How to create strong passwords?

Our tips to protect your passwords and improve the security of your information.

The internet has become integral to our daily lives. And managing everything, from banking to healthcare, through websites is now part of our routines. But with this convenience comes a question: how can we maintain good cyber hygiene and protect our sensitive information? Keep reading to get answers!


Do’s and don’ts of creating rock-solid passwords


Don’t: use common passwords


Popular passwords are vulnerable to spraying attacks. During those, the attacker tries to break into your account using a list of the most commonly used passwords.

In order to prevent this type of attack, you want to avoid using sequential numbers or letters like “12345” or “qwerty”. In fact, even in their longest versions, they are too weak to prevent someone from accessing your accounts.

Passwords such as “sunshine”, “cheese” or “Iloveyou” are certainly a testament to your tastes or affections, but they won’t resist more than seconds to attacks, as they are very simple and widely used. And let’s not mention the infamous “password” or “letmein”.

Lastly, strong passwords given as examples on various websites are not sound choices either. Indeed, as soon as a password is rendered available to the public, it will most likely end up in leaked password databases. So it can’t be used to safeguard your account against attacks.


Don’t: use personal info or full words


Sharing personal information on social media has become an everyday occurrence for a lot of us. All it would take is a google search to uncover family first names, towns names and birthdays and that’s why they are to be avoided when creating passwords.

The same is true of full words. Why? Because including common names in your passwords exposes them to what is know as dictionary attacks. These attacks rely on databases that contain words, frequent or compromised passwords, their leetspeak equivalents (language based on replacing letters with look-alike numbers or special characters), etc.

Some experts recommend switching a few characters in common nouns to bypass those vulnerabilities, when is comes to creating passphrases. The idea being that long, easy-to-remember passwords are more secure (since they’ll actually be used) than passwords containing an abundance of impractical special characters. Nevertheless, databases used in dictionary attacks already contain a number of substitutions. So, if you would like to use this method, you will have to come up with your own unique substitution system.


Do: go for at least 18 characters


And up to 40.

This minimum aims at protecting yourself from brute force attacks. The more combinations someone would need to go through to find your password, the less likely it is to be discovered.

But why 18, when a lot of websites require users to create 8-character passwords? The answer: best practices evolve. As the technical means of cybercriminals improve, online security standards must adapt to keep up.

And those 10 additional characters make a tremendous difference. To give you an idea, the possible combinations using 18 characters are about 150,094,635,296,999,000,000,000,000,000,000,000 compared to 4,304,672,100,000,000 for 8 characters. The size of the password is therefore very important!

It is also best to avoid the first series of letters, numbers or symbols such as in this example “abcdef012345&锑(-” which will be the first combinations used by hackers to try to find your password.

Do: use 4 types of character


Using a mix of digits, upper and lower-case letters and symbols increases the number of combinations needed to find your password. However, adding a character to your password increases its strength more efficiently than replacing some letters or digits with special characters.

While they don’t play as important as a role when it comes to preventing brute force attacks, they can be used to avoid dictionary attacks, as we touched on earlier. Additionally, special characters can add a random factor to your passwords


How long does it take a hacker to find my password?


Here is how long it would take a hacker to find your password in 2023 based on the number of characters and the different character types used:

Table about how long it takes a hacker to brute force your password
Source: Hive Systems


Do: make it memorable


Long passwords containing symbols tend to be the strongest but also the most complicated; so how can we remember them?

There are a few options:

  • Use the first letters of a sentence

“I created a password using the advice I read on Netim’s blog” could become “Ic@puTa1roNb”.
  • Try phonetics

“I ate seven pounds of bananas today” could become “187LBSob2day”.
  • Create a passphrase rather than a password

It’s perhaps one of the easiest techniques to create long strings of characters. But you’ll need to follow some rule to ward off dictionary attacks: avoid famous quotes and song lyrics, add another level of difficulty (made-up or uncommon words, random series of characters to replace a word…), replace a word by a password (using the first letter method).

  • Your very own method!

This is probably  the most secure choice, as long as you go by the recommendations we have discussed so far!

There is another way around the memory issue, which we will tackle later: password managers.


Do’s and dont’s of properly using passwords


You did it, you found a technique to create strong passwords tailored to your needs! But you’re not done yet. Part of maintaining your accounts’ security is implementing some good cyber hygiene.


Don’t: communicate your passwords to anyone


You are now familiar the main types of attacks your passwords can fall victim to. Let’s take a look at a third and quite versatile one: social engineering. Multiple methods fall under the social engineering umbrella, but most of them aim at tricking users into giving out information or logins.

Phishing, how can you prevent yourself from this fraudulent practice?

Phishing is one of these methods. Netim will never ask for your password and the same goes for all trustworthy websites. If you’re ever in doubt about an email, check the sender’s address and don’t click on any links it might contain. Instead, go to the website the email is supposed to be from in another tab and check the information for yourself. You can find a list of good practices in our article: “Phishing, how can you prevent yourself from this fraudulent practice?”.


Don’t: write down or enter your passwords anywhere


Whether it’s on a post-it note (perhaps stuck to your computer screen) or a text file, writing and saving your password without encrypting them is a bad idea.

flat-lay-keyboard-with-notebook-with-password-informationCreated by freepik

Do you use public, shared computers? Be careful. Programs known as keyloggers can be installed on machines to monitor and record every keystroke you make. Similarly, public wifi can be unsafe by exposing your information to interception. In this situation, using a VPN can help keep your data safe.

Sending your password through text messages or email can also put your account security at risk.


Do: update your passwords


If you suspect someone has logged in to your account, if a data breach has occurred or if you typed your password on an unsafe device or website: update your password as soon as possible.

In addition, some websites offer a login history to monitor when and where your account was logged into. Others, like Netim, also have login alerts options so you can be notified whenever someone accesses your account. Both features provide a way to make sure your password hasn’t been compromised and used.

You also want to avoid keeping default passwords some websites use to set up your account. In the same way, recycling passwords you already used for one of your accounts is not recommended. They won’t protect your data as they should as they are at risk of already being in the possession of third parties or stored on cybercriminals’ databases.

You can check to see if your email address has been involved in a security breach or data leak with tools like Have I been pwned?.


Do: stick to the “one website = one password” rule


An account getting compromised is already bad enough, you don’t need it to morph into a security breach affecting all your accounts. But that’s precisely what can happen if you use the same password to secure all your accounts. The best way to prevent it is not reusing passwords (even rock-solid ones).

Another point to consider: changing one of the password’s characters doesn’t solve the problem. And it’s especially unsafe if the change follows any predictable pattern (password1, password2…).


Beyond passwords


While having a strong password is crucial, it’s not always enough to make sure your information and accesses are secure. Security breaches and sensitive data leaks are perhaps the most glaring examples of that problem. We recommend that you take some extra precautions to minimise the risks of your data being exposed.


Multi-Factor Authentication (MFA)


MFA involves adding one or several authentication factors in addition to passwords. Authentication factors can, for example, be something the user has (smartphone, smart card, U2F key) or is (biometrics). On the web, the most common multiple factor authentication method is one-time codes sent via text message or tokens generated by a Two-Factor Authentication (2FA) application.

Over the last few years, 2FA has established itself as a standard in account protection. And rightly so: with 2FA, even if your password gets compromised, your account is still safe behind an additional layer of security. Multiple websites, including Netim, offer this feature.

SMS-based 2FA provides that extra layer of security. Yet, as some cybercriminals have come up with ways to intercept text messages, 2FA apps are considered safer.


Password managers


While remembering a few passwords is a reasonable expectation, the task verges on the impossible when you have dozens of user accounts. Thankfully, a solution to this problem exists: password managers.

These programs store your passwords in a “virtual safe”, behind a master password. Said password should be as strong as possible, so appling all the suggestions discussed above is highly recommended. In addition, choosing a password manager with Multi-Factor Authentication is also a must.

And to increase the security of your passwords even further, encryption plugins can be added to some managers, like KeePass (free and ANSSI-certified).

Many password managers also offer custom password generation options (number and type of characters).


Security questions


After reading our tips, you might be questioning the usefulness of the security questions used to update passwords or verify your identity. And you would be right to do so, as they present the same risk as creating passwords containing personal information.

If the option is available, create custom security questions. This allows you to ask for facts that no one else has knowledge of or access to, even if they scoured your social media for info. Another solution is to give false answers to default questions or to modify them according to a code.

Keep in mind there is a risk of forgetting which strategy you ended up choosing!


Test your password strength


Once you have created your password, make sure it is strong! There is a very simple calculation presented here by the ANSSI (French Agency for Information System Security) that will allow you to determine the ability of your password to resist an enumeration of all possible different passwords (only available in French).

Calculate my password strength

Trustworthy websites


Being careful about the sites to which you entrust your information is certainly not the least of safety measures. However, it’s easier said than done. In fact, it can be difficult to know under what conditions your passwords are stored, among other crucial security issues. A few signs can nevertheless clue you in when browsing the website: no privacy policy, contact information or SSL certificate (URL starting with http instead of https). You might also want to check if the website has fallen victim to a security breach in the past and what has been done to avoid the problem reoccurring.

Any website promising to “test out” the strength of your password is best to be avoided as well. Despite what is advertised, there’s no guarantee what the tested passwords won’t be saved and stored.

Chek out our SSL certificates


Parting words


Computing capacities are ever-improving and data leaks are becoming more and more common. Security measures need to evolve accordingly to stay ahead of the curve.

Soon, passwords may disappear for good, replaced by U2F keys or other identification methods. In the meantime, it’s essential to remain vigilant in keeping your accounts and personal information safe from cybercriminals.


What Netim does for its customers’ security


Of course, Netim also takes security issues very seriously, which is why we have put in place measures to ensure our customers’ peace of mind in this regard.

After a certain number of failed login attempts, the customer’s account is blocked until he can confirm whether he is the author of the various login attempts.

We have also implemented a two-factor authentication system for greater security when our customers log in to their personal space.

Back to top button