6 Crucial password security tips for everyone

This blog was written by an independent guest blogger.

These days, everyone has passwords. Lots and lots of passwords! When I think of how many user accounts with passwords that I have, I probably have dozens. A few for social media platforms like Twitter and LinkedIn, a few for my favorite media streaming services, one for Nintendo Switch and another for the PlayStation Network, a few for my utilities including electricity and my ISP, a few with Amazon and other online retailers, one with the government to file my personal income taxes, my home WiFi password, a Gmail account for all of my Google and YouTube stuff, accounts to authenticate into a couple of different web browsers, an account for my bank’s website, and there are probably at least a dozen more. And I’m a pretty typical technology user. So chances are, you have many similar online accounts as well.

Our 21^st century reality where we each need lots of user accounts in order to fully participate in society makes us all susceptible to being harmed in data breaches. And the scary thing is, data breaches happen constantly. All the time. For every data breach you read about in the news, there are lots more that people don’t know about. Passwords are an imperfect method of authentication. Many people in the cybersecurity industry would love to see passwords be completely replaced. We do have other means of authentication, such as the biometrics you may sometimes use to unlock your phone with your face. But we haven’t been able to completely get rid of passwords yet. So in the meantime, it’s up to all of us to be conscientious about how we use them. Here are some things you need to know about passwords so you can improve the security of your digital life.

1.  The most important factor in creating passwords that are difficult to crack is to use as many characters as possible. The days of eight character passwords are hopefully over. There are mathematics involved in password cracking, so each additional character in your password multiplies the time it would take a cyber attacker’s software to crack it. When you create a password, use as many characters as the application will allow. If an online service allows passwords of up to 20 characters, make a 20 character password. If you’re allowed to make a 50 character password, do it! If you have to remember a really long password, try making a sentence with multiple words you can remember. Maybe try a line in a favorite poem or song lyric. Be sure to throw some numbers and special characters in there and “YouCanCreateAVeryStrongPasswordLikeThisOne_2BSure!”
2. Use a password manager, both in your desktop web browser and on your phone. Password managers have two very useful features. The first is obvious, being able to store the usernames and passwords you use with dozens or even hundreds of different online services and applications. The second really useful feature that pretty much all password managers have is the ability to create very secure randomly generated passwords for you. They can create really long passwords with random combinations of upper case and lower case letters, numbers, and special characters-- the kind that are very difficult for human beings to remember. When you use a password manager, difficult to remember passwords are fine because you don’t have to remember them! The password manager will remember them for you. Most major web browsers have password managers built-in, but many people prefer third party password managers and find that they’re well worth the monthly or annual fee that they pay for the service. They can be installed as both web browser plug-ins and as an app on your phone. Research online and see which password managers people recommend.
3. Your password for your main email account is probably one of the most important passwords that you have, other than perhaps the master password for your password manager or the password for your home WiFi. That’s because if you forget a password for one of your other services, you can often request a password reset link to be sent to the email address they have on file. Therefore your main email account plays a key role in your password management. If you have privacy in your home, you could write the most important passwords that you can’t keep in a password manager on a piece of paper in a safe place. I personally keep a note with my WiFi and router management passwords on a piece of paper that I keep on top of my refrigerator. That’s pretty safe because I live alone. If there’s a place at home that only you have physical access to, then that’s an effective strategy. Keep in mind that I only write down passwords that can’t be stored in my password manager! And if I ever move, that paper note is either going to be packed in my suitcase or put through a paper shredder. I’m conscientious that allowing other people physical access to that note would be a terrible idea for my personal security.
4. Enable two-factor authentication wherever possible. It’s an online service’s responsibility to make two-factor authentication (2FA) available, and it’s your responsibility to use it if it’s an option. If a password to your account gets breached, that second factor is what could stop a cyber attacker from accessing your account. Most of the time, 2FA is deployed as a six or seven digit number that will expire less than an hour after you request it. Often the temporary code is sent by text message. If it’s possible to use a dedicated app like Google Authenticator, choose the app instead because text messages are easier for cyber attackers to intercept. But if text messages are the only option for 2FA, using that is much better than having no 2FA at all.
5. Although we don’t know about all data breaches, it is possible for you to be notified of known data breaches which affect your accounts. I strongly recommend signing up for a free data breach notification service like Have I Been Pwned or Firefox Monitor. If and when you’re emailed about a data breach affecting one of your accounts, this will give you the opportunity to change your password as soon as possible so the possible damage that the breach could do to you is mitigated.
6. Never reuse passwords ever! You could have the strongest password imaginable. But if that password is exposed in a data breach, it’s likely that cyber attackers will sell your password in a database through an illicit market on the dark web. Attackers will often use the passwords they find through data breaches and try to use the same password with your other accounts. It’s a type of cyber attack we call credential stuffing, and it’s alarmingly common.

If you let these tips guide your everyday digital life, your online identities can be better protected from the data breaches and cyber incidents that affect people every single day. Nothing is 100% secure, but you can improve your security. It’s much like driving a car. You can’t eliminate the risk of car accidents and they’re not always your fault. But if you obey the rules of the road, you likelihood of getting into a car accident will decrease.