Passwords are keys to doors — in some cases, virtual safes — that should be used carefully to preserve the valuable information on the other side. Yet, many businesses freely share credentials, don’t promote good password hygiene, and otherwise leave the key in the door (for instance, favoring the castle-and-moat approach to security over the zero trust model).
Data exposures frequently make headlines, and 61% of breaches are attributed to stolen credentials, which suggests an inherent problem with passwords. Is it downright dangerous to depend on them?
Well, you can’t simply stop using passwords — they’re integral to online interactions, and though new technology may be on the horizon, passwords are probably here to stay for a while. Instead, consider adjusting your perspective on security, privacy, and helpful technology to improve your password management.
Weak vs. strong passwords
The average internet user has 100 passwords across various websites and services, so it’s natural to consider reusing or simplifying these secret codes. However, don’t expect hackers to be merciful.
According to a recent Google study, Americans often use very basic passwords (think “abc123” or “password”) and share their credentials with other people. In turn, millions of people are easy targets — but also only a few steps away from a much stronger defense.
The three Ds
Aside from keeping your secret codes, well, secret, you can strengthen your passwords to instantly improve your chances of surviving a brute force attack (that’s when hackers use trial and error to guess your credentials and gain access).
There are plenty of ways to describe a strong password, but let’s begin with three notable characteristics:
The first rule of good password management is differentiation — never use the same password for different accounts. This makes perfect sense in theory, but it can be difficult to abide by in practice.
Many people knowingly put themselves in danger: the vast majority realize it’s risky to use the same password across accounts, yet a recent study shows that about a quarter of us do it anyway. Although more unique passwords mean more to track and remember, it’s well worth the effort.
Not only should you use different passwords across accounts, you should ensure they’re unrelated. That means no slight variations in spelling or capitalization; each password should be an entirely different collection of letters, numbers, and symbols.
Random phrases or words that aren’t connected to your life are your best bet to ensure no lucky guesses crack the code, so steer clear of pets’ names or birthdays. After all, there’s plenty of accessible information out there, and bits of data could be pieced together to guess a password (or to fuel phishing scams).
Difficult to guess
It should go without saying that a password should be difficult to guess…but what does that really mean? Here are a few facts to consider when creating a hard-to-guess password:
- Longer is better than shorter
- A mix of characters is better than repetition
- No personal ties
One example of an ideal password could be an assortment of 11 or more random uppercase and lowercase letters, numbers, and symbols. However, that wouldn’t be very easy to remember.
Alternatively, you could string together four or five words that are unrelated to each other (and to you), which would be easier to memorize.
The passphrase advantage
You may have heard that using dictionary words in a password is a bad idea, as these can be rather easily decoded in a dictionary attack. While it’s true that common words can make for a risky password, it really comes down to how many there are and how they’re arranged. Enter the passphrase.
A passphrase is a collection of full words (as opposed to arbitrary characters) designed to be both memorable and sufficiently complex for good security. Passphrases should be longer than conventional passwords: aim for at least four words and 15 characters in length.
You can test your passphrase in a password strength tool to see just how long it would take someone to hack it — you might be surprised!
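As an added worked comparison (not from the original article), the script below puts numbers on the two options just described: 11 random printable characters versus four random dictionary words. It assumes a 94-character alphabet, the 7,776-word Diceware list, and an offline guessing rate of 10^10 per second against a fast hash.

```python
import math

# Added worked comparison, not part of the original article.
PRINTABLE_ASCII = 94        # assumed alphabet for a random-character password
DICEWARE_WORDS = 7776       # assumed wordlist size (6^5, the classic Diceware list)
GUESSES_PER_SECOND = 1e10   # assumed offline rate against a fast, unsalted hash
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every element is picked uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time: on average half the keyspace is searched before a hit."""
    return (2.0 ** bits) / 2 / rate / SECONDS_PER_YEAR


def compare(char_len: int = 11, word_count: int = 4) -> dict:
    """Strength of the two styles the article describes, at the given sizes."""
    chars = entropy_bits(PRINTABLE_ASCII, char_len)
    words = entropy_bits(DICEWARE_WORDS, word_count)
    return {
        "random_chars_bits": round(chars, 1),
        "passphrase_bits": round(words, 1),
        "random_chars_years": years_to_crack(chars),
        "passphrase_years": years_to_crack(words),
    }


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_WORDS) -> int:
    """Smallest number of random words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    result = compare()
    for key, value in result.items():
        print(f"{key}: {value:,.1f}")
    print("words to match 11 random characters:", words_needed(result["random_chars_bits"]))
```

Four random words come in well under the 11-character random password at this guessing rate, so the length advice above matters: each extra word adds about 13 bits, and a slow hash on the verifying side stretches both times by orders of magnitude.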
How to keep passwords safe and organized
Regardless of whether you choose a password or passphrase, the fact remains that recalling dozens or hundreds of sets of credentials is a difficult task. Fortunately, a password manager can do much of that memory work for you, relieving the burden of recall without sacrificing security. So why are only 20% of people using a password manager?
Are password managers safe?
The short answer is yes, password managers (also known as password vaults) are safe. However, concerns about security, cost, and product confusion are clearly holding people back. Understanding a bit about how password managers work may help instill confidence.
Most online password managers use what’s known as zero knowledge proof: this is when one party (the prover) can prove to another (the verifier) that a given statement is true without revealing the information itself, or any additional information for that matter.
Zero knowledge proof ensures your data (the password) is encrypted before it leaves your device, and the provider (the password manager) has no way to decipher the data along the way. Your secret stays secret, even as others verify and relay it on your behalf.
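Added illustration (not any password manager's code) of the client-side design just described: the master password is stretched into a vault key that never leaves the device, a separate one-way login token is all the server sees, and the vault is encrypted before upload. PBKDF2-HMAC-SHA256 and a counter-mode HMAC construction stand in for the KDF and AEAD a real product would use; the iteration counts and sample entries are assumptions.

```python
import hashlib
import hmac
import os
# Added illustration (not any vendor's code) of the client-side layout the
# text describes: keys are derived on the device, the server gets only a
# login token and opaque ciphertext. HMAC-SHA256 in counter mode stands in
# for AES-GCM so this runs on the standard library alone.
ITERATIONS = 600_000  # assumed PBKDF2 work factor

def derive_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Return (master_key, auth_hash); master_key never leaves the client."""
    salt = email.strip().lower().encode()  # per-account salt
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    # One-way step to a login token: the server cannot get master_key back from it.
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)
    return master_key, auth_hash

def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(master_key, b"enc", "sha256").digest(),
            hmac.new(master_key, b"mac", "sha256").digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(master_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("vault tampered with or wrong master password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_store(auth_hash: bytes) -> dict:
    """All the provider keeps: a salted hash of the login token, never a key."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000)}

def server_login(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], 100_000)
    return hmac.compare_digest(record["verifier"], candidate)
```

Everything the provider holds, the `server_store` record plus the encrypted blob, is useless without the master password, which is what "no way to decipher the data" means in practice; a breach of the provider therefore still leaves the attacker facing the full key-stretching cost per guess.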
Why you should use a password manager
From convenience to security, there are plenty of reasons to use a password manager. Here are some of the clear advantages:
- Make it easy on yourself. With only one master password to remember instead of many, you immediately relieve the burden of memorizing.
- Get stronger security. By generating complex codes and automatically saving them, the password manager can improve your security hygiene.
- Share easily. Passwords can be securely shared with others, like coworkers who may need access to the same platform or program.
- Save time. You can often autofill passwords and other credentials or info on sites you visit for a welcome head start.
- Stay on top of breaches. Many password managers will send security alerts when your credentials may have been exposed in a breach.
Password managers range in cost, usually offering tiered pricing (and often a free version). They’re also generally easy to set up and use, so don’t be too concerned about the time or effort it takes to get started.
MFA for extra security
Since your data is so strongly encrypted, you can confidently count on your password manager to keep it private. However, nothing is guaranteed. There’s a small chance that your password manager could be hacked.
Happily, you can safeguard against this unlikely situation: attach another form of authentication to your password manager, and ensure all your colleagues do the same.
A text message (SMS) to your smartphone is a natural choice for your second authentication factor, but biometric data (like your fingerprint or a face scan) is an even stronger option. The bottom line is that if you want to dramatically improve your cybersecurity (and who doesn’t?) then you need multi-factor authentication.
One piece of your cybersecurity puzzle
Smart password habits are necessary in a world where millions of passwords are stolen each week, but simply adding a password manager to the mix isn’t enough to protect yourself.
Hackers have many tools and avenues to uncover your personal information, so you need to stay in the know when it comes to cyber risk. Once you get your password manager set up, head over to the first piece in our recent cyber risk series for more tips — Cyber risk management: Basics for your business.