How to make a killer password that can’t be hacked

Stealing passwords is one of the oldest moves in the hacker’s book. Ever since Internet accounts have existed, people have been trying to break into them. Password scavengers have been remarkably successful, too: in August, we learned that Russian hackers stole 1.2 billion username and password combinations, and in April, a vulnerability called Heartbleed was found to expose users’ data on websites from Gmail to Instagram.

Why are passwords so easy to hack? Some password-related hacks are beyond our control, but part of our vulnerability is our own fault. We tend to write passwords that are way too easy to guess. And we reuse passwords on multiple websites, so if a hacker has one of our passwords, they’ve got access to other accounts, too.

To be clear, there’s really no such thing as an unbreakable password. Hackers who are persistent enough and are using sufficiently powerful hardware will always be able to figure out your credentials. But if you follow a few of these tips for creating a strong password, you’ll be much harder to hack, and therefore much safer.

Use lots of quirky character types. One way hackers crack passwords is by using sophisticated password-cracking software to test combinations of numbers, letters and symbols for your credentials. It can require a lot of computing power to do, but for shorter passwords, it’s a pretty reliable hacking method.

The more types of weird symbols (like $ and %) your password has, the greater the number of tries a computer has to take to guess your credentials. And some sites have features that block multiple password attempts, meaning the more complex your password is, the more likely a hacker will get locked out before their software guesses the right code.

Don’t use dictionary words. Passwords built from common words or phrases are the first to fall to increasingly adept password-cracking software. Passwords like “Iloveyou” and “password” are not a dependable line of defense.
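To put numbers on the two tips above, the following added example (not part of the original article) estimates the brute-force search space a password's character types create, short-circuits on passwords a wordlist would find at once, and generates a random password the way a password manager would. The guess rate, the function names and the short list of common passwords are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed sample of very common passwords (the ones this page names).
COMMON_PASSWORDS = {"password", "iloveyou", "12345678", "monkey", "sunshine"}

SYMBOLS = string.punctuation + " "  # 33 characters
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, SYMBOLS)

# Assumption: an offline attacker testing ten billion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the smallest alphabet a brute-force tool must cover.

    Only ASCII character classes are counted; other characters are ignored.
    """
    return sum(len(cls) for cls in CHAR_CLASSES
               if any(ch in cls for ch in password))


def search_space_bits(password):
    """log2(alphabet ** length): an upper bound that only holds for random strings."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Return (bits, average years to brute-force); (0.0, 0.0) for a listed password."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0, 0.0  # a wordlist attack finds it before brute force starts
    bits = search_space_bits(password)
    # On average the attacker has to search half of the space.
    years = math.inf if bits > 1000 else 2 ** (bits - 1) / rate / SECONDS_PER_YEAR
    return bits, years


def generate_password(length=16):
    """Random password with at least one character from each class (CSPRNG-backed)."""
    if length < len(CHAR_CLASSES):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
    everything = "".join(CHAR_CLASSES)
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which position holds which class
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("Iloveyou", "sk8board", "Sk8b0ard!", generate_password()):
        bits, years = assess(candidate)
        print(f"{candidate!r:22} {bits:6.1f} bits  ~{years:.3g} years")
```

The bit count is an upper bound: a password that follows a human pattern falls far sooner than the figure suggests, which is why the random generator matters more than the symbol count.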

Use different passwords on different accounts. If you use the same password twice, it’s an invitation for hackers to double-dip into your data. Mix things up to stay safe.

Use two-factor authentication. Even hackers that have stolen your passwords aren’t going to easily access your accounts if you follow this tip. Two-factor authentication requires you to know something (your password), and to have something (a phone with a code, for instance).

Gmail’s two-factor authentication is a good example of how this works: after entering your password, Gmail sends a code to your phone, which you then enter for access to your email. Unless hackers have both your password and have stolen your phone, this is a major roadblock.

Use a password manager. A password manager creates a random, different password for every site you visit, and then saves them for you. Dashlane and LastPass are good examples of password managers.

Create a passphrase. Think of a sentence, then codify it. As an example, “I love skateboarding and reading” becomes “I TIME

Maybe not hack-proof, but at least hack-resistant


There’s no such thing as hack-proof or hacker-proof, just like there is nothing out there that is completely waterproof. Therefore, in this article, we’ll show you how to make your wireless router as hacker-resistant as possible. Your wireless router is a prime target for hackers who want to infiltrate your network or just freeload off of your Wi-Fi connection. Here are some things you can do to make your wireless router harder to hack.

Enable WPA2 or WPA3 Wireless Encryption

If you aren’t using at least Wi-Fi Protected Access 2 (WPA2) encryption to protect your wireless network, your network is wide open because hackers can virtually walk into it.

If you use outdated Wired Equivalent Privacy (WEP) security, which can be cracked in seconds by most hackers, upgrade to WPA2 or preferably WPA3, which is backward compatible with WPA2. Older routers may need a firmware upgrade to add WPA2 or WPA3 functionality. Check your router manufacturer’s manual to learn how to enable WPA2/WPA3 wireless encryption on your router.


Create a Strong SSID Network Name and Pre-Shared Key

You will also need to make a strong SSID (wireless network name). If you use the router’s default network name (for example, Linksys, Netgear, or DLINK), then you make it easier for hackers to hack your network. Using a default SSID or a common one helps hackers crack your encryption because they can use prebuilt rainbow tables associated with common SSID names to crack your wireless encryption.

Create a lengthy and random SSID name even though it might be hard to remember. You should also use a strong password for your pre-shared key to further discourage hacking attempts.
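Why the network name matters, as an added example that is not part of the original article: WPA2-Personal derives its master key with PBKDF2-HMAC-SHA1 using the SSID as the salt (IEEE 802.11i), so a table precomputed for a default name is useless against a unique one. The list of default names, the 16-character threshold and the function names are assumptions made for illustration.

```python
import hashlib

# Constructed list of factory-default network names; the first three are the
# examples this article gives. Real precomputed tables cover many more.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "home", "wireless"}

# Assumption: a house rule for this example, not part of any standard.
MIN_PASSPHRASE_LENGTH = 16

FINDINGS = {
    "default-ssid": "SSID is a common default; precomputed tables may exist for it",
    "short-passphrase": "pre-shared key is shorter than %d characters" % MIN_PASSPHRASE_LENGTH,
}


def wpa2_pmk(passphrase, ssid):
    """WPA/WPA2-Personal key derivation from IEEE 802.11i.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSIDs must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid_bytes, 4096, 32)


def audit_wifi(ssid, passphrase):
    """Return the finding codes that apply to this SSID and pre-shared key."""
    findings = []
    if ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if len(passphrase) < MIN_PASSPHRASE_LENGTH:
        findings.append("short-passphrase")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the same key under a default and a unique SSID.
    shared_key = "correct horse battery"
    for name in ("linksys", "x7Qp-home-41"):
        print(f"{name:14} PMK={wpa2_pmk(shared_key, name).hex()[:16]}...")
        for code in audit_wifi(name, shared_key):
            print(f"{'':14} finding: {FINDINGS[code]}")
```

The two derived keys share nothing even though the passphrase is identical, so work done in advance against one network name does not carry over to another.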

Turn on Your Wireless Router’s Firewall

If you haven’t done so, enable your wireless router’s built-in firewall. Enabling the firewall can make your network less visible to hackers looking for targets on the internet. Many router-based firewalls have a stealth mode that you can enable to reduce your network’s visibility. Also, test your firewall to ensure that you have configured it correctly.

Use an Encrypted Personal VPN Service at the Router Level

Virtual private networks used to be a luxury that only large corporations could afford. Now you can buy a personal VPN service for a small monthly fee. A personal VPN is one of the biggest roadblocks you can throw at a hacker.

A personal VPN anonymizes your true location with a proxied IP address and puts up a wall of strong encryption to protect your network traffic. You can purchase a personal VPN service from vendors such as WiTopia, StrongVPN, and others for as little as $10 a month or less.

If your router supports personal VPN service at the router level, this is the best way to implement a personal VPN. It allows you to encrypt all traffic entering and leaving your network without the hassle of setting up VPN client software on your computers. Using a personal VPN service at the router level also takes the encryption process burden off of your client PCs and other devices. If you want to use a personal VPN at the router level, check to see if your router is VPN-capable. Many manufacturers have several models of routers with this capability.

Disable the Admin via Wireless Feature on Your Router

Another way to prevent hackers from messing with your wireless router is to disable the admin via wireless setting. When you disable the admin via wireless feature on your router, it makes it so that only someone who is physically connected to your router with an Ethernet cable can access the admin features of your wireless router. This prevents someone from driving by your house and accessing the administrative functions of your router if they compromised your Wi-Fi encryption.

Given enough time and resources, a hacker might be able to hack into your network. However, taking the steps above will make your network a harder target, hopefully frustrating hackers and causing them to move on to an easier target.

Of the many ‘silver bullets’ out there looking to finally slay the password, none have been able to succeed. What this means is that passwords are here to stay, at least for the time being, and your best shot at both generating unique and cryptographically secure passwords and retrieving them whenever they’re needed is with a password manager.

This is what security experts have been advocating for years because these tools create a safe environment in which users can store all of their credentials and financial data without the hassle of remembering each and every username and password. But how do you pick the best password management service?

One of the key pieces of advice that security experts (ourselves included) give is to take a look at whether the password management service has been hacked before or not, as well as whether it ‘features’ any security vulnerabilities that white-hat hackers have shared with the service providers. If the password management service has patched any vulnerabilities, then it could be a good choice.


To help make that decision a little easier, let’s take a look at the hacking history of some password managers. The aim isn’t a complete list, as you’ll see; instead, we have explored the most important hacks and security vulnerabilities over the years.

  • LastPass, My1Login, NeedMyPassword, PasswordBox, and RoboForm: Researchers at the University of California Berkeley discovered a number of vulnerabilities in a handful of password managers. “In four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in their paper.
  • RoboForm: IT security consultant and tech enthusiast Paul Moore discovered one critical vulnerability and a privacy loophole in the password management service that could allow attackers and prying eyes to obtain users’ personal data, including stored login credentials of various websites and even card payment details.
  • KeePass: When this program runs on a computer where a logged-in user has the KeePass database unlocked, KeeFarce (a hacking tool) decrypts the entire database and writes it to a file that the hacker can easily access. In theory this kind of hack makes all password managers vulnerable.
  • LastPass: An intrusion to the company’s servers was detected. While encrypted user data wasn’t stolen, cyber criminals stole LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.
  • MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Keepsafe, Avast Passwords, and 1Password: This was a busy year in terms of password management vulnerabilities. TeamSIK (Security Is Key), a group of people interested in IT security from the Fraunhofer Institute for Secure Information Technology, discovered serious security flaws in the most popular password management apps developed for the Android platform.
  • LastPass: Google Project Zero Hacker Tavis Ormandy discovered a critical zero-day flaw that allowed any remote attacker to compromise accounts completely.
  • LastPass: Tavis Ormandy discovered a vulnerability in its browser plugins, which LastPass called a “major architectural problem”. The password management service advised users to avoid using its browser plugins while it dealt with the issue.
  • OneLogin: An attacker had “obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S.”
  • Keeper: Tavis Ormandy discovered that the service was exposing passwords to unreliable web pages.

Does This Mean We Should Stop Using Password Managers?

No, not at all. The recent hacks and security vulnerabilities found in these services underscore one important aspect in security: no piece of software is able to truly offer more than 99% security. Reaching 100% security is impossible with any kind of software because every piece of code will have an Achilles heel somewhere that makes it vulnerable.

The question is different in this case: what does the team of developers do to protect user data, and what attack scenarios did they have in mind when they coded the software? Of course, if a service is static and the developers don’t keep their security up to date, then it can easily be hacked.


How user data is protected should be the main consideration when picking a password manager. Other features have their importance, but this is something you should always consider before making the final decision. For example, how do the developers communicate the bad news to their users? Transparency in communication is also another important aspect.

Free password managers are great utilities to start with; just be sure to keep an eye on the updates. Check the update history of the software, and if there isn’t much to check on, consider it a sign to move on to the next one. A lot can happen in just a few weeks in the security industry, so the bare minimum on your list of expectations should be up-to-date software and a quick response time to any security breaches or attacks. Otherwise, you could end up vulnerable to cyber attacks, which is the opposite of what you wanted in the first place.

Key Details of Password Cracker

  • Uncover hidden passwords in Windows applications, including Internet Explorer
  • Last updated on 04/07/20
  • There has been 1 update within the past 6 months
  • The current version has 0 flags on VirusTotal

Editors’ Review

Password Cracker by G&G Software is a tiny, free, totally portable utility that can recover lost passwords from applications. Passwords are perhaps the weakest links in the cyber-security chain; if they’re complex enough to be secure, you probably won’t be able to remember them. Add the fact that every other site seems to require a password, and it’s easy to see why far too many people end up using one or two simple passwords that are easy to remember, and easy to crack, too. You can write your passwords down on a piece of paper that you can look for and fail to find when you need it, or you can download and install this program.

Password Cracker downloads as a compressed file but runs as soon as you click the unzipped program file. The tool’s interface is a tiny dialog, about the size of the average error message, with two text fields, labeled Test and View, and four buttons: Enable, Options, About, and Help. Other than some links to the program’s Web site and some of the developer’s other wares, that’s it. However, the buttons’ labels describe their functions clearly enough, so we started by checking the options, which are minimal, with check boxes to recover passwords in Internet Explorer or all of Windows. We checked the latter, opened a browser window, and navigated to a site that required a password log-in. We clicked Enable, hovered the mouse cursor over the password field (as delineated by asterisks), and Password Cracker displayed the alphanumeric password in the View field. We repeated the process with a Windows program that requires a log-on to open, with similar success. The always-on-top option is handy since it keeps the little dialog from getting lost in a stack of open windows.

We installed Password Cracker 3.88, the latest version, in machines running Windows XP and Windows 7. The program performed its function in XP but not in Windows 7. Since the Windows 7 update is a recent release, it may be buggy, and we can’t recommend Password Cracker to Windows 7 users until it performs reliably. Other Windows users can certainly benefit from it, especially the forgetful ones.


If you’re using WiFi at home to connect to the Internet from your computer or mobile devices, you could become the victim of a WiFi hacker unless you follow our WiFi security tips.

How Can Hackers Hack WiFi Networks?

To hack WiFi passwords, hackers take two vastly different approaches. Some hackers rely on low-skill attacks that exploit weak passwords and naïve users, while others can execute highly technical attacks using cutting-edge exploits and sophisticated, custom-made tools.

Without encryption, the traffic on a WiFi network can be captured and analyzed by everyone within range of the network. If you’re curious how far a hacker can be from your home router and still have a strong enough signal to hack your WiFi, you can download NetSpot, an easy-to-use WiFi analysis tool. With NetSpot, you can instantly see whether your WiFi network is sufficiently encrypted to withstand a targeted attack.

Strong WiFi encryption, such as WPA2, has become an absolute necessity, but even the strongest encryption protocol can be undermined by a weak password. Yes, it can be a drag to remember a ten-digit alphanumerical string of gibberish, but the consequences of a successful WiFi hack can be devastating.

Why Would Someone Learn How to Hack WiFi?

WiFi hackers have various motivations. The best-case scenario is someone hacking your WiFi to steal your bandwidth. The worst-case scenario is someone hacking your WiFi to steal your identity or money. This is something you absolutely don’t want to happen, and our WiFi security tips will help you protect your wireless network against attackers.


How to open a laptop with Windows 8.1 without resetting the unknown password?

Laptop users will find it more difficult than desktop users to get past a forgotten password. This may be due to the following reasons:

1. Some laptops aren’t equipped with a CD/DVD drive, so a password crack disk won’t help.

2. The laptop BIOS password operates differently from a desktop computer’s.

Here we deal with what will remain a common annoyance for some time to come: cracking a laptop password on any Windows version, including Windows 10/8.1/8/7/XP/Vista and Windows Server 2012(R2)/2008(R2)/2003(R2). These methods support all popular laptop brands, such as HP, Dell, Lenovo, Acer, Asus, Toshiba, and Samsung.

1. Crack laptop password with a USB flash drive

If your laptop has no DVD drive, don’t worry; there are ways to break a laptop password with a USB flash drive (pendrive).

A: Windows Built-in USB password reset disk

If you have created a USB Windows password reset disk before, use the following steps to crack your laptop password.

Step 1: After you enter a wrong password, Windows shows the password hint and lets you reset the password. Click “Reset password” to open the “Password Reset Wizard”.

Step 2: Click “Next” and select your USB password key disk drive to replace the password with a new one.

Step 3: Use the new password to sign in to your computer.

Note: The USB password reset disk works only for the account for which you created it.

B: Burning a bootable USB Windows Password Key

If you don’t have a password reset disk, you can create one with a professional laptop password cracker such as Windows Password Key.

Step 1: Prepare a 2GB USB flash drive and a computer that you can access.

Step 2: Download Windows Password Key and install it.

Step 3: Run the program and burn the ISO image to the external USB flash drive to create a laptop password reset disk.

Step 4: Use the USB drive to reset the laptop password. For this step, make sure your computer boots from the USB drive; change the BIOS settings if necessary. Then follow the wizard to crack the forgotten laptop password.

2. Crack laptop password from safe mode (For Windows 7)

Windows has a default administrator account that is created during installation. By default, the built-in administrator account is named Administrator and has no password. Windows 7 usually has this account disabled, however, so it must have been enabled beforehand. If you forgot your laptop password, try the following steps.

Step 1: Start your computer and press “F8” while the computer boots up. The Advanced Boot Options screen appears.

Step 2: Scroll down to “Safe Mode” and press “Enter.” Your computer starts in Safe Mode.

Step 3: Click on the “Administrator” account that appears on the Windows logon screen. After Windows starts, click “Start” and then “Control Panel” to change the password of your other account.

If you’ve reset the default administrator account, or you’re on Windows 7 and didn’t enable it, this tip won’t help. In that case, the best and quickest way is to burn a bootable Windows Password Key disk to reset the forgotten laptop password.

3. Crack Laptop Password Online (For Windows 10/8.1/8)

If you use a Microsoft account to log in to your laptop, cracking the laptop password is easy. Follow the steps below to reset the laptop password online.

Step 1: Open Microsoft’s password reset website on any browser on any computer or device.

Step 2: Type your Microsoft account in the account field and then the verification code. Click “Next” to move on.

Step 3: Choose whether to have a reset link emailed to you or a code sent to your phone to reset your password.

To sum up, we have shown you how to crack a Windows 10/8/7 password on a laptop with a password reset USB drive, from safe mode, and online. If you have any other questions, please leave a message in the comment area and we will see what we can do for you.

There are over 2.32 billion monthly active users on Facebook, and it gets scary when someone can hack your account just by sharing a crafted link. A recent Facebook hack could do exactly that: with just one click by the victim, the hacker could gain access to the complete Facebook user account.

How Facebook Hack was Discovered

A critical cross-site request forgery (CSRF) vulnerability was discovered in Facebook that allowed an attacker to take control of another Facebook account by fooling the victim into clicking a link. Fooling the victim into clicking the link is known as social engineering; when all you need is a click, it is the easiest of things to do.

The attacker must, however, trick the victim into clicking a special link for the attack to succeed. An attacker could have gained full access to a Facebook account, posted anything on the victim’s timeline, changed or deleted the profile picture, or even tricked users into deleting their entire Facebook accounts.

Proof of Concept

The exploit relies on a vulnerable Facebook endpoint that takes another endpoint along with its parameters, makes a POST request to that endpoint, and adds the fb_dtsg parameter, which is how access to the victim’s account is gained. As the endpoint resides on the Facebook.com domain, it is easier to trick the victim into clicking the link.

The vulnerable endpoint

where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body). The same attack vector can be further modified to perform a number of other actions on victim’s Facebook profile, which will be explained below.

Making a post on the timeline

When the victim clicks on the link, a post defined by the hacker is made on the victim’s Facebook wall.

Deleting Profile Picture

This is self-explanatory: once executed, this link simply deletes the profile picture the victim has set on Facebook.

Deleting Account

A hacker could also delete the complete Facebook profile by using this URL; the “locale” parameter could have been used to change the language.

A password confirmation will be required; if the victim enters his password, then his account will be deleted.

Gaining full access of Facebook account

Full access to a Facebook account could have been obtained by adding an email address or phone to the victim’s account. It requires two separate links to be sent to the victim, one to add email or phone and one to confirm it to redirect the user after a successful request. You might think that two links seems like a lot, but keep in mind that both links have www.facebook.com as their domain, so the chances of success are really high; these are not punycode domains but the actual domain.

However, Samm0uda managed to create a single link by using the endpoints which have “next” parameter. He shared four steps to create a unique link for hacking into a Facebook account.

Step 1

Authorizing an app on behalf of the victim to obtain a Facebook access token

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/ajax/appcenter/redirect_to_app%3fapp_id=%26ref=appcenter_top_grossing%26redirect_uri=https%3a//www.facebook.com/v3.2/dialog/oauth%3fresponse_type%3dtoken%26client_id%3d%26redirect_uri%3d%26scope%3d&preview=0&fbs=125&sentence_id&gift_game=0&scopes[0]=email&gdpv4_source=dialog
This step uses the endpoint /v3.2/dialog/oauth to bypass the Facebook redirect protection in the “next” parameter, which blocks redirect attempts to external websites even if they are made using Link Shim.

It also identifies each victim by the token received, which later helps to extract the confirmation code for that specific user.

Step 2

The attacker website receives the access token of the user, creates an email for him under that domain, and redirects the user to:

It links an email to the user account using the endpoint /add_contactpoint/dialog/submit/ (no password confirmation is required).

After the linking, it redirects to the selected endpoint in “next” parameter:

which will redirect to the “ATTACKER_DOMAIN” again with the user access_token.

Step 3

The attacker website receives the “access_token”, extracts the user ID, searches for the email received for that user, gets the confirmation link, and then redirects again to:

(CODE and HASH are in the email received from Facebook)

This method is simpler for the attacker, but after the linking the endpoint redirects the victim to https://www.facebook.com/settings?section=email, which exposes the newly added email, so the confirmation could be done using the /confirm_code/dialog/submit/ endpoint, which has a “next” parameter that could redirect the victim to the home page after the confirmation is made.

Step 4

The email is now added to the victim’s account, so the attacker could reset the password and take over the account. The attack seems long, but it’s done in the blink of an eye, and it’s dangerous because it doesn’t target a specific user but anyone who visits the link in step 1.

Conclusion

Two-factor authentication can prevent full account takeover because it requires verification of a passcode sent to the user’s mobile, but some actions, such as posting something on the timeline, deleting or changing the profile picture, or deleting the Facebook account, cannot be prevented.

Facebook fixed the vulnerability on 31st January 2019 and paid out $25,000 to the researcher for reporting this particular bug, which is still not the highest bounty paid by Facebook but a great find indeed.

A Remote Access Trojan (RAT) is a type of malware that allows hackers to monitor and control your computer or network. But how does a RAT work, why do hackers use them, and how do you avoid them?

RATs Give Hackers Remote Access to Your Computer

If you’ve ever had to call tech support for a PC, then you’re probably familiar with the magic of remote access. When remote access is enabled, authorized computers and servers can control everything that happens on your PC. They can open documents, download software, and even move the cursor around your screen in real time.

A RAT is a type of malware that’s very similar to legitimate remote access programs. The main difference, of course, is that RATs are installed on a computer without a user’s knowledge. Most legitimate remote access programs are made for tech support and file sharing purposes, while RATs are made for spying on, hijacking, or destroying computers.

Like most malware, RATs piggyback on legitimate-looking files. Hackers can attach a RAT to a document in an email, or within a large software package, like a video game. Advertisements and nefarious webpages can also contain RATs, but most browsers prevent automatic downloads from websites or notify you when a site is unsafe.

Unlike some malware and viruses, it can be difficult to tell when you’ve downloaded a RAT. Generally speaking, a RAT won’t slow down your computer, and hackers won’t always give themselves away by deleting your files or rolling your cursor around the screen. In some cases, users are infected by a RAT for years without noticing anything wrong. But why are RATs so secretive? And how are they useful to hackers?

RATs Work Best When They Go Unnoticed

Most computer viruses are made for a singular purpose. Keyloggers automatically record everything that you type, ransomware restricts access to your computer or its files until you pay a fee, and adware dumps dubious ads onto your computer for profit.

But RATs are special. They give hackers complete, anonymous control over infected computers. As you can imagine, a hacker with a RAT can do just about anything—as long as their target doesn’t smell a RAT.


In most cases, RATs are used like spyware. A money-hungry (or downright creepy) hacker can use a RAT to obtain keystrokes and files from an infected computer. These keystrokes and files could contain bank information, passwords, sensitive photos, or private conversations. Additionally, hackers can use RATs to activate a computer’s webcam or microphone discreetly. The idea of being spied on by some anonymous nerd is pretty upsetting, but it’s a mild offense compared to what some hackers do with RATs.

Since RATs give hackers administrative access to infected computers, they’re free to alter or download any files on a whim. That means a hacker with a RAT can wipe your hard drive, download illegal content from the internet through your computer, or place additional malware onto your computer. Hackers can also control your computer remotely to perform embarrassing or illegal actions online in your name or use your home network as a proxy server to commit crimes anonymously.

A hacker can also use a RAT to take control of a home network and create a botnet. Essentially, a botnet allows a hacker to utilize your computer resources for super nerdy (and often illegal) tasks, like DDOS attacks, Bitcoin mining, file hosting, and torrenting. Sometimes, this technique is utilized by hacker groups for the sake of cyber crime and cyber warfare. A botnet that’s comprised of thousands of computers can produce a lot of Bitcoin, or take down large networks (or even an entire country) through DDOS attacks.

Don’t Worry; RATs are Easy to Avoid

If you want to avoid RATs, then don’t download files from sources that you can’t trust. You shouldn’t open email attachments from strangers (or potential employers), you shouldn’t download games or software from funky websites, and you shouldn’t torrent files unless they’re from a reliable source. Keep your browser and operating system up-to-date with security patches, too.


Of course, you should also enable your anti-virus software. Windows Defender is included with your PC (and it’s honestly a great anti-virus software), but if you feel the need for some extra security, then you can download a commercial anti-virus software like Kaspersky or Malwarebytes.

Use Anti-Virus to Find and Exterminate RATs

There’s an overwhelmingly good chance that your computer isn’t infected by a RAT. If you haven’t noticed any weird activity on your computer or had your identity stolen recently, then you’re probably safe. That being said, it doesn’t hurt to check your computer for RATs every once in a while.

Since most hackers use well-known RATs (instead of developing their own), anti-virus software is the best (and easiest) way to find and remove RATs from your computer. Kaspersky and Malwarebytes have extensive, ever-expanding databases of RATs, so you don’t have to worry about your anti-virus software being out of date or half baked.

If you’ve run anti-virus, but you’re still paranoid that there’s a RAT on your PC, then you could always format your computer. This is a drastic measure but has a 100% success rate—outside of exotic, highly specialized malware that can burrow into your computer’s UEFI firmware. New RATs that can’t be detected by anti-virus software take a lot of time to create, and they’re usually reserved for use on large corporations, famous people, government officials, and millionaires. If anti-virus software doesn’t find any RATs, then you probably don’t have any RATs.

These tips can help keep your Microsoft account safe, make it easier to recover if it’s compromised, and strengthen it against attacks.


It’s especially important to have a strong password if you use a Microsoft email address (like Outlook.com or Hotmail). This is because many services now use your email address to check your identity. If someone gets access to your Microsoft account, they may be able to use your email to reset the passwords for your other accounts, like banking and online shopping.

You can change your password on the Security basics page at any time.

Do make the new password significantly different from previous passwords.

Don’t use the same password for different accounts.

Do use a sentence or phrase converted into a string of initials, numbers, and symbols.

Don’t use a single word for your password like “password,” “monkey,” or “sunshine.”

Do make your password hard to guess even if someone knows a lot about you (avoid names and birthdays of your family or your favorite band).

Don’t use common passwords like “password,” “iloveyou,” or “12345678.”

The Microsoft Authenticator phone app not only adds another security layer to your Microsoft account, but it also lets you sign in to your account from your phone without a password.

Download the phone app and then learn how to use it in the How to use the Microsoft Authenticator app videos and article.

Add security info to your account to make it easier to recover your account if it’s hacked. Because this info can help keep your account safe, it’s important to keep it up to date. Add or update your security info on the Security basics page. Or, learn more about Security info & security codes and get steps to help protect your account today.

Most operating systems have free software updates to enhance security and performance. Because updates help keep your PC safer, we strongly recommend that you set up your PC to get these updates automatically. You can set up your PC to get the latest updates automatically for Windows 10.

Microsoft will never ask for your password in email, so never reply to any email asking for any personal information, even if it claims to be from Outlook.com or Microsoft.

Read about Outlook security for more information on email safety.

If you receive an email notifying you of unusual activity, you can see when and where your account has been accessed—including successful sign-ins and security challenges—on the Recent activity page. Microsoft learns how you usually sign in to your account and flags events that are suspicious.

If you lose or give away a device that you use to sign in to your Microsoft account, or if you know that someone else has access to your devices for whatever reason, be proactive and remove the trusted status from your devices. To remove trusted devices, go to the Security basics page, select more security options, scroll down to Trusted Devices, and then select Remove all the trusted devices associated with my account. For more information, see how to add a trusted device to your Microsoft account.