As Microsoft bans commonly used passwords, David Crookes reveals how you can create the most secure passwords ever
You should think of passwords in the same way as you think of the locks on your front door. Using a simple one is like leaving your door on the latch, while the most complex are comparable to a five-lever mortice deadlock. But with so many passwords for so many accounts to remember, there’s a temptation to either keep things short and sweet, or plump for a memorable skeleton key for the lot… but that’s where trouble can start.
In 2012, a whopping 117 million LinkedIn accounts were hacked, with the stolen email addresses and passwords eventually being sold online to unscrupulous buyers last month. Security experts were left astounded – not by the breach itself, but by the nature of the most popular passwords, which turned out to be ‘123456’, ‘linkedin’ and even ‘password’. If you ask us, the hackers might as well not have even bothered.
Even an inexperienced hacker who happens to get hold of your username or email address would probably try these obvious passwords first. That’s because they go against all the rules of strong password creation: a minimum of eight characters; a random mix of lower-case and upper-case letters; along with a few symbols and numbers for good measure. What’s more, using actual words in your password makes you easy prey for dictionary attacks – a popular method among hackers.
To combat this kind of sloppiness, Microsoft has now banned the use of weak passwords on its services (Read more at www.snipca.com/20795). The criteria will be based on a constantly updated list of the most commonly used passwords, compiled from the 10 million Microsoft accounts that are attacked every day. So the next time you set up a password for any Microsoft service (such as Outlook.com) that doesn’t cut the mustard, or is similar to one flagged up as insecure on Microsoft’s list, you will see the message: “choose a password that’s harder for people to guess”.
But how do you ensure that the passwords you create not only satisfy Microsoft, but are strong enough to keep hackers at bay? Read on to find out…
Test your passwords
The first thing to do is put your existing password to the test by using sites like How Secure Is My Password (https://howsecureismypassword.net) and Kaspersky’s Secure Password Check (https://password.kaspersky.com). These kinds of sites can be useful as a general indicator, but aren’t definitive.
One such site created by BetterBuys (www.snipca.com/20797), for example, produced some surprising results. Would ‘united123’ really take more than two months to crack as it suggests? Kaspersky’s checker certainly doesn’t agree, citing just three minutes.
The problem is that password checkers don’t know anything about you, so they wouldn’t know your name, or if (for the purposes of this example) you support a football team with United in their name. Hackers on the other hand can look at your social-media profile to find out more about you, or simply use some educated guesswork based on where you live in an attempt to narrow down the passwords you might choose.
Online password creators
Instead of creating a password based on someone or something that’s dear to you, it’s best to use a randomly generated password. Try Norton’s Password Generator (www.snipca.com/20798), which lets you determine the length of a password and its structure (whether you want each character to be unique, for example). Norton’s tool is quick and easy to use and can produce more than one password at a time, which is handy if you want to give all of your accounts a new, safer password.
If you’d rather have a password that’s easier to remember, but still as secure, you could try the LastPass Password Generator (www.snipca.com/20799). This gives you the option of creating a password that’s easy to pronounce and therefore easier to remember. Simply select Make Pronounceable in the Password Formula box and repeatedly hit the Generate button until you find a password that works for you.
Browser-based generators
Chrome users can take advantage of the browser’s built-in password generator, which can automatically suggest a strong password whenever it detects a password field on a website you’ve visited.
To enable the function, type chrome://flags into Chrome’s address bar, scroll down to the ‘Password generation’ option and select Enabled in the dropdown menu. Now close and re-open Chrome and you’ll find that password suggestions are made whenever you sign up for a service.
Firefox and Internet Explorer users can take advantage of a similar function via a browser add-on by LastPass (see www.snipca.com/20801 for details on how to install it for your browser of choice). The add-on puts a button on your browser that when clicked provides a list of suggested passwords. You can also tweak its Advanced Settings to tailor the complexity of the generated passwords.
Another very popular add-on for Firefox is the PWGen browser extension (www.snipca.com/20802). Once you’ve installed it, press the add-on’s ‘P’ icon to generate a password that can be copied into the relevant field when you sign up for a new account.
Create a password offline
There’s a school of thought that any password you create online could be exposed if the password-generating site is itself hacked. While there’s no evidence this has happened yet, to be on the safe side it might be worth using an offline password generator for your most sensitive accounts, such as online banking.
PWGen provides such a tool (www.snipca.com/20803), which also offers a passphrase option that randomly selects a series of words that make up the full password. A passphrase isn’t susceptible to dictionary attacks because it comprises more than one word, and it is often more memorable than a random-character password.
Another way to create a unique, strong password is using Microsoft Excel. For this to work, you have to run a formula that generates random letters, numbers and symbols within a set range. To generate one random character, type =CHAR(TRUNC(RAND()*90+33)) into the function bar at the top of Excel. As a single-character password isn’t going to keep anyone out, expand it by copying and pasting the formula (minus the ‘=’ sign) and typing ‘&’ between each run of the formula. For a three-character password, for example, you’d have the formula: =CHAR(TRUNC(RAND()*90+33))&CHAR(TRUNC(RAND()*90+33))&CHAR(TRUNC(RAND()*90+33)).
This might seem a long-winded approach, but the result will be a hard-to-hack mix of lower-case and upper-case letters, jumbled up with numbers and symbols – with the added security bonus that it was created entirely offline.
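The Excel formula above, the passphrase approach and the strength rules listed earlier, carried into a Python script as an added example (this is not code from the article or from any of the tools it names). It draws from the same 33..122 character range as the formula but uses Python's secrets module, because a spreadsheet RAND() is not a cryptographic random generator; the banned-password set and the word list are constructed stand-ins, not Microsoft's or PWGen's real lists.

```python
import math
import secrets
import string

# Same 90-character range the article's Excel formula draws from:
# CHAR(TRUNC(RAND()*90+33)) yields ASCII codes 33..122 ('!' through 'z').
EXCEL_RANGE_CHARS = "".join(chr(code) for code in range(33, 123))

# Constructed stand-in for a banned-password list (Microsoft's actual list
# is not on the page); the three entries are the LinkedIn favourites it names.
BANNED_PASSWORDS = {"123456", "linkedin", "password"}

# Constructed mini word list for passphrases; a real one has thousands of words.
WORDLIST = ["correct", "horse", "battery", "staple",
            "mortice", "deadlock", "latch", "skeleton"]


def random_password(length=12, alphabet=EXCEL_RANGE_CHARS):
    """Build a password from the OS CSPRNG (secrets), not a spreadsheet RAND()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Join randomly chosen words; strength comes from list size and word count."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_position, positions):
    """Bits of entropy for a uniformly random string: positions * log2(choices)."""
    return positions * math.log2(choices_per_position)


def check_password(password):
    """Return the article's rules that a candidate breaks (empty list = passes)."""
    problems = []
    if password.lower() in BANNED_PASSWORDS:
        problems.append("on banned-password list")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


if __name__ == "__main__":
    pw = random_password(12)
    print(pw, check_password(pw), f"{entropy_bits(90, 12):.1f} bits")
    # A 3-character Excel-style password is only ~19.5 bits: trivial to brute-force.
    print(f"3 chars: {entropy_bits(90, 3):.1f} bits")
    print(random_passphrase(5), f"{entropy_bits(len(WORDLIST), 5):.1f} bits")
```

Run it a few times and note that a 12-character random draw occasionally fails one of the composition rules, which is exactly why generators let you set the structure as well as the length.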
Mobile protection
There are also numerous password generators for tablets and phones. If you’re using an iPad or iPhone you can use Apple’s iCloud Keychain to generate passwords, though this only works in Apple’s Safari browser.
To enable Keychain, tap Settings, iCloud (on the left), Keychain and swipe the slider to the right. Next, launch Safari and open the website that requires you to create a password. When you tap the password field you’ll see an option for Suggest Password on the keyboard. Tap this and a pop-up will appear containing a secure password you can use. Safari will then save the password to the iCloud Keychain and automatically fill it out whenever you return to that website.
For Android phones and tablets, Dashlane (www.dashlane.com) does a similar job. It can generate passwords, store existing passwords for the sites you use most often, and automatically log you into apps – click ‘Auto-login for apps’ in the main menu and follow the instructions.
WILL PASSWORDS DIE OUT?
Steps are already being taken to lessen our reliance on passwords. Currently, two-step verification is used on a number of services, including Gmail, Microsoft accounts and Facebook. This sends a code to your phone that you need to then enter alongside your password, giving you a second layer of security.
Touch ID – found on an increasing number of phones, tablets and laptops – uses your fingerprint to unlock your device, while Microsoft’s Lumia 950 phone makes use of iris recognition. But Google is currently taking an even bigger step towards banishing passwords by developing a system that uses a combination of sensors. It hopes to combine face and voice recognition, and even monitor your speech and keystroke patterns, to ensure you (and only you) have access to it – and all without typing a single letter of a password.