How to make your passwords more secure

Don't make it easy for hackers

There is a reason why the best password managers are catching the attention of more individuals and businesses. Alongside the best internet security suites and the best antivirus software, password managers are an essential tool for protecting one of the best defenses against cyberattacks out there: the password. But the password itself needs to be looked at first.

Inadequate passwords pose a significant security threat, as they are the only barrier preventing hackers from accessing numerous online services. To mitigate the risk of unauthorized access to your online accounts, it is crucial to take measures to make your passwords more secure.

Generally, a weak password is one that is short and composed of eight or fewer lowercase letters. In contrast, a strong password is at least eleven characters long and consists of uppercase and lowercase letters, numbers, and special characters such as * or &.


To avoid the need to invest in the best malware removal tool, it's better to prevent malicious actors from getting access to your technology in the first place. This means getting your password protection right. 

To underline the difference in security that your chosen password makes, let's assume a hacker gang with a fast computer can make 100 billion attempts per second to guess your password. Here's how long it might take them to infiltrate your personal, enterprise, or small business software:

  • A short password made up of six random lower case letters - a fraction of a second
  • A long password made up of 11 random lower case letters - 11 hours
  • A long password made up of 11 random lower and upper case letters - two and a half years
  • A long password made up of 11 random lower and upper case letters, numbers and special characters - 500 years
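The figures above follow from the size of the character pool raised to the password length, divided by the guess rate. This added Python example (not from the article) reproduces them; it assumes the article's 100 billion guesses per second, counts the full 95 printable ASCII characters for the last case (the article's "500 years" evidently assumes a smaller special-character set), and reports the worst case of exhausting the whole keyspace.

```python
# Added example: brute-force time estimates behind the four bullets above.
# Assumes the article's rate of 100 billion guesses per second and an attacker
# who must try every password of exactly the given length (worst case;
# on average the right guess turns up after about half that time).

GUESSES_PER_SECOND = 100_000_000_000

# Character pools. The special-character count is an assumption: printable
# ASCII has 33 punctuation symbols; the article's figure implies fewer.
LOWERCASE = 26
LETTERS = 52            # lowercase + uppercase
LETTERS_DIGITS = 62     # letters + digits
ALL_PRINTABLE = 95      # letters + digits + 33 special characters

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from a pool of `alphabet_size`."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time needed to try the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def describe(seconds: float) -> str:
    """Render a duration in the units the article uses."""
    if seconds < 1:
        return "a fraction of a second"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    cases = [
        ("6 random lowercase letters", LOWERCASE, 6),
        ("11 random lowercase letters", LOWERCASE, 11),
        ("11 random upper/lowercase letters", LETTERS, 11),
        ("11 random letters, digits and specials", ALL_PRINTABLE, 11),
    ]
    for label, pool, length in cases:
        print(f"{label}: {describe(worst_case_seconds(pool, length))}")
```

Adding one character to the 11-character mixed case multiplies the time by the pool size again, which is why length matters more than any single substitution.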

Best methods

Bearing that in mind, here are 10 tips to make your passwords more secure.

1. Don't use personal information as a password. Many people use the name of a pet or child, but if a hacker knows you - or can find out this information from a source like Facebook - it will likely be their first guess. Social media management tools can provide some added visibility into the public sites where you may be sharing sensitive information.

2. Don't use common passwords - security company Sophos provides a list of 50 popular ones that hackers are bound to try. The most common ones include "123456", "password", and "qwerty".

3. Don't use any single word or pair of words that appear in the dictionary. That's because hackers can use software that tests every word in a dictionary in a very short amount of time. And don't be fooled that common substitutions, such as a "5" for an "s" (e.g. pa55word), make a difference - hackers and their software are wise to this.

4. Do use a long password. 11 or 12 characters is probably sufficient, although the SANS Institute, a security research organization, recommends at least 15.

5. Use a password drawn from a pool of as many characters as possible to protect the most sensitive accounts. That means using at least one upper case letter, lower case letter, digit, and special character (although not all websites allow special characters).

6. One way to create a long password that's easy to remember is to use a whole phrase as a password - something like "WhoDaresWins". Another is to use the first letters of the words in a longer phrase - perhaps capitalizing every other letter. For example, "God save our gracious queen long live our noble queen" would produce "GsOgQlLoNq".

7. The longer and more complex your passwords, all else being equal, the better. So you can make them more secure by choosing a simple sequence of three or four characters, like "B52" or "M&S" and adding them to the end of all your passwords, e.g. WhoDaresWinsB52 and GsOgQlLoNqB52.

8. Changing passwords regularly can make them difficult to remember but it's sensible to change them occasionally. An easy way to do this is to add the year to the beginning or end of your passwords - e.g. WhoDaresWinsB522013 and GsOgQlLoNqB522013 - and update them annually. This has the advantage of adding length and complexity, and it's also easy to remember how old the password is.

9. If you have too many passwords to remember them all easily, consider using a password manager program such as LastPass or RoboForm. These encrypt and store your passwords securely, and enter them automatically when you supply one master password - which you still have to remember. In fact, remember the importance of encryption software, generally. Many solutions include encryption as standard, such as the best cloud storage, and this is certainly something to look out for with your password manager. Even free password managers sometimes include this.

10. To get an idea of how much security a given password provides, check it at Gibson Research's tester. But remember, if your computer is infected with a keylogger then a hacker could still get hold of any password you type in, no matter how secure. For that reason, it is important to use different passwords for different sites.

Hacker approach

To understand why these tips are effective, it's worth looking at how hackers actually break into online accounts.

The first way is simply by going online and attempting to log in to your account by guessing your password. This is actually quite hard because most websites will lock your account if the wrong password is entered more than a handful of times. If you're creating a website yourself, look out for this functionality in the website builder you choose.

This cyberattack approach is also quite slow: even when using hacking software that enters different user names and passwords automatically it's unlikely that a hacker can try more than 100 passwords every second.

The second way is for a hacker to break into a web service's computer systems and download a copy of the password file. If it actually contains a list of usernames and corresponding passwords it's effectively "game over" - no matter what password you had chosen, the hacker would have it.

Fortunately, most (but not all) website administrators are smarter than that. Instead of storing the passwords themselves, they transform each one by passing it through a mathematical procedure called a hashing function. What comes out is an apparently random sequence of characters, called a password hash, and it's these that are stored.

Hashing function

A hashing function is a one-way function, which means that once a password has been transformed into a hash, there is no going the other way: turning the hash back into the original password is impossible. When you enter your password it is turned into a hash that is compared with the one stored in the password file. If they are the same then you must have entered the right password, and your login will be successful.

So if a hacker manages to steal the password file, all they generally get is a list of usernames and password hashes, but they have no easy way of turning those hashes into usable passwords.

That means they have to guess a possible username's corresponding password, turn that into a hash, and then see if it matches the one stored in the password file. This is known as an offline attack, and using software such as John the Ripper it's possible to make guesses very quickly indeed.

The first passwords that hackers are likely to try are commonly used, such as "password", "123456" and "qwerty". They will then likely launch a dictionary attack - trying every word in the dictionary, and even pairs of words.

Finally, they'll try a "brute force" attack, using every combination of one, two, three and so on lower case letters, or lower and upper case letters or even lower and upper case letters and numbers and special characters like @ or & or '. The deeper into this they go, the longer the process takes, hopefully to the point that it is a deterrent in itself.
