How to choose secure passwords

Why use secure passwords?

 

  • If your server is exposed to the internet (this will be the case if you have remote access) – you can assume that there will be hundreds of hacking attempts on your server every day. These attacks usually are not coming from humans but by software. The software uses massive dictionaries of human names and potential passwords by trying out millions of combinations until something works. Once the software has access to your account it notifies the human hackers, who’s job it is to hack into your server to access information stored thereon.
  • Don’t assume that you are unimportant, that because your information is not valuable to anyone other than yourself that you will not be a target. Ransomeware systems could encrypt the entire system and demand money in exchange for a decryption service. Hackers also could utilise your system to send spam, an activity that would blacklist your server preventing your real emails from reaching their intended recipients.

    Unexpcted consequences of being hacked

  • How would you like it for all your contacts to be emailed (ostensibly from yourself) with adverts for Viagra or infected file attachments that destroy or damage data on their computers? They may open the attachments because they trusted you.
  • There’s money in this game, big money. A valid email address can be sold to spammers, fetching up to a pound each. If you have any emails in your systems, they are valuable.
  • Data protection liabilities. We all keep names and addresses of our clients and sometimes, under the Data Protection Act we are legally obliged to take care of this information.
  • Infections and Spam: As well as virus infections, slow computers, disrupted networks, you could end up inadvertently hosting objectionable material like as hardcore pornography, viruses or worse.
  • Being cut off by your ISP: Have you heard of “botnets” and “zombies”? A breach of your server like this can end up with your ISP shutting you down for participating in DDOS attacks.

    How do I change my password?

  • In mac/Linux do it through the user manager, or terminal and type: “passwd”  and ENTER. Answer blind (no typing shows) with old pass then new password (enter twice) and your done.
  • In Windows you can press CTRL-ALT-DEL, and click the button “Change Password”

Password good practise.

A perfect password is impossible, with quantum computing any password can be cracked eventually. However we are human, and we can only do our best.

Bear in mind that using an identical password for different services is highly inadvisable, if one of your services are compromised, the others will be too.

Good passwords can be a pain to remember, design and employ a system for your self and keep it to yourself. A good system will allow you to remember the password easily, and in the event that you end up having to reveal the password to anyone (for instance a friend needing access in emergency, or a technician you have asked to recover you computer) your other passwords will not be compromised.

Something simple that works well for many is using PREFIX, a BASENAME WITH SPECIAL CHARACTERS and a SUFFIX.  For example, I need to make a password for my gmail account, I might use:

2017%BaNaNa*1328PATIEgoogligoogli

  1. The PREFIX (2017) is the year I established this account.
  2. The BASENAME is common to all my passwords, I NEVER write it anywhere except at a password prompt. It’s made up of a few things that are easy to remember for me and quick to type, choose numbers and letters that have nothing to do with you personally or legally (as this might allow someone who knows a little about you already to guess). For this reason – NEVER use relative’s birthdays as part of your basename, they are very easy for attackers to discover.
  3. The SUFFIX is something unique to my gmail password only, I always think of this when I see google.
  • Some examples of reasonable (and memorable) passwords:
    7sing*to*me7
    99harryup1-oSCaR
    1Song^^And^^Dance
  • This is what a rubbish password looks like:
    password
    password1
    tuesday
    123
    harry
    10/12/81