Is your password secure? Why should you use a different one on each site and each application? And above all, how do you avoid forgetting them? These are the questions answered here.
Is my password secure? Should I use a different one on every site and application I use? How many characters should it have, and above all, how can I remember it without writing it on a scrap of paper stuck to the screen?
For the past ten years, cybercriminals have launched countless attacks against major publishers and online services. Some of them succeed, and the attackers walk away with valuable information about Internet users, their login credentials first of all.
Banish the eternal “123456”
These threats are enough to alarm Internet users, but they also point to a weakness we are all guilty of, because the attackers are quick to publish the passwords they recover. The scariest part is discovering that our habits have hardly changed: many of us still write passwords on a piece of paper stuck to the bottom of the screen, or in a text file sitting in a folder on the computer.
Worse, the most used password is still the inevitable "123456". How can anyone imagine it would hold up for even two seconds? The same goes for the other clichés: "password", "qwerty" (or its French variant "azerty"), "admin", "abc123", "111111"... Every one of them sits at the top of the lists that cracking tools try first.
Stay alert
We use passwords on every device we own: PCs and Macs, of course, but also smartphones, tablets, network drives and the ADSL box. And we meet them constantly: when the computer or smartphone starts up, but also to connect to a local network, post on a forum, check accounts online, buy on a website, synchronize data between devices, and so on. In short, they have become essential and are the user's first line of defense. But they have to be used wisely, because they can be very easy to guess, end up in public dumps and get traded between hackers around the world. To choose them well, remember them and keep them in a tamper-proof place, here is a series of tips.
How hackers go about finding a password
There are several techniques for stealing a password and the username that goes with it. The most common is the "dictionary" attack: a small script tests all the terms, or combinations of terms and numbers, commonly used by people around the world. Attackers could of course use ordinary language dictionaries, localized for each country, but those are not very effective on their own. They have far more complete catalogs of passwords at their disposal. One of them, Stun, compiled a dictionary of more than 1.5 billion passwords and distributed it via the BitTorrent peer-to-peer network. It is to date the largest password database ever assembled (the compressed file weighs more than 4 GB).
The other method is the brute-force attack: a script tries every possible combination without any dictionary. It takes far longer, but it is the more certain of the two, since in theory it recovers any sequence however complex (uppercase, lowercase, digits, special characters...), provided the attacker can afford the time. In practice the two are combined: the cracking tool takes each dictionary word and applies mangling rules to it, such as capitalizing it, appending a year or replacing letters with digits, which is exactly what people do when a site asks for "a number and a capital".
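The two attacks above, in miniature, as an added example that is not code from the article: a rule-based dictionary attack that recovers passwords built from a common word plus a year or a suffix, then a keyspace estimate for the brute-force alternative. The wordlist, the "leaked" hashes and the guess rate are constructed assumptions; it also assumes the site stored unsalted SHA-256 hashes, the attacker's best case.

```python
"""Added example, not code from the article: a miniature dictionary attack
with mangling rules, followed by a brute-force keyspace estimate.
Assumption (not in the article): the attacker holds unsalted SHA-256 hashes
of the targets, constructed below; every guess then costs one fast hash."""
import hashlib
import string

# Constructed sample wordlist, standing in for a multi-gigabyte catalog.
WORDLIST = ["password", "123456", "qwerty", "azerty", "kitty", "sartrouville", "admin"]

# A few common letter-to-symbol substitutions ("leetspeak").
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the variants a rule-based cracker derives from one base word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in bases:
        yield base
        for suffix in ("1", "123", "!", "2020"):
            yield base + suffix
        for year in range(1950, 2011):          # birth years are a favourite suffix
            yield base + str(year)
            yield str(year)[2:] + base          # ...or a two-digit prefix


def sha256_hex(candidate):
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_attack(target_hashes, wordlist):
    """Return ({hash: password} for every target recovered, number of guesses)."""
    cracked = {}
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            h = sha256_hex(cand)
            if h in target_hashes and h not in cracked:
                cracked[h] = cand
    return cracked, guesses


def brute_force_seconds(length, alphabet_size, rate_per_second):
    """Worst-case time to enumerate every string of the given length."""
    return alphabet_size ** length / rate_per_second


if __name__ == "__main__":
    # Constructed "leaked" hashes: they look strong at a glance, and fall to rules.
    targets = {sha256_hex(p) for p in ("Password1", "kitty1984", "Sartrouville!")}
    found, n = dictionary_attack(targets, WORDLIST)
    print(f"{len(found)}/{len(targets)} recovered after {n} guesses: {sorted(found.values())}")
    # Exhaustive search instead, at 10^9 guesses/s (one GPU against a fast hash).
    alnum = len(string.ascii_letters + string.digits)                 # 62 symbols
    print(f"8 lowercase letters: {brute_force_seconds(8, 26, 1e9):.0f} s worst case")
    print(f"9 alphanumerics:     {brute_force_seconds(9, alnum, 1e9) / 86400:.0f} days worst case")
```

The three targets are recovered after a few thousand guesses, while 8 lowercase letters take minutes by brute force and 9 alphanumerics about five months. The lesson is the one the article draws later: a memorable word dressed up with a year is a dictionary entry, not a secret.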
A complex password discovered in just a few hours … in theory
When you know that a modern graphics card can test billions of candidates per second against a fast hash, it is tempting to panic. In theory, an eight-character password made only of lowercase letters (26^8, about 2×10^11 combinations) falls in minutes, and one drawn from all 95 printable characters (about 6.6×10^15) in days. But that only holds when the attacker has a copy of the hashed passwords and can work offline. Against guessing over the network, our computers, websites, smartphones and other devices are better protected than they seem. They can, for example, use a "timer": after three failed attempts, the system refuses the fourth try, and the user (or the attacker) must wait a few minutes, or even a few hours, before trying again.
Therefore, if the password is at all complex, an online dictionary or brute-force attack becomes hopeless... unless the attacker has a few millennia to spare. Some systems, webmail services for example, go as far as refusing the fourth attempt outright, and the legitimate user has to go through customer support to reset the forgotten password. Keep in mind, though, that none of this slows down an attacker who has stolen the password database itself; there, only the length of the password and the site's choice of a slow hashing algorithm stand in the way.
A second, similar method doubles the waiting time after each failed attempt. The user is never locked out for good, but a raw brute-force attack slows to a crawl.
Finally, all of these methods can be combined with more "physical" factors, such as fingerprint, facial or voice recognition on computers and smartphones.
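Both throttling policies described above, as an added example that is not code from the article: a lockout after three failures and a delay that doubles on every miss, driven by an explicit clock so the behaviour can be followed step by step. The thresholds and the demo account are illustrative assumptions.

```python
"""Added example, not code from the article: the two throttling policies the
text describes, lockout after N failures and a doubling delay, simulated
against an explicit clock. Thresholds and the demo account are illustrative."""
import hmac


class LoginThrottle:
    """Decide, per username, whether another password attempt is accepted.

    policy="lockout": after max_failures misses, refuse for lockout_seconds.
    policy="backoff": never refuse for good, but impose base_delay, then
    2x, 4x, ... seconds between attempts, capped at max_delay.
    """

    def __init__(self, policy="lockout", max_failures=3, lockout_seconds=900,
                 base_delay=1.0, max_delay=3600.0):
        self.policy = policy
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = {}     # user -> consecutive failures
        self._not_before = {}   # user -> earliest time of the next allowed try

    def seconds_until_allowed(self, user, now):
        return max(0.0, self._not_before.get(user, 0.0) - now)

    def record(self, user, success, now):
        """Update state after a verification; return the wait imposed (seconds)."""
        if success:
            self._failures.pop(user, None)
            self._not_before.pop(user, None)
            return 0.0
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if self.policy == "lockout":
            if n >= self.max_failures:
                self._not_before[user] = now + self.lockout_seconds
                return float(self.lockout_seconds)
            return 0.0
        wait = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self._not_before[user] = now + wait
        return wait


# Constructed demo account. A real service stores a salted hash, never the password.
DEMO_USERS = {"alice": "hunter2"}


def demo_verify(user, password):
    return hmac.compare_digest(DEMO_USERS.get(user, "").encode(), password.encode())


def try_login(throttle, user, password, now, verify=demo_verify):
    """Return 'ok', 'bad-password' or 'throttled:<seconds left>'.

    The throttle is consulted before the password is checked, so a locked
    account costs the attacker time and tells him nothing.
    """
    wait = throttle.seconds_until_allowed(user, now)
    if wait > 0:
        return f"throttled:{wait:.0f}"
    ok = verify(user, password)
    throttle.record(user, ok, now)
    return "ok" if ok else "bad-password"


if __name__ == "__main__":
    lock = LoginThrottle("lockout", max_failures=3, lockout_seconds=900)
    for t, pw in ((0, "123456"), (1, "password"), (2, "qwerty"), (3, "hunter2"), (903, "hunter2")):
        print(f"t={t:>4}s lockout: {try_login(lock, 'alice', pw, t)}")
    back = LoginThrottle("backoff", base_delay=2.0)
    for t in (0, 1, 2, 6, 10):
        print(f"t={t:>4}s backoff: {try_login(back, 'alice', 'wrong', t)}")
```

Note that in the lockout trace the correct password is refused at t=3 because the account is locked, which is the point, and also the weakness: an attacker who only wants to annoy you can lock you out by guessing wrong three times. The doubling delay avoids that, and neither policy helps at all once the hash database has been stolen.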
Can we verify that a password is secure?
On the web, hundreds of services offer to check the "strength" of a password. The Password Meter, for example, rates a password as you type it. Microsoft provides a similar online service, Password Checker, with nothing to download. More entertaining, also from Microsoft, is Telepathwords, which tries to guess the rest of your password as you enter it; unsettlingly, it predicts the next letter or digit correctly about half the time. One caveat: only type a real password into a service you trust, and prefer checkers that run locally in the browser, since whatever you enter may otherwise leave your machine.
Do you have to change your password regularly?
In theory, all of your passwords should be changed at least once a month. That is a genuinely tedious chore which (almost) no one does, and yet regular rotation is part of keeping a password safe. The realistic advice is to change them at least once a year rather than every month, and immediately whenever a service you use announces a breach. If you are afraid of forgetting them, use a password manager (the "wallet" described below). Lastly, vary your passwords systematically.
Never use the same one twice on the web, especially with the same email address. Imagine that one site, despite all its precautions, gets hacked and all of its user accounts are leaked. The passwords should be stored as salted, deliberately slow hashes rather than in clear, but nothing guarantees that the site did it properly, and even a well-hashed weak password can be recovered. If an attacker recovers your username and password from one site, there is a good chance they will try the same pair on other platforms (a technique known as credential stuffing). This is why you should never reuse a password.
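What "stored properly" means, as an added example that is not code from the article: a salted, slow PBKDF2 record next to the fast unsalted hash that too many breached sites actually kept, and a look at why the latter turns one cracked password into many. The accounts and passwords are constructed samples; the iteration count is a placeholder to tune for your own hardware.

```python
"""Added example, not code from the article: how a site should store
passwords (a salted, deliberately slow hash) next to the practice that turns
one breach into many (a fast, unsalted hash). User names and passwords are
constructed samples; the iteration count is a placeholder to tune upward."""
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000   # raise until one check costs a noticeable fraction of a second


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_fast_hash(password):
    """What too many breached sites actually stored."""
    return hashlib.sha256(password.encode()).hexdigest()


def shared_password_groups(table):
    """Given {user: unsalted_hash}, list the users whose hashes collide.

    With no salt, equal passwords give equal hashes: cracking one entry
    cracks the whole group, and a precomputed table cracks all of them at once.
    """
    by_hash = defaultdict(list)
    for user, h in table.items():
        by_hash[h].append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed accounts; two of them reuse the cliché "123456".
    accounts = {"alice": "123456", "bob": "123456", "carol": "08QpereiycukkZ79JurrT"}
    weak_table = {u: unsalted_fast_hash(p) for u, p in accounts.items()}
    print("unsalted SHA-256 reveals shared passwords:", shared_password_groups(weak_table))
    good_table = {u: hash_password(p, iterations=50_000) for u, p in accounts.items()}
    print("salted PBKDF2 records differ even for equal passwords:",
          good_table["alice"][-16:] != good_table["bob"][-16:])
    print("login check:", verify_password("123456", good_table["alice"]),
          verify_password("1234567", good_table["alice"]))
```

The salt makes every record unique, so a precomputed table is useless and equal passwords are not visible as such; the iteration count makes every guess cost the attacker as much as it costs the site. Neither saves a user whose password is "123456", which is why the advice to the user and the advice to the site are both needed.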
Above all, beware of keyloggers!
Also make sure that no keylogger is installed on your computer. A keylogger (enregistreur de frappe in French) records every key pressed on the keyboard: a little spy that captures your usernames and passwords and sends them over the web to a cybercriminal. If you suspect one on your PC, install a security suite, even a free one. Any antivirus, even the most basic, detects the common keyloggers, so there is no need for dedicated software. A custom-written one, or a hardware device plugged in between keyboard and PC, can escape it, which is one more reason to enable two-factor authentication on the accounts that matter.
Random generation and the key-offset technique
The generator: practical, but hard to memorize
Several techniques can be used to build a strong password. One of the best known is a generator, which creates a random password from a large set of characters. There are hundreds of them on the web, such as Exhaustif.com, Creation of passwords, or the site of the publisher Norton. There are also programs to install on your PC (Password Generator, Efficient Password Manager, etc.) and browser extensions (PWgen for Firefox).
The trouble with generated passwords is that you then have to remember them, and with something like "4s (9V8 + $ 7BzexYN *" that is far from easy. The other problem is that such a password is painful to enter on a device without a physical keyboard, such as a game console or media player (to reach an online service or a network, for example). In short, it is an excellent way to protect your data, but not the most user-friendly, unless a password manager types it for you.
Key offset: simple and effective
Another, more practical method relies on a little trick: think up a password that is easy to remember, then shift every character one key to the left or right on the keyboard. An example? Take this password: 19sartrouville80kitty.
In this example, 19 and 80 make up the birth year of a typical user, Sartrouville is his birthplace and Kitty the name of his cat. The problem: attackers find such a password quickly, despite the digits, because it is built from dictionary words and dates. Now shift everything one key to the left on a French AZERTY keyboard, relative to the position of each character. The "s" becomes "q", the "a" becomes "p" (when we run off the left end of a row we wrap around to its right end), the "r" becomes "e", the "t" becomes "r", and so on, and we do the same with the digits ("1" wraps around to "0", "9" becomes "8"). The result is 08qpereiycukkz79jurrt. Add a capital letter at the beginning and end of each word and it becomes 08QpereiycukkZ79JurrT.
That should keep attackers busy for a while, and it is easier to memorize than a randomly generated password. Without any effort, the password already runs to 21 characters. It can be made more complex by adding another word or date, also shifted, or a small symbol (* /, - +...) before or after the dates. One caveat: the shift is a fixed rule, so it adds nothing against an attacker who knows the rule and simply shifts each dictionary entry the same way; what it buys is that the result no longer appears in any password list, and that the length can grow without the memory load growing with it.
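The key-offset recipe as a function, as an added example that is not code from the article: the shift over the rows of a French AZERTY keyboard (a US QWERTY layout is included for comparison), the capitalization of word ends, and the inverse, which is all an attacker who knows the rule needs. The layout tables are my transcription of the letter and digit rows; the sample password is the article's own.

```python
"""Added example, not code from the article: the key-offset trick as a
function over a keyboard layout, with the inverse to show it is a fixed
rule. Layouts are the letter and digit rows of French AZERTY and US QWERTY;
the sample password is the article's own."""
import re

AZERTY = ["1234567890", "azertyuiop", "qsdfghjklm", "wxcvbn"]
QWERTY = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _shift_table(layout, offset):
    """Map each key to its neighbour `offset` positions along its row, wrapping."""
    table = {}
    for row in layout:
        for i, key in enumerate(row):
            table[key] = row[(i + offset) % len(row)]
    return table


def shift_keys(text, layout=AZERTY, direction="left"):
    """Shift every letter/digit one key left or right; other characters pass through."""
    table = _shift_table(layout, -1 if direction == "left" else 1)
    return "".join(table.get(ch, ch) for ch in text)


def cap_word_ends(text):
    """Capitalize the first and last letter of every run of letters."""
    def fix(m):
        w = m.group(0)
        return w.upper() if len(w) == 1 else w[0].upper() + w[1:-1] + w[-1].upper()
    return re.sub(r"[a-z]+", fix, text)


def derive(memorable, layout=AZERTY):
    """The article's recipe: shift one key to the left, then capitalize word ends."""
    return cap_word_ends(shift_keys(memorable, layout, "left"))


def undo(derived, layout=AZERTY):
    """What an attacker who knows the rule applies to each dictionary candidate."""
    return shift_keys(derived.lower(), layout, "right")


if __name__ == "__main__":
    pw = derive("19sartrouville80kitty")
    print(pw, len(pw))                        # 08QpereiycukkZ79JurrT 21
    print(undo(pw))                           # 19sartrouville80kitty
    print(derive("19sartrouville80kitty", QWERTY))
```

`undo` is the whole caveat in one line: against a cracker that adds "shift one key left on AZERTY" to its rule set, the derived password is exactly as strong as the memorable one it came from. The gain is real only against attackers who do not model the trick, and against the plain reuse of a leaked list.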
Two-factor authentication: behind this somewhat intimidating expression lies one of the safest ways to protect your accounts. Two-factor authentication, also called two-step verification, requires two actions from the user, as its name suggests. When logging in to a site like Facebook, for example, you begin by entering your email address and password; nothing unusual so far. Once that step is complete, you must also enter a second code, which you generally receive by SMS on your phone or by email, or read off an authenticator app. The point is that a stolen password alone is no longer enough; an app-generated code is preferable to SMS, which can be intercepted by someone who takes over your phone number.
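The second code as an authenticator app computes it, as an added example that is not code from the article (which mentions SMS and email delivery): a time-based one-time password in the style of RFC 6238 over RFC 4226, with the server-side check and its tolerance window. The secret is the RFCs' published test key, not a real credential, and the window size is an illustrative choice.

```python
"""Added example, not code from the article: the second-factor code as an
authenticator app computes it (TOTP, RFC 6238 over HOTP, RFC 4226), plus
the server-side check with a one-step tolerance window. The secret is the
RFCs' published test key, not a real credential."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """The code the app shows: HOTP with counter = time / step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server side: accept the current step and `window` steps either side
    (clock drift), comparing in constant time. A real deployment also records
    the accepted code so it cannot be replayed within the window."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + k, digits), code)
               for k in range(-window, window + 1))


# RFC 4226 / 6238 test secret, as an app would receive it in a QR code (base32).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # decodes to b"12345678901234567890"
DEMO_SECRET = base64.b32decode(DEMO_SECRET_B32)

if __name__ == "__main__":
    print("RFC 4226 vectors:", hotp(DEMO_SECRET, 0), hotp(DEMO_SECRET, 1))   # 755224 287082
    print("RFC 6238 at t=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))     # 94287082
    print("phone shows now:", totp(DEMO_SECRET))
    print("server accepts t=59 code at t=89:", verify_totp(DEMO_SECRET, "287082", at=89))
    print("...and rejects it at t=150:", verify_totp(DEMO_SECRET, "287082", at=150))
```

The shared secret lives in the app and on the server, never travels over the phone network, and a captured code is worthless a minute later; a keylogger on the PC gets the password and one code, not the ability to log in tomorrow.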
But which sites offer it?
Two-factor authentication is particularly useful if you change hardware regularly: use it if you are often on the move and find yourself in front of a PC or smartphone that is not yours. This kind of service is gradually spreading (Google, Microsoft Live account, LinkedIn, etc.), but it is often disabled by default. To set it up, refer to our guide, which lists the main services that offer two-factor authentication.
The password wallet
There is nothing mysterious about this kind of tool. You still need at least one strong password, the master password. But the aggregator (password manager) frees you from all the others, which are kept in an encrypted "safe" or "wallet". In the end, you only enter one password to reveal all the others, which is why that one password deserves the most care of all.
The other big advantage, beyond being a simple memory aid, is that a password aggregator works on any platform and synchronizes its data between devices (usually a paid option). You can set up all your passwords on your PC or Mac and find them on your smartphone without re-entering them one by one.
The number of programs capable of doing this is legion. Here is a small selection:
Dashlane
- Price: free (premium version at €39.99/year)
- Platforms: OS X, PC, iOS, Android
In just two seconds, Dashlane analyzes all the passwords stored in the browser and rates their security. It is simple and very visual, and you immediately see where the weak spots are on your machine. It offers automatic form filling for ordinary sites as well as for online shops. One of the most powerful and complete of all.
Keepass Password Safe
- Price: free
- Platforms: Windows, Android, iOS, OS X
A more basic tool than most of its competitors, but with an impressive list of features (management by "groups", password generator, automatic clearing of the clipboard, etc.). Unlike the other two, it is open source and keeps its database in a local file that leaves your machine only if you synchronize it yourself.
LastPass
- Price: free (premium version at $43.20/year)
- Platforms: browsers, iOS, Android
LastPass is a somewhat special tool, since it is mainly a browser extension (Internet Explorer, Opera, Firefox, Chrome or Safari). There is therefore no executable for Windows or Mac OS X; everything happens inside the browser. The application is nonetheless very effective, available in French and very complete. The little wizard that runs at installation is welcome.
In summary, how to choose your passwords correctly
In the end, there is no totally foolproof password, however long and complex. On the other hand, the more of the recommendations below you follow, the harder an attacker's task becomes. And when cracking it would take years, the information the password protects will most likely be obsolete by then; in short, your data stays safe for a long time. To summarize the techniques for building an effective password:
- A password should be as long as possible. Use at least 8 characters, but as we saw in the section on the key-offset technique, it is easy to build one of about twenty characters and still memorize it.
- Mix uppercase, lowercase, digits and, where possible, special characters. Here again the key-offset technique makes the result easy to remember.
- Never write it on a piece of paper or save it in clear (unencrypted) in an accessible file. If you are afraid of losing your passwords, use a wallet (password manager).
- Never share your passwords in clear text, not even with your loved ones, and never send them by instant messaging or ordinary email.