Strong password rules:

A few things to avoid in passwords:
  1. Default passwords: These are usually the initial passwords set by vendors. Vendors usually require you to change them on the next login. Examples: admin, guest, password, default.
  2. Non-secure, common passwords like “password123”. Use our password strength meter to check your password and avoid these.
  3. Any type of personal information, such as family names, pet names, birth dates, phone numbers, Social Security numbers (SSN), company or domain names.
  4. Dictionary words.
  5. Dictionary words with specific letters replaced by special characters or numbers (e.g. Mammoth becomes m@mmo+h).
  6. Passwords made of repeated characters, such as cccc555333, or of a series of consecutive characters, such as 123456.
  7. Keyboard sequences, like “zxcvb” or “98765”.
  8. Dictionary words with a number or numbers appended: password12.
  9. Numeric sequences that contain well-known numbers, e.g. 911.
  10. Information that can easily be associated with the account owner: children’s names, high school attended, city of birth, etc.
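An added example (not from the page) that turns the "things to avoid" list above into a checker: it normalizes the m@mmo+h style substitutions from rule 5, and flags default and common passwords, dictionary words with appended digits, repeated and sequential characters and keyboard rows. The word lists are tiny constructed samples; a real deployment would load full wordlists.

```python
import re

# Constructed sample lists; a real checker would load full wordlists.
DEFAULT_PASSWORDS = {"admin", "guest", "password", "default"}
COMMON_PASSWORDS = {"password123", "qwerty", "letmein"}
DICTIONARY = {"mammoth", "password", "wood", "letter", "summer"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Rule 5: letter -> symbol/number substitutions, undone before the dictionary lookup
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "+": "t", "7": "t"})

def normalize(pw):
    """Lowercase and undo substitutions so m@mmo+h is checked as mammoth."""
    return pw.lower().translate(LEET)

def has_run(s, length=4):
    """Rule 6: ascending or descending run of consecutive characters (123456, 98765)."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False

def has_keyboard_seq(s, length=4):
    """Rule 7: substring of a keyboard row, forwards or backwards (zxcvb)."""
    s = s.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def check_password(pw):
    """Return the rules from the page's 'things to avoid' list that pw violates."""
    problems, low = [], pw.lower()
    if low in DEFAULT_PASSWORDS:
        problems.append("default password")
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    if normalize(pw) in DICTIONARY:
        problems.append("dictionary word, possibly with substitutions")
    m = re.fullmatch(r"([a-z]+)\d+", low)          # rule 8: password12
    if m and m.group(1) in DICTIONARY:
        problems.append("dictionary word with appended digits")
    if re.search(r"(.)\1{2,}", pw):                # three or more repeats: cccc
        problems.append("repeated characters")
    if has_run(pw):
        problems.append("sequential characters")
    if has_keyboard_seq(pw):
        problems.append("keyboard sequence")
    if len(pw) < 12:                               # the page's minimum length
        problems.append("shorter than 12 characters")
    return problems
```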
Additional password rules:
  1. To make your password strong, always use at least 12 characters, mixing uppercase and lowercase letters, numbers, and symbols or special characters (@ ! & *). At this length and mix, cracking it would take more than 200 years.
  2. Make your password even stronger by replacing letters with symbols and numbers. For example, “Wood letter” becomes “Wo0d l3+tEr”.
  3. Never share your passwords with anyone (this includes family members, roommates, colleagues, etc.).
  4. Avoid typing them on public computers that you do not trust, e.g. in an Internet café, a mall or an airport.
  5. Use a passphrase. The phrase should be long enough, at least 20 characters, and should contain numbers, lowercase and uppercase letters and special symbols. It should be easily memorable and have some meaning for you. You can even string random words together into the phrase.
  6. Do not send your plain (unencrypted) passwords through email or messenger.
    Never save passwords for a web form on a computer that you do not fully control or that is used by more than one person.
  7. If you need to give someone access to your account, generate separate credentials for them whenever possible.
  8. If you must share your password with others (not recommended), always use an encrypted connection (HTTPS, SFTP, FTPS, SMTPS) instead of a standard unencrypted one (HTTP, FTP), as these can be compromised very easily.
  9. Never write your password down. Avoid notes, especially near your computer, workspace or workplace.
  10. Update/change your password every 3 months.
  11. Always use the password strength meter to test your password.
  12. Do not use the same password for different accounts; it is very risky. If someone figures out that one password, it opens the door to all of your other accounts.
  13. Use a password generator with options to include lowercase/uppercase characters, numbers, and special symbols. If you see these options when generating your password, you are on the right website, with the random password generator mentioned above.
  14. Use secure and well-trusted password managers like 1Password (Mac) or KeePass (Windows). Then you only have to remember one master password; all the others are kept in secure encrypted storage.
    These password managers are paid software. If you can’t afford them, you can still store passwords in plain text files; in that case you must zip/rar them and protect the archive with a strong password.
  15. Back up your passwords in an encrypted format to different locations (backup drive, cloud).
  16. There are cloud-based services like LastPass. It is not recommended to store your critical/master passwords there. Keep them in local secure storage instead.
  17. Encrypt your hard drive to keep the information secure, and wipe or destroy the old drive. Keep in mind that when you quick-format or delete a partition the data is actually still there (you have only made it invisible). Use tools like DBAN to completely wipe your old drive.
  18. Use a VPN (virtual private network) if possible, especially when you are traveling and connected to a Wi-Fi network with unknown security settings. You can set up your own VPN (you need a home computer or a VPS, a virtual private server), or you can use popular VPN services like TunnelBear. If this is not an option for you, use the Opera browser with its integrated VPN service and choose between 3 different locations.
  19. Some websites allow you to use two-step authentication. Use it whenever possible.
  20. A firewall and antivirus software are a must for your computer. Use reputable free solutions like AVAST or AVG, or paid solutions like NOD32, Kaspersky or Norton Security. You can’t go wrong with any of these.
  21. Use anti-malware software to check your computer for possible keyloggers, backdoors or any other malicious software. Malicious software like a keylogger can record keystrokes while you are typing and send them to a third party.
  22. Download software from reputable download directories and scan it with antivirus/anti-malware software before you install it. Do not install software from unknown publishers… EVER. Both Mac and Windows have a security layer to prevent installing software from unknown publishers.
    For even more security, you can use sites like virustotal.com, which lets you check the downloaded file against tens (59 currently) of different antivirus engines at once.
  23. It is important to keep your operating system up to date with the latest updates. Updates usually contain improvements and security patches that can protect you from future attacks.
  24. Always lock your computer and phone before you leave them. Don’t forget to set up a password-protected or fingerprint unlock.
  25. Carefully check password reset links in emails before you click them, as they can be fake.
  26. Do not copy your passwords into online tools like paste sites.
  27. Check your password against the MD5 database. Passwords on servers are usually stored as an MD5 hash, which is a 32-character hexadecimal string (e.g. the MD5 hash of “password123” is “482C811DA5D5B4BC6D497FFA98491E38”). There are online MD5 “decryption” services with a huge database (a few billion records) of precomputed MD5 hashes. An attacker can search for an MD5 hash and, if it is in the database, get back your unencrypted password.
  28. For web programmers, it is highly recommended to store a salted hash (SHA1, SHA256, SHA512) of the password in the database instead of the plain version or an MD5 hash. The same applies to security questions: do not store them in plain text in the DB. It is also recommended to store some additional information specific to the user, like screen resolution, browser version or OS version. You can even generate a specific additional hash and store it both in the DB and in browser cookies, which gives you an additional user verification layer.
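An added example (not from the page) for items 27 and 28 together: the unsalted MD5 of “password123” is recognised instantly by a constructed lookup table standing in for the “few billion record” databases the page describes, while the storage scheme for web programmers uses a random per-user salt with PBKDF2-SHA256 (iterated salted SHA-256, a stronger form of the page’s salted-hash advice) and a constant-time comparison on verification. The storage string format and the iteration count are this example’s own choices.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an online MD5 lookup database: precomputed hashes of a few
# common passwords. Real tables hold billions of entries, but the principle is the same.
COMMON = ["password", "password123", "123456", "qwerty", "letmein"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

def md5_hex(password):
    """Unsalted MD5 as the page describes it: 32 hex characters, identical for every
    user who picks the same password, so one lookup breaks all of them."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_md5(digest):
    """Reverse a digest by table lookup; None when the password is not in the table."""
    return MD5_TABLE.get(digest.lower())

# Per-user random salt + iterated SHA-256 (PBKDF2): the salt makes shared lookup
# tables useless and the iteration count slows down guessing. Count chosen for this example.
ITERATIONS = 600_000

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage in the DB."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iterations, compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

if __name__ == "__main__":
    d = md5_hex("password123")
    print(d, "->", lookup_md5(d))        # the hash quoted on the page, found at once
    s = hash_password("password123")
    print(s)                              # salted: differs on every call
    print(verify_password("password123", s), verify_password("Password123", s))
```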
Server/VPS specific recommendations:
  • Avoid using passwords completely and switch to private/public key authentication if possible.
  • Change the SSH port number (22) to a different number, e.g. 2154. Do not use port numbers like 222 or 2222, as these are easily predicted by attackers.
  • Use tools like fail2ban to prevent brute-force attacks. fail2ban lets you set special rules and block access to the server for a specified amount of time or even permanently.
  • Allow only specific clients to connect to the server, based on the client's IP address. This can be done by configuring your firewall or updating iptables.
  • Disable empty passwords completely.
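An added audit script (not from the page) that checks an sshd_config against the server rules above: key-only authentication, no empty passwords, and a port other than 22, 222 or 2222. Both config excerpts are constructed for the example; the defaults assumed for missing keywords follow sshd(8), and Match blocks are not handled.

```python
# Constructed sshd_config excerpt with the weak settings the page warns about:
# a predictable port, password logins and empty passwords accepted.
WEAK_SSHD_CONFIG = """\
Port 2222
#Port 22
PasswordAuthentication yes
PermitEmptyPasswords yes
PubkeyAuthentication yes
"""

# Corrected counterpart: key-only logins, empty passwords off, unpredictable port.
HARDENED_SSHD_CONFIG = """\
Port 2154
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

PREDICTABLE_PORTS = {"22", "222", "2222"}

def parse_sshd_config(text):
    """Map each keyword (case-insensitive) to its first value: sshd uses the first
    occurrence of a keyword, and comments are ignored. Match blocks are not handled."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit_sshd(text):
    """Return one finding per violated rule from the page's server list; [] is clean.
    Defaults follow sshd(8): Port 22, PasswordAuthentication yes, PermitEmptyPasswords no."""
    o = parse_sshd_config(text)
    findings = []
    port = o.get("port", "22")
    if port in PREDICTABLE_PORTS:
        findings.append("Port %s is easily predicted; use a less obvious port" % port)
    if o.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: switch to public-key authentication")
    if o.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication no: key-based logins are disabled")
    if o.get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd(cfg) or ["no findings"])
```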