Written by Nicholas Borgerson, Knowledge Manager & Level II Supervisor
If you use the same few passwords for most of your accounts, you're like most people, and exactly what a hacker hopes to find. In this article I'll cover some tips on how to make good passwords, why you need a password manager, and what you should be doing to keep your passwords safe.
1 – Understand what makes the best passwords
There are many opinions about how to make a good password that can still be remembered. If we use a password manager, though, we can create much stronger passwords than normal, because we no longer need to remember them.
To get an understanding of what truly makes a good password let's take a look at how hackers attack passwords.
Hackers don't usually try to sign into accounts manually over and over again; that would set off alarms and probably lock the account so no more attempts can be made.
Instead, hackers will try to get hold of something called a password hash - a long string of scrambled text produced from the password. When a guess produces a matching hash, the hacker knows the password is correct. With the hash in hand, thousands (or even millions, depending on processor power) of guesses can be made per minute without setting off any alarms.
Calculating these guesses can take a lot of processing power and time. To speed things up, hackers can use something called a rainbow table - a large list of pre-calculated hashes - which allows dramatically more guesses per minute.
Dictionary files are also frequently used, so if your passwords are made up of words, the right combination can be guessed much faster than by trying every possible letter combination.
The good news is that there is a defense against dictionary files and rainbow tables: salt. Salt is the random addition of characters to the password when its hash is computed, which doesn't affect our ability to use the password but does make it much harder for hackers to crack.
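To see why salt matters, here is an added Python example (my own illustration, not code from the article) using only the standard library: two constructed users share a weak password, a small constructed word list stands in for a precomputed rainbow table, and the same passwords are stored both unsalted and salted with PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to choose the same weak password.
USERS = {"alice": "sunshine1", "bob": "sunshine1"}
# Constructed stand-in for a rainbow table: common passwords hashed once, in advance.
WORDLIST = ["password", "letmein", "sunshine1", "qwerty"]

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt (standard library only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_salted(password: str) -> tuple:
    """Return (salt, hash); the salt is stored next to the hash, not kept secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)

def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def build_lookup_table(words: list) -> dict:
    """Precomputed unsalted hash -> plaintext, the idea behind a rainbow table."""
    return {unsalted_hash(w): w for w in words}

def table_hits(stored_hashes: dict, table: dict) -> dict:
    """Users whose stored unsalted hash appears in the precomputed table."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}

def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    table = build_lookup_table(WORDLIST)
    return {
        # Same password, same hash: one table lookup exposes every such user.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_exposed": table_hits(unsalted, table),
        # Different salts, different hashes: the table is useless, each user costs fresh work.
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_verifies": verify_salted("sunshine1", *salted["alice"]),
        "wrong_password_rejected": not verify_salted("Sunshine1", *salted["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```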
Our other defense against a hacker cracking our password is length and complexity. The longer and more complex the password, the more time it takes to crack. Check out this interesting site and experiment with different kinds of passwords to see how long it might take a hacker to crack each one. You may find that a complex password of 8 characters would only take a day to crack, but a password of 16 characters would take centuries. Using dictionary words makes a password dramatically easier to crack.
So, the passwords we choose need to be random, long, and complex, and we need to make sure the software we're using to manage these passwords uses salt in its hashes (an Excel spreadsheet probably isn't going to cut it).
2 – Choose a password manager wisely
Now that we've established what kinds of passwords we need, you may be wondering how exactly you're going to remember these long, complex passwords. The good news is you won't need to remember all of them: you can use an app to generate, manage, and copy/paste them for you.
There are many password manager apps out there and they're all a little different. Here are a few things to consider when choosing one:
Are they trustworthy? Where are they based (hopefully in a friendly country)? Where is the data being stored? Have they been audited for security (SOC 2 and PCI compliance are good indicators that they have been)?
Are there apps available on Mac/PC and your mobile device?
Is the password database stored locally on your devices or in the cloud?
What kind of encryption is used to store the passwords? It should be AES-256 or better; "industry standard" or "military grade" is not good enough and doesn't actually mean anything.
Are the password hashes salted? Don't be shy about reaching out to their support to ask!
Is a browser extension needed to work on Mac/PC? Browser extensions that automatically fill in the username and password when a page loads are susceptible to malicious web page attacks.
If you're not sure where to start, here is a list of suggestions to get started with.
3 – Use different passwords for everything
So, now that you've created a great password with your password manager, you just need to use it for all your accounts, right? You can probably guess the answer is no, but why?
Hackers commonly use programs that let them check a username and password combination against more than 1000 sites and services. If you use the same username/email and password for your accounts and one account gets breached, all your other accounts that use the same password are also breached.
You can limit the damage done by data breaches by using a different password for each account; that way, if your password gets leaked, only that one account needs to be reset.
4 – Understand the risks and have a backup
Using a password manager is not without its risks. What happens if you forget your master password? What if the company you selected gets breached? What if your phone or computer dies?
Research your password manager carefully and get answers to these questions. No matter which manager you use, you will probably need to commit a few passwords to memory, such as the password to log in to your computer, the PIN to unlock your phone, the master password to your password manager, and the password to your primary email address.
Test your backup plan regularly to make sure you're ready in case something happens.
5 – Change your passwords regularly
Earlier in this article we talked about how the length and complexity of your password affect the time it takes to crack. Here are two additional things to consider:
Processing power is increasing exponentially every few years. What takes centuries to crack today may only take months a few years from now.
Most of the time usernames and passwords aren't cracked, they're breached. Usernames and passwords are leaked every year from companies like MySpace (remember them? How many of your other accounts used the same password?).
Changing your passwords regularly, maybe once a year, will essentially reset the timer for anyone trying to crack your password hash, and will also stop hackers who may have found your password in a data breach.
Bonus item: Layer 2-factor authentication with your passwords
Remember those few passwords I mentioned earlier that you're probably going to need to commit to memory, even when using a password manager? Consider adding another layer of protection on those accounts - commonly called 2-factor authentication - since the passwords on those accounts are probably going to be weaker.
For example, you can configure your Google account to text you a code when signing in from a new device. After entering your password you'll be asked to enter the code from the text message as well.
2-factor authentication can help protect your most sensitive accounts, so even if a hacker does get your password they still won't be able to sign in, because only you will be receiving the needed codes.
Finally: Roll out your new password strategy
Now that we know what good passwords look like, and we have selected and configured a password manager, it's time to get started using it.
You might be surprised and a bit overwhelmed at the number of accounts you have between email, social media, productivity apps, and work. Don't panic; you don't need to enter all of them at the same time (well, unless you think the one password you've been using has been breached).
Instead, whenever you open a website that has a username and password, reset the password and enter it into your password vault. Over time you'll get all the accounts you use.
Be sure to set your web browser not to save passwords. Once a password has been entered into your password manager, delete it from the web browser's saved passwords. Your web browser is not a password manager and does not meet our requirements for encryption or security.
Thanks for giving this a read, and I truly hope it helps you manage your passwords, letting you live better and more securely. For me, using a password manager has been a game changer, taking something dreadful and making it trivial.