OK, that’s a bit unfair: some of you might be using all the suggestions I’m about to make. But the vast majority of online passwords in use by people today can be cracked with ease by brute-force technology… and it doesn’t need to be this way.
The biggest culprits in helping hackers are those system designers who demand that you put odd characters in your passwords (sometimes insisting on numbers, capitals and symbols) but let you use just 6 or 8 characters. There are apps available which can run through every combination of 8 characters in a few hours, especially as there are nearly always patterns in them, such as having the number at the end. These ‘password requirements’ are quite pointless and simply give the user a false sense of security.
So, Rule One is to make your passwords long. In fact, don’t think of them as passwords, think of them as passphrases. Here is the reason why you should do this, and if you can’t think of a phrase, here’s a site which will do it for you. Passphrases are actually surprisingly easy to memorise.
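To put rough numbers on Rule One, here is an added example (not part of the original post) comparing the search space of short "complex" passwords, a patterned one with the number at the end, and random-word passphrases. The guess rate of 10^11 per second and the 7,776-word list are assumptions, as are all the function names.

```python
import math

# Assumption: an offline attack against a fast hash at 10^11 guesses per second.
GUESSES_PER_SECOND = 1e11

def keyspace_charset(length, alphabet_size):
    """Every string of `length` symbols drawn from `alphabet_size` choices."""
    return alphabet_size ** length

def keyspace_pattern(slots):
    """Search space when each position is known to come from one class,
    e.g. capital first and digit last. `slots` is the class size per position."""
    return math.prod(slots)

def keyspace_passphrase(words, wordlist_size=7776):
    """Words picked at random from a list (7776 entries is an assumed size).
    This does not apply to quotes or lyrics, which are not random."""
    return wordlist_size ** words

def bits(keyspace):
    """Strength expressed as bits of entropy."""
    return math.log2(keyspace)

def worst_case_seconds(keyspace, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at the assumed rate."""
    return keyspace / rate

def humanize(seconds):
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

CASES = {
    "8 chars, any of 95 printable ASCII": keyspace_charset(8, 95),
    "8 chars: Capital + 6 lowercase + digit": keyspace_pattern([26] + [26] * 6 + [10]),
    "4 random words": keyspace_passphrase(4),
    "6 random words": keyspace_passphrase(6),
}

if __name__ == "__main__":
    for label, ks in CASES.items():
        print(f"{label:40s} {bits(ks):5.1f} bits  {humanize(worst_case_seconds(ks))}")
```

Note that four random words come out about level with eight fully random characters; the gain comes from adding more randomly chosen words, and the patterned password falls in under a second at the assumed rate.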
Rule Two is to use different passwords on every website. I know, you probably have hundreds. But I learned this lesson several years ago when I received a resubscription form in the post for an annual ticket I purchase. To my horror, the seller had printed, in black and white, my name, email address and password. Now, as it happened, anyone seeing this would have been able to do nothing more than resubscribe for me. But guess what? I used that password all over the place. The solution to the problem of remembering hundreds of passwords is to use a password manager. I use 1Password.
Finally, Rule Three is to use two-factor authentication on your most important services, including email. This is where you need something other than a password to get in: a code sent to a mobile phone, for example. To me, email is the most critical of all services. Once somebody has access to your email, they can go to most other services, click ‘I forgot my password’, and reset your password to anything they want, because email will be used to confirm the change. So put every security measure you can on your email. Most services, including Outlook and Gmail, offer this now.