Online Passwords

Online Passwords and Guidelines

NOTE! This also applies to "Microsoft" accounts used to log in to Windows 8, 8.1 and 10.
(Microsoft accounts look like an email address and can be accessed on the Internet) 

I am increasingly seeing users having issues with online accounts they have created being fraudulently accessed or hacked due to the choice of very weak and insecure passwords.  Most of these passwords are either a simple word - or a word followed by 4 - 6 digits, typically a year or date.  Even passwords comprising two words and some numbers should not be considered in any way "secure" for online use as they can usually be cracked, even if they have some Upper case (Capital) letters included.

Why are these passwords so easy to crack?

Hackers use many techniques to attempt to guess passwords - but the most productive and common method is based on a "Dictionary" attack.  This relies on people using words, names or places with a few digits appended to make up minimum length requirements.

Unfortunately, even longer words do not make this type of password secure.  A list of say 50,000 words including names and places will match most words used in passwords and then adding up to 4 digits (starting with 1900 - 2020) will quickly match the rest of the password.

What should I use?

Passwords used to access ANY online service (email, facebook, apps, banks, shopping sites etc. etc.) MUST be "complex" and different for EACH site.  Using the same password for multiple sites risks exposing ALL your accounts if any one site is hacked or compromised.

Passwords should include (where possible) Lower case (a-z), Upper case (A-Z), Numbers (0-9) AND symbols (!£$%^&*[]{}-_:'@ etc) and NOT contain real words unless multiple letters are replaced with symbols and/or numbers.  Obvious changes like replacing I or L with 1 and E with 3 should be avoided or used with other less obvious changes to the word.

Making this easier...

It is possible to use a single complex prefix or suffix for multiple sites like "$Zwq!9#" and a different suffix or prefix for each site - but obviously the suffix or prefix must also be random and hard to guess.  This makes it considerably easier to keep all passwords different, but easier to remember and enter when required.  DO NOT USE THIS EXAMPLE!!

Keeping a document on a memory stick with a complete master list of passwords, as well as a printed out copy for easy reference is also useful - but DO NOT save your passwords in a document on a "cloud" based server - or in an Outlook (or other email) contact entry.

Who would want to hack my passwords?

A) It doesn't matter - and B) There's money in it.  Usernames and passwords sell on the Internet black market so hackers WILL try and crack accounts to sell on to others.

Hacking email or other online accounts can help hackers hain access to other personal information and even withdraw money from online accounts, or place orders using saved credit card details.


Robin Downs

Radix Services Ltd.