
Strong Passwords

Here are five rules for strong passwords:

  1. Pick characters at random from any key on the keyboard
  2. Make them long
  3. Don't try to make your passwords memorable
  4. Never save your passwords on a computer, phone or other device
  5. Use a different password for every website

And keep them safe! A simple way is to write them down and put them in your wallet. This makes a physical barrier between the online and real worlds that even a hacker with access to your computer cannot break.

Qwertycards give you this security and keep your passwords safe even if your wallet is stolen.

The simple plastic card that goes in your wallet
for easy to remember very strong passwords

Dictionary attacks - why you should forget your passwords

Websites have to save a copy of your password to compare against each time you log in. Because passwords are so vulnerable to being stolen they are not saved as plain text but in a special format called a 'hash'. A hash is a one-way process that converts your plain text password into something that would look to us like random data. This one-way process cannot be reversed, so if a file of hashed passwords is stolen the thief cannot convert them back into plain text passwords. When you log in, the website makes a 'hash' of the password you entered and compares it against the hash it saved previously. If these match you are given access.

Hackers target websites to steal copies of files containing the hashed passwords of all their users. Once they have stolen these files and put the copies on their own computers they go to work on breaking these down to find plain text passwords.

As they cannot directly convert the hashed passwords back into plain text passwords, they have to guess the passwords in the file. They do this by using advanced software to make up plain text passwords, hash them using the same method the website uses, and look in the stolen files for exact matches. Every time they find a match they have another password.

It is important to understand the sophistication of hackers and the resources they use to break passwords:

  - They are financially motivated and have the best hardware and software available
  - They can make billions of guesses every second, checking a vast number of password combinations
  - Their guesses are not just random; they use very intelligent algorithms to exploit the exact same tricks people use to make their passwords memorable
  - They have a wealth of data on previously revealed passwords from across the internet going back many years
  - The software they use is constantly evolving; even if the method you are using to make an easier-to-remember password is safe today, it might not be in six months, and you have no way of knowing
  - They read the same advice forums as you on how to create a strong memorable password, and then they exploit it in their software
  - They have as much time and as many attempts as they like to break the passwords
  - Stolen password files may contain thousands of users' passwords, and the hackers will keep going to steal as many of these as possible

Trying all the words and place names in every dictionary in every language, inserting deliberate spelling mistakes, replacing letters with numbers, building passwords from simple phrases or from keyboard keys that sit close together: these are just a few of the tricks the criminals try.

Even with all of their resources they still cannot break truly random, long passwords; there are just too many mathematical combinations. This is why they focus on the weaknesses people introduce to make their passwords memorable. Don't take the chance - use a random password.
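The two ideas above, the hash-and-compare login and the size of the search space for a random keyboard password, as an added example that is not part of the original page or the Qwertycards product. It goes slightly beyond the page by adding a per-user salt and a slow key-derivation function (what a careful site does in practice); the guess rate of 10 billion per second is a constructed figure standing in for the page's "billions of guesses every second", and the iteration count is an assumed demo value.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional, Tuple

# Every printable key on a US keyboard: letters, digits and punctuation (94 symbols).
KEYBOARD_CHARS = string.ascii_letters + string.digits + string.punctuation

# Assumed demo parameter; a real site tunes this to its hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) to store instead of the plain text password.
    The page describes a bare one-way hash; this adds a random salt and a slow
    derivation so stolen hashes are slower to guess against (an extension)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt: str, salt: bytes, stored: bytes) -> bool:
    """The login check from the page: hash what was typed, compare to the saved hash."""
    _, digest = hash_password(attempt, salt)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, stored)


def years_to_exhaust(length: int, guesses_per_second: float = 1e10,
                     alphabet_size: int = len(KEYBOARD_CHARS)) -> float:
    """Years needed to try every password of this length drawn at random from
    the keyboard, at the given guess rate (constructed: 10 billion per second)."""
    combinations = alphabet_size ** length
    return combinations / guesses_per_second / (365.25 * 24 * 3600)


def random_password(length: int) -> str:
    """Rules 1 and 2 from the page: random keys from the whole keyboard, and long."""
    return "".join(secrets.choice(KEYBOARD_CHARS) for _ in range(length))


if __name__ == "__main__":
    salt, stored = hash_password(random_password(16))
    print(verify_password("not the password", salt, stored))   # False
    for n in (6, 8, 12, 16):
        print(f"{n} random keys: about {years_to_exhaust(n):.3g} years to try them all")
```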

Viruses, malware and trojans - why you should never save your passwords

For convenience people save their passwords on their computer, in a keychain or other password manager system.

The convenience this affords is also a security weakness that criminals want to exploit. Your computer is at risk of being compromised every time you download an application, open a file, or click on a web link. Anybody gaining remote access to your machine will immediately have access to all your stored passwords. Worst of all, you probably won't even know they have been stolen.

Don't take the risk – type your passwords in each time you need them.

Weakest link websites - why you need different passwords

Hackers target the websites with the weakest security. If you use the same password on multiple websites they need only get your password from the site with the weakest security and they have access to all your accounts.

Here are some warning signs of poor security on weakest link websites:

  - Imposing a short maximum password length, or not letting you use certain keyboard characters
    This makes your passwords easier to guess
  - No secure encryption between your browser and the website's server
    When you enter your password and send it to the server, anyone in between can read it
  - Forcing you to change your password on a regular basis
    You should only change your password if there is reason to believe it has been compromised. Forcing you to change it without cause is a hassle that might actually push you towards an easy-to-remember, less secure password
  - You click the "forgot my password" link and they send you an email containing your actual password
    Disaster! This means they are saving your password as plain text on their systems
  - Allowing unlimited login attempts if you forget your password
    Attempts should be limited to a fixed number to make guessing harder for criminals

Don't be a victim of the weakest link websites - use a different password everywhere.