Password guide and security tips

The basics

Keeping your passwords secure shouldn't be a big deal. First, the very basics:

  • The longer the password, the better. Of course it's a bit annoying having to type a 20 char password every time you want to check your email, so you don't need to be that radical, as long as you respect a strict minimum of 8 characters. Recommended is 12 or more.
    * Since the recent news of GPU-based password cracking, the minimum length has been raised from 6 to 8.
  • Never use personal information! No special dates, names, postcodes, telephone numbers, nothing that can be easily guessed or linked to you.
  • Use letters, numbers and symbols. Mix them, including uppercase and lowercase letters. This greatly enlarges the space a brute force attack has to search.
  • Use only abstract values. Runs like AAA, ABC or 123 are among the first guesses a cracking tool tries, and dictionary words are next on its list, so avoid known words even in foreign languages.
  • Keep it fresh. Change your passwords at least once a year, and straight away if you hear that a service you use has been breached. If you opt for our master tip, updating your passwords frequently becomes easy.
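The rules above, written out as a small Python checker. This is an added example, not code from the original guide. It generalises slightly: besides identical runs (AAA) and ascending runs (ABC, 123) it also flags descending ones (CBA). The wordlist and the personal details it checks against are constructed placeholders; a real deployment would load a large multilingual dictionary and the user's own profile data.

```python
"""Checker for the password rules above (added example, not the guide's own code)."""

MIN_LENGTH = 8            # the guide's strict minimum
RECOMMENDED_LENGTH = 12   # the guide's recommendation

# Constructed stand-in for a real multilingual wordlist (assumption: a deployment
# would load a large dictionary instead of this handful of words).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "amigo", "bonjour", "secret"}


def has_sequence(pw, run=3):
    """True if pw contains `run` identical characters (AAA) or a straight run in
    ASCII order, ascending (ABC, 123) or descending (CBA). Case-insensitive."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def char_classes(pw):
    """Set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def contains_any(pw, items, min_len):
    """Case-insensitive substring match against items of at least min_len chars."""
    low = pw.lower()
    return any(str(item).lower() in low for item in items if len(str(item)) >= min_len)


def check_password(pw, personal=()):
    """Return the list of rules the password breaks; an empty list means it passes.
    `personal` is the user's own data (names, dates, postcode...) that must not appear."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than the {MIN_LENGTH}-character minimum")
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if len(char_classes(pw)) < 3:
        problems.append("uses fewer than 3 of: lowercase, uppercase, digits, symbols")
    if has_sequence(pw):
        problems.append("contains a repeated or sequential run (AAA, ABC, 123)")
    if contains_any(pw, COMMON_WORDS, 4):
        problems.append("contains a dictionary word")
    if contains_any(pw, personal, 3):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    # Constructed candidates; note that the guide's own sample base "Abc123" fails two rules.
    for candidate in ("Abc123", "gooAbc123", "Marcos1985!x", "Tq7!mvR2#pLx9w"):
        print(candidate, "->", check_password(candidate, personal=["Marcos", "1985"]) or "OK")
```

Run it as a script to see each candidate's verdict; the sample base "Abc123" used later in this guide is too short and contains two sequential runs, which is why the base you pick for the prefix/suffix tip should itself be a solid password.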

Use different passwords for different services

It's simple: if someone gets your password for site X, the first thing they will try is that same password against other websites and services. Maintaining multiple passwords may sound painful or annoying, but you have options to make your life easier. We'll cover them in the next sections.

Pay extra attention to the password for your email account: whoever controls it can read the welcome emails and password reminders that other websites have sent you, and can use those sites' "forgot password" feature to take over those accounts as well.

Using a dynamic prefix/suffix

That's probably the most effective way to keep your online accounts and information safe without the hassle of keeping a list of different passwords. Basically you add a dynamic prefix/suffix, derived from each service's name by a pattern of your choice, to a single base password. Suppose your current password is Abc123. You just need to add a prefix (or suffix, or both!) derived from the specific service or website, for example the first 3 characters of the website name. So your password for Google.com becomes gooAbc123, for facebook.com it's facAbc123 and for MySpace it's mysAbc123.

Why should I use a dynamic prefix/suffix?

It seems easy for you to figure out the pattern, because you know it. But if someone steals one of your passwords and tries the same value on other websites, it won't work, and automated tools that simply replay a leaked password against other services fail for the same reason. Depending on the pattern chosen, two passwords will look completely different even though they're built from the same base. Be aware of the limit of this method, though: anyone who obtains one of your passwords in the clear (through a phishing page, a keylogger, or a site that stored it unhashed) and notices the site-derived part can guess the pattern and derive your passwords for other sites. So keep the base itself strong, and don't use a pattern as obvious as the full site name.

Examples of prefix/suffix patterns

Suppose you're choosing your passwords for Google and Facebook, starting with the "simple 3" pattern.

  • First 3 characters of the website name as a prefix, lowercased.
    Google: goo - gooAbc123
    Facebook: fac - facAbc123
  • The first character of the website name uppercased as prefix, and its last letter lowercased as suffix.
    Google: G, e - GAbc123e
    Facebook: F, k - FAbc123k
  • The length of the website name followed by its first character lowercased, as prefix.
    Google: 6, g - 6gAbc123
    Facebook: 8, f - 8fAbc123
  • Prefix with the first vowel of the website name, followed by one "!" per vowel in the name.
    Google: o, !!! - o!!!Abc123
    Facebook: a, !!!! - a!!!!Abc123
  • Prefix with the letter that follows the first letter of the website name in the alphabet, suffix with the last letter.
    Google: h, e - hAbc123e
    Facebook: g, k - gAbc123k

Even the simplest pattern greatly reduces the chance of having multiple accounts compromised because of a single leaked password. It's also an easy way of updating your passwords frequently: you can include part of the current date (the year, say) in the prefix/suffix pattern as well.
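The five patterns above, implemented in Python, together with the attacker's side of the caveat. This is an added example, not code from the original guide. `derive()` builds a site password from a base and a pattern; `recover_base()` shows what an attacker can do with one password obtained in the clear: try each known pattern, strip the site-derived parts, and predict the passwords for other sites. The hostname handling (drop `www`, keep the first label) and the no-wrap-around rule for "next letter after z" are assumptions the guide does not spell out.

```python
"""Site-specific prefix/suffix derivation (added example, not the guide's own code)."""

VOWELS = "aeiou"


def site_name(site):
    """Reduce a hostname or URL to the name the patterns work on: 'www.Google.com' -> 'google'.
    Assumption: the name is the first label after an optional 'www'."""
    host = site.lower().split("//")[-1].split("/")[0]
    labels = [p for p in host.split(".") if p and p != "www"]
    return labels[0] if labels else host


# Each pattern maps a site name to (prefix, suffix); the password is prefix + base + suffix.
PATTERNS = {
    "simple3": lambda n: (n[:3], ""),
    "first_upper_last_lower": lambda n: (n[0].upper(), n[-1]),
    "length_first": lambda n: (f"{len(n)}{n[0]}", ""),
    "vowel_bangs": lambda n: (next((c for c in n if c in VOWELS), n[0])
                              + "!" * sum(c in VOWELS for c in n), ""),
    # chr(ord('z') + 1) is '{'; assumption: no wrap-around, the guide does not say.
    "shift_first_last": lambda n: (chr(ord(n[0]) + 1), n[-1]),
}


def derive(site, base, pattern="simple3"):
    """The user's side: build the password for `site` from the shared base."""
    prefix, suffix = PATTERNS[pattern](site_name(site))
    return prefix + base + suffix


def recover_base(site, leaked):
    """The attacker's side of the caveat: given one password leaked in the clear and the
    site it belongs to, try every known pattern, strip the site-derived parts and return
    {pattern: base} for each pattern that fits."""
    name = site_name(site)
    found = {}
    for pattern, fn in PATTERNS.items():
        prefix, suffix = fn(name)
        if (len(leaked) > len(prefix) + len(suffix)
                and leaked.startswith(prefix) and leaked.endswith(suffix)):
            found[pattern] = leaked[len(prefix):len(leaked) - len(suffix)]
    return found


def predict(other_site, recovered):
    """Candidate passwords for another site, from recover_base()'s output."""
    return sorted({derive(other_site, base, p) for p, base in recovered.items()})


if __name__ == "__main__":
    for p in PATTERNS:
        print(f"{p:24} google={derive('google.com', 'Abc123', p):14} "
              f"facebook={derive('facebook.com', 'Abc123', p)}")
    # Constructed leak: the Google password from the 'simple3' pattern, captured by a phisher.
    hit = recover_base("google.com", "gooAbc123")
    print("recovered:", hit, "-> facebook guesses:", predict("facebook.com", hit))
```

The script prints the table of derived passwords for Google and Facebook, then shows that one captured password plus its site name is enough to recover the base and produce the Facebook password in a single guess. That is the reason the base must be strong on its own and the pattern should not be guessable from the password alone.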

Using password management software

Another option is password management software, which remembers all of your passwords for you. That means you can use long, random passwords that you could never memorise, and a different one for every site.

Some good examples are Password Safe and LastPass.

The main problem with password management software is, of course, trust: in the publisher or developer, and in the single vault that now holds everything. Should you trust all your passwords to one specific service, system or vault? If an attacker compromises that software or the service behind it, every password inside is exposed at once. Not very likely, but it can happen, so at least protect the vault with a strong master password that you use nowhere else.

Biometric devices

Nowadays you can find a multitude of biometric devices used for authentication. Fingerprint readers are by far the most common, but there are also devices that use your iris, face or voice to identify you. The companion software can generate random passwords and store them encrypted; once you have authenticated to the device, it fills in the correct password for the website or service.

What do you gain? First of all, you won't have to remember passwords any more: you present your thumb and the device takes care of the login. The passwords can also be very strong, using as many characters as each system allows and a good mix of letters, numbers and symbols, because the device remembers them for you.

So what's the catch? First, unless the biometric device is portable, you can't rely on a huge random password, because you'll still need to know it to log in from other machines. A laptop with a built-in fingerprint reader won't help when you need to log in from your work machine or from a public internet cafe. Second, the device only protects your end. Once the password has been sent to the website there's nothing the device can do: the website never sees your fingerprint, only the password, so the account is just as exposed to phishing, to keyloggers on other machines and to a leak of the site's password database as any password-only login.
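Generating the kind of password such a device would store, and putting numbers on the "longer is better" rule from the basics section. This is an added example, not code from the original guide or from any particular device. It draws characters with Python's `secrets` module (a cryptographic generator, unlike `random`) and rejects drafts that miss a character class, which keeps the result uniform over all passwords that contain every class. The symbol set and the guess rate are assumptions; adjust them to the site's policy and to the hash the site uses.

```python
"""Random password generation and search-space arithmetic (added example, not the guide's code)."""
import math
import secrets
import string

# Assumption: the symbols a typical site accepts; adjust to the target's policy.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}


def generate_password(length=20, classes=CLASSES):
    """Draw `length` characters uniformly from the union alphabet with `secrets`,
    redrawing until every class is present. Rejection sampling keeps the result
    uniform over all passwords that contain every class, which forcing one
    character per class into fixed positions would not."""
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(classes.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in pw) for chars in classes.values()):
            return pw


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of this shape at the given rate.
    The rate is an assumption: it depends on the hash the site stores."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    alphabet_size = sum(len(v) for v in CLASSES.values())
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, alphabet_size):.1f} bits")
    rate = 1e10  # assumption: 10 billion guesses per second, a GPU rig against a fast hash
    for length, size, label in ((8, 10, "8 digits"), (8, 86, "8 mixed"),
                                (12, 52, "12 letters"), (12, 86, "12 mixed")):
        print(f"{label:11} {entropy_bits(length, size):6.1f} bits  "
              f"{years_to_exhaust(length, size, rate):.2e} years")
```

The printed table makes the point of the basics section concrete: twelve letters with no digits or symbols (about 68 bits) already beat eight characters drawn from the full mixed alphabet (about 51 bits), so adding length does more than adding symbols.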

Never share your passwords with anyone

Keep them to yourself, only you, and no one else. Sharing your password with your partner or friends exposes you to risks that are not under their control; it's not just about trusting them. For example, your partner could log into your email account from a public machine at an internet cafe. If that machine has a keylogger running in the background... you know what might happen.

If for some reason you need to give someone access, change your password to a temporary one, and set it back (or better, to a fresh one) once the person has done what he or she needed to.

How to proceed if everything goes wrong

No matter how hard you try to keep your password safe and strong, there's still a chance of it being compromised. What should you do if you discover that someone has broken in?

  • First of all, if the password still works and you're able to log in, change it immediately. Then check the account's recovery settings (alternate email, phone number, and for email accounts any forwarding rules) for anything the attacker may have added to keep their way in.
  • If your password no longer works, check whether the website has a "Password reset" page and, if so, reset your password.
  • If you can't reset it online, email the support team with high priority, telling them that someone got access to your account and you need it recovered as soon as possible. Provide your username and/or email and the personal details they need to verify it's really you (name, contact number, city...). Never send passwords, credit card numbers or other financial details by email.
  • If they have a support phone number, call it; that's usually faster than email.
  • If the account links you to other people or services, let them know that your account has been compromised and that they should forward anything suspicious they receive to you via an alternate email or fax. For example, an attacker inside your email account might send emails to your contacts with malicious intent and increase the damage.

Revision: 25th August 2010