What’s something that stands between you and a cybercriminal that’s in your full control?
The world of password security is a tricky one because, in my experience, many of the best practices for password security are not at all practical and therefore rarely used.
Considering all the accounts we need to secure with passwords and all of the rules regarding effective password hygiene, it can certainly feel that it’s almost impossible to keep up without a technical aid like a password manager. However, studies have revealed that password managers are vulnerable to being hacked, and if they get hacked, the cybercriminal essentially has the keys to your password kingdom, which of course defeats the purpose of having a password manager or even a password in the first place.
In other circumstances, people try to bypass the need for passwords by turning to biometrics, which uses fingerprints or facial recognition technology to grant a user access to sensitive data. However, biometrics has its own set of vulnerabilities, and they are actually more problematic than those of passwords.
As many people already know, using biometrics first requires you to save your fingerprint or facial features onto your device. But what if your biometric information is hacked? Just look at the June 2015 hack of the U.S. Office of Personnel Management where 5.6 million fingerprints were stolen in a cyberattack. This is a concern to cybersecurity professionals such as myself because, unlike passwords, your fingerprints and facial features can’t be changed if they’re compromised.
Yes, there are good technologies that exist to help us with password security and management, but I have yet to come across the perfect solution, which is why I prefer some good old-fashioned common sense and awareness.
With that in mind, here are some simple and, more importantly, practical tips that will help you keep your passwords secure:
1. Use a phrase that captures a memorable thought that only you know, or use the first letter of each word in a unique phrase to create a password.
2. Passwords should be a minimum of eight characters in length. Ideally, if the system allows, the password should be from 24 to 26 characters long.
3. When creating a password, remember to include at least one of each of the following: uppercase letter, lowercase letter, special character and number.
4. Don’t create passwords from dictionary words with repeated or missing letters, common phrases or keyboard patterns. Remember: Hackers don’t hack passwords by guessing; they have access to password cracking tools that bypass those simple tricks and can crack passwords in seconds.
5. Use different passwords for all accounts. I have to be very clear on this tip since it’s a bit controversial. Without the aid of a password manager, I can honestly say that I don’t know anyone who follows this advice, and I hate giving people advice that I know they won’t use. If you don’t have a password manager and you find it impossible to use a different password for each account, try your best to have as many different passwords as you can and make the passwords you do have extremely complicated, using the tips found in Nos. 2 and 3.
6. Change passwords frequently. Similar to my thoughts in tip No. 5, this tip is another best practice that’s almost never followed. If you find this tip too difficult to follow, then make sure you change your passwords after a breach, and remember: It’s not just your account that’s been compromised but your password itself. This means you need to change the compromised password for any account where it’s used, and you can never use the password again.
7. Create answers for web security questions that are hard to guess but easy to remember.
8. Don’t share your passwords with anyone. This one may seem obvious, but it happens way too often. Sharing is a good thing, but not when it comes to your password.
9. Don’t write passwords down and hide the note. If you have to write them down for whatever reason, don’t label them as “passwords.” Write down something that will only be understandable to you.
10. Don’t store passwords on your computer, websites or in web browsers unless they are in a strongly encrypted software program. If your device gets stolen or hacked, stored passwords will give easy access to any would-be hacker.
11. Consider investing in a password manager but proceed with caution for the reasons mentioned above. There are some great tips here for your password manager.
12. Make sure you actually use a password. Anything that can be secured with a password should be.
13. If you need to change your password due to a suspected breach, make sure the notification settings in your profile only notify you of the change. The last thing you want is a cybercriminal getting notified each time you change your password.
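As an added illustration of tips 1 through 4 (not code from the original article), the checker below turns those rules into something you can run against a candidate password: the first-letter-of-each-word method from tip 1, the 8 / 24-26 character lengths from tip 2, the four character classes from tip 3, and the dictionary-word, common-phrase and keyboard-pattern rejections from tip 4. The word list, phrase list and keyboard rows are small constructed samples; a real deployment would load a full cracking wordlist in their place.

```python
import re

# Constructed samples standing in for a real cracking dictionary (assumption,
# not the article's data). The rule thresholds are the article's own numbers.
MIN_LENGTH, IDEAL_MIN = 8, 24                       # tip 2: hard minimum, ideal lower bound
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "monkey"}
COMMON_PHRASES = {"iloveyou", "trustno1", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def from_phrase(phrase: str) -> str:
    """Tip 1: first character of each word in a memorable phrase, case and digits kept."""
    return "".join(word[0] for word in phrase.split())

def looks_like_dictionary_word(pw: str) -> bool:
    """Tip 4: dictionary word, also when letters are repeated ('passsword') or one is missing ('pasword')."""
    squash = lambda s: re.sub(r"(.)\1+", r"\1", s)   # collapse runs of a repeated letter
    letters = re.sub(r"[^a-z]", "", pw.lower())       # compare on letters only
    for word in SAMPLE_DICTIONARY:
        if letters == word or squash(letters) == squash(word):
            return True
        if any(letters == word[:i] + word[i + 1:] for i in range(len(word))):
            return True
    return False

def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    """Tip 4: any run of `run` characters that walks a keyboard row forwards or backwards."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        seg = low[i:i + run]
        if any(seg in row or seg in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def check_password(pw: str) -> list:
    """Return the article's rules the password breaks; an empty list means it passes all of them."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < IDEAL_MIN:                         # longer than 26 is not penalised here
        problems.append("shorter than the ideal 24-26 characters")
    for pattern, name in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
                          (r"[0-9]", "number"), (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, pw):                # tip 3: one of each class
            problems.append("no " + name)
    if looks_like_dictionary_word(pw):
        problems.append("dictionary word")
    if re.sub(r"[^a-z0-9]", "", pw.lower()) in COMMON_PHRASES:
        problems.append("common phrase")
    if has_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    return problems
```

Note that `Passw0rd!` satisfies the four character classes yet still fails, because stripping the digit leaves `passwrd`, which is `password` with one letter missing; that is exactly the kind of substitution trick tip 4 says cracking tools bypass.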
Most importantly, remember that a password is what stands between you and a cybercriminal. Make sure you and your loved ones approach your passwords with responsibility and security in mind.