Keeping your password secure shouldn't be a big deal.
First to the very basics:
The longer the password, the better.
Of course it's a bit annoying having to enter
a 20-character password every time you want to check your email,
so you don't need to be that radical, as long as
it has a strict minimum length of 8 characters.
12 or more is recommended.
* Since recent news of GPU computing being used to crack passwords,
the minimum length has been raised from 6 to 8.
Never use personal information!
No special dates, no names, no postcodes, no telephone numbers,
nothing that can be easily guessed or linked to you.
Use letters, numbers and symbols.
Mix them, including uppercase and lowercase letters.
This greatly increases the number of combinations a brute force attack has to try.
Use only abstract values.
Characters in sequence, like AAA, ABC or 123, are cracked easily.
Words are also the first thing a dictionary attack tries,
so avoid known words, even in foreign languages.
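Those rules are easy to turn into a check. The script below is an added example written for this page, not something the original article includes; its word list is a constructed stand-in for a real wordlist, it treats a run of 3 identical or consecutive letters/digits as a sequence, and it flags anything shorter than 12 unless you pass a lower minimum:

```python
import string

# Constructed mini wordlist for the dictionary check; a real check would load
# a proper wordlist (the words a cracking tool tries first), in every language
# your users are likely to pick from.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon",
                "qwerty", "football", "senha", "passwort", "secret"}

MIN_LENGTH = 8           # strict minimum from the article
RECOMMENDED_LENGTH = 12  # recommended length from the article


def has_sequence(pw, run=3):
    """True if pw contains `run` identical characters (AAA) or a straight
    ascending/descending run of letters or digits (ABC, 123, cba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        codes = [ord(c) for c in chunk]
        if len(set(codes)) == 1:
            return True
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
    return False


def contains_word(pw, words=COMMON_WORDS, min_len=4):
    """True if any wordlist entry of at least min_len characters appears in pw."""
    s = pw.lower()
    return any(w in s for w in words if len(w) >= min_len)


def check_password(pw, personal=(), min_length=RECOMMENDED_LENGTH):
    """Return the list of rule violations; an empty list means pw passes.
    `personal` is an optional list of strings (names, dates, postcodes...)
    that must not appear anywhere in the password."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than the strict minimum of {MIN_LENGTH}")
    elif len(pw) < min_length:
        problems.append(f"shorter than the recommended {min_length}")
    present = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "symbols": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if has_sequence(pw):
        problems.append("contains a sequence such as AAA, ABC or 123")
    if contains_word(pw):
        problems.append("contains a dictionary word")
    lowered = pw.lower()
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the article's own Abc123, two typical bad
    # choices, and one that passes every rule.
    for candidate in ("Abc123", "Password2010!", "John1984!xyz", "Tq7#mZ2!vL9&"):
        result = check_password(candidate, personal=["John", "1984"])
        print(candidate, "->", result or "OK")
```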
Keep it fresh. Change your passwords at least
once every year. If you opt to use our
updating your passwords can be done frequently and easily.
Use different passwords for different services
It's simple: if someone gets your password for site
X, the first thing they will try is the same
password against other websites and services.
Maintaining multiple passwords may sound painful
or annoying to some, but you have options to make your
life easier. We'll cover this in the next section.
Pay extra attention to the password for your email account,
as it may contain important information about your other accounts
(welcome emails and password reminders sent by other websites),
and most websites send their password resets to it.
Using a dynamic prefix/suffix
That's probably the most effective way to keep your online
accounts and information safe without the hassle of keeping a list
of different passwords. Basically, you'll build a dynamic
prefix/suffix for each service from your base password, using a pattern
of your choice. Let me explain: suppose your current password is Abc123.
You just need to add a prefix (or suffix, or both!) to
this password, derived from the specific service or website.
For example you can use the first 3 characters of the website name.
So your password for Google.com will be gooAbc123, for facebook.com
it will be facAbc123 and for MySpace it's mysAbc123.
Why should I use a dynamic prefix/suffix?
It seems easy for you to figure out the password pattern,
because you know it. But if someone steals one of your passwords and
tries the same value on other websites, it won't work. Depending
on the pattern chosen, two passwords will look completely different
even though they're based on the same original. Automated tools that
simply replay a stolen password against other sites are defeated by this
method. The caveat: a person who sees the stolen password in clear text can
often guess the pattern, so the base password still has to be strong.
Examples of prefix/suffix patterns
Suppose you'll choose your passwords for Google and Facebook.
Starting with the "simple 3" pattern.
First 3 characters of the website name as a prefix, lowercased.
Google: goo - gooAbc123
Facebook: fac - facAbc123
The first character of the website uppercased as prefix,
and the last letter lowercased as suffix.
Google: G, e - GAbc123e
Facebook: F, k - FAbc123k
The length of the website name and the first character lowercased as prefix.
Google: 6, g - 6gAbc123
Facebook: 8, f - 8fAbc123
Prefix with the first vowel of the website name, followed by one "!" per vowel in the name.
Google: o, !!! - o!!!Abc123
Facebook: a, !!!! - a!!!!Abc123
Prefix with the next letter in the alphabet after the first letter
of the website name, suffix with the last letter.
Google: h, e - hAbc123e
Facebook: g, k - gAbc123k
Even the simplest pattern greatly decreases the chances
of having multiple accounts compromised because of a
single stolen password. It's also an easy way of updating
your passwords frequently, as you can use parts of the current date
in the prefix/suffix pattern as well.
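All five patterns above, plus the date-based rotation, as an added example (not the article's own code). It assumes the "website name" is the first host label after any scheme, path and leading "www." are stripped, and it uses a two-digit year plus month as the date part; the function names and that YYMM suffix are choices made for this example:

```python
import string
from datetime import date

VOWELS = "aeiou"


def site_name(url):
    """Reduce a URL or site label to the bare name the patterns operate on.
    Assumption for this example: the name is the first host label after
    stripping any scheme, path and leading "www." ("Google.com" -> "google")."""
    host = url.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    name = host.split(".", 1)[0]
    if not name:
        raise ValueError(f"cannot derive a site name from {url!r}")
    return name


def simple3(name, base):
    """First 3 characters of the name, lowercased, as prefix."""
    return name[:3] + base


def first_upper_last_lower(name, base):
    """First character uppercased as prefix, last character lowercased as suffix."""
    return name[0].upper() + base + name[-1]


def length_first(name, base):
    """Length of the name followed by its first character, as prefix."""
    return f"{len(name)}{name[0]}{base}"


def vowel_prefix(name, base):
    """First vowel of the name, then one "!" per vowel in the name, as prefix."""
    vowels = [c for c in name if c in VOWELS]
    if not vowels:
        raise ValueError(f"{name!r} has no vowel")
    return vowels[0] + "!" * len(vowels) + base


def next_letter(name, base):
    """Letter after the name's first letter (z wraps to a) as prefix,
    last letter as suffix."""
    if name[0] not in string.ascii_lowercase:
        raise ValueError(f"{name!r} does not start with a letter")
    i = (string.ascii_lowercase.index(name[0]) + 1) % 26
    return string.ascii_lowercase[i] + base + name[-1]


PATTERNS = {
    "simple3": simple3,
    "first_upper_last_lower": first_upper_last_lower,
    "length_first": length_first,
    "vowel_prefix": vowel_prefix,
    "next_letter": next_letter,
}


def derive(base, url, pattern="simple3", on=None):
    """Derive the per-site password for `url` from `base` using `pattern`.
    If `on` (a date) is given, a YYMM suffix is appended; rotating the
    password then just means re-deriving it for the current month
    (assumption: year and month are the "part of the current date" used)."""
    pw = PATTERNS[pattern](site_name(url), base)
    if on is not None:
        pw += on.strftime("%y%m")
    return pw


if __name__ == "__main__":
    for site in ("Google.com", "facebook.com", "MySpace"):
        for name in PATTERNS:
            print(f"{site:13} {name:24} {derive('Abc123', site, name)}")
    print("with date:", derive("Abc123", "Google.com", "simple3", on=date(2010, 8, 25)))
```

Settle on one naming rule and stick to it: with the rule above, mail.google.com reduces to "mail", not "google", so you would derive a different password from the one you registered.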
Using password management software
Another alternative is using a
password management software
which will remember all of your passwords for you.
Which means you can use long and complex passwords that are difficult
Some good examples are
The main problem with password management software is, of course, trusting the publisher or developer. Should you
trust all your passwords to one specific service, system or vault? What
if an attacker manages to crack it and extract every stored password?
Not very likely, but it could still happen.
Nowadays you can find a multitude of biometric devices used
are by far the most common,
but you can also find devices that use your
to identify you. The device can generate random passwords
and store them encrypted within its software. As soon as you authenticate,
the software sends the correct password to the website or service.
So what do you gain? First of all, you won't have to remember passwords
anymore. You just use your thumb and the device performs the
authentication. Also, the passwords can be quite strong, using as many
characters as the system supports and a good mix of letters,
numbers and special symbols. Remember, you don't have to remember, because
the device does it for you.
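If a device or a password manager generates passwords for you, this is the kind of generator you'd want behind it. It is an added example for this page, not code from any product mentioned here; the symbol set is an assumption, to be replaced by whatever the target site accepts, and the entropy figure is the plain length * log2(alphabet size) estimate:

```python
import math
import secrets
import string

# Character classes every generated password must draw from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    # Assumed default symbol set; pass symbols= to match what a site accepts.
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length=20, symbols=CLASSES["symbol"]):
    """Return a random password of exactly `length` characters with at least
    one lowercase letter, one uppercase letter, one digit and one symbol.

    `secrets` draws from the OS CSPRNG and secrets.choice is free of modulo
    bias, so each character is uniform over its pool. The four mandatory
    characters are shuffled in; otherwise their position would leak the
    structure (first character always lowercase, and so on)."""
    if not symbols:
        raise ValueError("symbols must not be empty")
    pools = dict(CLASSES, symbol=symbols)
    if length < len(pools):
        raise ValueError(f"length must be at least {len(pools)}")
    chars = [secrets.choice(pool) for pool in pools.values()]
    alphabet = "".join(pools.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(pw, symbols=CLASSES["symbol"]):
    """True if pw contains at least one character from each class."""
    pools = dict(CLASSES, symbol=symbols)
    return all(any(c in pool for c in pw) for pool in pools.values())


def bits_of_entropy(length, symbols=CLASSES["symbol"]):
    """Strength of a uniformly random password of this length over the full
    alphabet, in bits (ignores the small reduction from the one-per-class rule)."""
    alphabet_size = sum(len(p) for p in dict(CLASSES, symbol=symbols).values())
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (8, 12, 20):
        print(n, "chars:", generate_password(n), f"~{bits_of_entropy(n):.0f} bits")
    # A site that only allows "#" as a symbol: shrink the pool to match.
    print("symbols restricted to '#':", generate_password(16, symbols="#"))
```

The entropy line is the reason the article's minimum keeps rising: 8 random characters over this 85-character alphabet is only about 51 bits, while 20 is about 128, and the device remembers both equally well.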
But there are still some caveats. First, if you don't have a portable
biometric device, you can't simply use a huge random password,
because you'll need to know and remember it to authenticate from
other machines. So a laptop with a built-in fingerprint reader
won't help when you need to authenticate from your work machine
or a public internet cafe.
Also, these biometric devices only help at your end. As soon
as the password is sent to the website, there's nothing you can
do to make it stronger. The website is not using any biometric devices,
so it's as vulnerable to brute force attacks as any other
Never share your passwords with anyone
Keep them to yourself, and no one else. Sharing your password
with your partner or friends might expose you to external security risks
that are not under their control. It's not just about trusting
them. For example, your partner could log in to your email
account from a public machine at the internet cafe. If this machine has a
running in the background... you know what might happen.
If for some reason you need to give someone else access,
change your password to a temporary one, and set a new one after
the person has done whatever he or she needed to.
How to proceed if everything goes wrong
No matter how hard you try to keep your password safe and strong,
there's still a chance it gets compromised. What should you
do if you suddenly discover that someone has broken in?
First of all, if the password is still the same and you're able
to login, change it immediately.
If your password doesn't work anymore, check if the website has a
"Password reset" page, and if so, reset your password.
If you can't reset your password online, send a high-priority email to the
support team, telling them that someone has gained
access to your account and you need to change your password
as soon as possible. Provide your username and/or email and
your personal information (name, contact number, city...)
so they can verify it's really you and proceed with your
request.
Never send other passwords or financial details, such as
credit card numbers, by email.
If they have a support contact number, call them as it's usually
faster than sending emails.
If your account links you to other people or services,
let them know that your password has been compromised
and that they should forward anything they receive from it
to you via an alternate email or fax.
For example, if the attacker gets into your email account,
they might send emails to your contacts with ill intent
and increase the damage.
Revision: 25th August 2010