To help us provide you with free impartial advice, we may earn a commission if you buy through links on our site. Learn more

How secure is my password? | How to create a safe password

Passwords on post-its

We check your password security, and show how to make safe passwords with your own free password manager

Passwords are a pain. We’ve all got lots of online accounts these days: email, banking, cloud storage, shopping, holiday & transport bookings, work logins, social media, gaming and many, many more. You just want to be able to get online and get stuff done, but every site requires you to have a password and the general advice is to have a different one for every site.

It’s no wonder that so many of us ignore the advice and have just two or three passwords that are randomly scattered across numerous sites and services. We write them down on post-it notes and leave them stuck to our PCs or turn to our browsers to help us remember them all, again without taking the necessary precautions.

View latest eBay discount codes

If you’re worried about the state of your passwords and are looking to tidy things up with a new method to keep things both secure and easy to remember, then read on. Here we’ll explain how passwords actually work, so you understand what makes a good one, passwords to avoid, a good password manager and two-factor authentication, which sounds complex but which is actually brilliantly simple and ultra-secure.

Passwordmeter lets you test the strength of your password

^Passwordmeter.com analyses your password and rates its security

How passwords work

Before covering alternatives to your current password setup, it’s important to understand how passwords work and why this single security step can be the one weak point of your entire online life.

At their most basic, passwords are stored alongside usernames in a database. When you log in with your username, the site checks that the password matches the appropriate entry in the database, and if it does you’re able to log in. But it’s actually more complicated than that.

Any business worth its salt will not be storing passwords as plain text in a database, as this is the least secure way of storing passwords. If a database of user information has passwords stored in plain text, any hacker who manages to get into the database instantly gains access to every user’s credentials. Because so many people use the same password for all their online services, this database is a veritable gold mine of information that can put millions of accounts and businesses at risk.

Passwords in a database should be stored as what is known as a “hash”. In this case, a hash is a unique combination of numbers and letters that represents what the password is. For example, the MD5 hash of the word “password” is “286755fad04869ca523320acce0dc6a4”. When you enter your password into a website’s password field and hit the log in button, the website compares the hash of the password you’ve entered to the hash it has stored next to your username in its database. If it’s a match, you get logged in. If not, try again.

Password hashes can’t be reverse engineered into their original text, but the hashes of common passwords are well known and can easily be looked up; it doesn’t take long for a hacker to create a dictionary of every single eight-character letter/number combination and run that against a list of stolen password hashes.

A pinch of salt

Because of this, many companies use a second step for password security. Each password hash is modified based on another string called a “salt”. This string is added to the hash and could be based the user’s login name or email address. So the username “shopper”, the hash of which is added to “password” as a salt, results in a complete salted hash that looks like this: “b47a9c791d653c8fa7ce7eff2abdd428”.

So, while the hacker will likely know your username, the fact that your password is mashed up into a single salted hash means that they won’t be able to figure out which part of the hash represents your username, and which part is your password. That’s why salted hashes are so secure.

Salted hashed passwords

Word

MD5 hash

Hash security

Username

“shopper”

d0d191dc174af5d9208318bdb7b53bd0

Low

Password

“password”

286755fad04869ca523320acce0dc6a4

Very low

Salted password

“shopperpassword”

7df3966a25335f471159cb17572e1d6e

High

Still, we can’t assume that every company stores our passwords in this way. If you use the same password across multiple sites, it only takes one weak link for all your login details to all those websites to be made known to a hacker or hackers. That’s why unique and uncommon passwords are so important.

Security through obscurity

We all know the basic steps for a secure password. Signup pages will make suggestions and give you an encouraging coloured bar to tell you how secure your new password is. Make it as long as possible, you’re told, add numbers and symbols, and don’t include your username. All good tips, but while your passwords may now be secure, they’re all but impossible to remember.

The problem, as you can see below, is that some websites force you to include symbols and other characters that make a basic passphrase impossible.

Google: 8 characters
Microsoft:
8 characters, at least one capital letter, number or symbol
Facebook:
6 characters
Yahoo:
8 characters with number, symbol or capitalisation, 9 characters with lower-case letters
iTunes:
8 characters with one capital letter, one number, no more than two consecutive identical characters. Must also not be “common” (Password11 isn’t allowed, for example, even though it matches all the other criteria)
PayPal:
8 characters, no more than two consecutive identical characters

What about passphrases?

Passphrases are longer passwords that are much easier to remember, and while they will contain words from the dictionary, the best passphrases will put together words you’d never expect to find consecutively. Recent research has found, however, that a typical long passphrase is only marginally more secure than a complex, shorter password. This is because, according to the authors of the 2013 paper “Linguistic properties of multi-word passphrases”, “users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language.”

This means while the concept of a passphrase is strong, the public at large are unwilling to commit to a memorable phrase that also isn’t a sentence that makes sense.

Making a secure password

Security firm Kaspersky Lab unsurprisingly has an awful lot to say about password security, and Kaspersky principal researcher David Emm says a passphrase makes a great base for a password, but other modifiers are needed to make a passphrase properly secure.

Emm’s example routine is as follows

  1. Come up with a base phrase. In this example, it’s “Don’t put all your eggs in one basket”

  2. Take the first letter of each word: “Dpayeiob”

  3. Now apply some changes. It’s for your eBay account, for example, add a word you’d associate with eBay after the fifth character

  4. Capitalise the seventh character

  5. Put a “4” after the tenth character

  6. Add an asterix after the second character

  7. You’ll end up with something like “D*payetOysi4ob”

  8. All future passwords should follow this pattern, but the additional word will be different each time, meaning each password is unique and hard to guess.

Now this will certainly produce a wide range of secure passwords for various services, but personally we’d struggle to recall this many steps, and probably forget which ‘associated’ word we’d inserted in each. Add to that the ease of mistyping something so complicated and most will want to look for another option.

AVOID these passwords

Each year, security firm Splashdata releases its list of the 25 most popular (and thereby worst) passwords. Many of the top-ranking passwords are clearly insecure, but there are a few surprises here too. Avoid all these, and anything vaguely similar, at all costs.

123456
password
qwerty
baseball
dragon
football
monkey
letmein
abc123
mustang
michael

How to manage secure passwords

If you have an arsenal of secure passwords but are struggling to remember them all, a password manager is a great way to keep them all organised. The best password managers store your passwords in the cloud, allowing you access them from anywhere with a single master password. There are flaws to the system, of course – having your passwords stored in the cloud means they’re no longer in your control, so if the provider is hacked, your passwords might be at risk.

Your browser also stores your passwords to make it easier for you to log into your favourite sites. Unfortunately, these are rather easy to compromise; there are some very simple and free tools that can extract passwords from your browser’s Registry entries. So while they may work perfectly well, there are certainly better options available.

Using Dashlane to store passwords

We’d recommend Dashlane as a password manager. At its most basic it can store your passwords and autofill them, as long as you have it installed on your PC or smartphone. What’s more, it can generate different, ultra-secure passwords for all the sites you use.

The only password you have to remember is your master password, which is used to log into Dashlane itself. If you forget the master password, there is no way to retrieve it, so you should keep that in mind and write it down somewhere secure.Dashlane can generate complex passwords automaticallyBecause you don’t have to remember individual passwords anymore, Dashlane can make them extremely long and complicated. And by having dashlane installed and auto-filling your passwords for you also means you’re going to be less susceptible to password-stealing keyloggers.

Of course, using those highly secure (and so utterly unmemorable passwords) does mean you always need to have Dashlane installed on your devices. That shouldn’t bother most people, though, who rarely jump from device-to-device on a daily basis.Dashlane gives your passwords an overall rating and tells you how to improveIf you’re still using some old passwords, Dashlane will take you to task if they aren’t secure enough. Click on the Security Dashboard to get a detailed analysis on all of your passwords. It’ll tell you how many passwords you’ve reused, how many are weak and will even let you know if a site your password is stored on has been compromised. Even if you don’t follow tech security news closely, if Dashlane picks up that a site has been hacked, you’ll be informed and told to change your password.Dashlane will analyse the security of your passwords and check for dupesAnother handy tool is the ability to share your passwords with emergency contacts. Simply type in the email address of the person you want to share passwords with, and they’ll be allowed to send you a request for access to your passwords. You can either allow them to see all of your passwords, or just a select few that you think they might need. This is very handy if you’re travelling and need a friend or family to sort out something for you online.

All the above features are free, but if you shell out $40 (around £25) for a year of Premium, you’ll also get the ability to synchronise your password data across devices, including to mobile apps. This means you can view your passwords while you’re on the move, which is particularly handy if you want to access sites from both mobile and desktop devices.

Pages: 1 2

Read more

In-Depth