Your password is often the only thing standing between an attacker and your account, particularly if you don't enable two-factor authentication. Attackers have many ways to get hold of online passwords, and in most cases users don't make it hard enough for them.
Password security: How do passwords get stolen?
Before learning how to secure your passwords, let's look at how attackers try to steal them.
First, people who know you may try to guess your password. Using your name, birthday or pet's name makes that very easy for them.
Second, attackers use automated cracking tools. Besides trying every possible combination (brute force), these tools check dictionary words, dictionary words written backwards, common substitutions such as "0" for "o", and keyboard sequences like "qwerty". Passwords built from such patterns are "guessed" in seconds.
Third, an online service you use may suffer a data breach in which your password, or its hash, is stolen. Stories about data leaks make the news every week. If you reuse the same password across services, one leak puts all of those accounts at risk: attackers feed leaked credentials into automated login attempts at other sites (credential stuffing).
Krebs on Security points out that particular care needs to be taken with email accounts:
Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
Why are email accounts at risk?
Email accounts are a profitable target because nearly every other account - Facebook, PayPal, Twitter - can be taken over with a simple password reset sent to that mailbox. Please check our email security guide for details.
Three steps to password security
Choosing a secure password is easier than you might think. The key is: don't rely on memorising every password; record them somewhere safe.
Of course, you can pick a password that is easy to remember, but make sure you have a back-up for when your memory fails you. Knowing the back-up exists makes it easier to use more complex passwords, and only long, complex passwords make an attacker's life hard.
Pick a long password: eight characters is the bare minimum, but aim for closer to twenty. Each extra character multiplies the search space, which adds far more strength than any other single rule.
Use the whole keyboard: upper-case letters, lower-case letters, numbers and special characters.
Find something that is easy for you to remember but hard for anyone else. Here's an example that looks more like a passphrase than a password, but is not made up of dictionary words only: Me94-loves-cauliflower!% (If I was born in 94 and love cauliflower, I only have to remember the last two special characters.) Two caveats: a birth year is exactly the kind of personal detail warned about above, so treat the year as the weakest part of that pattern; and never use this example itself, because any password printed in a guide ends up in attackers' wordlists.
However, as pointed out before, you should not reuse the same password. Once you make up a new password for every site, you will see why you need to write them down: even the easiest-to-remember long password can't be recalled when you need five or ten of them, and you must also remember which password belongs to which site.
That's where pen and paper come in, or a password manager. We agree with security experts Bruce Schneier and Brian Krebs that it is safe to write passwords down on paper, as long as you keep the paper somewhere safe or write the entries in a way that doesn't make it obvious they are passwords. However, make sure you also write them down so that you will still understand which password belongs to which site in a couple of months.
The best bet, therefore, is a password manager. If you keep all your logins in an encrypted password manager, you only need to remember (and write down) one master password. This makes everything much easier.
We recommend open-source password managers such as KeePassDX, but you will find plenty of good password managers with a little research online.
Password managers not only store your passwords securely, they can also generate random passwords that follow all the guidelines, so your passwords are secure by default. For this reason, security experts love password managers.
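To make the rules in this section concrete, here is an added example in Python (not Tutanota's code, and not the check Tutanota runs at sign-up). It tests a candidate password for the weaknesses described above (too short, too few character classes, keyboard sequences, dictionary words forwards or backwards) and generates a random password that passes all of those checks, the way a password manager does. The wordlist, the keyboard rows and the guess rate of ten billion per second are constructed assumptions for illustration; a real cracking dictionary has millions of entries.

```python
import math
import secrets
import string

# Constructed mini wordlist standing in for a real cracking dictionary (assumption).
WORDLIST = {"password", "cauliflower", "dragon", "welcome", "monkey", "football", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Assumed guess rate for an offline attack on a fast, unsalted hash (illustrative
# order of magnitude for one modern GPU).
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, based on the classes actually used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len or more adjacent keys in a row, e.g. 'qwerty' or '4321'."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in low:
                    return True
    return False


def dictionary_hits(pw: str) -> list:
    """Dictionary words embedded in the password, forwards or reversed, ignoring case."""
    low = pw.lower()
    return sorted(w for w in WORDLIST if w in low or w[::-1] in low)


def assess(pw: str) -> dict:
    """Apply the guide's rules and report every problem found, plus a naive strength estimate."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if charset_size(pw) < 62:  # 62 = the smallest three-class alphabet (a-z, A-Z, 0-9)
        problems.append("uses fewer than three character classes")
    if keyboard_run(pw):
        problems.append("contains a keyboard sequence")
    hits = dictionary_hits(pw)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    # Upper bound on brute-force work: every combination of the classes used, at this
    # length. Dictionary and pattern attacks cut far below this, which is why the
    # problems list matters more than the bit count.
    bits = len(pw) * math.log2(max(charset_size(pw), 1))
    seconds = 2 ** bits / GUESSES_PER_SECOND
    return {"bits": round(bits, 1), "crack_years": seconds / (365 * 86400), "problems": problems}


def generate(length: int = 20) -> str:
    """Random password from a CSPRNG that satisfies every check above (what a manager does)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not assess(pw)["problems"]:
            return pw


if __name__ == "__main__":
    for candidate in ["qwerty12", "drowssaP9!", "Me94-loves-cauliflower!%", generate()]:
        print(candidate, assess(candidate))
```

Note that the guide's own example password is flagged only for the embedded word "cauliflower", and the reversed "password" in "drowssaP9!" is caught too; the bit count of a long password looks impressive, but an attacker who tries wordlists first never pays that full cost.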
Maximize login security
To maximize your login security, we recommend turning on two-factor authentication wherever it is available. Two-factor authentication means that anyone trying to log in to your account needs your password as well as access to the second factor, which can be an authenticator app, an SMS code or a physical security key. Of these, SMS is the weakest: an attacker who takes over your phone number (SIM swapping) receives your codes, so prefer an app or a key where the service offers one.
The most secure option is a physical security key (FIDO U2F or FIDO2) such as a YubiKey or Nitrokey: the key signs a login challenge that is bound to the site's real address, so a phishing site cannot reuse the login even if it has your password.
Once you've secured your login with a strong password and a second factor, the main remaining risks are social engineering and phishing.
How does social engineering work?
Social engineering is a form of account takeover by people who know a lot about you and use that knowledge to get in. This is possible, for example, when an online service offers recovery questions in case you forget your password. The answers to these questions are usually very easy to find out, such as 'What is your mother's maiden name?' or 'What street do you live in?'.
If you want to make absolutely sure that no one, not even your neighbour, can take over your account this way, be very careful with these questions. The safest bet is to answer them with random, made-up answers. Then, however, you must either not rely on this recovery option at all, or write down the fake answers (a password manager can store them alongside the password).
To maximize your password security, you need to
- choose a strong, long password,
- set up two-factor authentication,
- write down your login details, and/or use a password manager.
If you follow this password security guide, your accounts are as well protected as you can make them, and it becomes extremely hard for an attacker to steal your login credentials.
How we make sure that your password is secure
- We check the password strength when you sign up with Tutanota.
- We let you use as many characters as you like.
- We let you use all special characters.
- We use bcrypt, a deliberately slow, salted hash function, so that a stolen password hash cannot be brute-forced quickly.
- We offer two-factor authentication to further secure your email login.
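To show what "a slow hash against brute-force attacks" means in practice, here is an added example in Python that is not Tutanota's code. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, since the two share the properties that matter here: a random per-password salt, so identical passwords produce different hashes and no precomputed table works, and a tunable work factor that makes every guess expensive. The iteration count and the storage format are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor. bcrypt expresses it as a cost exponent (2**cost rounds);
# PBKDF2 as an iteration count. Raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random 16-byte salt.
    The parameters travel with the hash so they can be raised later without breaking logins."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many guesses this machine can test per second at a given work factor,
    i.e. what an attacker holding the hash table is up against on similar hardware."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("correct horse battery stapler", stored))
    print(f"{guesses_per_second(ITERATIONS):.1f} guesses/s at {ITERATIONS} iterations")
```

Compare the measured guesses per second with the billions per second a GPU manages against an unsalted fast hash such as MD5 or SHA-1: the work factor, not secrecy of the algorithm, is what turns a leaked hash table from a minutes-long job into a years-long one for every password that is not in a wordlist.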
With Tutanota, we focus on securing your private emails to the maximum. The biggest remaining risk for your encrypted email account is phishing.
Read our guide on how to prevent email phishing.