Posted by on January 11, 2018

Your Passwords

login-username-and-password-image-from-shutterstockYour Passwords: a reader asks…

So what’s your current guidance on passwords?

It’s a simple 3-prong strategy. First, make your passwords long (the more characters the better, even more than 20). Second, make them unique (don’t use the same password in multiple places), third, use a password manager (software program to help you manage your passwords).

The only thing left to account for is any password requirements that specific online destinations have. Some websites require old-fashioned password complexity – meaning that you have to use at least one from each type of character: capital letter, lower-case letter, number, special character. The websites that still require this simply haven’t kept up with the times, that’s no longer good enough – password length is all that matters. By the same token, some websites will only let you use a password of so many (range of) characters, such as 8-15 characters. Again, this is now overcome by the advancement in hacker password-breaking abilities. My 3-pront strategy really is simple, but let’s break this down for you:

KeepCalmLongPasswords

Long passwords:  It used to be 8 characters was good enough, and then 13 characters. Nowadays though, I think 20 characters is the minimum you should consider (assuming the website allows a really long password). This is because hackers have harnessed the power of modern computers and graphics adapters with their math-ey super-brain GPUs that can go through millions of password attempts in minutes. This used to take days, then hours. Soon it’ll be seconds. So short passwords of any character combination are nearly useless.

While it’s fine to use different character types (and required on some websites), this is a very minor improvement compared to maximizing the total number of characters used in a password. Capital letters, lower-case letters, numbers and any other type-able characters (on your keyboard) are all fine to use however you like. Some folks use common substitutions such as using the number 2 for the words to, too or two, using a 3 instead of a B, etc. Don’t think for a moment that hackers don’t know this also. Hackers have some pretty sophisticated algorithms they use to crack passwords.

And of course, don’t use the most common passwords. Our friends at Gizmodo put out a new list every year of the 25 most common passwords. The absolutely most-common are (and have been for years) “Password” and “123456”. Despite all the news and brouhaha, many people still use easy-to-guess passwords. Our friends at InfoSecIsland list the top 10 password cracking methods, and the top two remain “Dictionary” and “Brute Force” attacks. The former uses lists of words commonly used for passwords, trying each one of them out on your online accounts hoping for one that works. The latter builds on a dictionary attack by adding variants with substituted characters (capital letters, numbers and special characters) commonly used by consumers.

hand-holding-tweezers-pulling-password-from-data-image-from-shutterstockUnique passwords: I think it’s safe to say that even in 2018 most people use the same password in multiple locations. Without help, it’s impossible for near any human to remember long and complicated passwords for all the online destinations and accounts they use. The problem with this is that if one of your accounts is hacked, a hacker can easily gain access to all of your accounts.

Advertisement

Given the ‘forgotten password’ feature of many/most websites, your email account password is probably the most critical one to keep unique. If a hacker gains access to your email account, they can easily use that to gain access to all your accounts by resetting passwords. This forgotten password feature usually sends you (via email) a password reset link or a new, temporary password. The hacker who gains access to your email account can then use this information and lock you out of all your accounts easily.

But every one of your online accounts is important, so it’s vital to the health of your digital life for you to adopt a 100% unique-ness to your online passwords. Of course this isn’t possible for you to keep all those passwords in your head, hence the 3rd prong of our strategy:

password-manager-logosUse a Password Manager: There are plenty of services out there, my favorites are LastPass and 1Password. But it’s less important which one you use (within reason) than that you use one. You could even write down all the passwords that you use, or save them in a spreadsheet or other file, although that can be cumbersome to use on a daily basis. And yes, these password managers are subject to being hacked themselves, they are attacked daily. But their benefits to you far outweigh the minimal risk.

For example, LastPass keeps your vault of passwords locked in an encrypted file on a secure server in the cloud. That file is encrypted with a key that only you have, which is based on a single master password that you commit to memory. Of course, if your master password is “123456” you’ll have essentially negated the benefit, so make that master password really long and impossible to guess. Don’t write it down, spend the time to commit it to memory.

LastPass uses web browser extensions to make it convenient to use, so the password manager can fill in the username and password for websites you visit easily and quickly. LastPass also makes it easy to change passwords and record those new passwords in your vault. All without seriously compromising your security.

My recommendation is to NOT use the password remembering feature built into your web browser. All mainstream web browsers have this handy yet unsecure feature built in – visit the settings of your browser and turn it off immediately after you’ve migrated the store of passwords to your password manager.

Following this three-prong strategy will help protect you and your digital life from being hacked, but it’s not foolproof. You also need to practice safe computing. I have lots of tips in these articles:

The sad fact is that hackers are well-funded, motivated and highly creative in the ways they work. You have to be on your guard constantly, and adjust your actions as the threat changes (and it changes often). Hackers are always coming up with new ways to counter tried-and-true security practices, so you have to be flexible and responsive to the threats.

 

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via Click or tap to open a new browser tab or your Venmo app and send money via Venmo to @positek (send to @PosiTek), Click or tap to open a new browser tab or your Paypal app to send money via your Paypal account to support@positek.net (send to Support@PosiTek.net), Click or tap to open a new browser tab or your Paypal app to send money using your credit card to support@positek.net (no Paypal account required) using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thank you!

Go to Top of Page

Share This

Author: Your Tech Coach at PosiTek.net
There are currently 1277 reader comments on published articles, care to join in? Use the Leave a Comment form below/at the bottom of any existing comments. This is a good place to ask follow-on questions on this subject.

Leave a Comment

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

This site uses Akismet to reduce spam. Learn how your comment data is processed.