All week we’ll be posting our best guidance on how to create, protect, and manage your passwords.
Passwords are your first line of defense against hackers. Pick passwords that are difficult to crack but easy for you to remember.
Each time cybercriminals hack into a database of passwords, they learn more about the kinds of passwords that people use. (Come back on Friday to read Part 3 of our password series on what passwords you should never, ever use.) Now, even passwords that we think are tricky can be guessed by cybercriminals who’ve harnessed the right technology to crack passwords.
Stuart Schechter and other colleagues from Microsoft Research have developed a free online tool that helps you avoid passwords that are predictable. Try the tool. A strong password:
Contains at least eight characters.
Does not contain your user name, real name, or company name.
Does not contain a complete word.
Is significantly different from previous passwords.
Is different from passwords that you’ve used on other websites.
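As an added illustration (not Microsoft Research's tool or any code from this post), here is a small checker that applies the five rules above to a candidate password; the dictionary, names and sample passwords are constructed for the example.

```python
# Added example: a rule checker for the five guidelines above (not Microsoft's tool).
from difflib import SequenceMatcher

# Constructed stand-in for a real dictionary; a production check would load a full word list.
DICTIONARY = {"password", "longhorns", "welcome", "summer", "bridge", "troubled"}
MIN_LENGTH = 8          # "at least eight characters"
SIMILARITY_LIMIT = 0.7  # at or above this ratio the new password is not "significantly different"


def similarity(a, b):
    """Case-insensitive similarity of two strings in 0.0..1.0 (difflib ratio)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(pw, user_name="", real_name="", company="", previous=(), other_sites=()):
    """Return the names of the rules the candidate password fails (empty list = passes)."""
    failures = []
    low = pw.lower()

    # Rule 1: minimum length.
    if len(pw) < MIN_LENGTH:
        failures.append("min_length")

    # Rule 2: no user name, real name (any part of it) or company name inside the password.
    for label, value in (("user_name", user_name), ("real_name", real_name), ("company", company)):
        parts = [p.lower() for p in value.split() if len(p) >= 3]
        if any(p in low for p in parts):
            failures.append(label)

    # Rule 3: no complete dictionary word embedded in the password.
    if any(word in low for word in DICTIONARY):
        failures.append("dictionary_word")

    # Rule 4: significantly different from every previous password on this account.
    if any(similarity(pw, old) >= SIMILARITY_LIMIT for old in previous):
        failures.append("too_similar_to_previous")

    # Rule 5: not reused from another site (exact match, case-insensitive).
    if any(low == other.lower() for other in other_sites):
        failures.append("reused_elsewhere")

    return failures


if __name__ == "__main__":
    print(check_password("Longhorns1"))                                      # ['dictionary_word']
    print(check_password("Labotwiweym!973", previous=["Labotwiweym!972"]))  # ['too_similar_to_previous']
```

A plain substring check like this does not catch substitutions such as "l0nGhornZ1" suggested in the comments below, which is a known limit of rule-based checks and why predictability tools model guessing rather than just matching rules.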
Get more advice on how to create strong passwords.
Once you’ve chosen a strong password, you can protect it from hackers by following a few simple rules:
Don’t share your password with friends.
Never give your password to people who call you on the phone or send unsolicited email, even if they claim to be from Microsoft.
Change your password regularly.
Tell your children not to share your passwords (or theirs) with anyone. Check back tomorrow for more guidance on how to help kids create and protect their passwords.
Evaluate password managers and other password tools carefully. If they keep all your passwords in the cloud, they should use encryption. If the service has problems, understand that you might be locked out of your accounts.
Enable two-step verification. Two-step verification uses two ways to verify your identity whenever you sign in to your Microsoft account. Two-step verification is optional, but we recommend that you use it. Learn how to turn it on.
Learn more about how to protect your passwords.
Microsoft has built biometric support into Windows 8.1 for user log-on and UAC elevation prompts. Why not build your own biometric password manager for website credentials? Authentec used to make a pretty good one, Protector Suite, until they were bought by Apple Inc.
We keep hearing the same advice: use complex passwords, don't re-use them, change them periodically, and so on. A password manager integrated into Windows would help this become simpler in practice.
I had a strong password. No hacker broke it for 13 years.
Now Microsoft broke my hotmail account and has temporarily blocked it because of this. I cannot get into my account. I cannot get any support to fix this. I already tried your suggestion in other post and none work.
Do you know who I can call at Microsoft to get back into my account?
This is good advice, so WHY does Microsoft not build any tools into Active Directory to prevent passwords like "Longhorns1" which AD considers very complex because it contains an uppercase, lowercase, and number?
Hey, do what I do to generate passwords: Pick one of your favorite poems or song lyrics. Take the first line, and use the initials. "Like a bridge over troubled waters, I will ease your mind": Labotwiweym... Then tack on some number that's significant to you for some reason, and there you go, but put the first or last digit in upper case (1973 becomes !973), so you have Labotwiweym!973, which will meet almost any password requirement, and all you have to do is remember what poem/song you're in. Next time you need a password, move down to the next line. Tatshbmttlattd87#1
"Longhorns1" is a bad password. A modest improvement is "l0nGhornZ1". The rules are simple:
1. Put the caps in strange places.
2. Substitute a number for a letter as appropriate. Numeral zero "0" can be a good substitute for "o", numeral three "3" looks sort of like a backwards capital "E", and so forth. Numeral "1" looks sort of like a capital "I", etcetera. Don't restrict yourself to what I gave. Let your imagination roam free, but when all is said and done you have to remember it. Also, although I could have used zero twice, it is actually stronger with one being the "oh" and the other the "0".
3. When possible use a phonetic alphabet substitution. Actually "werdz" is closer to the sound than "words."
4. If you have too many vowels, drop some of them. The Cyrillic letter for Russian mostly threw the vowels out.
If you are clever and a Da Vinci or me, "1ZnrohGnol" means it is brute force time. The fewer duplicates of any symbol you have, and using the maximum number of s9mb0lz, makes it harder and harder to brute force. But the Facebook No-No of having the passwords stored in clear-text doesn't help.
Account recapture is really only possible with two separate accounts. For example, using Hotmail and GMail you would use your account recovery for Hotmail with the proper recovery question answer sent to GMail and vice versa. Now that this has been given I need to go check if I need a new Hotmail password. The new temporary password will be sent to another email account.
Changing passwords often does not take human beings into account. Even with proper coaching I consider six months or even a year to not be an unreasonable time frame. Also don't force them to change their passwords RIGHT NOW. Some people will never be able to come up with a good pasWerd (misspelling intentional). People like me need at least eight hours to mull on it and come up with something that uses near or at the maximum allowed with no duplicates, numbers, CAPS mixed in novel ways, etc.