Keeping passwords secure

From Tracks
Jump to navigation Jump to search
This page is a translated version of the page Veilig omgaan met wachtwoorden and the translation is 100% complete.
Other languages:
English • ‎Nederlands • ‎français

Many websites and computers are secured with a password, but not everyone handles passwords safely, which creates security risks.
In this article, you’ll learn:

  • How do you handle passwords securely?
  • What is a good password?
  • How do you use a password manager?

You often need passwords for the computer systems and websites you use in both your personal and professional life. But this creates a security risk, and it can be difficult to remember all the different passwords.

Wilka 3VE.jpg

Saving your passwords on paper or in a document is a not a good idea. This article explains how to create a strong and secure password, how to double-check that your password is strong and secure, and what a password manager is and how to use it.

How to keep passwords secure?

Use strong and secure passwords

Many of us use obvious passwords that are easy to remember. After all, you want to be able to log in quickly and not make things hard for yourself. And it’s never nice to discover that you can’t remember your password yet again, and need to click the infamous ‘forgotten password’ button for the umpteenth time. But this approach usually results in poor password choices – such as ‘123456’, ‘password’, ‘qwerty’ or a combination of your name and birthday – which aren’t secure because they’re much easier for computer programs to crack.

The Safeonweb.be website, an initiative by the Belgian Government, provides a series of useful tips for creating strong and secure passwords.

What you definitely SHOULD do:

  • Use a combination of uppercase and lowercase letters with numbers, symbols and punctuation marks.

Using numbers, uppercase letters, symbols and punctuation marks makes your password harder to crack because it dramatically increases the number of possible combinations. You can use numbers, uppercase letters and symbols anywhere in your password or passphrase.

  • Use a long password

Use a password that contains at least 13 characters. It’s often easier to remember a passphrase than a password, but you should choose a phrase or sentence that is meaningful only to you and does not consist only of existing words that are easy to guess – making up your own words or writing words backwards, for example, makes your passphrases much stronger. Obvious phrases, such as ‘iloveyou’, are therefore not a good choice.

What you definitely SHOULDN’T do:

  • Do not use a predictable password.
  • Do not use personal details, such as your name and year of birth (e.g. ‘YourName1985’).
  • Do not use common expressions, such as ‘seizetheday’.
  • Do not use a serial number, such as ‘seizetheday1’, ‘seizetheday2’, ‘seizetheday3’...
  • Do not just use repeat characters (e.g. ‘aaabbbccc’).
  • Do not use the same password for different accounts.

Using the same password for different accounts is inadvisable. If cybercriminals crack your password for one website, they could then try to use that same password for other websites too. It is therefore recommended to use long and completely different passwords for different applications, especially for accounts that include payment or personal details.

  • Do not share any passwords.

Sharing passwords is unwise as you never know what might happen with them. If you do want to share a password, however, make sure you use a password manager or vault (see below) to do so securely.

  • Do not save passwords in such a way that they are visible.
  • Do not save your passwords anywhere they can be seen near your computer – so not on a piece of paper stuck to your screen or desk, for example. It’s also best not to save passwords in an email or document on your computer, smartphone or tablet.
  • Do not use the same password for a long period of time.

It is recommended to change your passwords regularly: at least every year for your personal accounts, and even more often for your professional accounts. If one of your accounts gets hacked, you need to change all your passwords immediately. When you change your password, always check that any issues with the website have already been resolved first; you could very well be changing your password in vain if they haven’t.

  • Do not use any ‘secret questions’.

Sometimes people use an answer to a question as their password (e.g. what’s your pet’s name?) Try to avoid secret questions like this as the answers can often be found on the internet.

Check your password is strong and secure

Want to find out if you’re already using a strong password? You can test how fast hackers can crack your password on the How Secure Is My Password website. The longer it takes for hackers to crack your password, the better. Enter your password on the website to do the test.

how secure is my password

We tested the website by entering ‘azerty’, and it says that this password can be discovered instantly because it’s one of the top 10 most used passwords. The website also uses the colour red to indicate that it’s not a strong password.

If we enter ‘nastasia’, the website says that it can be found in about five seconds, because it’s possibly a word or name. It also says that adding numbers and symbols could make the password more secure. Entering ‘nastasia1’ as a password increases the time it would take a computer to crack it to 42 minutes, and even just changing the first character to uppercase (‘Nastasia1’) increases the time taken for a computer to crack it to three days.

Changing the password to ‘Nastasia1!’ further increases the time it would take for a computer to crack it to 5 years.

We prefer to use a longer password, and indeed even opt for a passphrase (rather than a password) – which is a complete sentence rather than just the shorter sequence of letters, numbers and characters used in a password. One advantage of using a passphrase is its length, but they’re often easier to remember too. If we enter ‘CoffeeIsDelicious’, for example, the website tool indicates that it would take a computer about one hundred billion years to crack.

If we then add numbers and punctuation marks to turn it into ‘C0ffee1sDe1icious!’, it would take about seven quadrillion years for a computer to crack. But punctuation marks and numbers aren’t always necessary: Entering ‘Thebrunchwasdelicious’ results in the tool saying it would take a computer about eight hundred quadrillion years to crack this password.

You can check if you’ve already been a victim of a data breach in the past on the haveibeenpwned.com website. If you have, it’s best to change your password.

Use two-factor authentication

A further way of dealing with passwords more securely is to use two-factor authentication. This normally uses something that you ‘know’ (e.g. a password) in combination with something that you ‘have’ (e.g. a mobile phone) or something that you ‘are’ (e.g. fingerprint). Using two-factor authentication is easy.

In the first step, you use your password to log in to your account (e.g. Facebook, Twitter, Google, Microsoft). In the second step, the website sends a code to your phone which you then enter to gain access to your account. There are other methods for two-factor authentication, such as the Google Authenticator App or physical (USB) keys.

Use a password manager or vault

If you have lots of complex passwords that you need to remember, it’s a good idea to use a password manager or vault. Password managers allow you to save your accounts and their associated passwords securely in the form of an encrypted database. You then use a strong password to secure the password vault itself. This has the advantage that you can access your passwords quickly and relatively securely, and you only need to remember one password in principle. But this is an important point for attention: you are encrypting all your passwords with a single password, after all. So make sure that your master password is long enough and contains a mixture of uppercase and lowercase letters with numbers and punctuation marks.

There are different types of password managers, each with their own pros and cons:

  • hardware password managers;
  • software password managers;
  • online password managers.

Hardware password managers come in the form of a USB stick, which serves as a physical key. But the disadvantage of this is that the key can be lost or stolen. The main advantage, however, is that your passwords are stored offline and safeguarded from security risks that could arise from being connected to the internet or other software.

Software password managers are installed as a program on your computer, and programs that run on your computer are potentially vulnerable because other software can cause your computer to crash or make your database corrupt or otherwise unavailable. One example of an open source password manager is KeePass. The fact this this password manager is open source means that anyone can view the source code, which is not ideal for software that’s used to manage all your passwords. It also allows developers to use this password manager source code to make it run on different operating systems and web browsers (e.g. Linux, Windows, MacOS, Firefox and Chrome).

You can only access online password managers through your web browser, which has the advantage that your passwords can be accessed from anywhere. The downside, however, is that you relinquish control and don’t have full certainty about what might happen with your data (stored in your passwords database). LastPass and Dashlane are examples of online password managers. They work like a cloud service where you log in using your master password, and it then sends your passwords to your computer, smartphone or tablet via the internet. LastPass is mostly used as an extension/add-on to your web browser or as a mobile app. Dashlane also offers local installation. They differ from other software password managers in that all the features can be used free of charge.

KeePassXC and Tusk are discussed in the user guides below.

Authors: Lode Scheers (meemoo), Nastasia Vanderperren (meemoo) and Rony Vissers (meemoo)