The longer the password, the better.
Length is the most effective way to strengthen your accounts. Unfortunately, it is also one of the most common limiting factors, because many sites don't allow passwords long enough to matter. This can be because site designers don't properly understand password security, or because they are constrained by a back-end system. Many sites require at least one number, one letter and one special character, then cap the length at eight characters.
A better password is more than a single word or two words joined together: ideally it is a sentence at least 15 characters long. You can start protecting yourself better today by replacing simple passwords with longer passphrases. A passphrase is harder for automated tools to crack because the number of possible combinations grows exponentially with each added character. But a long password that is itself predictable, such as a well-known quote or song lyric, can still be a problem, because cracking tools also try lists of common phrases.
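To put numbers on the length argument, here is an added example (not part of the original article) that estimates the size of an attacker's search space for a short policy-compliant password versus a longer lowercase sentence. It models two attacker strategies, character-by-character brute force and a dictionary of whole words, and takes the smaller as the honest estimate. The 7776-word dictionary size, the 10^10 guesses-per-second rate and the sample passwords are assumptions for illustration.

```python
import math
import string

# Alphabet size an attacker must cover for each character class present.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
    "space": 1,
}


def classes_used(password: str) -> set:
    """Return the character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        elif ch in string.punctuation:
            used.add("symbol")
        elif ch == " ":
            used.add("space")
    return used


def brute_force_bits(password: str) -> float:
    """Search space (in bits) for an attacker who tries every string of this
    length over the character classes the password actually uses."""
    alphabet = max(1, sum(CLASS_SIZES[c] for c in classes_used(password)))
    return len(password) * math.log2(alphabet)


def passphrase_bits(password: str, dictionary_size: int = 7776) -> float:
    """Search space (in bits) for an attacker who knows the password is made of
    whole words and tries every combination from a dictionary. 7776 words
    (the Diceware list size) is an assumption for illustration."""
    return len(password.split()) * math.log2(dictionary_size)


def effective_bits(password: str) -> float:
    """The attacker picks the cheaper strategy, so the weaker model bounds the
    real strength: a multi-word phrase is only as strong as its word count."""
    bits = brute_force_bits(password)
    if len(password.split()) > 1:
        bits = min(bits, passphrase_bits(password))
    return bits


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole space at an assumed offline cracking rate of
    10^10 guesses/second (GPU-class attack against a fast, unsalted hash)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    # Constructed samples: an 8-character policy-compliant password versus a
    # 26-character lowercase sentence of six common words.
    for pw in ("Gu83fv1Z", "the cat sat on my keyboard"):
        bits = effective_bits(pw)
        print(f"{pw!r:30} {len(pw):2d} chars  {bits:5.1f} bits  "
              f"{years_to_exhaust(bits):.2e} years to exhaust")
```

Even under the pessimistic model, where the attacker knows the sentence is built from dictionary words, the six-word phrase comes out near 78 bits against about 48 bits for the eight-character mixed password, which is why length wins over forced complexity.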
Stay away from "password" and "123456."
SplashData recently published its list of the 25 worst passwords of 2013, compiled from the password breaches that occurred over the year. In a small twist, "123456" has taken the number one spot away from "password." If your password is on this list, update it to a stronger one immediately.
Don't use the same password across multiple sites.
A big concern many users have is remembering a different password for every application and website. This usually leads to reusing passwords across multiple sites, which is a bad practice: once one site is breached, attackers try the leaked username and password combination against other sites, so a single breach can expose every account that shares that password. Vary your passwords across site logins to strengthen account security.
Don't use the same username across multiple sites.
Many sites don't even treat the username as sensitive information, but it is one half of the credential an attacker needs to break into an account. Varying your username across site logins builds further armor against attackers. For sites that require you to log in with an email address as your username, you can set up different email aliases to vary the username per site. Many banking sites allow you to create a username that isn't an email address; we recommend creating specific usernames for these accounts that don't overlap with any other account.
Use a password manager.
A password manager is an application that stores your passwords and login details for your site memberships, as well as the answers to the secret security questions on "forgot password" screens. Many of them sync between devices by storing the data on the vendor's servers on the Internet. Research the different password managers carefully before choosing one: have there been any reported problems with how it protects stored passwords, locally or on the Internet? A properly implemented password manager encrypts your data on your own device, under your master password, before syncing it, so the copy on the vendor's servers cannot be read without that master password; that is what makes storing the vault on the Internet acceptable. While Jardine doesn't endorse any specific password manager, he personally uses SplashID from SplashData. There are many others, such as LastPass and Security Everywhere. The key is finding a password manager that fits your devices and specific needs.
Know that swapping numbers and characters for letters doesn't help.
Another common belief is that substituting numbers or symbols for letters in a word will make an account harder to crack. Attackers use automated cracking tools that take a wordlist and apply those same substitutions as rules, so a word with swapped characters falls almost as quickly as the plain word. When password length is limited, rather than using common words with substitutions, choose values that do not sound like words or look like anything found in a dictionary (t1i2m3e4 is not as strong as Gu83fv1Z). Another option is to make up a sentence you will remember and use the first letter of every word in it. It is also worth keeping up with the lists of commonly used passwords so you can stay away from those as well.
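To see why substitution buys so little, here is an added example (not from the original article) of how a cracking tool combines a wordlist with mangling rules. It hashes each guess with SHA-256 and counts how many guesses are needed to recover a "leet" variant of a dictionary word. The six-word list, the substitution table and the suffixes are constructed for illustration and are far smaller than real rule sets, and SHA-256 stands in for whatever hash a breached site actually used.

```python
import hashlib
import itertools

# Constructed mini wordlist; real crackers use lists with millions of entries.
WORDLIST = ["password", "monkey", "dragon", "sunshine", "football", "time"]

# Letter -> alternatives, mirroring the substitutions people make by hand.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Common suffixes; a real rule set has hundreds of these.
SUFFIXES = ("", "1", "123", "!", "2013")


def leet_variants(word):
    """Yield every way of applying or not applying each substitution."""
    options = [(ch,) + tuple(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(wordlist):
    """Generate guesses in the order a cracker would: base word first, then
    capitalized, each with leet substitutions and trailing suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever hash a breached site used."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Return (plaintext, guesses) when found, or (None, guesses) after the
    candidate space is exhausted."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed targets: the plain word, two leet variants, and a random string.
    for secret in ("password", "P@ssw0rd", "T1m3!", "Gu83fv1Z"):
        found, n = crack(sha256_hex(secret))
        print(f"{secret:10} -> {found!r} after {n} guesses")
```

The whole "password" family, every substitution and suffix included, is only a few hundred guesses, so "P@ssw0rd" is recovered almost as fast as "password"; the random string never appears in the candidate stream at all.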
Enable multi-factor authentication where possible.
Many sites now offer multi-factor authentication. A good example is the Google Authenticator app: you enter your normal login information, then a one-time code that changes every 30 seconds. The code is generated by the Google Authenticator app installed on your mobile device, so an attacker who has only your password cannot log in. Gmail, WordPress and DreamHost all support Google Authenticator. This additional security feature does not mean you can choose weaker passwords, but it is an extra line of defense if a password is stolen.
If your account is hacked, change the password immediately.
It is often difficult to know your account has been hacked until something alerts you: your contacts may start receiving malicious emails from your email account, or you try to log in and find the password has been changed. Some systems show a login history, including the IP address of each login, so you can check that no one else has signed into your account. If you discover that a password has been compromised, change it immediately to lock the attacker out, and change it on any other site where you reused it. It is also worth checking that the attacker has not altered the recovery email address or phone number on the account, since those would let them get back in after the password change.