Password Best Practices
Passwords. We all hate them. There are only a few things in life that I hate, and passwords are among them. Truth be told, it isn't the function I hate but the arcane implementations and policies that push us toward bad passwords. That is a fundamental truth. I say we admit it and move on to some practical advice. The goal of this musing is to introduce some best practices that anyone can follow to improve their use of passwords immediately.
There are four main topics that this document addresses:

- Creating better passwords
- Managing your passwords
- Better than passwords
- Take it to the next level

Creating Better Passwords

There are several rules that make a password good. A good password:
- Is something that you know and no one else knows
- Is something that you can remember
- Is something that cannot be easily guessed

Those are the obvious basics of what a good password is. What makes a password bad? There are a few rules to follow that prevent bad passwords. Don't:

- Use simple dictionary words such as "apple" or "cat"
- Use the word "password" or any variation of it, including character substitutions such as "P@ssw0rd"
- Use words that convey seasons or months
- Use your company name
- Capitalize only the first letter
- Put special characters (!*$%) only at the end

What steps can you take to make better passwords, then?

- Ignore grammar and spelling
- Use multiple words
- Do the opposite of what human nature dictates

Confused yet? That is OK. Let me give you some practical examples.
Bad Password: Password1234
Bad Password: March2020
Bad Password: P@ssw0rd1234
OK Password: cAtdog1234
OK Password: 1dOgcat234
Better Password: work@CatDog20201127!
Better Password: gmail@CatDog20201127!

Did you notice something about the "Better" examples? Yes, I reused a portion of the password, but in the end I had two unique passwords. This is one method of creating a password that is both good and unique for each of your accounts. The first step is to define a strong base password. Then apply a unique prefix or suffix to make the password unique for each service.

One caveat that belongs with this scheme: the prefix only protects your other accounts as long as the base password stays secret. If one service leaks its password database and "work@CatDog20201127!" is cracked, anyone who sees it can guess what the Gmail version looks like. Treat this as a step up from reusing one password everywhere, not as a substitute for the unrelated, randomly generated passwords a password manager gives you.
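To make the "Don't" rules concrete, here is an added example (not the article's own code) that checks a candidate password against each of those rules and then sorts it into the same Bad / OK / Better buckets as the list above. The word lists are short, constructed stand-ins for a real dictionary, "acme" is a hypothetical company name, and the threshold for "Better" (at least 16 characters using all four character classes) is an assumption chosen so that the article's examples land where it puts them. This is a rule checker for the article's advice, not a general-purpose strength estimator.

```python
"""Added example: score a password against the article's "Don't" rules.

Not the article's code. Word lists are constructed stand-ins and "acme"
is a hypothetical employer name.
"""
import re

DICTIONARY = {"apple", "cat", "dog", "password", "welcome", "letmein"}  # constructed
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
COMPANY = "acme"  # hypothetical company name (assumption)

# Substitutions people use to "disguise" a word; undone before the word checks.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "!": "i"})


def violations(pw: str) -> list:
    """Return the list of article rules the password breaks (empty = none)."""
    raw = pw.lower()
    decoded = raw.translate(LEET)
    # Letters only, with and without the substitutions undone, for the whole-word check.
    letters = {re.sub(r"[^a-z]", "", raw), re.sub(r"[^a-z]", "", decoded)}
    found = []
    if letters & DICTIONARY:
        found.append("single dictionary word")
    if "password" in decoded:
        found.append("variation of 'password'")
    if any(name in decoded for name in MONTHS | SEASONS):
        found.append("month or season name")
    if COMPANY in decoded:
        found.append("company name")
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        found.append("only the first letter capitalised")
    if re.fullmatch(r"[A-Za-z0-9]+[^A-Za-z0-9]+", pw):
        found.append("special characters only at the end")
    return found


def rate(pw: str) -> str:
    """Bad if any rule is broken; Better if long and mixed (assumed threshold); else OK."""
    if violations(pw):
        return "Bad"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return "Better" if len(pw) >= 16 and classes == 4 else "OK"


if __name__ == "__main__":
    for candidate in ("Password1234", "March2020", "P@ssw0rd1234", "cAtdog1234",
                      "1dOgcat234", "work@CatDog20201127!", "gmail@CatDog20201127!"):
        print(f"{rate(candidate):6} {candidate:24} {violations(candidate)}")
```

Run it and the seven examples from the list come out exactly as labelled above; change the rules or the threshold and you can see which of your own habits the checker catches.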
Managing Your Passwords

Managing your passwords is easier than you may think. I make two key recommendations on this topic.

- Follow the earlier principle to design a unique but memorable password for each service.
- Use a password manager.

In the first case your password and the associated service should help you remember each other. They work together to authenticate you to the service. For example, if you are logging in to Gmail then your password would be GMAIL + password.

In the second case you use some sort of password manager. This gives you the ability to generate long random passwords that you never have to remember. So long as you have access to the password manager, you will be able to get at all of your stored passwords. That makes the manager's master password the one password you must get right: make it a long passphrase, and turn on multifactor authentication for the manager itself.
For password managers I recommend using a program that you can access across all of your devices. Personally I use LastPass. No, I don’t make money from recommending the service. Why do I like this service?
- I only need to remember one password to get access to all of my accounts.
- I can use the program on all of my computers and phones.
- It can autofill the username and password on most websites.

At the end of the day you should devise a system that works for you. It starts with creating a better password, then managing your passwords in a manner that makes sense for you.
Better Than Passwords

When you hear the word "password" your mind instantly thinks of a single word. Then your training kicks in: you realize that a simple word is not enough, so you add character substitutions, capitalization, and a special character at the end. It takes an awful lot of effort to create that password. Is it strong enough, you hope? Will I remember it, you ask? Which service was this for again?
Passwords suck. Passphrases, however, rule.
My name is Richard Maloley II
A passphrase is a phrase that you use in place of a traditional password. The sentence above works as a strong and complex password. As written it is 29 characters long. It has capital letters. It has spaces, which nearly every policy counts as special characters. It is not a single word. It is a good password and it is simple to remember. Even better, if you said it out loud a listener would not recognize it as a password, let alone know where to use it. One caution: treat the sentence above as an illustration of the form. A phrase built from facts about you, such as your own name, is exactly what someone who knows you or reads your social media would try first, so pick a sentence that is memorable to you but not derivable from your public life.

Instead of passwords, start thinking in passphrases. "This is my Facebook password." "This is my work email password." A passphrase is easier to create and easier to remember.
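The two things a password manager does for you, generating random character passwords you never memorise and generating a random word passphrase for the one secret you do memorise, are shown in this added example (not the article's code, and not LastPass's). It uses Python's `secrets` module, which draws from the operating system's random source rather than a seedable generator. `WORDS` is a constructed sixteen-word stand-in for a real list such as the EFF's 7,776-word diceware list; the entropy helper makes the difference visible. A sentence from your own life, like the examples above, has no entropy figure you can compute, which is the point of letting the manager pick the words.

```python
"""Added example: random passwords and passphrases as a password manager generates them.

Not the article's code. WORDS is a constructed stand-in for a real diceware list.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in word list; swap in a real diceware list for actual use.
WORDS = ["acorn", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
         "iris", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble"]


def random_password(length: int = 20) -> str:
    """Character password for the manager to store; never meant to be memorised."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(words: int = 6, wordlist=WORDS, sep: str = " ") -> str:
    """Word passphrase for the one secret you must remember, e.g. the manager's master password."""
    if words < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print(random_password(), round(entropy_bits(len(ALPHABET), 20), 1), "bits")
    print(passphrase(), round(entropy_bits(len(WORDS), 6), 1), "bits (toy list, too small)")
    print("6 words from a 7,776-word list:", round(entropy_bits(7776, 6), 1), "bits")
```

Twenty characters from the 94-symbol alphabet give about 131 bits; six words from a 7,776-word list give about 77.5 bits, which is plenty for a master passphrase and far easier to type than the character string. Six words from the toy list give only 24 bits, which is why the list size, not just the word count, matters.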
Take It To The Next Level

You've learned what makes a password bad. You've learned what makes a password good. You've learned ways to manage your passwords so that you can remember them and keep them secure. You've also learned that a passphrase is easier and stronger than a traditional password. Now we'll go one step further: multifactor authentication.

Multifactor authentication simply means that you perform an additional action beyond entering your username and password. You have encountered it often and for some time now, though you may not have known what it was called. For example, when you log into your banking website the bank texts you a code that you must type in before you get access. That is one version of multifactor authentication: the code proves you hold the phone (something you have) on top of the password (something you know).

There are numerous types of factors for multifactor authentication. This document isn't designed to get into all of them. Instead my writing is simply meant to inform you of the option and to convince you to turn it on.

The vast majority of your common services will have the option to enable multifactor authentication. You should always enable this option. Do this on your banking website. Do this on your Facebook/Twitter/Parler/Instagram and other social media. Do this on your email above all, because your email is where every other service sends its password resets.

The default option, likely a text to your phone, is far better than nothing and fine for most people. Be aware that it is also the weakest option: a text can be redirected by an attacker who talks your carrier into moving your number to their SIM, so if a service offers an authenticator app or a hardware key, prefer it. There may be other options available. Personally I am a fan of hardware tokens. I utilize a YubiKey hardware token to secure many of my accounts.
At this point you should be armed with the knowledge and capabilities to create and manage better passwords (or passphrases) to secure your online accounts. Good luck and practice safe cyber habits.