Password hygiene is important. Do you have good habits?
May 7, 2020 is World Password Day! World Password Day provides an “official” reminder to everyone to brush up on their password habits and make sure their online personal data is safe and secure. The official World Password Day website PasswordDay.org has tips and resources for managing passwords; today’s blog post is going to drill down even further.
Before even getting started on talking about aspects of password management, it’s crucial to remember that you should never use the same password for multiple sites or services. This creates extra administrative hassles for you – and we’ll discuss ways to reduce that burden later on – but having different passwords for each site you visit is essential to limit your exposure in the event that someone hacks one of those sites. Cyber criminals exploit the knowledge that some people reuse their credentials, so once they figure out your LinkedIn password, it’s easy for them to try to use the same password to get into your email, banking information, Amazon account, etc.
You’ll see a lot of websites evaluating your password “strength”, often with a score or a red/yellow/green bar. What does this actually mean? Password cracking tools use a variety of strategies to determine your password, so these sites map your proposed password against known cracking methods. Attackers will often use a dictionary-based algorithm as a quick first pass to determine your password, so any password containing “real” words will be picked off in seconds, even if you tack on a number at the end or change a “B” to an “8” in a word. Generally, the tips for good password creation are as follows:
- Avoid “real” words and names (especially “password”)
- Avoid “common” passwords (especially “qwerty” and “123456”)
- Combine lower/upper case characters, include digits and special characters
- More characters generally mean more safety
An approach I love is using mnemonics for a password. I find something easy to remember (for example, the first line of a favourite song, a line in a movie, or the inspirational message on a poster in my office). Let’s take “Louis, I think this is the beginning of a beautiful friendship”. Now take the first letter of each word – respecting the capitalization – and use that as a password: “LIttitboabf”. Looks like gibberish, but it’s nice and long, and super-easy to remember. The My1Login website has a password strength tester that’s great for giving an indication of how crackable your password is. Running our mnemonic password through it suggests that it could take almost 400 years for current hacking tools to figure out your credentials. Not bad, but if we add an asterisk (think of it as a propeller on Ilsa’s plane, to keep the Casablanca motif going) to the end of the password (e.g., LIttitboabf*), the complexity jumps to about 3000 years to crack. Tack on the year of release of Casablanca – to make a password of LIttitboabf*1942 – and we’ve got protection that would take about 8 million years to crack. Once you have a solid foundation for a password, adding length can make it exponentially more complex – and secure.
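As an added example (not code from the original post or from My1Login), here is a small Python checker that does what the tips and the mnemonic approach above describe: it builds the first-letter mnemonic from a phrase, undoes the common digit-for-letter substitutions a dictionary pass would undo, and gives a naive keyspace estimate in bits so you can see why each added character class and each added character makes brute force exponentially harder. The word lists are tiny constructed stand-ins (a real check loads a full leaked-password corpus), and the entropy figure is a plain charset-to-the-power-of-length estimate, not the year counts quoted from the My1Login tester.

```python
import math
import re

# Constructed stand-ins for the large wordlists a real checker would load.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"password", "summer", "dragon", "friend", "beautiful", "welcome"}

# Substitutions a dictionary attack undoes before comparing ("8" for "B", "0" for "o", ...).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "8": "b", "@": "a", "$": "s"})

CHARSETS = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def mnemonic(phrase: str) -> str:
    """First letter of each word, keeping the original capitalization."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z0-9']+", phrase))


def normalize(password: str) -> str:
    """Mimic a cracker's first pass: lowercase, drop trailing digits/symbols,
    then reverse leetspeak substitutions."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(LEET_MAP)


def dictionary_hit(password: str) -> bool:
    """True if the password collapses to a known word or common password."""
    core = normalize(password)
    return (password.lower() in COMMON_PASSWORDS
            or core in COMMON_PASSWORDS
            or core in DICTIONARY_WORDS)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    return sum(size for pattern, size in CHARSETS if re.search(pattern, password))


def entropy_bits(password: str) -> float:
    """Naive brute-force keyspace: log2(charset ** length). Length multiplies
    the exponent, which is why extra characters help so much."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def assess(password: str) -> dict:
    """Apply the tips from the post and return findings plus the keyspace estimate."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    elif dictionary_hit(password):
        problems.append("dictionary word (after undoing digit/symbol substitutions)")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(pattern, password)) for pattern, _ in CHARSETS)
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return {"entropy_bits": round(entropy_bits(password), 1), "problems": problems}


if __name__ == "__main__":
    base = mnemonic("Louis, I think this is the beginning of a beautiful friendship")
    for candidate in ("Passw0rd1", base, base + "*", base + "*1942"):
        print(f"{candidate:20} {assess(candidate)}")
```

Run it and the three mnemonic variants show the keyspace climbing with each added character, while "Passw0rd1" is flagged because it collapses to "password" once the substitutions are reversed and the trailing digit dropped.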
So now we’ve got a strategy for coming up with an easily memorable, acceptably strong password. But, according to a 2017 Dashlane survey, the average person has about 150 online accounts that require a password (with that number expected to climb to 300 by 2022!). It’s unrealistic to come up with that many clever passwords, which may encourage us to reuse passwords or write them down… which is bad news. More and more people are using password management software as a response to credential sprawl. There are lots of great options out there – both paid and free – so do your homework and find the application that fits your needs and budget. 1Password and KeePass offer dependable password managers, but I use LastPass – it’s secure, free, syncs across my many devices, can auto-change passwords for me on selected services (e.g., Facebook, Amazon, etc.), and can even launch a browser and log into an application without ever showing me the password. I use my complex mnemonic password as the master gatekeeper for the application, then I refer to my secure catalog of websites and userids/passwords in the password keeper as my go-to for credentials when I need them.
Password Expiry and Rotation
Many systems and websites will include a lifespan for your passwords, forcing you to change them after a fixed number of days, weeks, or months. This protects you in case your credentials are somehow stolen without your knowledge. A “memory” of your used passwords is also retained, preventing you from reusing a password within a certain time period or frequency. The same logic applies with respect to protecting you from theft – if you alternate between two passwords and someone has compromised your credentials, you increase the chance of someone being able to gain unauthorized access.
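To make the expiry and “memory” behaviour concrete, here is an added Python sketch (not code from the original post, and not any particular product's implementation) of the server-side checks: each password is stored as a salted PBKDF2 hash, a new password is rejected if it matches any of the last few stored hashes, and the account reports whether the current password is older than its lifespan. The iteration count, the 90-day lifespan and the history depth of five are illustrative assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ITERATIONS = 100_000                 # PBKDF2-HMAC-SHA256 work factor (assumption; raise for production)
MAX_AGE_SECONDS = 90 * 24 * 3600     # illustrative 90-day password lifespan
HISTORY_DEPTH = 5                    # current password plus the previous ones that cannot be reused


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    set_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the history cannot be brute-forced cheaply if it leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    history: List[StoredPassword] = field(default_factory=list)  # oldest first, current last

    def check_new_password(self, candidate: str) -> Tuple[bool, str]:
        """Reject a candidate that matches any password still in the history window."""
        for entry in self.history:
            if hmac.compare_digest(hash_password(candidate, entry.salt), entry.digest):
                return False, "password was used recently"
        return True, ""

    def set_password(self, password: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        ok, reason = self.check_new_password(password)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)                      # fresh salt per stored password
        self.history.append(StoredPassword(salt, hash_password(password, salt), now))
        self.history = self.history[-HISTORY_DEPTH:]  # keep only the reuse window

    def is_expired(self, now: Optional[float] = None) -> bool:
        """True when the current password is older than the lifespan (or none is set)."""
        now = time.time() if now is None else now
        if not self.history:
            return True
        return now - self.history[-1].set_at > MAX_AGE_SECONDS


if __name__ == "__main__":
    acct = Account()
    acct.set_password("LIttitboabf*1942")
    print("expired now?", acct.is_expired())
    print("reuse allowed?", acct.check_new_password("LIttitboabf*1942"))
```

Because the history holds only hashes, the check has to rehash the candidate once per stored entry, which is why the window is kept small. Note that NIST SP 800-63B now advises forcing a change only when there is evidence of compromise, so the age check shows what many systems do rather than a recommendation.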
You’ll also hear a lot about two-factor or multi-factor authentication. This type of approach helps mitigate the dangers of crackable passwords. Where it’s supported, a multi-factor authentication approach will ask for two or more different types of authentication. For example, you could be prompted to enter a password, but then also have to enter a one-time code that has been texted or phoned in to you. Another example would involve entering a one-time code from a special keytag, followed up by scanning your fingerprint. The key for two- or multi-factor authentication is that the methods for validating your identity need to be distinct (i.e., entering two passwords doesn’t qualify as true two-factor authentication).
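The “one-time code” second factor mentioned above is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). As an added example that is not part of the original post, the Python below implements both sides with only the standard library: the authenticator side derives the six-digit code from a shared secret and the current 30-second time step, and the server side verifies a submitted code while allowing one step of clock drift and refusing to accept a code for a counter that has already been used. The secret is the RFC 6238 test-vector key, so the values are checkable against the RFC; the drift window and the replay bookkeeping are design choices assumed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length
DRIFT = 1     # accept one step either side of "now" to tolerate clock skew


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it to raw bytes."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time step (the client side)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // STEP)


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None,
                last_used_counter: int = -1) -> Tuple[bool, int]:
    """Server side: accept a code within the drift window, never one at or before
    the last counter already consumed. Returns (ok, counter_to_record)."""
    at = time.time() if at is None else at
    current = int(at) // STEP
    for counter in range(current - DRIFT, current + DRIFT + 1):
        if counter <= last_used_counter:
            continue  # replayed or stale code
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # RFC 6238 test-vector secret ("12345678901234567890"), shown in its base32 form.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(key)
    print("current code:", code, "accepted:", verify_totp(key, code))
```

The comparison uses hmac.compare_digest so the check does not leak how many digits matched, and the server stores the counter of the last accepted code so that a code captured in transit cannot be submitted a second time within the same step.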
The Password of Tomorrow: No Password!
Believe it or not, tech companies understand our pain when it comes to password management, and they’ve been working on ways to do away with passwords once and for all. Fingerprint recognition has been part of Android and iOS devices for years, and work is continuing on making facial and voice recognition secure and reliable. Retinal scanning and even venous analysis (i.e., the scanning of veins in your fingers or palms) have been in development and limited use for years, but may make further inroads as public frustration with our panoply of passwords rises.
So celebrate World Password Day by reflecting on your use of passwords and password management tools, and stay safe out there on the Internet!