As someone who has a keen interest in online security and runs a business that needs to take security very seriously, topics like password security are kinda second nature to me.
I understand the need for strong passwords and how to manage them. But it remains the case that I’m not in the majority.
So, here are some straightforward facts and snippets of advice to, hopefully, help you a) appreciate the need for strong passwords and b) do something about it.
First off, some [interesting] facts n stats (produced by internet security firm SplashData):
- In 2011 the most commonly used password was: password
- By 2017, this had improved not one iota: 123456
- In 2011, the second most commonly used password was: 123456
- By 2017 this had morphed to simply password
You get the idea…
Other common passwords (still!) are qwerty, 123456789, football and letmein (yes, ‘letmein’)
We got clever
Over the years password security has started becoming more widely understood and, if you work for a large firm or local government, enforced. At the same time, we started getting clever.
Numbers that look like letters made their entrance. E’s became 3’s, O’s became 0’s and so on. My name is St3v3.
Thing is, for a computer programmed to do the bad guys’ work, those substitutions barely register. Cracking tools don’t start with blind brute force; they start with lists of real words and previously leaked passwords and run each one through ‘mangling’ rules (swap e for 3, o for 0, tack on a ! or a 1, capitalise the first letter). St3v3 is tried a few guesses after steve, and the extra work costs the attacker milliseconds.
Then we got REALLY clever
Hmmm, the firm’s security now demands a non-alpha character to be included in the password. I know, let’s add a * or a !. Now my name’s St3v3!
So, what makes a good password?
There is no fixed answer, more common sense, so I’ll go with some widely accepted good practice.
16 or more characters chosen at random, containing both alpha and non-alpha characters. This means uppercase and lowercase letters, numbers and symbols like ‘;!@£$%^&*()_+=-, with no word, name or pattern a human could read into it. Length and randomness are what matter: every extra random character multiplies the number of guesses an attacker has to make, and a word with a few letters swapped for numbers is still a word to a cracking tool.
Using a password generator (https://passwordsgenerator.net) I came up with this:
That’s not-so-easy to either guess or remember, right?
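To show just how little a 3 or a ! buys you, here is an added example, written for this post rather than taken from any real cracking tool: a small Python imitation of the mangling rules that tools apply to a wordlist. The six-word list and the handful of rules are made up for the illustration (real attacks use leaked lists with hundreds of millions of entries and thousands of rules). It counts how many guesses it takes to reach St3v3! and P455w0rd!, and reports the size of the search space for a random 16-character password of the kind the generator above produces.

```python
"""Added example (not from the original post, not any real cracking tool):
a toy rule-based cracker of the kind that makes 'St3v3!' no safer than 'steve'."""
import itertools
import math
import secrets
import string

# Constructed six-word list for the illustration. Real attacks use leaked
# password lists with hundreds of millions of entries.
WORDLIST = ["password", "steve", "football", "letmein", "qwerty", "welcome"]

# Mangling rules, made up here to mirror the kind of rules cracking tools ship with.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "!", "1", "123", "!1", "2017", "*"]


def case_variants(word):
    """steve -> steve, Steve, STEVE."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Every combination of the LEET substitutions (2^n for n swappable letters)."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product([False, True], repeat=len(positions)):
        chars = list(word)
        for pos, swap in zip(positions, mask):
            if swap:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """Guesses in the order the rules produce them: word, then case, then leet, then suffix."""
    for base in wordlist:
        for cased in case_variants(base):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield leeted + suffix


def guesses_to_crack(password, wordlist=WORDLIST):
    """How many guesses until the password falls, or None if the rules never produce it."""
    for n, guess in enumerate(candidates(wordlist), start=1):
        if guess == password:
            return n
    return None


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a password of `length` characters chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def random_password(length=16):
    """16 random characters from letters, digits and symbols, like the generator in the post."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["steve", "St3v3", "St3v3!", "P455w0rd!", random_password()]:
        print(f"{pw!r}: cracked after {guesses_to_crack(pw)} guesses")
    alphabet_size = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    print(f"random 16-char password: {entropy_bits(16, alphabet_size):.0f} bits, "
          f"{alphabet_size ** 16:.1e} possibilities")
```

With this list and these rules, steve, St3v3 and St3v3! all fall within the first few hundred guesses, and P455w0rd! goes even sooner because password is first in the list. The random 16-character password is never produced by the rules at all; an attacker is left with roughly 94^16 possibilities, about 105 bits, which is far beyond any brute force.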
This is the scary part. If you’re unlucky and the bad guys somehow get hold of your password, chances are they will exploit it for all it’s worth.
It’s worth noting that they will also need your username, but that is usually easy to work out (often it’s just your email address) and, unlike your password, it is rarely treated as a secret.
As a result, if your compromised username and password combination is used for more than one website or service, the bad guys – read ‘computers’ – will be trying that combination against 1000’s of other websites within hours. This is known as credential stuffing, and it’s why a leak at some obscure forum you signed up to years ago can end with your email or bank account taken over.
The obvious consequences are a bank account being raided, or other personal information being misused in ways that hit you financially.
But it’s much more than that. If you run a website for example (something which is close to our hearts) and you are hacked, this can have terrible consequences. Some hacks are subtle and won’t directly impact the day to day usage of your website. Other times, you’ll find you can’t access your website and it’s broken beyond repair.
There are risks and costs to action. But they are far less than the long range risks of comfortable inaction.
John F. Kennedy
What we want
In truth, passwords are a pain, but we know we need them. We’re in the age of accessing our most important assets online and as such passwords are unavoidable.
But we don’t want – can’t remember – hundreds of different passwords with 16 or more random characters.
What we want is a single, easy to remember password that is easy to type into our mobile phone and allows us ready access to our stuff. We want hassle-free access.
What’s the answer
Well, the answer is probably a bit of a compromise. It’s our belief that a reputable password manager holds the answer. That, along with Two Factor Authentication (2FA).
2FA? In simple terms what this means is that as well as a username and strong password, you will also need a second mode of authentication. This is often in the form of a text sent to your mobile with a one-time code. That way a hacker who has got hold of your username and password still can’t get into your account without the code, which means getting hold of your phone as well. One caveat: codes sent by text can be intercepted, for instance by a criminal who talks your mobile network into moving your number onto a SIM they control, so where a site offers an authenticator app or a hardware security key, pick that over text messages.
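For the curious, here is how the six-digit code behind an authenticator app is actually produced and checked. It is the time-based one-time password scheme from RFC 6238 (built on the HMAC scheme from RFC 4226), which is what the common authenticator apps implement. This is an added example written for this post, not code from any 2FA product or from Keeper Security; the shared secret is the test value published in those RFCs, and the account record and login check around it are my own sketch.

```python
"""Added example: time-based one-time passwords (RFC 6238 on top of RFC 4226)."""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors. Apps exchange it as
# base32, usually inside a QR code: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds each code is valid for
DIGITS = 6


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret an authenticator app shows or scans."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter = floor(unix_time / 30 s)."""
    return hotp(secret, int(at_time) // STEP, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current code or one step either side, to absorb clock drift.
    Constant-time comparison so timing doesn't leak how many digits matched."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = int(at_time) // STEP
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed account record for the illustration (not a real user). A real
# service stores a slow password hash (bcrypt/argon2), never the password itself.
ACCOUNTS = {
    "steve": {"password": "St3v3!", "totp_secret": RFC_SECRET},
}


def login(username: str, password: str, code: str, at_time: float) -> bool:
    """The point of 2FA: a stolen username + password alone must fail."""
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    password_ok = hmac.compare_digest(account["password"], password)
    code_ok = verify_totp(account["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)  # what the app on the phone would show right now
    print("current code:", code)
    print("password only:", login("steve", "St3v3!", "000000", now))   # False
    print("password + code:", login("steve", "St3v3!", code, now))     # True
```

The secret never leaves the phone or the server, so someone who has phished or cracked the password still has nothing that produces a valid code. The one-step window is the usual compromise between tolerating a phone whose clock is a few seconds out and keeping the number of codes that would be accepted at any moment tiny.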
A good password manager like Keeper Security will enable you to store all of your passwords in a single place. They’ve developed plugins for most web browsers and standalone apps for most computers and devices.
Plus, if you have a mobile phone with fingerprint technology then you can access your passwords via the Keeper Security app that way. It offers 2FA and other security features, which you can read about more on their website.
It’s a pain, we know, but it’s important. Here are a few do’s and don’ts to help make your online life more secure:
- Do use strong passwords of 16 or more random alpha and non-alpha characters
- Do use different passwords for every site and app
- Do use a password manager like Keeper Security
- Do use 2 Factor Authentication where you can
- Don’t use easy to guess or easy to work out passwords (like P455w0rd!)
- Don’t share passwords
- Don’t write passwords down unless they are going to be securely locked away
- Don’t think it won’t happen to you: is it worth the risk?
- Don’t panic, Mr Mainwaring – take your time. If you’re concerned about your passwords then think about the most important places where you need a password and start changing those first; slow but sure is better than not at all.
I hope this has helped in some small way. I’m only touching the surface of password security, really, but putting the above points into practice will make your online activity far more secure.