User's online identities are usually not well protected, with a password of a few characters standing between their private data and hackers. But creating a password no one can guess means coming up with something that's next to impossible to remember.
Security experts almost unanimously advise against using words that can be found in the dictionary - word and names are the most common, but least secure passwords, able to be broken quickly by hackers employing attacks that keep trying out different combinations until successful. One safe option is a long string of characters.
Word-based passwords are a necessary evil, according to Norbert Pohlmann, director of the Institute for Internet Security at the Gelsenkirchen University of Applied Sciences in Germany. "This is the least-suited mechanism for authentication that one could imagine." But there isn't really another option. "We have to learn to work with this as users and make the best of it."
The best password has at least 10 characters - including special ones - plus capitalised and lower-cased letters and numbers. "This way the key space is so big that (an) attacker would need more than 200 years to crack the code," explains Pohlmann. "But a lot of people use bad passwords, because they take the name of their girlfriend or company."
Any password that can be found online or in a dictionary is bad as a password. Also avoid anything that relies on a pattern, such as 12345 or QWERTY. But how to remember a complex password? Germany's Federal Office for Information Security (BSI) says users need to come up with their own cheat phrase. Thus "I have 100 secure passwords to register myself online" becomes Ih100sP, torMo.
Avoid special characters, since they don't appear on all keyboards. Never use years or birthdates for a PIN. Passwords should be changed every six months and users can never let down their guard against phishing attacks. It's a bad idea to use the same password for every account, even if it's a good one. If someone gets it, they'll have access to all your accounts.
"Ideally, you should have a separate password for every account," says Melanie Volkamer of the Centre for Advanced Security Research at the Technical University of Darmstadt, Germany. "But no one can remember 30 random character strings." A good password can be adjusted for different sites, sometimes by adding different strings of characters that have to do with the service's name.
And since every account isn't equally important, there's also the option of creating password groups - a compromise between security and user-friendliness. Thus, one password can be used for social networks, another for online shopping, a third for banking and a final one for email.
The email account password is especially important, says Pohlmann. "A lot of services have created a reset mechanism linked to an email address." Password management services that store multiple codes are of limited value. They can quickly prove to be a security problem if used with unsecure computers. Images are another option. "You can use graphic passwords, since our memory works better with pictures," says Volkamer. Some require a series of pictures to be identified in the right order. "I don't have to repeat it, I just have to recognise it." But these are not very common yet.
Comments
Comments are closed.