Passwords are a constant problem for computer users. If you use the web for anything these days, you’ve probably got at least half a dozen on the go at any one time. And, if you’re sensible, you’re not using the same one across different web sites.
The difficulty lies in coming up with a password that’s hard to crack, or even just guess. According to research by digital security company Dashlane, the likes of 'qwerty' and '123456' were among the most popular password choices in 2017.
The company analysed around 61.5 million passwords leaked from 107 online services over the last eight years and found that football teams, brands, movies and music were also popular choices.
How to pick passwords that can’t be cracked
Unfortunately, using a more complicated password doesn’t offer much more protection. Criminals now use computers to crack passwords by ‘brute force’, with specialist software that tries every possible combination of letters, numbers and other characters until it comes up trumps.
Current brute force technology allows hundreds of millions of passwords to be tried every second and the process is made much easier with ‘dictionary’ attacks. So for a six-character password, rather than start with AAAAAA, then AAAAAB, AAAAAC and so on, criminals just pick actual six-letter passwords from lists of leaked account details and start with variations on those.
The only way to deal with this level of sophistication is to choose a password that’s as long as possible and that mixes upper and lower case letters, numbers and symbols.
For example, according to www.howsecureismypassword.net, here’s how long a computer that can guess four billion passwords a second will take to crack the following passwords.
stoke = instantly
stokecity = 2 minutes
StokeCity = 19 hours
StokeCityFC = 6 years
StokeCityFC2015 = 609 million years
Of course “StokeCityFC” might seem secure in theory, but it doesn’t take a computer to guess it if it’s the password for your account at the Stoke City fan club forum. That’s why it’s also a good idea to introduce some randomness into your passwords.
BT recommends the following steps to choose a secure password, based on advice from Get Safe Online.
- Pick three random words eg: Jar Tea Phone
- Choose a date that is easy to recall eg: 2009
- Put the words together eg: jarteaphone
- Split the date up and put it at the start and end eg: 20jarteaphone09
- Capitalise a letter in each word eg: 20JarTeaPhone09
- Add two special characters to the end eg: 20JarTeaPhone09!!
Is it really random?
The human brain simply isn’t wired to create true randomness (if you’re mathematically inclined, look up Benford’s Law for more about this), which is why most people simply bash the keyboard when creating a ‘random’ password.
Don’t believe us? One of the most popular passwords found in a recent leak of real passwords was “qweasdzxc”. That might look like nine letters chosen at random, but if you find the Q key on your keyboard, you’ll see it’s anything but. The same applies to 1qaz2wsx, mnbvcxz and a host of other ‘random’ passwords.
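The two weaknesses described above, a password that is just a variation on an entry in a leaked list and a “random” string that is really a walk across adjacent keys, can both be checked mechanically before a password is accepted. This is an added example, not code from BT, Dashlane or howsecureismypassword.net; the leaked-password list is a small constructed sample, and the adjacency model treats keys in the same row or the row above/below (within one column) as neighbours.

```python
import re

# Constructed stand-in for the leaked lists a dictionary attack draws from.
LEAKED_PASSWORDS = {"123456", "qwerty", "password", "stoke", "stokecity"}

# Physical rows of a QWERTY keyboard; adjacency is derived from the positions.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _build_adjacency():
    """Map each key to the keys physically next to it (same row or row above/below)."""
    pos = {k: (r, c) for r, row in enumerate(KEY_ROWS) for c, k in enumerate(row)}
    return {k: {o for o, (r2, c2) in pos.items()
                if o != k and abs(r - r2) <= 1 and abs(c - c2) <= 1}
            for k, (r, c) in pos.items()}


ADJACENT = _build_adjacency()


def keyboard_walk_fraction(password):
    """Fraction of characters that sit in a run of three or more adjacent keys."""
    p = password.lower()
    covered, run = 0, 1
    for i in range(1, len(p) + 1):
        if i < len(p) and p[i] in ADJACENT.get(p[i - 1], set()):
            run += 1          # still walking along neighbouring keys
        else:
            if run >= 3:      # qwe, asd, zxc, 1qaz and 2wsx all count
                covered += run
            run = 1
    return covered / len(p) if p else 0.0


def base_word(password):
    """Undo the tweaks tried first in a dictionary attack: case and leading/trailing digits or symbols."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def weaknesses(password):
    """List the reasons a password would fall quickly to the attacks the article describes."""
    reasons = []
    if password.lower() in LEAKED_PASSWORDS or base_word(password) in LEAKED_PASSWORDS:
        reasons.append("variation of a leaked password")
    if keyboard_walk_fraction(password) >= 2 / 3:
        reasons.append("keyboard walk")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons
```

`weaknesses("StokeCity2015!")` reports the leaked-list variation, `weaknesses("qweasdzxc")` the keyboard walk, and the article’s 20JarTeaPhone09!! passes all three checks.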
While there are strategies for creating long, hard-to-crack passwords that are reasonably memorable, remembering more than a handful is a serious challenge — and that’s before you need to change one. The same goes for writing passwords down in a book and keeping it ‘somewhere safe’. Lose the book — or, worse, have it stolen — and you’re stuffed.
That means the best protection comes from a secure password manager application that generates truly random passwords of any length, remembers them and fills them in automatically when required. The best ones encrypt your passwords so that only you can access them, using a single master password that you do need to remember — so you’ll always need one.
BT Broadband customers can use the password manager True Key by Intel Security for free.
A factor of two
Two-factor authentication adds an extra layer of security by requesting a short code, sent to you as a text message or generated by a smartphone app, in addition to your password — the idea being that even if someone has your password, they’re unlikely to have your phone.