Everyone is sick of hearing about passwords: make them long, don’t re-use them, change them often, etc. There’s a good reason we hear about passwords – most of us don’t use good password hygiene and our poor passwords are the major inroads into our computers and networks for hackers.
According to Verizon, 62% of all data breaches involve hacking and a WHOPPING 81% of those hacks involved weak or stolen passwords. Google recently reported that about 2 billion stolen credentials are for sale on the black market. A study by cybersecurity expert Troy Hunt of the 2016 hack of online survey service CashCrate found that “86% of subscribers were using passwords already leaked in other data breaches and available to attackers.”
What to do about passwords?
Here’s the advice I got from a computer consultant recently which is borne out by other experts:
- The best thing is for every password to be unique, long and complex. Use a password manager like Dashlane or LastPass to keep these passwords. More on password managers below (this is the solution to all these issues).
- If you don’t use a password manager, the next best thing is to write down your unique passwords. This is not recommended because someone could steal your list, but it is substantially better than reusing the same simple password(s): the chance of someone breaking into your home or your desk at the office and stealing your list is low.
- DO NOT REUSE passwords under any circumstance.
- Use two-factor authentication where available.
- Don’t just change the number at the end of your password (like “Fluffy1”, “Fluffy2”, “Fluffy3” . . . )
- Don’t use discoverable personal information such as family birthdates, anniversary dates, children’s names, dog names (where do dogs go when they die? – they become passwords), etc. Instead, use a passphrase or have your password manager create random passwords for you and the password manager will keep track of them.
- Stop your browsers from remembering your passwords.
- Change your passwords periodically.
- DO NOT REUSE PASSWORDS.
Why shouldn’t you reuse passwords? According to cybersecurity expert Troy Hunt, “bad guys are grabbing huge stashes of username and password pairs from other data breaches and seeing which ones work on totally unrelated sites.”
Password managers – This is the best password solution. I’ve used Dashlane for about five years and I can’t imagine life without it. With one password (which is long and complex) I can access all my passwords. Better yet, it generates random passwords and automatically fills in usernames, passwords, addresses and credit card information (all after I enter the complex master password). It stores my family’s SSNs, TSA PreCheck numbers, passport numbers, and driver license numbers. Sound scary to have all that stored in one program? Yes. My master password has to be good and I also use two-factor authentication. There are other good password managers out there – here’s a link to PC Magazine’s recommendations (and my using Dashlane is not a professional endorsement since I’m not a cybersecurity expert).
What are the most commonly used passwords (i.e. most hacked)? According to the UK’s National Cyber Security Centre, here are the top 20 from 2019:
- 1q2w3e4r5t (you need to look at your keyboard to see why this one is popular)
- Qwertyuiop (again – look at the keyboard)
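To make the advice above concrete from the defender’s side, here is an added example (not part of the original post, and not code from any password manager or from Troy Hunt’s service) of the two checks a password manager or sign-up form can run: a lookup of the candidate password against a leaked-password corpus, and a scan of a vault for the same password used on more than one site. The corpus, the vault and the passwords are all constructed for the example; the corpus is kept as SHA-1 digests and looked up by five-character prefix, which is the same k-anonymity idea Pwned Passwords uses, so that only a prefix would ever need to leave the client. The normalize step goes a little beyond the list: it strips the trailing digit and case so “Fluffy2” is caught when “fluffy1” has already leaked.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of a leaked-password corpus. Real corpora (for example the
# Pwned Passwords list Troy Hunt publishes) are distributed as SHA-1 digests;
# these five entries are made up for the example so it runs offline.
SAMPLE_LEAKED = ["123456", "password", "1q2w3e4r5t", "Qwertyuiop", "fluffy1"]


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def normalize(password):
    # Collapse the "Fluffy1", "Fluffy2", "Fluffy3" trick: drop trailing digits
    # and case so trivial variants of a leaked password are matched too.
    return re.sub(r"\d+$", "", password).lower()


LEAKED_EXACT = {sha1_hex(p) for p in SAMPLE_LEAKED}
LEAKED_NORMALIZED = {sha1_hex(normalize(p)) for p in SAMPLE_LEAKED}


def in_corpus(password, corpus):
    """k-anonymity style lookup: select corpus entries by the first five hex
    characters of the digest, then compare the remaining suffix locally. With
    a remote corpus only the five-character prefix would leave the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in bucket


def check_password(password, min_length=14):
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if in_corpus(password, LEAKED_EXACT):
        findings.append("appears in leaked-password corpus")
    elif in_corpus(normalize(password), LEAKED_NORMALIZED):
        findings.append("trivial variant of a leaked password")
    return findings


def find_reused(vault):
    """Given {site: password}, return {password: [sites]} for every password
    used on more than one site. Those are the entries credential stuffing
    turns into account takeovers."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {p: sorted(sites) for p, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for candidate in ["1q2w3e4r5t", "Fluffy2", "lavender-kettle-39-orbit"]:
        print(candidate, "->", check_password(candidate) or "ok")
    # Constructed vault: one password shared across three sites.
    vault = {
        "bank": "lavender-kettle-39-orbit",
        "email": "Fluffy2",
        "shop": "Fluffy2",
        "forum": "Fluffy2",
    }
    print(find_reused(vault))
```

Run as-is it flags the keyboard-walk password as leaked, flags “Fluffy2” as a trivial variant, accepts the long passphrase, and reports that “Fluffy2” is shared by three vault entries, which is the same warning LastPass gives when it shows a password has appeared in a breach.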
So when I used to work for a bank, I would break so many of those rules/advice because I had to deal with a password reset every month. I wrote everything down next to a Post-it note stuck to my monitor. In theory, anyone could walk into my office and eventually figure out how to log into all my trading systems. I needed a better solution and so without revealing too much, I actually came up with a cipher approach to my passwords, and I use 2-factor on everything that I consider sensitive / confidential. I think the one point of failure using a password manager is not very comforting to me, and I’d rather risk physically writing it down (as it’s likely already in a location that isn’t easily accessible to everyone, or back in the day, I just needed to make sure I locked my office door when I left). So, the cipher incorporates elements of where I am signing into (i.e., signing into Netflix, the password will use a combination of the first letter of the portal “N”, and the last letter “x”, and the number of letters in the portal, etc… which will each translate to a random string of letters/numbers.) It’s surprisingly easy to remember and even if I wrote down my cipher for you, it is unlikely you will figure out what it even means. The only thing you memorize is the steps to produce the password, and I rarely if ever need to reset.
Great article & I am immediately using it to clear the morass of my passwords
I use LastPass which is good for all the reasons you cite. I have some legacy non-complex passwords on non-critical sites that I have not yet taken the trouble to change. Several of those have been leaked in infamous breaches including Dropbox and LinkedIn (LastPass tells me that) and occasionally someone uses one to (most recently) hack my Netflix account and watch free movies for an evening (Netflix easily verified my details and gave me back my account). But at least the bank accounts and other critical passwords are safe now.
I like the new website format!!