Keeping your passwords secure

Very bad things can happen if your password is discovered by a hacker, so it’s vital to keep your passwords secure. Here we bring you our top tips to help you avoid your email account / website being hacked.

Why is it important?

Having to remember and enter passwords is annoying for everyone, but they are necessary to prevent unauthorised access to your computer, email, website and other accounts.

You may not realise it, but if your password falls into the wrong hands it could affect more people than just you:

  • Your email password could be used to access your email account and send huge volumes of spam, which can get your entire email server blacklisted so you and others can no longer send legitimate email. The attacker could also email everyone in your address book, and the messages would appear to come from you.
  • Your website password could be used to upload a virus or phishing page to your website, to launch an attack on more people. This could get your website blacklisted and be costly to fix.
  • If you have access to personal data, especially sensitive data, it could be stolen and used for identity theft or blackmail. You could potentially incur penalties under the Data Protection Act if you have not taken appropriate steps to ensure security.

So it is vital that you keep your passwords safe. Please take the time to read the following recommendations to ensure you know how to do that.

Use hard to guess passwords

To be secure, a password must be hard for an attacker to guess, even if they are able to use a computer program to guess millions of different combinations.

The best way to do this is to use a long password – at least 12 characters long – as it will take a long time to try that many combinations. Well-known phrases should be avoided (e.g. “tobeornottobethatisthequestion”), but a secure long password can be made by picking four completely unrelated words. For example, “correctbatteryhorsestaple” is easier to remember yet more secure than “Tr0ub4dor&3” because it is so much longer.

You can also add capital letters/numbers/symbols to make it more random. This is especially important if your password is less than 12 characters, because a short password with only letters can be guessed relatively quickly.

You should never have a password less than 8 characters, for the same reason.

You should avoid using just 1 or 2 words (including names of people/places/pets) for your password, because these are the first that will be guessed. Even adding additional numbers/symbols to make it look more random will not make it much harder to guess.

For example, these are good passwords (but don’t use these examples – make up your own):

  • Correctbatteryhorsestaple4
  • Talwsatgig,asbas2h! (“There’s a lady who’s sure all that glitters is gold, and she’s buying a stairway to heaven!”)
  • jJGQkf4toNRKZjc3hzYL (random)

And these are bad passwords:

  • p@ssw0rd
  • jsmith123
  • rush2112
  • bunnyhop!
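To put numbers behind the comparison above, here is an added example (not part of the original article) that scores the two passwords the text contrasts under two models: a naive brute-force attacker who must try every character, and a dictionary-aware attacker who knows the word list. The 20,000-word dictionary, the "one bit per substitution" rule and the guessing rate are modelling assumptions, not measured figures.

```python
import math

# Character classes used by the naive "try every string" model.
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ ",
}
FULL_ALPHABET = sum(len(chars) for chars in CLASSES.values())  # 95 printable characters

def charset_bits(password: str) -> float:
    """Naive model: the attacker tries every string of this length over the
    character classes the password actually uses (the defender's best case)."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def passphrase_bits(n_words: int, dictionary_size: int = 20_000) -> float:
    """Dictionary-aware model for n_words unrelated words: the attacker knows the
    word list (assumed to hold 20,000 entries) and tries every combination."""
    return n_words * math.log2(dictionary_size)

def mangled_word_bits(substitutions: int, suffix_len: int,
                      dictionary_size: int = 20_000) -> float:
    """Dictionary-aware model for one word with letter substitutions and a short
    suffix: one word from the list, about 1 bit per optional substitution, plus a
    suffix drawn from the full alphabet. This is a modelling assumption."""
    return (math.log2(dictionary_size) + substitutions
            + suffix_len * math.log2(FULL_ALPHABET))

def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to search the whole space at an assumed offline guessing rate
    (one billion guesses per second is a constructed figure)."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

def compare_article_examples() -> dict:
    """Return (naive bits, dictionary-aware bits) for the two passwords the
    article contrasts; the second number is what a real attack faces."""
    return {
        # 'troubador' with T capitalised, o->0 and a->4 substituted, '&3' appended
        "Tr0ub4dor&3": (charset_bits("Tr0ub4dor&3"),
                        mangled_word_bits(substitutions=3, suffix_len=2)),
        # four unrelated dictionary words, all lower case
        "correctbatteryhorsestaple": (charset_bits("correctbatteryhorsestaple"),
                                      passphrase_bits(4)),
    }

if __name__ == "__main__":
    for pw, (naive, realistic) in compare_article_examples().items():
        print(f"{pw:28s} naive {naive:6.1f} bits  realistic {realistic:5.1f} bits"
              f"  ~{years_to_exhaust(realistic):.2g} years to exhaust")
```

Under the dictionary-aware model the substituted word drops to roughly 30 bits, searchable in seconds, while the four-word phrase keeps about 57 bits; the point is that length from unrelated words survives a dictionary attack, symbol substitution does not.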

Do not reuse passwords

Passwords are hard to remember, so it is tempting to pick one and use it for everything. But if you do and one of them gets hacked, the hacker would be able to get into all of your accounts.

By using different passwords for each account you limit the damage in the event that one is compromised. This happens more often than you would think – including to big companies like Sony and Adobe – so don’t assume it won’t happen to you.

Use a secure password manager to store your passwords

Remembering lots of different passwords is hard, so the best solution is to use a password manager such as KeePass or LastPass. These store all your passwords securely encrypted, so you only have to remember your Windows login and a “master password” – then you can look up the rest when you need them.

This will allow you to generate secure random passwords (e.g. 20 characters long) for each account, because you won’t need to remember or type them anymore.

Many password managers can also sync your passwords with your smart phone, so you can still access them when you are away from your PC. (LastPass does this as standard, and KeePass can be used with Dropbox.)

Be careful when writing passwords down

In general you should not write your passwords down (or print them out) unless absolutely necessary, in case someone else gets hold of them.

If you need to write a password down, do not leave it near your computer – even if you think it’s hidden. Instead, put it in your wallet/purse and keep it with you. Do not write down your username or anything that would identify what the password is for, in case you lose it. If you do lose it, change the password immediately to be safe.

Install antivirus software

If you get a virus on your computer, it may steal passwords from you without you knowing. So it is important to have a good, up-to-date virus checker installed on your computer.

This includes your home computer, especially if you access work email or files from home. There are free antivirus products available for personal use, such as Avast or AVG, or your company license may cover personal computers.

Beware phishing emails

Phishing (pronounced “fishing”) is where a hacker sends you an email that looks like it comes from a legitimate company (e.g. your bank) or from your own IT support department, but it actually directs you to a fake website under their control. If you were to go there and enter your login details as instructed, you would be sending your username and password straight to the hacker instead.

To avoid this, treat all emails with caution. Some phishing emails are easy to spot due to poor spelling/grammar, but some are more convincing. Be especially cautious if you have not received similar emails from the organisation in the past, or they look different to normal. Do not act on them unless you are sure they are legitimate.

To make sure you’re going to a real website and not a fake one, type the URL yourself (or use a search engine), rather than clicking a link in an email. If you do click a link, double-check that the URL is the right one – sometimes they look real at a glance but on closer inspection are not – for example, http://signin-ebay.com/ would not be a legitimate website.

In a similar way you should be careful if someone calls you on the phone and asks for any sensitive information, especially passwords and PINs.

Be careful on shared internet connections

When you use a shared Wi-Fi connection, it is possible for other people using the same connection to spy on your internet usage. If you log into an insecure website while on a shared Wi-Fi connection, someone else may be able to find out your password.

The good news is you don’t need to stop using shared Wi-Fi connections – there is a solution that keeps you safe. The solution is to use an encrypted connection, which prevents anyone else from eavesdropping. This technology is known as SSL or TLS, and a website that uses it is accessed with an address beginning “https://”.

The bad news is not all websites support it, so you need to be a little careful. Most big providers do (e.g. Google, Microsoft), but smaller websites often do not because of the added cost/complexity of setting it up.

You can check if the connection to a website is secure by looking at the address bar in your web browser – typically you will see a padlock icon and the prefix “https://”, though it varies by browser. For example:

  • Google Chrome
  • Firefox
  • Internet Explorer (padlock on right)
  • Opera (no “https://”)
  • Android Browser
  • Safari on iPhone (no “https://”)

[Screenshots of each browser’s address bar showing a secure connection were included here.]

If you do not see this, you should avoid logging into the website. This is especially important if you have reused the same password for other websites.
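The two checks described above (the address must begin with “https://” and the domain must really be the one you expect, so that a look-alike such as http://signin-ebay.com/ is rejected) can be written down precisely. The following is an added example, not code from the article; ebay.com is used only because the article cites it, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

def is_expected_site(url: str, expected_domain: str) -> bool:
    """Return True only if the URL uses https and its host is exactly
    expected_domain or a subdomain of it. A host that merely contains the
    brand name, or hides it in the user@ part before the real host, fails."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False                      # no encryption: do not log in here
    host = (parts.hostname or "").lower().rstrip(".")   # hostname drops user@ and :port
    expected = expected_domain.lower().rstrip(".")
    if not host:
        return False
    return host == expected or host.endswith("." + expected)

# Constructed samples mapping each URL to whether it should be trusted as ebay.com.
SAMPLES = {
    "https://signin.ebay.com/": True,          # genuine subdomain over https
    "http://signin-ebay.com/": False,          # the article's example: a different domain
    "https://signin-ebay.com/": False,         # https alone does not make it genuine
    "https://ebay.com.example.net/": False,    # brand used as a subdomain of another site
    "https://ebay.com@example.net/": False,    # brand placed before '@'; real host is example.net
    "http://www.ebay.com/": False,             # right site, but the connection is not encrypted
    "https://www.ebay.com:443/account": True,  # explicit port and path do not matter
}

def check_samples() -> dict:
    """Evaluate every sample; a value of True means the function agreed with the label."""
    return {url: is_expected_site(url, "ebay.com") == expected
            for url, expected in SAMPLES.items()}

if __name__ == "__main__":
    for url, ok in check_samples().items():
        print(("ok  " if ok else "FAIL"), url)
```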

This also applies to your email – make sure your phone and computer are using SSL/TLS for checking your email, otherwise your password could be sent unencrypted without you even noticing.

Finally if you get any warning messages such as “There is a problem with this website’s security certificate”, do not continue as the connection is not secure.

Conclusion

This may seem like a lot to remember at first, but it boils down to:

  1. Use a password manager, so you can have strong, unique passwords without having to remember them all.
  2. Use antivirus software to protect you from viruses that may try to steal your passwords.
  3. Be vigilant so you don’t accidentally reveal your passwords to anyone else.

We hope you will agree that the possible consequences of losing your password (listed at the beginning) make it worth the effort to stay safe.

About Alberon

We have been designing and building bespoke software solutions and websites for organisations in Oxford for over 12 years, helping them to work more effectively and realise their full potential.

Our friendly, highly experienced team of web designers and software developers are dedicated to helping our clients achieve the outcomes they want. From web design and development, to complex software solutions, we apply our creative and technical know-how to deliver the perfect solution.
