Random Password Generator

Generate strong, secure passwords instantly to protect your online accounts.

Include Numbers:
Include Lowercase Characters:
Include Uppercase Characters:
Include Symbols:
Exclude Similar Characters:
Exclude Ambiguous Characters:
Include Custom Characters:
Generate On Your Device:
Auto-Select:
Save My Preference:

Password Security Tips

To prevent your passwords from being hacked by social engineering, brute-force or dictionary attacks, and to keep your online accounts safe, keep the following in mind:

  1. Do not use the same password, security question and answer for multiple important accounts.
  2. Use a password of at least 16 characters that contains at least one number, one uppercase letter, one lowercase letter and one special symbol.
  3. Do not use the names of your family members, friends or pets in your passwords.
  4. Do not use postcodes, house numbers, phone numbers, birthdates, ID card numbers, social security numbers, and so on in your passwords.
  5. Do not use any dictionary words in your passwords. Examples of strong passwords: &6s&$3h?JXFmm3ym , [sAf\78w6LF+yA=U , 2F~!hxQL;Fx:E{Cz. Examples of weak passwords: 123456, 123456789, abc123.
  6. Do not use two or more similar passwords that have mostly the same characters, for example, ilovefreshflowersMac, ilovefreshflowersDropBox, since if one of these passwords is stolen, it means that all of these passwords have been stolen.
  7. Do not use something that can be cloned (but that you can't change) as your passwords, such as your fingerprints.
  8. Do not let your Web browsers (Chrome, Firefox, Safari, Opera, IE, Microsoft Edge) store your passwords, since all passwords saved in Web browsers can be revealed easily.
  9. Do not log in to important accounts on the computers of others, or when connected to a public Wi-Fi hotspot, Tor, free VPN or web proxy.
  10. Do not send sensitive information online via unencrypted (e.g. HTTP or FTP) connections, because messages in these connections can be sniffed with minimal effort. Use encrypted connections, such as HTTPS, SFTP, FTPS, SMTPS, and IPSec, whenever possible.
  11. When travelling, you can encrypt your Internet connections before they leave your laptop, tablet, mobile phone or router. For example, you can set up a private VPN with protocols like WireGuard (or IKEv2, OpenVPN, SSTP, L2TP over IPSec) on your own server (home computer, dedicated server or VPS) and connect to it. Alternatively, you can set up an encrypted SSH tunnel between your computer and your own server and configure Chrome or Firefox to use a SOCKS proxy. Then, even if someone uses a packet sniffer to capture your data as it is transmitted between your device (e.g., laptop, iPhone, iPad) and your server, they won't be able to steal your data and passwords from the encrypted streaming data.
  12. How secure is my password? You may believe that your passwords are robust and difficult to hack. However, if a hacker has stolen your username and the MD5 hash value of your password from a company's server, and the hacker's rainbow table contains this MD5 hash, then your password will be cracked quickly.
  13. To check the strength of your passwords and know whether they're inside the popular rainbow tables, you can convert your passwords to MD5 hashes on an MD5 hash generator, then try to reverse them by submitting these hashes to an online MD5 decryption service. For instance, suppose your password is "1234567890". Using the brute-force method, a computer may take almost a year to crack your password. However, if you submit its MD5 hash (E807F1FCF82D132F9BB018CA6738A19F) to an MD5 decryption website, how long will it take to crack it? You can perform the test yourself.
  14. It's recommended to change your passwords every 10 weeks.
  15. It's recommended that you remember a few master passwords, store other passwords in a plain text file and encrypt this file with 7-Zip, GPG or disk encryption software such as BitLocker, or manage your passwords with password management software.
  16. Encrypt and back up your passwords to different locations, so that if you lose access to your computer or account, you can retrieve your passwords quickly.
  17. Turn on 2-step authentication whenever possible.
  18. Do not store your critical passwords in the cloud.
  19. Access essential websites (e.g. PayPal) from bookmarks directly; otherwise, please check the domain name carefully. It's a good idea to check the popularity of a website with the Alexa toolbar to ensure that it's not a phishing site before entering your password.
  20. Protect your computer with a firewall and antivirus software, and block all incoming connections and all unnecessary outgoing connections with the firewall. Download software from reputable sites only, and verify the MD5 / SHA1 / SHA256 checksum or GPG signature of the installation package whenever possible.
  21. Keep the operating systems (e.g. Windows 7, Windows 10, Mac OS X, iOS, Linux) and Web browsers (e.g. Firefox, Chrome, IE, Microsoft Edge) of your devices (e.g. Windows PC, Mac PC, iPhone, iPad, Android tablet) up to date by installing the latest security updates.
  22. If there are important files on your computer, and others can access it, check if there are hardware keyloggers (e.g. wireless keyboard sniffer), software keyloggers and hidden cameras when you feel it's necessary.
  23. If there are Wi-Fi routers in your home, then it's possible for someone (in your neighbour's house) to learn the passwords you typed by detecting the gestures of your fingers and hands, since the Wi-Fi signal they receive changes when you move your fingers and hands. In such cases, you can use an on-screen keyboard to type your passwords. It would be more secure if this virtual keyboard (or soft keyboard) changed layouts every time.
  24. Lock your computer and mobile phone when you leave them.
  25. Encrypt the entire hard drive with VeraCrypt, FileVault, LUKS or similar tools before putting important files on it, and physically destroy the hard drives of your old devices if necessary.
  26. Access essential websites in private or incognito mode, or use one Web browser to access important websites and another one to access other sites. Alternatively, access unimportant websites and install new software inside a virtual machine created with VMware, VirtualBox or Parallels.
  27. Use at least three different email addresses: use the first one to receive emails from essential sites and apps, such as PayPal and Amazon; use the second one to receive emails from unimportant sites and apps; and use the third one (from a different email provider, such as Outlook and Gmail) to receive your password-reset email when the first one (e.g. Yahoo Mail) is hacked.
  28. Use at least two different phone numbers; do NOT tell others the phone number that you use to receive verification codes by text message.
  29. Do not click links in an email or SMS message, and do not reset your passwords by clicking them, unless you know these messages are not fake.
  30. Do not tell anybody your passwords by email.
  31. It's possible that hackers have modified one of the programs or apps you downloaded or updated. You can avoid this problem by not installing the software or app when it is first released, unless it's published to fix security holes. You can use web-based apps instead, which are more secure and portable.
  32. Be careful when using online paste tools and screen capture tools; do not let them upload your passwords to the cloud.
  33. If you're a webmaster, do not store the users' passwords, security questions and answers as plain text in the database; you should store the salted (SHA1, SHA256 or SHA512) hash values of these strings instead. It's recommended to generate a unique random salt string for each user. In addition, it's a good idea to log the user's device information (e.g. OS version, screen resolution, etc.) and save the salted hash values of it; then, when they try to log in with the correct password but their device information does NOT match the previously saved one, have this user verify their identity by entering another verification code sent via SMS or email.
  34. If you are a software developer, you should publish the update package signed with a private key using GnuPG, and verify its signature with the public key published previously.
  35. To keep your online business safe, you should register a domain name of your own and set up an email account with this domain name. You won't lose your email account and all your contacts, since you can host your mail server anywhere, and the email provider can't deactivate your email account.
  36. If an online shopping site only allows payment with credit cards, then you should use a virtual credit card instead.
  37. Close your web browser when you leave your computer; otherwise, the cookies can be intercepted with a small USB device easily, making it possible to bypass two-step verification and log into your account with stolen cookies on other computers.
  38. Distrust and remove bad SSL certificates from your Web browser; otherwise, you will NOT be able to ensure the confidentiality and integrity of the HTTPS connections which use these certificates.
  39. Encrypt the entire system partition; otherwise, please turn off the pagefile and hibernation functions, since it's possible to find your essential documents in the pagefile.sys and hiberfil.sys files.
  40. To prevent brute-force login attacks on your dedicated servers, VPS servers or cloud servers, you can install intrusion detection and prevention software such as LFD (Login Failure Daemon) or Fail2Ban.
  41. If possible, use cloud-based software instead of installing the software on your local device, since there are more and more supply-chain attacks which will install a malicious application or update on your device to steal your passwords and gain access to top secret data.
  42. It's a good idea to generate the MD5 or SHA1 checksums of all files on your computer (with software like MD5Summer) and save the result, then check the integrity of your files (and find Trojan files or programs with a backdoor injected) every day by comparing their checksums with the result saved previously.
  43. Each large company should implement and apply an Artificial Intelligence-based intrusion detection system (including network behaviour anomaly detection tools).
  44. Allow only approved IP addresses to connect to or log in to the critical servers and computers.
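
The rule in tip 2 and the generator's "Exclude Similar Characters" option can be written as a short generator. This is an added example, not the site's own code; the `SIMILAR` character set and all function names are assumptions of the example.

```python
import math
import secrets
import string

# Assumption: the page does not say which characters "Exclude Similar
# Characters" removes; this set is the example's own choice.
SIMILAR = set("il1Lo0O")
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)

def _classes(exclude_similar):
    """Return the four character classes, optionally without look-alikes."""
    if not exclude_similar:
        return CLASSES
    return tuple("".join(c for c in cls if c not in SIMILAR) for cls in CLASSES)

def has_all_classes(password, classes=CLASSES):
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in classes)

def generate_password(length=16, exclude_similar=False):
    """Draw a password from the OS CSPRNG that contains every class."""
    classes = _classes(exclude_similar)
    if length < len(classes):
        raise ValueError("length must allow one character from each class")
    alphabet = "".join(classes)
    # Rejection sampling: draw uniformly from the whole alphabet and retry
    # until every class is present, so no position is biased to one class.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate

def meets_tip_2(password):
    """Tip 2: at least 16 characters with a digit, lower, upper and symbol."""
    return len(password) >= 16 and has_all_classes(password)

def entropy_bits(length, exclude_similar=False):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(len("".join(_classes(exclude_similar))))

if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(16), 1))
    print(generate_password(24, exclude_similar=True))
```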
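
Tips 12, 13 and 33 are two sides of the same storage decision: an unsalted MD5 hash is the same for every user with that password, while a per-user random salt makes each stored value unique. The sketch below is an added example, not code from the page; it uses PBKDF2-HMAC-SHA256 (an iterated, salted SHA-256 construction from the standard library) in place of a single salted hash round, and the iteration count and function names are assumptions of the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumption of this example; tune to your hardware

def unsalted_md5(password):
    """The scheme tips 12 and 13 describe: same password, same hash, always."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()

def create_record(password):
    """Return (salt, digest) to store for one user, with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # The value from tip 13: anyone can precompute this hash once.
    print(unsalted_md5("1234567890"))
    # Two users with the same password get unrelated stored values.
    alice = create_record("1234567890")
    bob = create_record("1234567890")
    print(alice[1].hex() != bob[1].hex(), verify("1234567890", *alice))
```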