Security Tip: Secure passwords guide

Discussion in 'Safe Online Practices' started by bogdan, Jan 25, 2011.

  1. Yes

    7 vote(s)
  2. No

    2 vote(s)
  3. I'm planning to use one

    1 vote(s)
  1. bogdan

    bogdan 1 of the 4
    MalwareTips Founder

    Jan 7, 2011
    Secure passwords guide

    A password is a form of authentication represented by a string of characters that the user can easily provide, but that is hard to guess. In front of the registration form, people use obvious passwords such as the names of their children or their house number in order not to forget them, or simply because they can't come up with a better one. Their importance is often ignored - at least until the account gets hacked. This guide will show you how to choose secure passwords and still be able to remember them; you'll find links to software that might help, and hopefully you'll be determined to change your passwords to more secure ones.

    What makes a password strong?

    The answer is length, complexity and randomness. The common way to crack passwords is by using a brute force attack. The attacker attempts to crack passwords by trying as many possibilities as time and processing resources permit. A related but much more efficient method is a dictionary attack: words in one or more dictionaries and lists of common passwords are tested. A long password, composed of multiple types of characters in a random order, will be hard to crack.

    Guidelines for creating a good password:

    • Minimum length of 8 characters. Actually the longer they are, the better. Length is the most important factor when it comes to strong passwords.
    • Passwords should use all of the following four types of characters:
      • Lowercase
      • Uppercase
      • Numbers
      • Special characters such as !@#$%^&*(){}[]
    • Don't use passwords that are based on personal information because it can be easily accessed or guessed.
    • Do not use words from dictionaries (English or foreign), names or places.
    • Even if you slightly misspell words, spell them backwards or use 1337 speak, your password is not secure.
    • Do not use consecutive numbers or letters such as “1234” or “abcd”.
    • Do not use adjacent keys on your keyboard such as “qwerty” or “asdf”.
    • Do not repeat the same character in your password such as “aaaa” or “2222”.

    To achieve such complexity while still being able to remember your password you can use mnemonics.

    "My favorite song is Led Zeppelin - Stairway to Heaven". This phrase is easy to remember (especially if this is your favorite song). It is a phrase with a question and an answer. I can convert it to a password like this:
    • Using the first letter of every word, while keeping cases and punctuation: MfsiLZ-StH
    • Adding a special character between the question and the answer: Mfsi/LZ-StH
    • Adding numbers to my password by converting L (the first letter in the answer) to 12 (L being the 12th letter in the English alphabet): Mfsi/12Z-StH
    The result is a good password. It is long enough, has complexity by using letters (both lower and uppercase), numbers and special characters, and finally it is sufficiently random. The password itself might not be easy to remember, but it is easy to reconstruct from the easy-to-remember phrase and the 3 simple rules that generated it.

    Tom172 shared a video by SophosLabs that demonstrates a similar way of creating a good password.

    Test your passwords: Link 1, Link 2, Link 3.

    Using your passwords safely. Software that you might need.

    Making a good password is just the beginning. At the beginning I mentioned dictionary attacks as being the most used method to crack passwords; however, it is easier to steal passwords from unaware users, and this is why you should exercise caution when using them.

    Guidelines for using passwords securely:

    1. Don’t write down your passwords on paper or inside a non-encrypted file. Instead of using weak passwords, it might be better to use strong ones, even if you have to write them down. Fortunately you can do so in a secure way by using a password manager.
    2. Do not use the same password for all accounts such as additional email accounts or other log-ins you may have on the Internet. To keep track of all passwords you'll have to use a password manager. A password manager encrypts all your passwords using a single password that you’ll have to remember.
    3. Use a password manager (it should be obvious by now). I use the LastPass browser plug-in (the free version). It offers support for all major browsers and the free version is sufficient for even the most demanding users. Furthermore, it works as a cloud service - your passwords are sent encrypted and through a secure connection to their servers. As a result they are available everywhere, even on multiple devices. If you would rather use a stand-alone application instead of a plug-in, try KeePass (open-source). It doesn’t include a cloud service (and some might appreciate that) but it offers a portable version that you can carry everywhere on a USB stick. Both can also be used to create strong passwords, so next time you face a registration form you won’t have to spend time creating a strong password.
    4. Do not share your password with anyone. Anyone includes your friends and family. First of all, passwords are private, and second, you don't know if the person you are sharing the password with will take the necessary precautions to safeguard it.
    5. Watch for attackers trying to trick you into revealing your passwords (phishing attacks). Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. Do not reply to phone calls or email messages requesting that you reveal your passwords. Legitimate websites or organizations will never ask you for your user name and password. To protect yourself from malicious websites, I recommend using a browser add-on that warns you when you try to visit such a site: Web of Trust (all major browsers) / Norton Safe Web (Firefox and Internet Explorer). I also encourage you to check out Chiron's guide: How to tell if a website is secure.
    6. Be aware of when a password is sent securely across the Internet. Sites that begin with “https://” rather than “http://” are secure for use of your password. Most sites offer an https connection, but unfortunately they use http as default or fall back to http immediately after the log-in. I recommend using a plug-in that enforces a secure https connection: HTTPS Everywhere (for Firefox and Chrome). NoScript for Firefox can also force https connections (go to NoScript Options -> Advanced -> HTTPS).
    7. Secret questions are vulnerable to guessing attacks. Most websites offer this method as a way to recover your lost password. Choose answers that are hard to guess and if you fear you might forget them, use a password manager.
    8. Do not use the "remember my password" feature offered by many programs. These programs have varying degrees of security protecting your passwords. Some store the information in clear text in a file on your computer or with a weak encryption. Software tools that can retrieve passwords in all major browsers, instant messengers and e-mail clients are available.

      Tip: Firefox can protect your passwords with a "master password". If you plan on letting it store your passwords, you must enable this feature. Go to Tools > Options... > Security and check Use a master password. A window asking for the master password will pop up. This password will be used to encrypt all your other passwords, so make sure it is strong and remember it.

      Note: The latest versions of most IM clients (ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype) do not save the password itself, but its hash, which is used for authentication. Even so, if an attacker gets hold of that file he can use it to log in to your account.
    9. Keep your PC malware-free. Make sure the security software you are using is up-to-date and offers protection against key-loggers. A key-logger is a type of malicious software that runs on your computer logging every keystroke. If your security software doesn’t offer this kind of protection, I recommend installing Keyscrambler Personal (IE and Firefox add-on).
    10. Don’t type your passwords on someone else's computer. If possible, don't use someone else's computer that you don't trust to log in to any website, especially very sensitive websites such as your banking account. That PC might be infected with a key-logger or other types of malware that can steal your passwords. Public PCs are highly insecure; it is best to avoid them altogether, but if this is not possible, consider using multiple factor authentication. For example, Google users can opt in to the Google Authenticator service. When you log in from a device that is not trusted, you will be asked for your password (something you know) and a code, provided by Google via your phone (using an app or a simple SMS) (something you have). This way, even if your password is compromised, no one will be able to log in to your account without your phone.
    11. Secure your wireless connection. Using a non-encrypted wireless connection or a WEP encrypted one (WEP is flawed by design and easily breakable) exposes you to a man-in-the-middle attack. An attacker can easily connect to your network, intercept transmitted packets and possibly steal your passwords or hijack your session. Use WPA2 or WPA encryption (if you own devices that can’t use WPA2) with a strong pass-phrase to protect your wireless connection. Be aware that most public hot-spots don’t offer a secure wireless connection.
    12. Change passwords immediately when they are compromised. Even if you have the slightest doubt that one of your passwords was stolen, change it immediately.
    13. Change your passwords regularly. Changing your passwords twice a year ensures that a persistent attacker won't have enough time to break them by using brute force.
    Malware1 likes this.
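The three mnemonic rules and the "what makes a password strong" guidelines above can be turned into a small, runnable check. The following Python script is an added example and is not code from the original post or from any of the tools it mentions: it derives the guide's own password (Mfsi/12Z-StH) from its phrase, flags the guideline violations the guide lists (length, character classes, dictionary words including reversed and 1337-speak spellings, consecutive characters, adjacent keyboard keys, repeated characters), and estimates worst-case brute-force time. The word list, the US keyboard rows, the 32-symbol special-character count and the guess rate of one billion per second are constructed assumptions for the illustration.

```python
import math
import re

# The four character classes from the guide, with the size used for the key-space
# estimate. 32 printable ASCII symbols is an assumption for "special characters".
CLASSES = {
    "lowercase": (str.islower, 26),
    "uppercase": (str.isupper, 26),
    "numbers": (str.isdigit, 10),
    "special characters": (lambda c: not c.isalnum() and not c.isspace(), 32),
}

# Keyboard rows for the "adjacent keys" rule (US layout, assumed).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# A tiny constructed word list standing in for a real dictionary / common-password list.
WORDLIST = {"password", "stairway", "heaven", "zeppelin", "dragon",
            "letmein", "welcome", "monkey"}

# Common 1337-speak substitutions, undone before the dictionary check
# (@->a, $->s, 0->o, 1->i, 3->e, 4->a, 5->s, 7->t).
LEET = str.maketrans("@$013457", "asoieast")


def mnemonic_password(phrase, split_after):
    """Apply the guide's three rules: initials of every word (keeping case and
    punctuation), a '/' between question and answer, and the answer's first
    letter replaced by its position in the alphabet."""
    initials = [token[0] for token in phrase.split()]
    question = "".join(initials[:split_after])
    answer = "".join(initials[split_after:])
    if answer and answer[0].isalpha():
        answer = str(ord(answer[0].lower()) - ord("a") + 1) + answer[1:]
    return f"{question}/{answer}"


def classes_present(password):
    return [name for name, (test, _) in CLASSES.items() if any(test(c) for c in password)]


def charset_size(password):
    return sum(CLASSES[name][1] for name in classes_present(password))


def entropy_bits(password):
    """Bits of a uniformly random password drawn from the same classes: length * log2(charset)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def brute_force_years(password, guesses_per_second=1e9):
    """Worst-case time to exhaust the whole key space at the assumed guess rate."""
    seconds = charset_size(password) ** len(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def has_sequence(s, length=4):
    """Ascending or descending runs such as '1234', 'abcd' or 'dcba'."""
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_run(s, length=4):
    """Windows that read along a keyboard row in either direction ('qwer', 'asdf')."""
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def contains_dictionary_word(password):
    """Dictionary words found as-is, spelled backwards, or hidden with 1337-speak."""
    lowered = password.lower()
    candidates = {lowered, lowered[::-1], lowered.translate(LEET)}
    return any(word in cand for word in WORDLIST if len(word) >= 4 for cand in candidates)


def check_guidelines(password):
    """Return the list of guide rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    present = classes_present(password)
    problems += [f"no {name}" for name in CLASSES if name not in present]
    if contains_dictionary_word(password):
        problems.append("dictionary word (also checked reversed and 1337-speak)")
    lowered = password.lower()
    if has_sequence(lowered):
        problems.append("consecutive characters")
    if has_keyboard_run(lowered):
        problems.append("adjacent keyboard keys")
    if re.search(r"(.)\1{2,}", password):  # three or more identical characters in a row
        problems.append("repeated character")
    return problems


if __name__ == "__main__":
    guide_pw = mnemonic_password("My favorite song is Led Zeppelin - Stairway to Heaven", 4)
    for pw in (guide_pw, "Stairway1", "P@ssw0rd!", "qwerty1234"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, {brute_force_years(pw):.2e} years worst case,"
              f" problems: {check_guidelines(pw) or 'none'}")
```

The entropy figure assumes every character was chosen uniformly at random, which a mnemonic password is not, so treat it as an upper bound; the guideline checks catch the structure (dictionary words, keyboard walks, sequences) that makes real passwords far weaker than that bound suggests.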
  2. Brian

    Brian Guest

    Excellent guide!
  3. acuariano

    acuariano New Member

    May 16, 2011
    What about using Zemana or SpyShelter to prevent keylogging? These also use anti-clipboard-logging.
  4. illumination

    illumination Guest

    This is a great tutorial!
  5. Umbra

    Umbra Moderator
    Staff Member MVP

    May 16, 2011
    Windows 10
    I use a passphrase like "im a sexy boy", then use "hacker" writing, then add symbols, so it becomes: (1m,4,53xy,b0y.)

    not complicated
  6. jamescv7

    jamescv7 Level 61

    Mar 15, 2011
    A must: don't remember passwords, especially on a shared network. That's why I don't like to sign in at some public places.
  7. WinAndLinuxTutorials

    Aug 23, 2011
    Check the password strength

    Here is a website to check the password strength:
  8. win7holic

    win7holic Banned

    Apr 20, 2011
    RE: Check the password strength

    This way was already posted by bogdan in this thread.
  9. nldmyanmar

    nldmyanmar New Member

    Sep 20, 2011
    Thanks bogdan, appreciated :D
  10. McLovin

    McLovin Level 36

    Apr 17, 2011
    Windows 10
    Trend Micro
    Thanks for the very helpful guide Bogdan. Will suggest this to other people that are having trouble on how to make a strong password.
  11. LochNess

    LochNess New Member

    Apr 2, 2011
    Excellent !!! Thanks Bogdan... I just printed and 'stuffed' it into my 'cluttered' briefcase...
  12. Fedora

    Fedora Level 41

    Feb 23, 2014
    Windows 10
    Bookmarked this page, thanks.