Password Security

This is a topic that’s important for everyone who uses a computer. Computer security has been in the news a lot in recent years, with high-profile hacks of user login data at companies like Yahoo!, LinkedIn, Apple, and Adobe. Hackers are getting increasingly aggressive and sophisticated in their attacks, and everyone is at risk. I worked in the Information Security industry for 8 years, so this is a topic with which I am all too familiar.

One of the most common ways that individuals become victims of a hacker is poor password security practices. While you may not feel like you are a very interesting target, hackers don’t care who you are. If they get access to a password database containing your login and they can crack your password, they have automated programs that will try to use that password on a slew of other web sites, trying to access your bank, credit cards, email account, web site, and anything else that they can.

This isn’t just paranoia from a former IT security geek. With so many different web sites where people manage every aspect of their lives online, we are more vulnerable than ever, and the hackers are incredibly determined to access accounts, many times with dire results. Often, these hacks result in identity theft and bank or credit card fraud. Other times, web sites and email accounts are used for sending out spam and viruses. Either way, you don’t want to fall victim to an attack.

Three Rules of Password Security

1. Use a unique password for every site.

One of the biggest mistakes people make is using a single password for many different sites. Even if you have a good password, if it gets compromised, it can easily be used to get into all your other sites. You’d be surprised how many password lists are floating around on the Internet, containing usernames, email addresses, and passwords from hacked sites. The best way to reduce your risk is to use completely different passwords for every site. While it may be tempting to use a single password for some or all of your logins, password re-use makes it simple for a hacker to get into many of your accounts instead of just one.

2. Use a strong password for every site.

If you’re not using a strong password, it’s ridiculously easy for an attacker to hack into your account. Tools allow them to automate login attempts, and information they obtain from large web site hacks gives them plenty of data they can use to make the job even easier.

Key Elements of a Strong Password:

  • Long (12 characters or more)
  • Combines uppercase letters, lowercase letters, numbers, and special characters
  • Doesn’t include dictionary words or personal information

Replacing letters with look-alike numbers and symbols used to be adequate advice, but I don’t even recommend that anymore, as hackers know about these simple substitutions and can try those variants in their attacks. The best way to make a strong password is to use a password generator to create a completely random one. While a password like B1g-R3d-H0u$3 may seem secure, a password like 4y7Hm9#be7!oB9%r provides far more protection from hackers.

3. Change your password regularly.

Using strong and unique passwords goes a long way to improve your password security, but the last piece of protecting yourself from a compromised password is to regularly change your passwords. Last year, LinkedIn made headlines because a hacker was selling their password data from an earlier breach of the company. However, the breach took place in 2012, so if you were no longer using the compromised password from four years prior (on ANY sites), your compromised password data would be worthless to a hacker. Note that changing the number at the end of the password doesn’t really count as changing your password. If your password is Georgia2016, and it gets compromised, changing it to Georgia2017 won’t help at all. Hackers are sophisticated enough to try different endings to see if that’s the only change you made.
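The points in rules 2 and 3 can be checked mechanically. The following is an added example, not part of the original article: it generates a random password from the operating system's secure random source, and shows why B1g-R3d-H0u$3 and the Georgia2016 to Georgia2017 change offer little protection. The function names, the substitution table, and the four-word list are constructed for illustration.

```python
import re
import secrets
import string

# Character classes from the "Key Elements of a Strong Password" list.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)

# Constructed sample data: a few look-alike substitutions and a tiny word
# list standing in for the large dictionaries real cracking tools use.
LOOKALIKES = str.maketrans("013457$@!", "oieastsai")
WORDS = {"big", "red", "house", "georgia"}


def generate(length=16):
    """Random password from the OS CSPRNG containing every character class."""
    if length < 12:
        raise ValueError("use 12 characters or more")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry rather than patch characters in, so the result stays uniform.
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw


def dictionary_words(password):
    """Words left after undoing look-alike substitutions."""
    plain = password.lower().translate(LOOKALIKES)
    return [w for w in re.split(r"[^a-z]+", plain) if w in WORDS]


def only_suffix_changed(old, new):
    """True when two passwords differ only in their trailing digits."""
    return (old.rstrip(string.digits).lower()
            == new.rstrip(string.digits).lower())


if __name__ == "__main__":
    print(generate())
    print(dictionary_words("B1g-R3d-H0u$3"))
    print(only_suffix_changed("Georgia2016", "Georgia2017"))
```

A password manager's built-in generator does the same job as generate(); the two checks are the kind of test worth running on any password you made up yourself.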

How can anyone remember all these passwords?

Obviously, you can’t create long, unique, random passwords for every web site and then remember them all in your head. The only practical way to do this is to use a password manager. While some people are leery of storing their passwords this way, password managers are very secure, and their benefit far outweighs the risk of using and re-using a weak password. In addition to storing your passwords, most password managers include random password generators to create strong passwords for you, and they can remind you when you need to change your password.

There are several different options for password managers, but there are two main categories – ones that store your data in the cloud and others that store your data locally. Web sites like the popular LastPass (free, $12/year for premium) and 1Password ($36-60/year) store your passwords in the cloud, while password management programs like KeePass and AnyPassword for Windows, or EnPass for Mac, store your data locally on your system.

In 2017, a cloud-based password manager is probably the way to go for most everyone. If you prefer to keep your passwords locally on your computer, syncing your passwords between your computer and your mobile devices is more complex, and some of the functionality is limited compared to cloud-based password managers, which can auto-fill your passwords into web sites and apps, and can even use fingerprint scanners on your phone or computer to authenticate.

Bottom line, if you aren’t already using a password manager, you should be. It’s simple to set up and provides so much security against a common threat facing computer users today, because it’s the only practical way to keep track of all the strong passwords you will have once you stop re-using easy passwords. You’ll be more secure, and it will save you the time and frustration of forgetting your passwords.

For even better security on your accounts, I recommend enabling two-factor authentication, which gives a second layer of protection beyond just your password. For more information, see my article on two-factor authentication.