WRT passwords, is the most secure still supposed to be four random words separated by punctuation marks?
The most secure passwords are random characters from the whole ASCII character set with as many characters as the password field will hold, with a different combination being used for each site/system. This is inconvenient for the wetware to remember though, so the best approach is a password safe of some sort. I use 1Password because I can use it across different systems whereas Apple Keychain is limited to Apple kit. Now that Apple have relented and let us fanboys use 3rd party password apps natively on Apple products, things have become a lot easier.
More on passwords.
Using word strings is not really that secure in these days of pocket supercomputers, though it probably helps to explain how your passwords get compromised.
These days ‘hackers’ don’t generally try and log in via the user interface trying lots of different passwords, either manually or with a computer. This is mainly because nearly all systems with remote access have a limited number of tries before locking out.
By far the most common and lucrative attack these days is ‘social engineering’, that is to say the ‘hacker’ calls you up, or sends you an email, and asks you for your password/PIN. This is now very sophisticated, with the ‘hacker’ knowing how to manipulate you emotionally. The next level up on this is when they target someone, who they will research online first (Facebook, LinkedIn, forums, Twitter, Instagram et al) so they can tailor the emotional manipulation. In this case, no amount of technical password security will help. Why try and fight your way in when you can get someone to give you the keys?
The second most lucrative approach is an inside job, either instigated by a bad person already inside, or via the usual MICE (Money, Ideology, Coercion, Ego) route. Either way, the aim is to get hold of the password table or credit card details. If they get a password file, then this will, most likely, consist of a list of usernames with their passwords. In nearly all cases these days the passwords will be encrypted in some way, with ever more sophisticated ways of encryption being used. However, there are a limited number of ways commercially available, so the bad guys will have some idea what to try. BUT, the clever bit is that the encryption is ‘one way’, that is there is no way to decode the password from the stored information. When you enter your password to gain access, what you type is encrypted using the same algorithm and the resultant output is checked against the stored information. So the bad guy has a list of common passwords that he has encrypted using the same algorithm and he checks this list against the password file for matches. An experienced ‘hacker’ will have several lists of common passwords, dictionaries, dictionaries with common substitutions, common phrases and quotes, multiple words with and without punctuation. All encrypted using common one way algorithms. Once he has a match, he’s got your username and access to your account on that system. If you’ve used the same password everywhere, he’s got access to your online life. A recent report I read on a friendly attack suggested that the first run against the password file yielded 50% of the file using just common passwords, which took him a couple of hours. After several more runs, using more complicated dictionary attacks, the friendly ‘hacker’ had 90% of the file at his disposal, though this did take him a little over 36 hours.
So to reiterate, the best advice is to use a password safe and get into the habit of creating a new password for each system you use. If at all possible, aim for randomly generated character strings using upper and lower alpha, numerals, punctuation and other special characters and aim for 20 or more characters.
N.b. The above explanation is grossly simplified but hopefully will encourage you to use more secure passwords if you don’t already.
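As an added illustration of the two points in the reply above (random 20+ character passwords versus word strings, and the ‘one way’ check where what you type is re-encoded and compared to the stored value), here is a small Python example that is not from the original post. It assumes PBKDF2-HMAC-SHA256 with a random salt as the one-way algorithm (the reply names none) and a 7776-word list for the four-word passphrase comparison; the entropy figures come out to about 51.7 bits for four words and about 131 bits for 20 random characters.

```python
import hashlib
import hmac
import math
import secrets
import string

# Upper and lower alpha, numerals, punctuation and other special characters,
# as the reply recommends: 94 printable ASCII symbols (space excluded).
CHARSET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, charset=CHARSET):
    """Draw each position from a CSPRNG; never use random.choice for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(choices_per_position, positions):
    """Entropy of a uniformly random string: positions * log2(choices).
    A dictionary list only 'matches' when this number is small."""
    return positions * math.log2(choices_per_position)


def hash_password(password, salt=None, iterations=600_000):
    """One-way storage (assumed algorithm: PBKDF2-HMAC-SHA256).
    Only (salt, digest) is stored; the password itself never is."""
    if salt is None:
        salt = secrets.token_bytes(16)  # per-user salt defeats shared precomputed lists
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate, salt, stored_digest, iterations=600_000):
    """Re-run the same algorithm on what the user typed and compare the output
    to the stored value in constant time; the stored value is never decoded."""
    _, digest = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw)
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
    print(f"20 chars from {len(CHARSET)} symbols:  {entropy_bits(len(CHARSET), 20):.1f} bits")
    salt, digest = hash_password(pw)
    print("correct password verifies:", verify_password(pw, salt, digest))
    print("wrong password verifies:  ", verify_password(pw + "x", salt, digest))
```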