They can come in several ways:
- Can be stolen by spy programs installed on your computer, which record what you type or search places where passwords may be stored without protection. It is very common for infection to occur by opening email attachments or downloading files of dubious origin. How to prevent:
- Install antivirus and anti-malware software and scan periodically. There are good free programs, but if necessary, purchase the product license.
- Never open email attachments from strangers, even if they look legitimate. Even family members or friends can send you attachments with viruses or other types of malware without knowing that their computers are infected.
- Do not access websites with passwords on public computers: you never know what may be running on computers at LAN houses, libraries, at friends' houses, etc. The owners may not even know that they have a spy program installed that can steal your password as soon as you enter it.
- Keep your programs up to date, especially the operating system (Windows updates), browsers and antivirus / anti-malware.
- Do not store passwords in your browser: usually the protection of these passwords is weak and they can be obtained by a malicious user or program without major difficulties.
- Can be captured through fake websites, which pass themselves off as the websites of banks, credit card companies, airline miles programs, etc., and ask you to confirm your details so that the service is not cancelled, or give any other excuse. This is called “phishing”. How to avoid:
- Be wary of links to websites in emails: see if the link actually leads to a website address with the official domain of the company in question. If in doubt, contact the company's customer service to ask if the email is legitimate.
- Can be obtained by “social engineering”, that is, someone who impersonates you and calls (that's right, by phone) or makes contact by chat with the customer service saying they lost their password, etc. How to protect yourself:
- Use two-step authentication on services that offer it: even if your password is compromised, the hacker will not be able to gain access without going through additional authentication steps. Some sites that have this option: Google, Facebook, Dropbox, Outlook and iTunes.
- Website security questions: Some websites and other services ask security questions so that you can authenticate yourself if you forget your password, such as your mother's maiden name, the name of your first pet, the name of your first-grade teacher, etc. If the answer is very easy to find, something that someone can check on Facebook or ask a friend, for example, choose answers that have nothing to do with the question, but that you are sure you can remember later.
- By “brute force”, where the attacker makes several automated attempts to guess your password (for accessing a website, for example), trying the most common passwords first and then moving on to other combinations. What to do:
- Do not use “weak” passwords. See examples below.
- Never use the same password on various services or websites: many people prefer to repeat passwords on various services as it is easier to remember. But if the password is discovered or stolen, the security of all of them will be compromised.
- Take extra care with your email passwords, especially for email accounts you used to sign up for services. Generally, someone who has access to your mailbox can request a new password for these services and receive it easily.
- Do not write down the password on paper: prefer to store it more securely (more on that below).
- Do not write the password to an unencrypted file on your computer: even though it is not written down on paper, a password in such a file is completely unprotected. This goes for any file other than a password manager.
- Use a password manager: with such a program or service you can store your passwords securely (encrypted file) and you are free to use very difficult passwords without needing to know them by heart. We recommend the excellent KeePass, which is even free.
- Very bad:
- any password with 6 characters or less;
- combination of keyboard keys or number strings: 123456 (the most used in the world), 12345, abc123, 123123, 4567, 555555, qwerty, q1w2e3r4, asdfgh, etc.;
- simple words or names: password, jesuscristo, deuseamor, maria, jose, soueu, etc.
- the account name itself (bad idea).
- Great passwords: they have 12 to 20 characters, including lowercase letters, uppercase letters, numbers and possibly symbols. Examples: DMgG7igkm9ZU, sLd2 @ sRE$#3EwqQ7. You won't have to worry about memorizing complex passwords if you use a password manager.
See other tips for creating strong passwords in this Google help article.
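The "very bad" and "great" rules listed above can be checked mechanically, for example in a sign-up form or a personal audit script. The following is an added example, not code from the original article; the function names, the keyboard-row table and the intermediate "fair" label are assumptions made for illustration, and the 12-character threshold is applied as a minimum.

```python
import re

# Examples the article lists as "very bad" (set constructed from the list above).
COMMON = {"123456", "12345", "abc123", "123123", "4567", "555555", "qwerty",
          "q1w2e3r4", "asdfgh", "password", "jesuscristo", "deuseamor",
          "maria", "jose", "soueu"}
# Assumed table of keyboard rows and simple runs, used to spot key sequences.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
        "abcdefghijklmnopqrstuvwxyz"]


def is_sequence(pw):
    """True if pw is one repeated character or a run along a keyboard row."""
    low = pw.lower()
    if len(set(low)) == 1:
        return True
    return any(low in row or low in row[::-1] for row in ROWS)


def classify(password, account=""):
    """Return (rating, reasons); rating is 'very bad', 'fair' or 'great'."""
    reasons = []
    if len(password) <= 6:
        reasons.append("6 characters or less")
    if password.lower() in COMMON:
        reasons.append("on the list of commonly used passwords")
    if is_sequence(password):
        reasons.append("keyboard or number sequence")
    if account and password.lower() == account.lower():
        reasons.append("same as the account name")
    if reasons:
        return "very bad", reasons
    # Not "very bad": now test the article's criteria for a great password.
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if not all(re.search(c, password) for c in (r"[a-z]", r"[A-Z]", r"[0-9]")):
        reasons.append("missing lowercase, uppercase or digit")
    return ("fair", reasons) if reasons else ("great", [])


if __name__ == "__main__":
    for pw in ("123456", "qwertyuiop", "correcthorse", "DMgG7igkm9ZU"):
        print(pw, classify(pw))
```

A "great" rating here only means the password meets the length and character rules above; it says nothing about whether the password has been reused on another service.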