Treat your password like your toothbrush, don’t let anyone else use it and change it every six months. (Clifford Stoll)
What does this mean for you? Well, if you’re the type of person who tends to reuse your password across multiple web sites, today’s the day to get out there and start changing that password and breaking that habit. Criminals may well already have your email address and common password; they may also have the answers to your security questions, which also tend to get reused.
It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember, there is a simple process for achieving this.
First, what NOT to do
– Do not use a word from a dictionary
– Do not use names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.
– Do not use the same password for multiple different purposes.
– Do not share your passwords with anyone else, ever.
Brute forcing tools use dictionary attacks and hybrid dictionary attacks (where dictionary words are automatically modified using the common number/special character substitutions). So it is not sufficient to take a dictionary word and just change a few letters to numbers (Password into P455w0rd!, for example); passwords of this sort can be cracked in a matter of minutes.
Here’s how you do it.
1- Think of a phrase you can easily remember, for example:
“Mötley Crüe and Adam and the Ants were the soundtrack of my youth.”
2- Take the initial letter of each of those words:
This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !£$&+. Let’s change the case of some letters first:
Now change some of those letters for numbers, maybe the letter O to a zero:
Now add the special characters; I’ll change the two occurrences of “and” into + and &:
As a special point of interest, a great character to include in passwords (if you have a UK keyboard) is the £ symbol, as it is overlooked by many of the mainstream password brute forcing tools, so maybe we could end up with:
Now that you have a secure password, you need to devise a way to differentiate it for each site you use. For example, you could put the first and last letters of the web site name at the beginning and end of your complex password, making it unique yet easy to remember.
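As an added example (not from the original post), here is a small Python script that applies the rules above: it undoes the common number/symbol substitutions before checking a candidate against a wordlist, so that P455w0rd! is caught as the dictionary word it really is, and it builds a password from a phrase’s initial letters and then differentiates it per site. The wordlist is a constructed stand-in for a cracker’s dictionary, and the exact case and symbol choices in the walkthrough are not shown on the page, so the ones here are assumptions.

```python
import re

# Constructed stand-in for a cracker's wordlist; a real check would load a large dictionary (assumption).
WORDLIST = {"password", "monkey", "football", "letmein", "qwerty", "welcome", "dragon", "sunshine"}

# The common number/special-character substitutions a hybrid dictionary attack applies automatically.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "5": "s", "$": "s", "7": "t"})


def normalise(candidate: str) -> str:
    """Undo the substitutions and drop trailing digits/punctuation, so 'P455w0rd!' compares as 'password'."""
    core = re.sub(r"[^A-Za-z0-9]+$", "", candidate)   # strip a trailing "!", "?" and the like
    core = re.sub(r"\d+$", "", core)                   # strip a trailing "123"
    return core.translate(LEET).lower()


def weaknesses(candidate: str) -> list[str]:
    """Return the reasons a candidate breaks the rules above; an empty list means none were found."""
    reasons = []
    if normalise(candidate) in WORDLIST:
        reasons.append("dictionary word once the number/symbol substitutions are undone")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if not all(classes):
        reasons.append("missing one of: lower case, upper case, number, special character")
    return reasons


def from_phrase(phrase: str, and_symbols=("+", "&")) -> str:
    """Initial letter of each word, each 'and' replaced by the next symbol in and_symbols,
    then the letter o swapped for 0 (the specific choices are assumed, as the post shows none)."""
    symbols = iter(and_symbols)
    out = []
    for word in phrase.split():
        out.append(next(symbols, "&") if word.lower() == "and" else word[0])
    return "".join(out).replace("o", "0").replace("O", "0")


def for_site(base: str, site: str) -> str:
    """Differentiate per site: first letter of the site name in front, last letter at the end."""
    name = site.split(".")[0]
    return name[0] + base + name[-1]


if __name__ == "__main__":
    base = from_phrase("Mötley Crüe and Adam and the Ants were the soundtrack of my youth.")
    print(base, weaknesses(base))                      # MC+A&tAwts0my []
    print(for_site(base, "amazon.co.uk"))              # aMC+A&tAwts0myn
    print(weaknesses("P455w0rd!"))                     # caught as a dictionary word
```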
As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember!
Guess I’d better go and change my passwords…