Continuing with our 101 series of introductions to privacy-related issues and responses, today we discuss password hygiene. As always with our 101 content, this is just the basics of the issue at hand. We will certainly put together a password best practice article in the future, including ideas for setting strong passwords and strategies for remembering them.
Edit: As alluded to above in the original version of the article, click here for our Setting Strong Passwords article and our Password Managers 101 article.
Why are we bad at setting strong passwords?
We touched on this in our Two Factor Authentication (2FA) 101 article: we are naturally bad at setting passwords. As mentioned in that piece, this is partly down to Security Fatigue and the sheer volume of online accounts we're expected to have (and seemingly for everything!).
It's fair to say most people want to use good, strong passwords to keep their accounts safe. However, most folks tend to throw in the towel once they follow the best advice for a password, forget it a few times, and then revert to a combination of what's listed as bad password hygiene further below. There isn't a silver bullet aside from dedicating some time to this, as outlined throughout this article. To answer the question: we're bad at it because a good, strong password requires many elements, and those same elements make it difficult to remember.
There are many ways passwords can be compromised but the two main ones are:
- Brute force: A bad actor tries a very large list of possible passwords to try to guess the right one. With the right technology, such as this, they can make 100,000,000 guesses every second. A six-letter, lowercase-only password has about 309 million (26 to the power of 6) possibilities, so it can be guessed in well under 5 seconds! Note that this rate assumes the attacker already holds a copy of the site's stored password hashes and is guessing offline; a login form itself will usually lock or slow down after a handful of failed attempts.
- Credential stuffing: A bad actor gains access to a list of usernames and passwords from a data breach and tries them against your other online accounts.
Bad password hygiene
Even if you don't follow best practice, at least avoid the worst approaches to setting passwords, such as:
Reusing the same password: By far the worst habit is to use the same password for all of your accounts. If you only take away one change from this article – make it this one and cut the habit.
Using searchable information: If your password contains names of your spouse, child, parents, pets or birthdays or your favourite sporting team it’s not a good password. A good rule of thumb is: the words in your password shouldn’t be found on your social media.
Sharing passwords: This is particularly bad if the password shared is also attached to any other of your accounts. Also, don't leave passwords written down or lying around the house, and avoid texting or emailing passwords.
The obvious passwords: You know the ones that regularly make the lists of the worst passwords to have, such as "password", "123456", "password123", "Password:" and the like. These sit at the very top of the lists a brute force tool tries first.
Not so secret questions: The usual suggestions for secret questions to prompt a forgotten password tend to be answered truthfully. This seems logical, sure, but think back to the second point in this section about using searchable information! As a minimum (and yes, it involves a bit of memory work too), set your answers to secret questions so they aren't truthful. Your mother's maiden name can be the name of your first pet, the street you grew up on can be the street of your dream house, and so forth. You may get it wrong the first time, but having a correct answer rejected as wrong should trigger what you actually listed for the secret question.
Good password hygiene
Simply put, the opposite of what's above in the bad password section, plus a few more points to help. If you follow through on what's below, you'll be in a far lower risk category than those who practise bad password hygiene. Don't be the low-hanging fruit for bad actors!
Length: The longer the better, and this is why when setting passwords you're prompted for a minimum of 8 characters. Every character you add multiplies the number of 'guesses' needed to crack it, so don't stick to the minimum; people are known to go as high as 30 characters. It's also worth advising to avoid setting a password that would embarrass you if leaked. This tip is particularly helpful against brute force attacks. Finally,
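To put numbers on the brute force point made earlier and the advice on length above, here is a small added calculator (our own illustration, not a tool referenced by the original article). It uses the article's quoted guess rate of 100,000,000 guesses per second and works out the character classes a password uses, the size of the resulting search space, and how long exhausting that space would take. The guess rate, the class sizes and the sample passwords are assumptions chosen for illustration.

```python
import string

# Guess rate quoted in the article: 100,000,000 guesses per second.
# This is an assumed figure for an offline attack on a stolen hash database,
# not what a rate-limited login form would allow.
GUESSES_PER_SECOND = 100_000_000


def alphabet_size(password: str) -> int:
    """Size of the smallest 'obvious' character set covering the password.

    Lowercase, uppercase, digits and symbols count as separate classes, which is
    how a cracking tool's mask attack would size its search. Anything outside
    printable ASCII is counted as one extra class so the result is never 0.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    size = 0
    for chars, class_size in classes:
        if any(c in chars for c in password):
            size += class_size
    known = string.ascii_letters + string.digits + string.punctuation + " "
    if any(c not in known for c in password):
        size += 1
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alphabet ** length


def worst_case_seconds(length: int, alphabet: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole keyspace. On average the attacker needs half of it."""
    return keyspace(length, alphabet) / rate


def crack_time(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case brute force time for a concrete password."""
    return worst_case_seconds(len(password), alphabet_size(password), rate)


def humanise(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '3.1 seconds'."""
    units = [
        ("years", 365 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords; none of these is a real credential.
    samples = ["abcdef", "hunter2", "Tr0ub4dor&3", "correct horse battery staple"]
    for pw in samples:
        print(f"{pw!r:32} alphabet={alphabet_size(pw):3} "
              f"length={len(pw):2} worst case: {humanise(crack_time(pw))}")
```

Running it shows the six lowercase letters from the article falling in about 3 seconds, while the 28-character phrase at the end would take longer than the age of the universe at the same rate. The caveat a practitioner would add: this arithmetic is the ceiling, not the floor. A cracking tool tries dictionary words, leaked passwords and common substitutions first, so "Tr0ub4dor&3" falls far sooner than its 95-character alphabet suggests, which is exactly why the searchable-information and obvious-password points above matter as much as length.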
Unique: If you have to reuse passwords, at the very least come up with at least five and use them based on a category: one password for all social media, a different one for all email, a different one for all online shopping accounts, and so forth. This still isn't best practice or even ideal, but it certainly beats using one password for all accounts. It is particularly helpful against the credential stuffing outlined earlier, as if one password is compromised only one category of accounts goes with it.
Separate work & personal: In the same family as the point above: do not mix your work account passwords and personal account passwords. A bad actor having access to your personal account is one thing, but they can do substantial damage with access to your work accounts, which could result in damage to your organisation, a loss of revenue and/or a loss of employment for you. On top of that, if you're at a big organisation, your in-house IT team may have visibility of your passwords. We wrote an introduction to doxing last week and touched on the fact that everyone has enemies, and sometimes you don't know that someone has it in for you.
Enable 2FA: Here's our introduction to enabling 2FA, highlighting how it protects your accounts from unauthorised access even if a password is guessed or leaked.
Consider a Password Manager: These do have their pros and cons which are listed in the linked article to this point but they do make a viable option if you really struggle to remember multiple passwords. Popular ones in the market currently are (in no particular order as we have no affiliate relationship with any of these): Dashlane, 1Password and LastPass.
Change passwords regularly: We know this one will invoke the most eye rolls, considering we've said the main issue is that people struggle to remember their passwords to begin with, let alone keep track of which is current and which is previous. It's recommended to change passwords every six months, but why not set a time yourself and do it at least yearly! Christmas is a time when many organisations shut down and people take holidays; you're at home with some free time, so why not shut yourself in the study for an hour and make changing your passwords a Christmas-time ritual! Whatever schedule you pick, change a password straight away if the service tells you it has suffered a breach.
Stop browsers from remembering your passwords: Yes, another one that may seem annoying, but it will certainly be a positive move from a risk perspective if your device is stolen. It will also help you memorise your passwords if you have to type them out regularly!
Avoid typing your password on a device that isn't yours: As we discussed in The less obvious ways bad actors can access your data, you can never know who has it in for you. Someone may be happy to lend you their laptop or mobile phone on which they have set up a keystroke logger or similar malware to capture your password. Even if it's not intentional, the person lending you their device may be part of the low-hanging fruit that doesn't take cybersecurity precautions seriously, so their device may be infected with such malware without their knowledge. These examples are based on someone lending you a device temporarily, but the same applies to the IT department in your workplace: avoid using employer-provided devices to log in to personal accounts, per the earlier point about separating work & personal.
Just remember it is called 'password hygiene' for a reason: just like brushing your teeth and cleaning your body are part of personal hygiene, the small rituals outlined above form part of staying clean online. It's easy to throw in the towel because strong passwords are hard to remember, and as the years go on we have more and more online accounts, leading to Security Fatigue. From here, we suggest reading our Setting Strong Passwords article to make sure your passwords are strong. After that, consider our Password Managers 101 article to see if a password manager is the right tool to help you 'do passwords' right with good password hygiene.
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.