Passwords: The Real Key Words
Tired of having to remember passwords? Yeah, so was I. That’s why I use a password manager, and in this round of IAWWW, we’re going over these handy dandy doodads.
We’ve gone over setting yourself up for better online privacy in our piece on browsers (check that out, here) but this is all about that coveted security. Believe me, you don’t need to be a tech wizard to start yourself on the path to more fortified online security. It just takes some simple shifts in thinking.
First though, let’s start off with some basics of passwords, themselves.
Passphrases, Not Passwords
As Snowden has stated, “Bad passwords are one of the easiest ways to compromise a system.”(1) Passwords can be a real pain, and many people don’t want to bother remembering them or putting thought into their creation and management, so they do the minimum and move on. Unfortunately, bad actors can crack a minimal password in under a second.
Yes, I said less than a single second!
To mitigate this, you can do one simple thing: use a whole phrase instead of just a password. A long phrase is much better than a word or two and is, in my experience, easier to remember. A short password, especially one that only uses the minimum number of characters, is a bad move. Like, doing the cabbage patch backwards, bad.
Password-cracking software can try candidate strings at an astronomical rate, so a short six- to eight-character password is not going to help. Not only that, but a truly weak password might simply be guessed by some malicious party without any help from a computer.
Using something like, “My0ldGrandma1/2edASandwich” is way better than, “Hulu123!”, and arguably funnier (I’d argue it...). In all seriousness, using a long phrase that you come up with on your own (not a well known idiom) is a good start to creating a solid password.
“How long should I make a password?” The ideal answer to this would be, as long as it will allow you to make it. If the account you’re making a password for will allow 32 characters, do it. If it allows 15, do it. Make use of what they give you. This goes for the types of characters they allow, as well. Use letters, numbers, special characters, upper, lower, all of it. This is especially worthwhile if it’s an important account, such as bank accounts, a government account, or anything with those things attached or related.
One suggestion I’ve seen multiple times is to misspell words in your password. This can be helpful in sidestepping password dictionaries that hackers may utilize, but it’s not enough on its own. Using something like, “Cadillak” instead of, “Cadillac” is really not much of an improvement.
Step up yo game, man!
Come up with a sentence that you can easily recall and put some numbers and other characters in there. Misspellings or L33T can be used to supplement a nonsensical phrase to create a solid passphrase.
Password Generators
You can also make use of password generators, if you’re not in the mood to come up with something yourself.
There are a couple caveats with these, however.
One: Make sure the generator you’re using is secure. If it’s a browser-based generator, make sure the site has proper certificates and is properly secured (https). If it’s an app, just know whether or not it’s safe and secure to use. Don’t use random software or websites for this. We’ll cite a few to use that are safe and reliable, below.
Generally, a password generator will have various options to use in creating a password. Things such as length and whether or not to use letters and special characters are prevalent options. You’ll want both.
This leads to caveat number two: Passwords made with these are randomly generated strings and are not quite as easy to remember.
Trying to recall a random 20-character string is going to be tough, especially as you make more and more of them for different things. But, for me, using a password generator to create a strong password is my go-to method. However, I generally only use them for passwords within my vault, because I won’t have to remember those.
I know how tempting it can be to just use the same password for virtually all your logins, but that’s a good way to get yourself in a bad situation, because if just one of those is hacked or leaked (which happens far too often), everything else that uses that same password is now at risk. On that note, let’s talk about updating passwords.
A few generators to consider:
LastPass Password Generator – Runs locally (passwords aren’t sent over the web)
Your password manager may have one built in, as well
Manual methods, like dice
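The two approaches above (a long passphrase you can recall, and a locally generated random string) can both be produced with a few lines of Python. This is an added example, not code from the post or from any of the products it lists; it draws randomness from the OS CSPRNG via the secrets module, and the wordlist is a constructed sample (a real dice-style passphrase needs a list of thousands of words).

```python
import math
import secrets
import string

# Character classes a typical generator lets you toggle (assumed example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}


def generate_password(length=20, classes=("lower", "upper", "digits", "special")):
    """Random password from the OS CSPRNG (secrets, never random.random).

    One character from each enabled class is drawn first so every class is
    guaranteed to appear; the rest is filled from the combined alphabet and the
    result is shuffled so the guaranteed characters are not all at the front.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle with secrets
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


# Constructed sample wordlist; use a real diceware-style list in practice.
SAMPLE_WORDS = ["grandma", "sandwich", "cabbage", "cadillac",
                "badger", "lantern", "velvet", "marble"]


def generate_passphrase(n_words=5, words=SAMPLE_WORDS, sep="-"):
    """Pick n_words uniformly at random from the list, like rolling dice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_position, positions):
    """Entropy of a uniformly random string: positions * log2(choices).

    Length matters most: each extra position adds log2(choices) bits, while
    adding a character class only slightly raises the per-position term.
    """
    return positions * math.log2(choices_per_position)
```

A six-word phrase from a 7776-word diceware list carries more entropy than an eight-character random password over all 94 printable characters, which is the whole point of the passphrase advice.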
Update Your Passwords
Even if you’ve got the most ironclad passphrase anyone could ask for, leaving it unchanged for a long time can lead to risk. Databases are hacked and leaked on a near-constant basis. The breaches you hear about are only a fraction of those that occur, and keeping up with all of them is difficult. Updating your passwords can help keep you protected, even if you never got news of a breach.
I often hear rhetoric enticing people not to do this because it’s difficult… Thankfully, using something like a password vault alleviates the need for perfect recollection of all your passwords.
There’s no excuse, now!
Yes, without one, changing your passwords constantly makes it that much more difficult to remember all of them, but when using one, it’s only a matter of spending the time to go into your accounts and update them. Time well spent, if you ask me.
Make it a habit to update them regularly and you’ll be doing yourself a favor. Every six months to a year is definitely worth it, and absolutely change them in the wake of a breach.
Password Managers
Thankfully, there’s a solution to most of your problems if you’re not someone who wants to mess with creating/generating and remembering all these passwords. If this sounds like you, then rejoice in the concept of a password manager!
What is a Password Manager? A password manager, or password vault, is software that stores and encrypts your passwords so you don’t have to remember them all.
Most vaults will not only store your passwords for you, they’ll also generate secure passwords, store URLs and usernames, provide auto-fill, and some even give security grades and analysis of your security habits.
With all of your myriad passwords accounted for, all you have to remember is the master password to access the vault. Cutting potentially dozens of passwords down to one? Sounds pretty nice, right?
Here’s a quick word on saving passwords: Allowing your browser to remember your passwords can be a security risk, but a lot of people do this anyway. Why? One word: convenience. Most people will simply take the easiest route. However, using a password manager will allow you to stop this bad practice.
Again, using auto-fill, you won’t have to allow the browser to remember passwords. Your manager will fetch and fill the usernames and passwords for you. Seems like a no-brainer, to me.
One thing to take note of when using a password manager is that it creates a single point of failure. This means that all of your passwords and anything else kept within your vault is all at risk if your vault is compromised.
Just make sure your system is well protected and your habits are on point, and you’ll be set. Another precaution you can take to help thwart things like this is using two-factor authentication. We’ll touch on that next.
A few points to consider when choosing: ease of use and syncing, platforms and availability, cost, features, encryption, and the provider’s track record and response in the face of exploits.
A few managers to consider:
LastPass – Free & paid, closed source. Platforms: Windows / macOS / Linux / iOS / Android
KeePassXC – Free, open source. Platforms: Windows / macOS / Linux
1Password – Free & paid, closed source. Platforms: Windows / macOS / iOS / Android
Dashlane – Free & paid, closed source. Platforms: Windows / macOS / iOS / Android
Two-factor Authentication
Two-factor (or multi-factor) authentication is a security measure that entails the user entering, not just one, but two or more forms of authentication.
Using 2FA, the user will enter their password and then a second form of identification, like a one-time use PIN or code. This adds an extra layer of security to your accounts, so that even if your password is somehow compromised and someone tries to use it, your account isn’t accessible without that second factor.
The second factor is usually delivered by one of two main methods: text message or an authenticator app.
To keep it short, an authenticator app is the preferable method. The reason is that intercepting a person’s text messages is not nearly hard enough, whereas with an app the nefarious party would also need your phone (and most of the apps have security measures of their own).
Using 2FA is a good move and you should really be using it wherever it’s offered. Thing is… it breaks the rule of convenience. I get it, I do. It’s one extra step for you to get into your account; but so it is for a hacker, as well. Yes, it digs into the convenience factor but it’s absolutely worth it if you value the security of the account in question.
Companies like Facebook have done things to somewhat sully the image of 2FA by using the information you give them to secure your account (in their case, your phone number) to sell ads. This irresponsible and shady use of information is unfortunate, but it shouldn’t deter you from using it when it matters.
You can also use tools like the YubiKey to provide extra authentication. This is a USB authentication device that supports several multi-factor authentication protocols. Using this small device can help simplify the process of authentication. Once your YubiKey is registered and set up, you just plug it in and touch the device to verify. Several managers support it; some fully and others partially.
Tips
Use a passphrase, instead of passwords (particularly handy for a master password)
Use long passwords, at least 15 characters in length (longer, if possible)
Don’t use an online password generator for sensitive accounts, such as banks (use a local generator or make it yourself)
Don’t allow your browser to remember passwords
Don’t reuse passwords
Use multi-factor authentication
Utilize a password manager to store and recall super strong passwords
Make sure your antivirus and anti-malware are solid and up to date
Conclusion
Keeping up with your online security can be an exhausting endeavor. The amount of facets, the protocols, the habits, the breaches and hacks, the countless unknowns… it’s a lot to think about. But when it comes to passwords, it’s worth applying the effort to do all you can.
There’s so much out there that we just can’t control. Doing what you can with the things you can control is worth all the hassle and inconvenience it may cause. Adding some things to your arsenal that alleviate some of that can make the whole battle go much smoother.
In my experience, the easier it is to accomplish, the more likely I am to consistently follow through on it. That’s what pushed me in the direction of password managers in the first place. The peace of mind I get, on top of the added convenience, is what made me stick to it.
As with most everything in the digital landscape, there are no absolute solutions to the infinite number of threats you could come across. In fact, breaches have occurred with these services, and the very nature of what they are makes them a target. However, doing your part to fortify the services on top of their own security measures is what really sets your personal experience apart.
As always, do your research and don’t blindly follow trends you may come across. Knowledge is the best weapon out there. Stay safe!
References
(1): Snowden, Edward. Interview with John Oliver. Last Week Tonight with John Oliver. HBO. April 2015.