How to create a strong password

People often talk about online security and using strong passwords, but how do you actually make one? Here are some tips to help keep your account safe. A password should never be used alone, no matter how strong: always activate 2FA (two-factor authentication) on all your accounts, not just the financially related ones. Add it to everything you can.

Tips for choosing passwords

  • Whatever you do, do not use 123456, qwerty, your name, password, guest, admin, your birthday, or your dog’s name for your passwords!
  • Make your password as long as possible, never less than 12 characters, and 16 and above if allowed. The length of a password is far more important than the number of different characters, for simple reasons of mathematics.
  • Do not use a browser password manager: if your computer is compromised, you will give away access to everything.
  • Do not underestimate good old pen and paper! Store your passwords offline in a small dedicated notebook and keep it with your passport, or at least treat it with the same value.
  • Never, ever, ever reuse passwords! Ever. Not even twice. Just don’t.
  • Don’t use passwords suggested by your browser, Mac, etc., as you have no control over them and they are usually very short. Also, if their service goes down or your computer crashes, you’re screwed.
  • Never use full words that would appear in a dictionary. These can be easily guessed or cracked in a ‘dictionary attack’. Likewise, never include anything personal in a password, e.g. your favourite football team, dog’s name, birth year, or anything like that – a hacker can easily find these with a Google search.
  • Change your passwords from time to time (at least twice a year).

How to create strong passwords

Let’s look at some examples. Remember, if your password has fewer than 8 characters, it can be cracked in minutes (or seconds) by an attacker with the right software. Length and a salt are the two biggest improvements you can make to your passwords.

You should not use a dictionary word, but for the sake of examples, let's take something basic and demonstrate the difference. So we start with this bad password:
  • Manchester2021
Length is not bad at 14 characters, but it contains a dictionary word and no special characters, so it’s useless. We could try this:
  • M@nch3ster2021
It now has special characters, and is an improvement, but can still be guessed, since hackers know that people substitute common lookalikes – like ‘a’ with @, ‘e’ with 3, etc. So let’s continue:
  • M@n/ch3ster/2021
Already it’s more secure at 16 characters, but again not impossible to guess. So what about this:
  • M1@nk.c2H3/st1rr-r:20

At 21 characters, this is pretty secure, but could still be better.

So how do we do that? You should add what’s called a ‘salt’ in cryptography – an additional part of the password that is stored separately or never written down.

This is one of the most secure ways you can do it: even if someone steals your notebook, or hacks your computer and sees your passwords, they can’t use them, because they are missing part of each one, and at this length it becomes far too computationally difficult to brute-force or guess the rest (we’re talking thousands of years for a computer to ‘brute force’ it). But you want that salt to be easy to remember, since you’ll never write it down anywhere, ever. Perhaps something funny, like:

  • w00p$w00p

So the password is now:

  • M1@nk.c2H3/st1rr-r:20w00p$w00p

At 30 characters long, with lots of letters, numbers, upper and lower case and special characters, this would put off most hackers: it is difficult to guess and computationally too intensive to crack. You can always take it further, of course. It’s much better to have to reset a password because it’s too difficult to remember than to have someone else access your data! We also recommend changing passwords at least twice a year anyway. If you want to check whether your email (and therefore possibly also your password) has been in a data breach, go to https://haveibeenpwned.com/. If so, change your passwords and email immediately.
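To show the two points the walk-through above makes (undoing lookalike substitutions still exposes a dictionary word, and length adds more to the search space than extra character classes), here is a small checker written for this article as an added example; it is not NiceHash code. The six-word wordlist and the 1e11 guesses-per-second cracking rate are constructed assumptions.

```python
import math
import re
import string

# Constructed mini wordlist standing in for a real dictionary-attack list.
WORDLIST = {"manchester", "united", "password", "qwerty", "guest", "admin"}

# Lookalike substitutions ('@' for 'a', '3' for 'e', ...) undone in reverse.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

CHARSETS = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
            (string.digits, 10), (string.punctuation, 32)]


def contains_dictionary_word(password: str) -> bool:
    """True if a wordlist entry survives once substitutions are undone
    and separators such as '/' or '.' are stripped out."""
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    return any(word in letters for word in WORDLIST)


def search_space_bits(password: str) -> float:
    """Brute-force search space: length * log2(size of the alphabet the
    password actually draws from). This is what the length tip relies on;
    it says nothing about dictionary attacks, which the check above covers."""
    alphabet = sum(n for chars, n in CHARSETS if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_brute_force(password: str, guesses_per_second: float = 1e11) -> float:
    """Years to search half the space at an assumed offline rate
    (1e11 guesses/s is a constructed figure, not a measurement)."""
    expected_guesses = 2 ** (search_space_bits(password) - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def assess(password: str) -> dict:
    """Summarise one candidate: a dictionary hit makes the bit count moot."""
    return {"length": len(password),
            "bits": round(search_space_bits(password), 1),
            "dictionary_hit": contains_dictionary_word(password),
            "years": years_to_brute_force(password)}


if __name__ == "__main__":
    for candidate in ["Manchester2021", "M@nch3ster2021", "M@n/ch3ster/2021",
                      "M1@nk.c2H3/st1rr-r:20", "M1@nk.c2H3/st1rr-r:20w00p$w00p",
                      "a" * 20]:  # 20 lowercase letters out-score both 14-char mixed ones
        print(f"{candidate:32} {assess(candidate)}")
```

The first three candidates are flagged as dictionary hits even with the @, 3 and / tricks applied, while the plain 20-letter string scores more search-space bits than either 14-character mixed password.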

Additional steps to take

  • If you have the option, always add 2FA (two factor authentication), using an app like Authy or Google Authenticator.
  • Always add fingerprint or biometrics if you have the option inside apps on your phone.
  • Always lock the screen of your phone (especially) and laptops / computers, even when in a trusted area, and definitely while at work.
  • Use a hardware OTP device like a Yubikey; then you do not need passwords at all, and it is much more secure.

This article was adapted from the original here.

WRITTEN BY
Joe Downie
Joe Downie is a former CMO of NiceHash who led the Marketing and PR departments. He is a vocal advocate of Bitcoin and financial freedom of movement, and has a background in scaling management and brand analysis for a wide variety of industries, as well as certification in IT security.