Passwords are something we all have to live with. There are other authentication methods slowly coming into use (i.e. two-factor) but it's hard to see passwords going away anytime soon.
I assume everyone knows the basics - use "good" passwords, don't share them between sites, don't write them on a sticky note on your desk, don't save them in a file named "passwords.txt" on your computer, etc etc.
That's all well and good, but there's so much more you can do!
Good Passwords
A "good" password is hard to guess, is what we're told. I think most people are unclear about what exactly "guess" means. These days, it means that it needs to be resistant to password cracking attacks that are getting ever faster and more sophisticated. Just making sure that you have numbers, special characters, upper/lower case, etc. isn't enough.
The single most important thing about a password is that it is long. The longer the better. This isn't a post about password cracking, but believe me, the math shows that a long password with no special characters or even numbers is still way better than a short one that has them. This is crucial.
So, think in terms of passphrases, not passwords. The human brain can remember a more or less nonsense list of several words as easily as a nonsense string of letters/numbers/punctuation. And it ends up being way, way longer. One passphrase I use a lot has 30 characters - from 5 words plus a number.
There are sites out there that will generate nice random passphrases for you. I'd recommend using one!
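To put numbers on the "length beats complexity" claim above, here is an added example (not from the original post) that computes the search-space size in bits for a short all-symbols password versus a multi-word passphrase, and generates a passphrase the way such a site does. The 7776-word list size is the common diceware figure; the eight-word SAMPLE_WORDS list is a constructed stand-in for a real word list.

```python
import math
import secrets

# Constructed toy word list. A real generator draws from thousands of words;
# WORDLIST_SIZE below models a 7776-word diceware-style list.
SAMPLE_WORDS = ["apple", "river", "candle", "orbit",
                "fabric", "meadow", "signal", "timber"]
WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 94      # upper + lower + digits + punctuation
LOWERCASE = 26


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols,
    each chosen independently from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """An attacker enumerating the whole space needs, on average, half of it."""
    return 2 ** bits / 2


def compare(short_len: int = 8, words: int = 5, plain_len: int = 20) -> dict:
    """Compare three styles: an 8-char password using every printable symbol,
    a 5-word random passphrase, and a 20-char lowercase-only string."""
    short = entropy_bits(PRINTABLE_ASCII, short_len)
    phrase = entropy_bits(WORDLIST_SIZE, words)
    plain = entropy_bits(LOWERCASE, plain_len)
    return {
        "short_bits": short,
        "phrase_bits": phrase,
        "lowercase_bits": plain,
        # how many times more work the passphrase costs than the short password
        "phrase_vs_short": expected_guesses(phrase) / expected_guesses(short),
    }


def generate_passphrase(words: list, n_words: int = 5, append_digit: bool = True) -> str:
    """Pick words uniformly with the OS CSPRNG (secrets), never random.random.
    Matches the post's "5 words plus a number" shape."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if append_digit:
        chosen.append(str(secrets.randbelow(10)))
    return " ".join(chosen)


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v:,.1f}")
    print(generate_passphrase(SAMPLE_WORDS))
```

With these figures the 5-word passphrase has roughly 64.6 bits against 52.4 for the 8-character symbol soup, so it costs an exhaustive attacker about 4,700 times more guesses; even 20 plain lowercase letters (about 94 bits) beat both.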
Password Managers
And where will you keep all those passwords? No, not in that "passwords.txt" file. Use a password manager. There are many out there, like LastPass. You can also save them in your browser. All these are better than using the same password on more than one site. If you use the same password on crappy sites as on your email or bank site... you're in trouble.
Personally, I prefer to use a local password manager that saves the passwords encrypted on my computer. By not using a service, I'm not vulnerable if the service gets hacked. And it works even without internet. I just throw the file in dropbox to make sure I have it backed up well (in addition to the usual computer backup). It also runs on just about any platform you can imagine. Because the file is saved in dropbox, I can share it with other people if desired.
Two Factor Authentication (2FA)
I'm sure most of you have heard of it; if not, google it. But I recommend turning on 2FA anywhere you can - at least the kind that verifies via SMS.
Security Questions
In my opinion, security questions are a disaster. Sometimes you'll be forced to use them - don't use real questions and answers! Anything that can be researched or guessed is a possible way for someone to take over your account. I save the question and gibberish answers in my password manager. Treat them like a password.
Your Email is Critical
Now, more than ever, the security of your email is paramount. Most websites have a 'forgot password' system tied to an email address. If someone gets access to your email, it's a simple step from there to taking over your other accounts. If you protect nothing else, protect the email account!