Password advice

Recent studies have shown that the conventional wisdom on passwords is wrong, so you need to rethink your password strategies.

How to Create Better Passwords

Don't Reuse Passwords

Even if your organization has not been breached, password reuse puts it at risk.  The cyber criminals know that if a password was ever used before, it’s likely to be found again.  With a solid cracking dictionary, the cyber criminal never needs to resort to brute force guessing, and hashed passwords become only an inconvenience.  Cracking dictionaries and rainbow tables are commonly shared among cyber criminals.

Don't Use Complex Passwords

Experts recommend removing all password complexity rules since they just create a false sense of security.  A big problem for all users is remembering their passwords, so they try to make them simple and use them over and over again. 

  • Periodic password change requirements:  There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security.
  • Algorithmic complexity:  Mixing upper case letters, symbols and numbers, like frequent password changes, has been shown to result in worse passwords.  Conventional wisdom says that password complexity can only be a good thing. But in reality, complex password requirements can do more harm than good. Making users' lives easier, not harder, is the way to ensure stronger passwords.

Don't use password hints or knowledge-based authentication

Allowing you to leave a hint to your password or answer a personal question like “What street did you grow up on?” to reset passwords is also now not recommended by experts. With the constant dissemination of personal information on social media or through social engineering, the answers to such questions or hint prompts are easy to find.

Don't use commonly used passwords

Require every new password to be checked against a “blacklist” that can include repetitive or sequential strings, variations on the site name and the passwords hackers are most likely to guess.

Don't use compromised passwords

Make sure that your online accounts check your credentials against lists of compromised credentials, so that you are not using or creating a password that is already known to cyber criminals.  Screening passwords against lists of commonly used or compromised passwords is one of the best ways to ratchet up the strength of your passwords.  No site should allow the use of known, compromised credentials.

There are two benefits of this simple policy:

  1. It closes a glaring gap which otherwise leaves your password layer completely open to credentials exposed in third-party breaches.
  2. It ensures that your passwords are unique enough to not be reversible using cyber criminal cracking dictionaries.

Increase password length & simplicity

Keep passwords simple, long and memorable, since longer passwords are harder for hackers to break.  We are really bad at random passwords, so the longer the better. Length matters a lot more than complexity, which is why new guidelines call for a strict 8-character minimum and suggest raising character maximums to at least 64.

  • Phrases, lowercase letters and typical English words work well. Experts no longer suggest special characters and a mix of lower and uppercase letters. If you can picture it in your head, and no one else could, that's a good password.
  • Longer passwords are harder for hackers to break.

No need for periodic password resets

Having to reset your password every few months doesn't actually work. When most people have to create new passwords regularly, they tend to make them weaker from the start.  This makes people change their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S). So, if a hacker already knows your previous password, it won't be difficult for them to crack the new one.  
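The screening rules from the blacklist, compromised-password, length and reset sections above, put together as one server-side check routine. This is an added example and not code from the original page: the site name `examplebank`, the small common-password set and the tiny "breach corpus" are constructed stand-ins, and `range_lookup` imitates a k-anonymity hash-prefix query locally instead of calling any real service.

```python
import hashlib
import re

# Hypothetical site name used for the "variations on the site name" rule.
SITE_NAME = "examplebank"

# Constructed excerpt of a common-password blacklist (a real one is far larger).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Constructed stand-in for a breach corpus: SHA-1 digests of a few passwords
# we pretend were exposed in third-party breaches.
_BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper()
             for p in ("password1", "summer2019", "correcthorsebatterystaple")}

# Undo the usual letter-for-symbol substitutions so "P@$$w0rd" compares as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(pw):
    """Lowercase and strip leet substitutions before comparing against lists."""
    return pw.lower().translate(_LEET)


def has_repetition(pw, run=4):
    """True if any character repeats `run` or more times in a row (aaaa, 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def range_lookup(prefix):
    """Local imitation of a k-anonymity range query: given the first 5 hex chars of a
    SHA-1 digest, return the suffixes of every breached digest with that prefix.
    A real service is queried over the network with only the prefix."""
    return {h[5:] for h in _BREACHED if h.startswith(prefix)}


def is_compromised(pw):
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def too_similar_to_old(new, old):
    """Catch the predictable reset patterns: the same password after symbol
    substitution, or the old one with a character or two added at the end."""
    n, o = normalize(new), normalize(old)
    return n == o or (n.startswith(o) and len(n) - len(o) <= 2)


def check_password(pw, old=None):
    """Return the list of reasons the password is rejected; an empty list means OK."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    if has_repetition(pw):
        reasons.append("repeated characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    # Trailing digits are stripped first so "Password1" is still caught as "password".
    base = normalize(pw.rstrip("0123456789"))
    if base in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    if SITE_NAME in normalize(pw):
        reasons.append("contains the site name")
    if is_compromised(pw):
        reasons.append("found in a breach corpus")
    if old is not None and too_similar_to_old(pw, old):
        reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "ExampleBank2024!", "abcd1234", "correct horse battery staple"):
        print(pw, "->", check_password(pw) or "OK")
    print("Summer2019! after Summer2019 ->", check_password("Summer2019!", old="Summer2019"))
```

Note that the length rule is the only composition rule left; nothing here demands mixed case or symbols, in line with the guidance above. The breach check never sends the full hash anywhere, only its prefix, which is what makes it safe to run against an external corpus.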

Enable "Show password while typing"

Typos are common when entering passwords, and when characters turn into dots as soon as they're typed, it's difficult to tell where you went wrong. This can motivate you to pick shorter passwords that you're less likely to mess up, especially on sites which only allow a low number of login attempts.  If you choose, when alone, to have the password displayed during typing, you'll have a much better shot at putting lengthy passwords in correctly on the first try.

Cut & Paste in password fields

“Paste” functionality is now advantageous due to the widespread use of password managers. Password managers generate and store long, complex passwords that you can access through a single master password. If these lengthy, machine-generated passwords can be copied and pasted into a password field, they're not a problem for you. However, if you're faced with the prospect of memorizing and manually typing in such passwords, you may be tempted to stick with short passwords.

MFA - Multi-factor Authentication

For some accounts, passwords are not enough. To make sure you are properly protected, multi-factor authentication is the way to go.  A verification that requires you to demonstrate at least two of “something you know” (like a password), “something you have” (like a phone), and “something you are” (like a fingerprint) drastically decreases the probability of a successful hack.

More Tips for Making Your Password Safer

  • Use different passwords for every account that you have. Don't use the same password or user name again.  Many online stores and even some information-based web sites require that you register to use their service, and that requires having a user name and password. No matter how easy it seems to have one user name and password for all your Internet accounts, don't do it. If you desire convenience, create one password and user name combination that you use for all your non-bank accounts. If an online store, or any web site, sends you an email confirmation that contains a new password, log in again and change your password immediately.
  • Create a different password for your financial institution. Remember, many web sites don't have the security your online financial institution does. Don't allow your password to inadvertently be revealed or misused.
  • Log off each time if using a public device or if people are around who can see your password.
  • Make sure that no one is watching you enter a password.
  • Try not to enter passwords into public computers, such as at the library. These often have malware on them that steal passwords.
  • Use security software and update it regularly.
  • Do not give your password to anyone. Though you might trust them now, there is no guarantee that they will always have your best interest in mind.
  • Avoid entering any password into a device when connected to an unsecured Wi-Fi connection, such as at a coffee shop or airport.
  • Use a minimum of eight characters and mix up numbers, letters, and symbols in the password.
  • Don't save the password on your computer.  Many modern browsers allow you to save passwords on the computer's hard drive and have them come up as you type in your username. It may be convenient, but you allow anyone with access to your computer, whether for a couple of minutes or hours, the ability to access your account. It may never happen, but don't make it easy for your account to be accessed.
  • Choosing a good password is an important part of lowering the risk of becoming a victim of cybercrime. The following guidelines should help you when choosing passwords for your online accounts.

Add extra security with 2-Factor-Authentication: Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account.

This site, HowSecureIsMyPassword.net, will tell you how strong your passwords are.

  • Feel free to write down your passwords, but make sure they are not near your computer. Instead, put them in a secure location.
  • Write down clues to help you remember your password. 

What Is Social Registration?

With the growth of social media, social networking sites, such as Twitter and Facebook, want you to use the name and password you use on their sites to log into other sites. The idea behind the concept of social registration is that all users have an established identity that they use online. As the months and years pass, the users' identities in each platform or community begin to merge, which allows us to shop, communicate, and connect to another device. This also allows you to move from one website to another while logging in only once.

Here's the problem. If even one of these accounts is compromised, and it links to others, then the hacker has access to a number of accounts with only one hack. So, whenever possible, try to create new usernames and passwords for all accounts instead of using your Google and Facebook credentials to log in.

What You Should Know About Password Managers

The best way to deal with password management is to make the small investment into purchasing a password management service that will store your passwords in both the cloud and your computer. The best thing about these is that you will only have to remember one master password, and that will give you access to the rest of your passwords. They also include a password generator tool that lets you create passwords that can’t be cracked. You also won’t have to remember these passwords because they are all stored in the manager.

Using these password management tools is extremely easy, and you will never take the chance that you will forget a password ever again. You can easily log into any internet site with only a single click of the mouse.  These programs automatically sync your password data, so you can access them from anywhere whenever you need them. They are also safer than not having one, and they help to protect you from online fraud, phishing scams, and malware. They are also extremely secure, and all of your data is locally encrypted on your PC, and only you have the power to unlock it.

Here’s what to look for in a password manager:

  • One that can sync across multiple PCs and multiple browsers.
  • Has a smartphone app that syncs with the cloud.

Risks:

  • The security of password managers is almost a nonissue at this point, as most of them use such strong encryption that it is extremely difficult to crack.
  • The real vulnerability that you will experience when using a password manager is with your personal computer and any malware that can take a screenshot or keystrokes. Make sure that you are running virus scans and update your antivirus software to prevent infections.
  • Another thing that you can do is to use the onscreen keyboard to enter passwords instead of the keyboard itself. This helps you to avoid keystroke logging.