Passwords are lamented by users for being an annoying barrier between them and the task they want to get done. These are of course the very same people who then wonder why their account that uses the password "letmein" has been hacked.
Of course, choosing an extremely complex password can also be a recipe for disaster. How many post-it password reminders have you seen stuck to the monitors of PCs in workplaces and at home? Surely there's a better way…
^Passwordmeter.com analyses your password and rates its security
How passwords work
Before covering alternatives to your current password setup, it's important to understand how passwords work and why this single security step can be the one weak point of your entire online life.
At their most basic, passwords are stored alongside usernames in a database. When you log in with your username, the site checks that the password matches the appropriate entry in the database, and if it does you're able to log in. But it's actually more complicated than that.
Any business worth its salt will not be storing passwords as plain text in a database, as this is the least secure way of storing passwords. If a database of user information has passwords stored in plain text, any hacker who manages to get into the database instantly gains access to every user's credentials. Because so many people use the same password for all their online services, this database is a veritable gold mine of information that can put millions of accounts and businesses at risk.
Passwords in a database should be stored as what is known as a "hash". In this case, a hash is a unique combination of numbers and letters that represents what the password is. For example, the MD5 hash of the word "password" is "286755fad04869ca523320acce0dc6a4". When you enter your password into a website's password field and hit the log in button, the website compares the hash of the password you've entered to the hash it has stored next to your username in its database. If it's a match, you get logged in. If not, try again.
Password hashes can't be reverse engineered into their original text, but the hashes of common passwords are well known and can easily be looked up; it doesn't take long for a hacker to create a dictionary of every single eight-character letter/number combination and run that against a list of stolen password hashes.
A pinch of salt
Because of this, many companies use a second step for password security. Each password hash is modified based on another string called a "salt". This string is added to the hash and could be based the user's login name or email address. So the username "shopper", the hash of which is added to "password" as a salt, results in a complete salted hash that looks like this: "b47a9c791d653c8fa7ce7eff2abdd428".
So, while the hacker will likely know your username, the fact that your password is mashed up into a single salted hash means that they won't be able to figure out which part of the hash represents your username, and which part is your password. That's why salted hashes are so secure.
Salted hashed passwords
Word | MD5 hash | Hash security | |
Username | "shopper" | d0d191dc174af5d9208318bdb7b53bd0 | Low |
Password | "password" | 286755fad04869ca523320acce0dc6a4 | Very low |
Salted password | "shopperpassword" | 7df3966a25335f471159cb17572e1d6e | High |
Still, we can't assume that every company stores our passwords in this way. If you use the same password across multiple sites, it only takes one weak link for all your login details to all those websites to be made known to a hacker or hackers. That's why unique and uncommon passwords are so important.
Security through obscurity
We all know the basic steps for a secure password. Signup pages will make suggestions and give you an encouraging coloured bar to tell you how secure your new password is. Make it as long as possible, you're told, add numbers and symbols, and don't include your username. All good tips, but while your passwords may now be secure, they're all but impossible to remember.
The problem, as you can see below, is that some websites force you to include symbols and other characters that make a basic passphrase impossible.
Google: 8 characters
Microsoft: 8 characters, at least one capital letter, number or symbol
Facebook: 6 characters
Yahoo: 8 characters with number, symbol or capitalisation, 9 characters with lower-case letters
iTunes: 8 characters with one capital letter, one number, no more than two consecutive identical characters. Must also not be "common" (Password11 isn't allowed, for example, even though it matches all the other criteria)
PayPal: 8 characters, no more than two consecutive identical characters
What about passphrases?
Passphrases are longer passwords that are much easier to remember, and while they will contain words from the dictionary, the best passphrases will put together words you'd never expect to find consecutively. Recent research has found, however, that a typical long passphrase is only marginally more secure than a complex, shorter password. This is because, according to the authors of the 2013 paper "Linguistic properties of multi-word passphrases", "users aren't able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language."
This means while the concept of a passphrase is strong, the public at large are unwilling to commit to a memorable phrase that also isn't a sentence that makes sense.
Making a secure password
Security firm Kaspersky Lab unsurprisingly has an awful lot to say about password security, and Kaspersky principal researcher David Emm says a passphrase makes a great base for a password, but other modifiers are needed to make a passphrase properly secure.
Emm's example routine is as follows
Come up with a base phrase. In this example, it's "Don't put all your eggs in one basket"
Take the first letter of each word: "Dpayeiob"
Now apply some changes. It's for your eBay account, for example, add a word you'd associate with eBay after the fifth character
Capitalise the seventh character
Put a "4" after the tenth character
Add an asterix after the second character
You'll end up with something like "D*payetOysi4ob"
All future passwords should follow this pattern, but the additional word will be different each time, meaning each password is unique and hard to guess.
Now this will certainly produce a wide range of secure passwords for various services, but personally we’d struggle to recall this many steps, and probably forget which ‘associated’ word we’d inserted in each. Add to that the ease of mistyping something so complicated and most will want to look for another option.
AVOID these passwords
Each year, security firm Splashdata releases its list of the 25 most popular (and thereby worst) passwords. Many of the top-ranking passwords are clearly insecure, but there are a few surprises here too. Avoid all these, and anything vaguely similar, at all costs.
123456
password
qwerty
baseball
dragon
football
monkey
letmein
abc123
mustang
michael
How to manage secure passwords
If you have an arsenal of secure passwords but are struggling to remember them all, a password manager is a great way to keep them all organised. The best password managers store your passwords in the cloud, allowing you access them from anywhere with a single master password. There are flaws to the system, of course - having your passwords stored in the cloud means they're no longer in your control, so if the provider is hacked, your passwords might be at risk.
Your browser also stores your passwords to make it easier for you to log into your favourite sites. Unfortunately, these are rather easy to compromise; there are some very simple and free tools that can extract passwords from your browser's Registry entries. So while they may work perfectly well, there are certainly better options available.
Using Dashlane to store passwords
We'd recommend Dashlane as a password manager. At its most basic it can store your passwords and autofill them, as long as you have it installed on your PC or smartphone. What's more, it can generate different, ultra-secure passwords for all the sites you use.
The only password you have to remember is your master password, which is used to log into Dashlane itself. If you forget the master password, there is no way to retrieve it, so you should keep that in mind and write it down somewhere secure.
Because you don't have to remember individual passwords anymore, Dashlane can make them extremely long and complicated. And by having dashlane installed and auto-filling your passwords for you also means you're going to be less susceptible to password-stealing keyloggers.
Of course, using those highly secure (and so utterly unmemorable passwords) does mean you always need to have Dashlane installed on your devices. That shouldn’t bother most people, though, who rarely jump from device-to-device on a daily basis.
If you’re still using some old passwords, Dashlane will take you to task if they aren't secure enough. Click on the Security Dashboard to get a detailed analysis on all of your passwords. It'll tell you how many passwords you've reused, how many are weak and will even let you know if a site your password is stored on has been compromised. Even if you don't follow tech security news closely, if Dashlane picks up that a site has been hacked, you'll be informed and told to change your password.
Another handy tool is the ability to share your passwords with emergency contacts. Simply type in the email address of the person you want to share passwords with, and they'll be allowed to send you a request for access to your passwords. You can either allow them to see all of your passwords, or just a select few that you think they might need. This is very handy if you’re travelling and need a friend or family to sort out something for you online.
All the above features are free, but if you shell out $40 (around £25) for a year of Premium, you'll also get the ability to synchronise your password data across devices, including to mobile apps. This means you can view your passwords while you're on the move, which is particularly handy if you want to access sites from both mobile and desktop devices.
Two-factor authentication
A simple way to dramatically increase the security of any given account is to enable two-factor authentication. If a service you value highly uses two-factor authentication, you should enable it as soon as possible.
Two-factor authentication requires two steps in order for you to log in, your usual password plus a second one-off code. The second code is usually texted to your phone on request, so anyone wanting to log into your account would need both your password and your mobile.
For convenience you can set most accounts to only require two-step authentication the first time you log in from a new device. The service will remember the device or PC and you won’t be hassled with two-step again.
This makes your accounts very secure to hackers who are trying to compromise your account from afar (say after getting a haul of passwords from a compromised service) but less useful if the attack originates from your own home or a stolen mobile phone. If your problems are more local, you can usually request two-step authentication for every log in.
There are also specialised smartphone apps that are used for authentication, such as Google Authenticator. These apps generate one-use codes that can be used to access your account and adds an extra verification step. Again, these codes don't protect against your phone being stolen. Despite having Google branding, Authenticator can be used with any service that supports it. For instance, Dashlane supports Google Authenticator and can be enabled through "Tools>Preferences>Security>Two-factor
How to make your own password manager with KeePass
The advantage of using Dashlane is that such companies use extremely complex security systems to prevent breaches. However, the sheer concentration of data held by these firms means they will always be a tempting target. While it's unlikely actual passwords will be stolen, more serious hacks could lead to a password management service being taken offline, which means you won't be able to access your passwords.
Instead, why not hide all your passwords in a more innocuous service such as cloud sync software including OneDrive, SugarSync, Dropbox or Google Drive, too.
KeePass is a simple and lightweight piece of database software with a few extra features that make it suitable for password storage. Its password database remains encrypted unless you enter a master password, which you can choose yourself. If you forget the master password, your data will be unreadable, so even if your OneDrive account was to be compromised, a hacker would struggle to unlock your database.
How to use KeePass in the cloud
Go to keepass.info/download.html and download the Portable edition of KeePass Professional Edition. On the webpage, this is the fourth download choice, in the bottom right. Download the .Zip file
![Make sure you pick the right KeePass download link]( "Make sure you pick the right KeePass download link")
Open the .Zip file and click Extract all files. Click Browse and navigate to your cloud folder (C:\OneDrive, C:\Dropbox etc) and extract KeePass into a new folder called KeePass
Run KeePass and click the "New" button on the top-left. Navigate to KeePass folder and click Save. This is where your password database will be stored, and it will synchronise across your computers each time you modify it
![View all your passwords from the main KeePass window]( "View all your passwords from the main KeePass window")
Set a strong master password and use the "Estimated quality" bar to gauge how secure it is. You'll need this password every time you want to access your password database
![Enter a password to access your KeePass database]( "Enter a password to access your KeePass database")
On the next screen, you can add a database title and description if you want, or you can leave everything blank and hit OK. You'll be taken back to the main KeePass window
The area on the left will display various categories of passwords, making it easier to find the password you want. You can add your own categories by right-clicking in this area and clicking "Add group"
Add a new password by clicking the icon with a yellow key and green arrow next to the save button
Enter the name of the service, the username and the password. If you want to use KeePass' autotype feature, enter the domain on which you use this username and password combination. For instance, http://paypal.com for your PayPal password.
![You can generate entries in KeePass for every website you use]( "You can generate entries in KeePass for every website you use")
By default, the Auto-Type feature can be activated by pressing Ctrl+Alt+A, but this can be changed under Tools>Options>Integration
Use a USB stick instead
If you'd prefer not to store your password database in the cloud, you could install KeePass on your local hard disk or on a USB storage device. For added security, you can protect it with encryption. We'd recommend Veracrypt for this.
Download VeraCrypt from veracrypt.codeplex.com and run the installer. Once done, open the program and select Create Volume and select "Encrypt and non-system partition/drive". Leave the next screen on its default settings and click next, and on the screen after that select the location of the USB drive you want to encrypt - make absolutely sure that you're encrypting the right device by checking the drive letter
Click next again and enter the size of the volume and then enter a password, which you'll need to remember in order to access your KeePass data. Any data on the USB disk will be lost, so make sure there's nothing on it that you need. Once you're done, simply follow the instructions above but extract the .zip file to your USB drive instead.
Whenever you want to access your drive, you'll need to run VeraCrypt and select "Select Device". Select your encrypted drive and press OK. Then click Mount and enter the password you selected. You'll now be able to access this drive as normal.
