How to Use Passwords More Securely


Passwords: A constant but necessary annoyance. What are they? Why are they so bad at securing accounts? How do you create and store the best ones possible? Is there any hope for a future without them? I will show you some common pitfalls and how to use them more securely.

Passwords are the way we *currently* secure most of our online accounts. However, they are inherently insecure since they rely on people. People usually take the path of least resistance, i.e. reusing a password from another website. We naturally prefer convenience to complexity.

91% of people say they know they aren’t supposed to reuse passwords and that they know why they aren’t supposed to reuse passwords, but 66% say they do it anyway. And why wouldn’t they? The average person has 191 passwords, and it’s nearly impossible to remember more than about 20.

Digital Information World - May 18, 2020

We humans are also susceptible to being socially engineered, which basically means someone tricks us into revealing personal details or taking some action. Phishing emails can be cleverly designed to mimic legitimate companies while additionally creating psychological pressure on you to click a button or provide your username and password.

Password Security Recommendations: What and Why

Borrowing from security.org, here are some security best practices:

  • A password should be 16 characters or more.
  • A password should include a combination of letters, numbers, and characters.
  • A password shouldn’t be shared with any other account.
  • A password shouldn’t include any of the user’s personal information like their address or phone number. It’s also best not to include any information that can be accessed on social media like kids’ or pets’ names.
  • A password shouldn’t contain any consecutive letters or numbers.
  • A password shouldn’t be the word “password” or the same letter or number repeated.

You’ve probably heard some of this advice before, but has anyone ever told you why?

The length and complexity (combination of letters/numbers/characters) of passwords makes them harder to “crack”. Cyber criminals can test lists of passwords generated from common words in a so-called dictionary attack against a login portal. They can also combine this with a program to try every possible combination in what’s known as a brute force attack. The longer and more complex your password is, the more computing power is required in order to figure it out. If you’re curious how long your password would take to crack, you can try it here.
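To make the recommendations above and the brute-force argument concrete, here is a small Python checker I have added to this post (it is not code from the article or from security.org). It applies the listed rules to a candidate password and then estimates the worst-case time a brute-force attack would need to exhaust the password's character set. The guess rate, the "no consecutive letters or numbers" interpretation (three ascending characters such as abc or 123), and the tiny common-password list are all my assumptions, not figures from the article.

```python
import string

# Assumed guess rate for the time estimate: 10 billion guesses per second,
# a round figure for offline cracking of a fast hash; not from the article.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-in for a "most common passwords" list (the article cites
# NordPass's list; only a few well-known entries are reproduced here).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "12345678", "111111"}


def has_consecutive_run(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` letters or digits in ascending order (abc, 123).

    This is one reading of the article's "no consecutive letters or numbers" rule.
    """
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if chunk.isalpha() or chunk.isdigit():
            if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
                return True
    return False


def check_policy(pw: str, personal_info=()) -> list:
    """Return the article's rules that pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("missing letters, numbers or symbols")
    lowered = pw.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information: " + item)
    if has_consecutive_run(pw):
        problems.append("contains a consecutive run such as abc or 123")
    if lowered in COMMON_PASSWORDS:
        problems.append("is a common password")
    if len(set(pw)) == 1:
        problems.append("is a single character repeated")
    return problems


def keyspace(pw: str) -> int:
    """Number of candidates a brute-force attack must consider: the size of the
    smallest character set covering pw, raised to the password's length."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += len(string.punctuation) + 1  # ASCII punctuation plus space
    return alphabet ** len(pw)


def seconds_to_brute_force(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace at the assumed guess rate."""
    return keyspace(pw) / rate


if __name__ == "__main__":
    for candidate in ["password", "Fluffy2019!", "Xq7#mLp2$vR9wZb4Nk"]:
        print(candidate, check_policy(candidate, personal_info=["Fluffy"]),
              "%.3g s" % seconds_to_brute_force(candidate))
```

Running it shows the point of the length rule directly: eight lowercase letters fall in seconds at the assumed rate, while an 18-character mix of all four classes takes longer than the age of the universe. The estimate is a ceiling, not a promise; a dictionary or credential-stuffing attack skips the keyspace entirely if the password is common or reused.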

Furthermore, a unique password for every account is crucial because criminals often use credential stuffing attacks. This is when a fraudster takes lists of usernames and passwords from previous breaches and then tries them against accounts at other companies.

When to Change Your Passwords

Change passwords only when necessary. The advice to change your password every 90 days is now outdated according to the National Institute of Standards and Technology. The current advice is to only change your password if you know that it has been compromised. Most companies will notify their customers if they believe that their passwords have been breached. (It should probably make you reconsider your account with someone if you find out about a breach from someone else, but I digress…)

The exception to this is if you have been using a very simple or common password. Nordpass just released its list of the most common passwords observed in data breaches in 2021. If your password is on this list, change it immediately. I’m looking at you “QWERTY”, “123456” or “password” users.

Additionally, you can check to see if your email or phone is listed in a data breach by searching at haveibeenpwned.com. Change the passwords for any accounts you see listed here if you haven’t already. Even more importantly, remember to change the passwords for any accounts where you used the same password as the one in the breach. See credential stuffing attacks above.
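The same site also runs a Pwned Passwords service that lets you check a password itself, and it is worth seeing how that can be done without ever sending your password anywhere. As an added example (my code, not the article's or Have I Been Pwned's), the Python below hashes the password with SHA-1, sends only the first five hex characters of that hash to the range endpoint, and compares the returned suffixes locally. The sample response is constructed so the example runs offline; the one real value in it is the SHA-1 tail of "password", and the counts are made up. The User-Agent string is my own placeholder.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response (SUFFIX:COUNT lines).
# The second suffix is the real tail of SHA-1("password"); the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """(prefix, suffix): only the 5-character prefix ever leaves the machine."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Find our suffix among the SUFFIX:COUNT lines returned for the prefix."""
    for line in response_text.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Real network lookup (not exercised here); the User-Agent is a placeholder."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-hygiene-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_seen_in_breaches(password: str, fetch=fetch_range_live) -> int:
    """How many times the password appears in the breach corpus; 0 means not found."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline run against the constructed sample; pass fetch_range_live for a real check.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    print("password seen:", times_seen_in_breaches("password", fetch=offline))
```

Because every prefix covers hundreds of real hashes, the service learns nothing about which one you hold; that design is why this check is safe to build into a password change form, whereas submitting the password itself for "checking" would violate the never-share rule later in this post.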

How to Store Your Passwords

Here are some options for storing your passwords, including pros and cons for each. There isn’t really a “right” or “wrong” way, but consider which option is the most secure one that you can stick with.

  • Password Manager: a third-party application like LastPass or 1Password
    • Pros: Can sync across multiple devices, prompts you to increase complexity or change if reused from another site, can randomly generate passwords for you, can share with others via family plans, encrypted
    • Cons: Requires a tiny bit more tech savvy to set up and use, some features cost extra, some companies prohibit on corporate machines
  • Browser: all major browsers like Chrome, Firefox, Safari, and Edge offer to store your passwords for you
    • Pros: Free, easy to start using, syncs across devices
    • Cons: Doesn’t work across different browsers, passwords can be scraped by malware, limited features
  • Your Computer: Document or spreadsheet, some choose to password-protect
    • Pros: Free
    • Cons: Not accessible unless you have your computer, doesn’t protect from keystroke loggers or other malware
  • Notes app on phone:
    • Pros: Free, usually there is an option to back up the data via the internet
    • Cons: No features, may not be encrypted by default
  • Paper: I think you know how this works
    • Pros: Unhackable, free
    • Cons: Can be seen or stolen by anyone with physical access, don’t always have it with you

In general, unless you are storing something “in the cloud” (i.e. on the internet) rather than on your device or in your home, you are vulnerable to any kind of accident, loss, or theft destroying access to all of your online accounts. For anything accessed via a computer or website, there is always the threat of malware which can log your keystrokes or scan your device for files with important-sounding names.

A caveat: having the most complex password in the world won’t protect you if a cyber criminal is stealing it with malware or phishing. This isn’t intended to scare you, but rather to make you aware of inherent risks. Improving your security requires a multi-layered approach. Reducing your risk by having strong, unique passwords for all of your accounts is part of the puzzle. You should always set up two-factor authentication (aka multi-factor authentication) on any account that accepts it, but that will be a topic for another day’s post.

Never Share Your Password…

No legitimate company will EVER ask you for your password to assist you with your account. Period.

I understand that there could be a need to make sure that someone you trust can access your accounts in case something happens to you. This is where a family plan on a password manager could come in handy, though you could of course just make sure your loved ones know where your passwords are stored in case of emergency.

A Passwordless Future?

Like many of you, I cannot wait for a passwordless future. You may already be enjoying it without realizing it. Do you have your phone set to unlock with a fingerprint or use Windows Hello to unlock your laptop? These are examples of biometric authentication, which are in many ways more secure than passwords, but come with their own set of drawbacks.

I recently learned about the concept of graphical passwords. This type of authentication requires users to pick a series of points on an image or a group of images. While this method is more difficult to hack than text passwords, the jury is still out on how well people remember them and the practicality of using them.

Companies are also exploring ways of using certificates and risk-based authentication to eliminate the need for passwords. A simple way to think of this is a website checking if you are coming from the same device and IP address that you normally do.

In summary, we are stuck with mainly passwords for now, but there are multiple alternatives being explored. Hopefully you’ve gained some valuable knowledge on how to use your passwords more securely.

Be More Secure Tips

  • Use complex passwords with a combination of letters and numbers.
  • Use a unique password for every online account.
  • Store them securely.
  • Don’t share them with anyone you wouldn’t trust with your life.
  • Set up some kind of basic authentication on your mobile device, even if just a pin or fingerprint.

Stay tuned for a future post on multi-factor authentication to make your online accounts even more secure!
