
10 ways to make your passwords secure

Hacker approach

To understand why these tips are effective, it's worth looking at how hackers actually break into online accounts.

The first way is simply by going online and attempting to log in to your account by guessing your password. This is actually quite hard, because most sites will lock your account if the wrong password is entered more than a handful of times.

It's also quite slow: even when using hacking software that enters different user names and passwords automatically, it's unlikely that a hacker can try more than 100 passwords every second.

The second way is for a hacker to break into a web service's computer systems and download a copy of the password file. If it actually contains a list of usernames and corresponding passwords it's effectively "game over" - no matter what password you had chosen, the hacker would have it.

Fortunately most (but not all) website administrators are smarter than that. Instead of storing the passwords themselves, they transform each one by passing it through a mathematical function called a hashing function. What comes out is an apparently random sequence of characters, called a password hash, and it's these hashes that are stored.

Hashing function

A hashing function is a one-way function, which means that once a password has been transformed into a hash, there is no going the other way: turning the hash back into the original password is impossible. When you enter your password it is turned into a hash that is compared with the one stored in the password file. If they are the same then you must have entered the right password, and your logon will be successful.

So if a hacker manages to steal the password file, all they generally get is a list of usernames and password hashes, and they have no easy way of turning those hashes back into usable passwords.

That means they have to guess a possible username's corresponding password, turn that into a hash, and then see if it matches the one stored in the password file. This is known as an offline attack, and using software such as John the Ripper it's possible to make guesses very quickly indeed.
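As an added example (not code from the original article), here is the logon check described above in Python: a password is hashed when it is set, and at logon the entered password is hashed the same way and compared with the stored hash. It goes slightly beyond the text by adding a random per-user salt and a deliberately slow hash (PBKDF2), so each of the attacker's offline guesses costs a full iteration count; the iteration count and the common-password list are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed list of the first guesses the article says an attacker tries.
COMMON_PASSWORDS = {"password", "123456", "qwerty"}

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune to your hardware so a
# single logon is fast for a user but each offline guess is expensive).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: "iterations$salt_hex$hash_hex".

    The hash is one-way: the record cannot be turned back into the password,
    it can only be compared against a fresh hash of a guess.
    """
    if salt is None:
        salt = os.urandom(16)  # unique salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Logon check: hash the entered password with the stored salt and
    parameters, then compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$", 2)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_weak_choice(password: str) -> bool:
    """Registration check: reject passwords an offline attack tries first
    (common words) or that a brute-force run would exhaust quickly (short)."""
    return password.lower() in COMMON_PASSWORDS or len(password) < 12


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("right password accepted:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("password", stored))
```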

The first passwords that hackers are likely to try are commonly used ones, such as "password", "123456" and "qwerty". They will then likely launch a dictionary attack - trying every word in the dictionary, and even pairs of words.

Finally they'll try a "brute force" attack, using every combination of one, two, three and so on lower-case letters; then lower- and upper-case letters; then lower- and upper-case letters plus numbers and special characters like @, & or '. The deeper into this they go, the longer the process takes, hopefully to the point that it is a deterrent in itself.