Site5 - Built For Designers & Developers MENU
Home  ›  Security  ›  Security: Why You Should Use A Strong Password

Security: Why You Should Use A Strong Password

Monday, December 3rd, 2012 3 Comments

Passwords, we all use them; they are a part of our everyday life. Passwords are one of the most private pieces of information that we have. Unfortunately, there is and always will be people out there with bad intentions. These people are always on the lookout for people with weak or insecure passwords. Their intentions can vary, but it almost always one of the following:

  • To steal your software/data
  • To graffiti or damage your website
  • To create a phishing/spamming website

We can help prevent this by using secure passwords that no one else knows.

If you need assistance changing or updating your passwords, please see the links within the Related Articles section at the bottom of this article.

Let’s break that last sentence down into its parts…

“…by using secure passwords…”

A secure password is the key when dealing with any kind of important, secure information. Here are a few basic guidelines that may be helpful when working with your day-to-day passwords.

  • Don’t use the same password twice!
    • As we have learned from the countless breaches from different (high profile) companies, passwords may not always be safe. Because of this, it’s a very good idea to use different passwords for each site you visit. For example, don’t use the same password you use for your email at your bank website. Also as an example, use a different password for each one of the social network sites you use. If one of the sites you visit has a breach where your password is exposed, this helps turn what could be a massive security breach into an isolated, single site, incident.
  • Use a STRONG password!
    • It is important that we use strong, hard to crack/guess passwords. Most people with bad intentions don’t “guess” your password, they crack it. They can do this a number of ways. The most common is using a dictionary wordlist and attempting each word in said wordlist. They can also attempt to bruit force the password. This is done by trying every single possibility (aaab, aaba, abaa, baaa, and etc) and seeing if any of them match. Because of the many ways people can attempt to crack our passwords, we need to make it as hard for them as possible. Here are a few things that can help accomplish this:
    • Don’t use just words!
      • Like we said above, dictionary wordlists are one of the many ways people attempt to crack passwords.
    • Use a mix of characters.
      • Use UPPERCASE and lowercase letters, numbers, and symbols. With a mix of characters, it will be much harder for people to crack your password because they will be forced to use the bruit force method, and that takes MUCH longer than using a wordlist.
    • Long and sweet
      • Use long passwords! Try not to use anything less than 8 to 12 characters, however 18 to 24 is recommended for sites with a life changing risks (banks, credit cards, insurance, password managers, etc). Adding more characters will also add to the time required to crack your password using the bruit force method. This is because for each character you add, it adds an exponential number of combinations that the attacker must try.
    • Change it up.
      • For your more secure passwords, it’s recommended that you change your password every so often. Most people recommend doing this every 3 to 6 months. Some people even have a system in place to help them remember their new passwords by using a standard password with rotating dates, capitalization changes, etc. That way you have a new password, but it’s still something easy for you to remember. However, keep in mind that this may slightly reduce the quality of your password. If you use a rotating password system, you should always change your whole schema/system every year or two to help keep things fresh. You should also never go back to a password you used in the past. It could open up an old security hole that you may not have known about at the time.
    • Password Managers
      • If you use the internet a lot, it’s not unlikely that you visit 20 or more sites regularly. Remembering complicated passwords for each one can be cumbersome. There are tools out there that allow you to store your passwords (in a secure, encrypted database) to help make your day to day life more easy. These tools are known as password managers or password keepers. You have two main types of managers, online and local. We will outline the pro’s and con’s of each storage type.
      • Online
        • Online services such as LastPass store your passwords in an encrypted database on their servers. The only way to access these passwords is to download this database and use a master password to temporally decrypt it allowing you access to your stored passwords. This is all done transparently so you never have worry about the actual download or decryption process.
        • Pro’s
          • You can access your passwords anywhere through a secure web connection using your browser or mobile device.
          • They normally have easy-to-use browser plugins that make using/accessing your passwords easy.
          • Most online services have good privacy statements outlining what they have access to and how they respond to breaches.
          • If your computer is lost, stolen, or damaged, you will still have access to your passwords saving your time in the event of an emergency.
        • Con’s
          • If the online service had a breach in security, it would be possible for the encrypted database to be downloaded by 3rd parties. While the database is secure, given time, it would be posible to access the encrypted data.
      • Local
        • Local services like KeePass work in a similar fashion to online services, however they store the passwords in a local encrypted database, rather than keeping it online.
        • Pro’s
          • You keep control over the password database.
          • They normally have easy-to-use browser plugins that make using/accessing your passwords easy.
        • Con’s
          • If you lose the database, you lose your passwords.
          • No access from remote locations like other computers or mobile devices.
    • Here are examples of good passwords (Do not use theses directly):
      • ku!q4XEqa3T.UW
      • pR@aceBe=pr3dU
      • hEy!UPh@ejaP7a
    • Here are examples of great passwords (Again, do not use theses directly!):
      • XuTruB@r9PheweSPA!Fa
      • KaR!AgasTa44E.japhaX
      • KE3w*eWruGe4!3brafra

 

“…that no one else knows.”

A password is only secure when it is being used by its intended owner. In this section, we will talk about ways to keep your password safe.

  • Physical Access
    • Something you always need to keep in mind is your physical/on-site security. You don’t want to keep your password written down in the open as you may have unexpected guests with bad intentions.
  • Viruses
    • It is very important that you keep up-to date anti-virus software running on your computer. Viruses could contain key loggers and trackers that could allow the password to be snatched and used by 3rd party, unintended users.
  • Where you Surf
    • In this day and age, it’s not uncommon for us to use our computers outside of our home or work environment. Because we don’t have control over the public networks we use at café’s, hotels, etc, it is possible for people to intercept our web traffic allowing them to see where we go (websites) and what we type into forms (passwords). In light of this, make sure that if you need to login to a website/system that you are using what’s called https or ssl. When browsing a site using https, it encrypts the information being sent and received, making it almost impossible for your data to be intercepted. Here are images of what you should be looking for in your browser when trying to use https.
    • Chrome
    • Internet Explorer
  • Phishing
    • Another big method people use to try and gain access to your login credentials is something called phishing. Phishing in its most basic setup is a fake version of a site you visit (e.g. a bank site) where they try to get you to login. Doing so wont actually do anything, expect send your username and password to the assailant. Do not click any links sent to you via email or chat. If you get a notice about something (e.g. from your bank) and you need to check it, open a browser and type the address in yourself.

This concludes our section on passwords.

Posted in: Security Tags: , , , , ,

Still have a question? Or need help?
If you need technical support with your account, please email us or chat live with a representative.

3 Comments

  • Don Cowper March 8, 2013 at 1:45 pm

    User seriously concerned about password security should check out a Yubikey. Combined with LastPass it gives excellent two factor authentication that can be very difficult to crack. Check it out at

    http://www.yubico.com (I am in no way connected to this company!)

    • John Oliver at Site5 March 8, 2013 at 3:59 pm

      Hello Don,

      Thanks for the information!

      I personally use YubiKeys and they are a great addition to security. Plus another benefit is with most models of YubiKeys, you can set a second option that you can customize. I have found for sites that don’t support the one-time-password option of the YubiKeys, you can set a 20+ character password for the second option and combine that with your normal password.

      For example, when I log into my email, I use the password I remember (e.g. “yADutHaD7cep”) than I hit the 2nd option of my key and it adds another 20+ characters (e.g. “SwadA3uSevefraNe2r5T”). So my actual email password would end up being something very long, secure, and VERY difficult to crack (e.g. “yADutHaD7cepSwadA3uSevefraNe2r5T”).

      Once again, thank you for your input! :)

  • Ludo de Lathouder May 1, 2013 at 9:52 am

    I use keepass on a truecript drive ( or usb stick).

Money Back Guarantees