Marketing Hub contains articles and information that help small and medium service businesses.

Strong passwords and two-factor authentication are your first line of defence.

Strong passwords are just one part of your protection plan.

  1. Use a password manager to make and remember strong passwords. A password manager makes it so you only need to remember one password, the master password for the password manager.
  2. For all but your master password, auto-generate very long gobbledygook strong passwords. You don’t need to remember these; the password manager does that for you (make each password as long and complicated as the site you’re logging into allows).
  3. Use two-factor authentication wherever you can. This means you need both your password and your phone to log in. Provided only you have your phone, only you can log in.
  4. For your master password, use a long, easy-to-remember passphrase that includes uppercase and lowercase letters, special characters, spaces and numbers.

Beware Phishing Attacks!

Phishing is where a hacker contacts you directly by phone, text, email or similar. They lie to you and say your account has been compromised. They put pressure on you to give them information, or to go to a link they provide and divulge your account information there. And they want you to act now.

Phishing attacks are very convincing. The people are skilled and intelligent. The phone numbers and links they show you appear to be legitimate phone numbers and links.

But it’s a scam called a phishing attack.

If someone contacts me like this I do not engage with them and I do not click the links they provide.

If in doubt, I contact the website in question by typing in the domain name I know to be correct or phone the company using the number I know to be correct.


OK, enough about phishing, let’s get back to making our passwords secure.

Use two types of strong password.

Use a passPHRASE to log into your password manager.

For everything else, use passWORDS generated by your password manager.

Make the passwords that are generated by your password manager strong passwords, that is, as long and complex as you’re allowed. You don’t have to remember them; the password manager does that. You only need to remember one passPHRASE that opens the password manager.

Use two-factor authentication such as Google Authenticator whenever possible.

A quick side note. If you’re maintaining your own website make sure you restrict the user roles to only trusted individuals.

Choosing a strong password.

PassWORD and passPHRASE are two different things, but what’s the difference?

A good password is usually gobbledygook, which makes it difficult to guess, but also difficult to remember and difficult to type.

This is a typical passWORD: x\12heK{>2&H3`KX}76gjf/Z

This is a typical passPHRASE: Win/Stretch/Quiet Cottage/8

As you might notice, the passWORD is gobbledygook and not easy to remember.

The passPHRASE is easier to remember because it includes several real words. It’s important to include symbols or special characters (^/£%-+=) and numbers in your passphrase too. The symbols and numbers make your passphrase much more secure. A passphrase is a strong password that’s easy to remember.

At first I thought passPHRASES were too simple to be secure. If you think so too, read what Gibson Research Corporation say about a needle in the haystack.

The important point is that a passPHRASE…

  • is long (more than 24 characters)
  • uses uppercase letters
  • uses lowercase letters
  • uses special characters (symbols)
  • uses spaces
  • and uses numbers

Make it easy for you to remember, but difficult for a machine or a human to guess.

The words in the passPHRASE should not be related.

For instance, don’t use:

Car/Wheel/Tire/4

because the words are all related.

Unrelated words could be:

Golden Eagle-Embroidery-Manchester-9
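As an added example (not part of the original article), here is a small Python checker for the passPHRASE checklist above: length over 24 characters, uppercase, lowercase, symbols, spaces and numbers. It is run against the article’s own examples. The mapping of each checklist item to a character class is my assumption, and the one rule a machine cannot check, that the words should be unrelated, is left to you.

```python
# Added example: checks a passphrase against the article's six requirements.
# The mapping of each requirement to a character test is an assumption made here.

MIN_LENGTH = 25  # "more than 24 characters"

def passphrase_report(phrase: str) -> dict:
    """Return, per requirement, whether `phrase` meets it."""
    return {
        "long":   len(phrase) >= MIN_LENGTH,
        "upper":  any(c.isupper() for c in phrase),
        "lower":  any(c.islower() for c in phrase),
        # symbol: anything that is neither a letter/digit nor whitespace,
        # so non-ASCII symbols such as the pound sign count too
        "symbol": any(not c.isalnum() and not c.isspace() for c in phrase),
        "space":  " " in phrase,
        "digit":  any(c.isdigit() for c in phrase),
    }

def missing_requirements(phrase: str) -> list:
    """Names of the requirements the phrase fails, in checklist order."""
    return [name for name, ok in passphrase_report(phrase).items() if not ok]

def is_strong_passphrase(phrase: str) -> bool:
    """True only when every requirement on the checklist is met.
    Note: word relatedness (Car/Wheel/Tire) is not something code can judge."""
    return not missing_requirements(phrase)

if __name__ == "__main__":
    # The article's own examples, used as sample input.
    for p in ["Win/Stretch/Quiet Cottage/8",
              "Golden Eagle-Embroidery-Manchester-9",
              "Car/Wheel/Tire/4",
              r"x\12heK{>2&H3`KX}76gjf/Z"]:
        print(f"{p!r}: strong={is_strong_passphrase(p)} missing={missing_requirements(p)}")
```

Note that the gobbledygook passWORD from the article fails this check (it is 24 characters and has no space), which is exactly the point: it is a different kind of secret, generated and remembered by the password manager, not a passPHRASE you type from memory.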

If your chosen passPHRASE is rejected by your password manager, or it cannot include a space between the words, shorten it and change spaces to hyphens. Remember, you only need to make your own passPHRASE to log in to your password manager; use the password manager to create all your other strong passwords.

And remember to include all the character types you’re allowed (uppercase and lowercase letters, numbers, symbols) and make it as long as practical. And always enable two-factor authentication if the site allows it.

A password manager is a must for strong passwords.

The important point to remember is: always use a password manager, then you only need to remember one master password. If you make your master password a long passPHRASE that includes uppercase, lowercase, special characters and numbers, and then add the protection of two-factor authentication, you’ll be more secure than most.

How password hacking works…

The first attempt to hack your password is likely to be a dictionary attack. The hacker will try known common passwords first. Next, they’ll try common words or common phrases to log in to your account. (A single word, or a phrase that does not include numbers and special characters, is not a strong password.)

If the dictionary attack doesn’t work, they must start an exhaustive password search using random characters. This means a long password is more secure, provided it’s not a common phrase such as “God Save Our Gracious Queen”.

You can also pad your password by adding a short sentence to the end. For instance, you could change this password…

Golden-Eagle9

Into this…

Golden-Eagal9-that-i-saw-flying.
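The following Python estimator is an added example (not from the original article) that puts rough numbers on the two stages just described: a dictionary stage, where a common word or phrase is found no matter how long it is, and an exhaustive stage, where the number of candidates grows with every extra character. The common-guess list and the guess rate are constructed assumptions for illustration; a real screen would use a large breached-password corpus.

```python
import math

# Constructed stand-in for the "known common passwords and common phrases"
# a dictionary attack tries first (assumption; real lists have millions of entries).
COMMON_GUESSES = {
    "password", "123456", "qwerty", "letmein", "god save our gracious queen",
}

# Assumed offline guess rate, purely for scale; not a measured figure.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(pw: str) -> int:
    """Smallest printable-ASCII alphabet covering the character classes pw uses."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # punctuation plus space
    return size

def search_space_bits(pw: str) -> float:
    """log2 of the candidates an exhaustive search over pw's alphabet and length must cover."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))

def classify(pw: str) -> tuple:
    """(stage, bits): the stage at which the article's attacker finds pw.
    A common phrase falls at the dictionary stage regardless of its length."""
    if pw.strip().lower() in COMMON_GUESSES:
        return ("dictionary", 0.0)
    return ("exhaustive", search_space_bits(pw))

def years_to_exhaust(pw: str) -> float:
    """Years to enumerate the whole search space at the assumed guess rate."""
    stage, bits = classify(pw)
    if stage == "dictionary":
        return 0.0
    return 2.0 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Sample input: the article's own examples, plus the padded version.
    for pw in ["God Save Our Gracious Queen",
               "Golden-Eagle9",
               "Golden-Eagal9-that-i-saw-flying.",
               r"x\12heK{>2&H3`KX}76gjf/Z",
               "Win/Stretch/Quiet Cottage/8"]:
        stage, bits = classify(pw)
        print(f"{pw!r}: {stage}, {bits:.1f} bits, ~{years_to_exhaust(pw):.3g} years")
```

Two things the numbers show. Padding "Golden-Eagle9" to "Golden-Eagal9-that-i-saw-flying." adds well over 100 bits to the exhaustive search space, and the 27-character passPHRASE outranks the 24-character gobbledygook passWORD, which is the haystack argument. The exhaustive figure is an upper bound: an attacker who guesses whole words rather than single characters narrows a passphrase considerably, which is why the article insists on unrelated words plus symbols and numbers.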

Remember, because you’re using a password manager, you only need to make and remember the master password. Use your password manager to make and remember all of your other passwords, so your strong passwords can be very long and very complex.

Also, if the business that runs your password manager gets hacked and you’re using two-factor authentication, the hacker is still locked out of your individual websites, because the hacker needs both your password and your phone to log in. LastPass had a data breach, so it is possible; make sure you use two-factor authentication.

Some of the biggest brands with massive budgets have been hacked or had data breaches, but having a good password plan will make you more secure than most of your competitors.

Strong Passwords.

You really do need strong passwords and two-factor authentication, don’t wait until it’s too late before you start using them.

Useful links.

BitWarden:
Free password manager.

Google Authenticator:
App store.

Gibson Research Corporation:
Needle in a haystack.
Perfect passwords.
