1) Use each password only ONCE.

Anytime, one of your accounts can be compromised. It is not even up to you: Often times databases of web portals or smartphone apps get hacked.
The attacker will likely try to use your account data on different web sites.
Let’s assume for example, that the credentials for your account of the local newspaper get compromised. It might not be too big of a damage: Someone is now able to illegally read the newspaper for free.
But the damage gets much bigger if that person is able to now also read your emails (using the same credentials as in the newspaper account). Probably that person will find personal data, addresses of friends and is also able to gain access to multiple other accounts by using the “Forgot password”-option.

2) Do not use a dictionary.

If an attacker tries to guess a password, he or she will likely use the “dictionary method”.
Words from a dictionary will be used to guess an eventual password. This also includes first names, car models, sport clubs and much more. Adding a number or replacing a letter with a number won’t fool the attacker’s program.
So please avoid passwords like Chris123, D0n4ld or BMW323.

3) Do not use logic.

Often times passwords contain logic patterns. Attackers know this and take advantage of it. Even if it helps you remembering, try to avoid logic in your passwords.
Using letters in alphabetic or keyboard-layout order or using easy number sequences is generally a bad idea.
Therefore, passwords like abc123, qwert987 or 24681012 are easy to guess and should not be used.

4) Size does matter!

We knew it: Size does matter. Using a one-digit password with only numbers will give us 10 combinations of possible passwords. (0, 1, 2, 3…9) If we use two digits, we could have 100 possible combinations. (00 up to 99)
With each digit that we add to our password, the strength increases exponentially. If you use 5 instead of 4 digits, then the safety of a password didn’t only increase by a quarter or a factor one. It increased 10-fold. When we use other digits besides numbers, this effect will increase.
More possible combinations will make a password harder to guess.

5) Numbers, upper-case letters, lower-case letters and special characters

There are 26 upper-case and 26 lower-case letters and 10 numbers. This equals 62 possibilities.
Special characters can increase this even further. The hindsight is, that some web portals do not allow all special characters. Therefore it makes sense to check if special characters are allowed in each password you create.
Generally speaking, the more types of characters you are using, the safer your password becomes.

6) Store your passwords in a safe place.

All our carefulness can be worthless if we write down our passwords on a piece of paper that is right on the desk where any guest or colleague has access to.
If it has to be written down to paper, then store the paper in a safe location.
Storing passwords in an encrypted database on your computer is even safer. Free software like Passwordsafe, Revelation or KeePass will allow this. Most of this software will run on Windows, Linux and even on smartphones with Android or iOS.

Practical hint: Use a password generator.

The internet offers a good number of password generators. Some of them can be used in the browser directly. They will create a secure password automatically.
Previously mentioned password managers will most-likely have a password creation function included.

Examples

Here are some examples for good passwords:
9rZb#7LU6Es#UxEU
!pQEqfXaAXDa%6-n&@M&S$Z
ns6cs34fjRWWL7xhNq3c6Dnc6MkNcXme

Please be aware, that all of this informations and/or tutorials come without any type of warranty.

In order to defend against that, it is possible to encrypt the whole email message instead of only encrypting the transfer. The standard PGP (“pretty good privacy”) allows it. Other than the name may suggest, this system is actually really safe instead of being “pretty good”. And thanks to OpenPGP it is also open-source and freely available.

Please feel free to skip the following paragraph if you don’t like things to be too technical. For our email encryption, PGP uses asymmetric key algorithms. The recipient (person A) of a message has a private key. It is needed to decrypt a message. The sender (person B) needs the public key of person A for the encryption of the message. Person A, the recipient, needs to transmit this public key to person B before encryption can happen. After that, person B will be able to encrypt and send a message with the public key of person A. As long as person A keeps its private key safely on its PC, only person A will be able to read its messages.
In order to send a message from person A to person B, person A needs the public key of person B.
If there are any doubts about a person really being who the person claims to be, a so called “handshake” can be performed. In practice, this means the exchange of security words away from keyboard. The security words can be transmitted on the phone or in real live. This makes the email conversation not only secure, but also reliable.

Honestly, this sounded complicated. And it actually used to be complicated for a long time. Thanks to a project called PEP (“Pretty Easy Privacy”) it got really easy now. PEP can be installed as an add-on for some email client programs and will take care of everything regarding encryption. This includes generating, attaching and importing of public keys and also generating a private key and decrypting incoming encrypted messages. If the conversational partners are using OpenPGP without PEP, it is still possible to communicate encrypted. Add-Ons with PEP like Enigmail are freely available for email clients like Thunderbird. There are also commercial extensions, for example for Outlook.

The following lines are supposed to show how you can encrypt your email conversations -completely free- with Thunderbird and the Add-On Enigmail with PEP. The following pictures have been made on a GNU/Linux-based operating system with Thunderbird 60.7.0 (64-bit). The operation can be different with other operating systems and software versions.

Step 1: Open Menu (1) in Thunderbird and click on Add-Ons twice (2).

Step 2: Search for the Add-On “Enigmail”.

Step 3: Install Enigmail (self-explaining)

Enigmail automatically creates a private and a public key in the background. There is nothing to do for you. The picture just illustrates that a new key has been created.

Step 4: Importing the first key

We receive an email from someone who is also using PGP-based encryption. Enigmail automatically recognizes that a public key is attached to the email. If we want to answer or send a regular email to this participant, it will be automatically encrypted.

Step 5: Sending the first encrypted email and eventually performing a handshake

PEP shows, that this message is secure. This means, that right now we are sending this message encrypted. Our own public key will be automatically attached. Therefore the recipient will be able to encrypt its answer message.
Eventually we also want to secure the trust between us and the recipient of this email by performing a handshake. This is not mandatory, though.

By clicking on the yellow-marked area “Secure” the handshake can be arranged. PEP will give self-explaining instructions about this. If you want to perform a handshake, it has to be re-done for each participant you are communicating with.

Done. We have just massively increased the security of our email conversations.

Hints:

• Even if the email itself is encrypted, the transmission should still be secured with SSL. Only by encrypting the transmission it can be assured that meta data and passwords are also transferred encrypted.
• If our interlocutor does not use any type of PGP/PEP/OpenPGP-encryption, we won’t be able to communicate encrypted with that person. It always takes two! Enigmail with PEP will always show you if a message will actually be sent encrypted.
• Whenever we receive an encrypted message, it can only be decrypted with our private key. Therefore it makes sense to have backup of our key that is stored secure and privately, fe. on an encrypted USB flash drive.
• Reading encrypted messages is generally only possible with an email client program like Thunderbird. Reading encrypted messages on the web, fe. at GMail or Hotmail is only possible with a few providers with browser add-ons. Not every provider allows reading encrypted messages and some do only with limitations.

Please be aware, that all of this informations and/or tutorials come without any type of warranty.