
How to create awesome, uncrackable passwords

Just take a moment to think how many websites you visit each day that require you to log in. Lots, right? The scary thing about that is that many of us use the same password and username combination for multiple services. It’s human nature; remembering a zillion logins can be confusing, and people are prone to simplifying things to make their lives a little easier.

In 2016 that’s not very wise, because it also makes things easier for anyone actively targeting us. Should someone gain access to one of your username and password combos and it works in other places – like your online banking – you’re royally screwed. You might as well have handed that criminal your entire online life, along with your permission to run rampant through it, doing whatever they like with your identity, your money and your reputation.

But we are not here to shout at you; rather, we’re here to educate. So… how do you keep your passwords – and thus yourself – safe online?

Unfortunately for you, the answer is “Use different passwords for every online service you use, and make every single one incredibly complex and thus uncrackable”.

This is not popular advice, but it’s true. Several academic studies have confirmed that complex and lengthy passwords are incredibly difficult for attackers to guess – even using powerful computers to do the hard work – which is why they are so highly recommended.

So, how should you structure your passwords to keep them as secure as possible? Follow these directions and you’ll transform from a vulnerable, password-duplicating online doofus (#sorrynotsorry) into a cyber whiz with a bulletproof online presence.

Method 1: Use random non-consecutive words

Create passwords made up of random, non-consecutive words with spaces between them. That way, you can tell yourself a little story to connect them so that they’re easier to remember, and your password will be invulnerable to what are known as “dictionary attacks”. These are computer programs that use the words and phrases contained in dictionaries and thesauruses to essentially guess passwords; because your words don’t appear one after the other in everyday language, there’s no chance the attack will be successful. Use at least 20 characters to do this.

Method 2: Don’t simply replace letters in single words with numbers and symbols

Hackers are on to your idea of turning everyday words into 1337 sp34k by replacing letters with numbers, characters and symbols, and have coded their attack tools accordingly. The best thing you can do is DON’T DO THAT, and rather stick to Method 1 above. If you absolutely have to, string together several of these modified words, and follow Method 1’s guidelines on keeping them random and unrelated.

Method 3: Don’t use passwords made up only of numbers. Ever. These take seconds to crack and are essentially useless.

Guidelines:

  • The longer your password, the more secure it is. Make your passwords a minimum of 20 characters.
  • Don’t use birth dates, relative names, your own name or anything personal at all in your passwords.
  • The more random elements your password contains, the better for you.
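The three methods and the guidelines above can be turned into a small generator and checker. The block below is an added example, not code from the original article: it builds a spaced random-word passphrase (Method 1) using the operating system's secure random source, estimates how many guesses such a passphrase costs an attacker who knows the word list, and flags the two patterns the article warns against (a single word with letter substitutions, Method 2; digits only, Method 3) plus the 20-character minimum. The word list is a constructed sample; a real generator would use a published list such as the EFF long list, whose size of 7776 words is used only in the entropy illustration.

```python
import math
import secrets

# Constructed sample word list for illustration only; a real generator draws from a
# much larger list (the EFF long list, for example, has 7776 words).
WORDLIST = [
    "anchor", "basket", "castle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nectar", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "candle", "feather", "glacier", "hammock", "marble", "pillow",
]

MIN_LENGTH = 20  # the article's minimum password length


def generate_passphrase(n_words=4, wordlist=WORDLIST, min_length=MIN_LENGTH):
    """Method 1: join randomly chosen, unrelated words with spaces.

    secrets.choice draws from the OS CSPRNG; random.choice would be predictable.
    Redraw until the phrase meets the minimum length guideline.
    """
    while True:
        phrase = " ".join(secrets.choice(wordlist) for _ in range(n_words))
        if len(phrase) >= min_length:
            return phrase


def passphrase_entropy_bits(n_words, wordlist_size):
    """Guessing cost of a passphrase: each word adds log2(list size) bits,
    assuming the attacker knows both the list and the scheme."""
    return n_words * math.log2(wordlist_size)


# Common letter-for-symbol substitutions, mapped back to the letters they replace.
LEET_TO_LETTERS = str.maketrans("013457@$!", "oleastasi")


def is_single_leet_word(password, wordlist=WORDLIST):
    """Method 2 check: undo 1337-style substitutions and see whether what is left
    is just one word from the list, which a cracker's mangling rules would also find."""
    if " " in password.strip():
        return False
    return password.translate(LEET_TO_LETTERS).lower() in set(wordlist)


def check_password(password, wordlist=WORDLIST):
    """Apply the article's rules and return the list of violations (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 20 characters")
    if password.isdigit():
        problems.append("numbers only")  # Method 3
    if is_single_leet_word(password, wordlist):
        problems.append("single word with letter substitutions")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_password(phrase))
    print("bits for 4 words from a 7776-word list:",
          round(passphrase_entropy_bits(4, 7776), 1))
```

The entropy figure is the honest measure of a word passphrase: four words from a 7776-word list give about 51.7 bits regardless of how long the words happen to be, so add words rather than relying on the character count alone.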

Got all that? Great! But now you’re probably wondering how on earth you’re going to remember all of these awesome, ridiculously-complex passwords. Fret not, for we have the answer: Password managers!

Password Managers

A password manager is exactly what it sounds like – it’s a bit of software that lives in your browser, lets you store usernames and passwords for all of the online services you use, and automatically fills in those fields when it detects you’re attempting to log in.


And of course, the manager itself can only be accessed with its own username and password, which in turn guards all of your other passwords.

Services like LastPass have made a name for themselves in this space by offering to do the remembering for you. It is rather simple to use as well: you input all of your passwords and usernames into the service, and secure it behind a single username and password. Preferably a complex, yet memorable one.

So in theory, you only need to remember your LastPass credentials in order to view all of your other login details. The service’s Vault is browser-based, so it pulls all of your passwords into the secure area.

As mentioned, there are other services just like LastPass that want to make your passwords more secure, and they all operate in broadly similar ways. If you want to make use of a password manager, just check out each one’s website to see what they have to offer. Not all are free, however, and honestly LastPass is about the best of them anyway.

Two-Factor Authentication

But even if you use a sophisticated password manager or think of the longest passwords in the world, one of the most secure ways to lock down any account that supports it is Two-Factor Authentication (2FA).


When you input a standard username and password combination, that is considered single-factor authentication, as there are no other steps involved. You put in your credentials, and you are off.

With 2FA, the app or service that you use adds another layer of security by asking you to input a randomly generated secondary password, often sent to a separate device like your cell phone or another email account.

Services like Twitter and Microsoft have both opted to make use of the technology, as it is known to be one of the best ways to secure an account.

Once you log in with your usual username and password, it will then send you an email or SMS with a sort of One-Time PIN. This can be anything from a string of numbers, to random characters, to full words.

Since you will be the only one to get the email or SMS, only you (in theory) will be able to access your account further. Once you enter the generated 2FA pass phrase, you will be in.

The need to go through a 2FA process will depend heavily on the service that you make use of, and can usually be set on an individual level. In Microsoft’s case, it can be set up to guard access to your general account, or it can be tuned so that you need to go through 2FA whenever changes (including purchases) are made to the account.

As mentioned, you can set up 2FA for Twitter as well, where it would require you to enter the generated password when you log in. For those that make use of the service every day, it can be a laborious task – but if you have the need for it, it could prevent unwanted intrusions.

Device-side Biometrics

Beyond password managers and 2FA, there is another option that has slowly been making its way into mainstream technology – device-side biometrics.


Biometrics covers anything physical that can be used to identify a person, and includes things like facial scans, fingerprints and the scanning of retinas.

Device-side biometrics, to bring everything together, would be the authentication of a person’s identity through a fingerprint scanner or facial scan. This can be done through a smartphone’s camera or a webcam if the account is browser based.

The rollout of the technology for online services is still in its infancy, but a recent report by research firm PwC explained that it would be one of the most secure ways to fortify an account.

“Biometric authentication and verification can be one of the most secure ways to control access to restricted systems and information. Unlike authentication based on traditional passwords, authentication through biometric data is easier to use in practice, and can be far more secure,” explained Stewart Room, partner at PwC Legal.

While it could be the next step in globally securing passwords so that nobody steals your details, Room was quick to caution that there might be some issues involved.

“However, this is a double-edged sword, because biometric data is extremely sensitive due to its uniqueness and how intrinsic it is to a specific individual. Additional efforts must be made to keep this data secure including choosing a proper compliance system and infrastructure, training staff how to handle it and protecting it from unauthorised access or disclosure.”

Microsoft has been making some strides in this regard, as it has made Windows Hello available to some Windows 10 users.

Essentially the technology allows the Average Joe to set up enterprise-grade biometrics on a computer that (for now) has an Intel RealSense camera. It will be able to scan your finger, full face or your iris and then give you access if you meet the pre-defined criteria you set up yourself.

All about safety

You might think that a password is the only way for you to get into your social media or email account, but if you are not careful with where and how you store your passwords, it could turn your entire world upside down.

Most people have the same password and username for multiple sites, and the first step to securing your information and identity is using a different password for each service. It is also a very good idea to change all of your passwords once every six months, if not more often.

At the end of the day, it might be a tedious task to set up a password manager or sit completely still in order for the camera to capture your face, but it is all about your online safety and keeping your passwords secure, and what’s more important than that?

[Images – CC by 2.0/Krynowek Eine/Automobile Italia/Dave Crosby/scot alexander]
