top of page

Password Hygiene

Passwords are the bane of everyone's online existence these days. You hate them. I hate them. Everyone hates them.

But to state the obvious: Passwords are important and you need to do them correctly.


Waaay back in the day, I'm talking mid-1990s, when the internet was just a wee tot about to take off, an eight character password was considered reasonably safe. And the risks of reusing passwords on multiple sites wasn't that big of a deal. Not so today.

And just adding a couple of numbers to the end isn't going to cut it, either. Spend a few minutes reading on to see what you really need to do in the 21s century.

man at computer trying to remember his password

The sad fact is that most people aren't managing passwords securely. Who can blame them? There's bad and conflicting advice on what to do and it's PITA besides. Here's a partial list of bad practices that I've seen, in no particular order:

  1. Passwords that are too short

  2. Reusing the same password, or rotating between the same small number of passwords, on multiple sites

  3. Making new "unique" passwords by simply adding a digit or something

  4. Choosing passwords that are too easy to guess (e.g. names and birth dates)

  5. Choosing passwords based on famous people or quotes

  6. Choosing passwords that are easy to brute force (not enough complexity)

  7. Storing passwords in the Notes app or Contacts app on your phone (iPhone or Android)

  8. Not having a password or PIN on your phone

  9. Not storing passwords in some manner (relying on memory only)

  10. Not using multi-factor authentication on sensitive sites that offer it, like your email or bank

  11. Writing down passwords on random scraps of paper

Now lets discuss the above sins one at a time and how to repent.

  1. Passwords today should be no less than 12 mixed characters, 15+ is best. "Mixed" means having something from all four character groups: 1) lower case, 2) upper case, 3) number, and 4) non-alphanumeric "special" characters.
    Why? By including at least one character from each of the four groups, you are increasing "entropy". In short, more entropy means less predictability, less organization, more randomness.
     

  2. Every web site that you have to sign-up to use, no matter how unimportant, deserves its own password.
    Why? Because if you use the same password on multiple sites and one of those sites gets hacked and all the passwords are stolen, then it makes it far easier to log into your account on the other sites where you used that same password.
     

  3. Making a new password by slightly modifying an existing password, maybe by adding a digit or character to the end, isn't good enough. You must create an substantially new password each time you need a new one.
    Why? Password "crackers" (hackers who figure out passwords) already know these tricks. Part of their strategy is to make slight alterations to known passwords just like you might do. And they are pretty dang smart about it, too.
     

  4. Using birth dates and family names are too easy to figure out.
    Why? In the age of social media, lack of privacy, and data breaches, it's not that hard to figure out these kinds of passwords.
     

  5. Similarly, using the names of celebrities or notable quotes, isn't as safe.
    Why? Password crackers have dictionaries of very nearly every password that has ever been stolen in a data breach. If someone else used the same famous person or quote as a password that you used, then finding that password becomes far, far easier. Best to use passwords that are only meaningful to you -- but again, not names or birth dates.
     

  6. Short, non-complex passwords are easy to brute force.
    Why? A "brute force" attack is trying every combination of characters. The longer and more complex your password, meaning you followed the advice in #1 above, then the harder it is to guess by trying all possibilities. For more info on what a brute force attack actually entails, see the next section titled "Password Crackers Are Smart"
     

  7. Storing your passwords in the notes or contacts app on your phone is really insecure. If you are doing this then you must stop!
    Why? Notes and contacts aren't always encrypted. And depending on your email service, those notes and contacts may be synced to a cloud server where they can be accessed if someone sussed out your email password. Or if someone managed to get a hold of your phone while it was unlocked, even for just a minute, they could steal all those passwords.
     

  8. If your phone doesn't have a password or PIN set up then you are really asking for it.
    Why? Even if you don't store passwords on your phone, it's a good bet that you at least get email on your phone and, obviously, phone calls and text messages. If your phone is lost or stolen, and there's no PIN, then the finder could quite easily figure out your important accounts (by reading your email), perform password resets, then login to those sites, lock you out, then start wiping you out financially. Losing a phone with no PIN can lead to a catastrophic data breach that can ruin your year.
     

  9. If you are practicing good password hygiene then there's no possible way you'll remember them all. You should write them down (yes, that's safe. Just keep your password notebook securely hidden). You can buy "password notebooks" that contain templates for filling in all the important info. You can also use a password manager. More on that below.
     

  10. Multi-Factor (or Two-Factor) Authentication (MFA/2FA) is when you must provide both your password and a code that's usually texted to your phone. This is recommended for super sensitive sites like your email, bank, or sites where you can buy things like Amazon.com.
    Why? MFA/2FA helps protect your account in the event your password is compromised. The attacker might know your password, but without your phone, they cannot get the code number required to complete the login.

    n.b. MFA/2FA isn't bulletproof. There are hacks where people are socially engineered (tricked) into providing the code number. That's additional work for the attacker and definitely complicates things, so MFA/2FA is still recommended.
     

  11. Writing down passwords is fine but not on random scraps of paper. See #9 above for best practices on writing down passwords.
    Why? You'll never keep track of 37 random scraps of paper, they'll get lost, believe me.

Other tips to help prevent your password from being compromised:

  • Avoid logging into sensitive accounts from any computer that isn't under your full time control. Never use computers in a hotel's guest business center to sign-in to an account; there's a chance it's been infected by a previous guest. Simple web surfing is fine, just don't sign-in to anything. Logging in using a friend's computer is safer but do so sparingly. When logging in on a computer that's not yours, use the browser's private mode. On Chrome, that's "incognito".
     

  • Connecting to an open and unlocked public wi-fi should be done sparingly. It's far safer today than it used to be but it's still an attack vector. Better yet, if you can, connect your laptop to the internet using your smartphone's personal hotspot feature. Most phones and data plans allow that now.

Password Crackers Are Smart

When a password cracker is trying to figure out passwords, they never start with the "brute force" approach. Brute-force simply means trying every possible combination of characters until a hit is made. Yes, it's one approach they use, but it's slow compared to other approaches so they save it for last.

 

Instead, they try popular password lists, common word lists, and apply programming rules in order to crack passwords without trying every possible combination. By combining these advanced techniques and using a powerful purpose-built computer, a password cracker can make billions of guesses per second. And that guess rate increases every year as newer and faster rigs are built. The rig pictured here costs less than $10,000, making it affordable to any determined hacker.

You might say "But how can a hacker make several billion guesses per second? No one can type that fast, and besides, won't the website they're trying to break into limit the hacker to five or ten guesses?"

password cracking rig

Custom password-cracking rig

Yes, that's true enough, but that's not how password cracking works. Password cracking is performed offline against a stolen database containing millions of usernames and passwords. Such offline attacks aren't affected by web server security that may limit you to five or so login attempts.

It's beyond the scope of this article to go into the highly technical details of how, exactly, password crackers do their thing. Buy you can Google it for yourself -- be warned, that's a deep rabbit hole.

So you'll want to create passwords that are hard for a password cracker to guess, even though they are making many billions of guesses a second. How to do that?

Passphrases

Passphrases are an easy way to beef-up your passwords. It's better than using single-word passwords even with a number or two stuck to the end. One possibility is to think up 2, 3, or maybe 4 words that roughly describes the site that wants a new password. e.g. For your bank, it might be  something like "MyDoughIsHere" or "HoldsMyMoney". Your Home Depot password might be "FixingOurHome" or "LotsOfLumber". You get the idea.

To make it stronger, to satisfy #1 discussed above, you can add some numbers to it and a special character. In this case, the numbers could be the same for all your passwords because the "words" part of your password will already pretty long and unique if you follow my passphrase advice. So you could add a period, hashtag, comma, or other special character followed by any 3-4 digit number that's important to you in some way.

e.g. "MyDoughIsHere+456" or "456+MyDoughIsHere" or something similar. The "+" and "456" could be on all your passwords and in the same spot so that's easy to make up new passwords for each site by just changing the words. Come up with your own pattern. Whatever custom method you choose, the resulting passwords should be at least 12 characters long and 15 or 20 is even better. You won't have to type these in more than once (usually) if you're using a password manager so having long passwords isn't a big deal.

The password advice I suggest above is for all practical purposes no less secure than a password made of totally random characters but it's a whole lot easier to type in correctly.

Password Management

Even though passphrases can be easier to remember and, more importantly, easier to type in than a deliberately mangled single-word password, you'll still need to keep track of them if you want follow good password hygiene. There's several approaches you can take here.

  • The best old school approach is to buy a smallish 5x7 spiral notepad and dedicate an inch or so of space to each web account. That way, you have plenty of room for notes and corrections associated with each website. Use a pencil so you can edit later. Jot down everything you'd ever need to know: Username, password, answers to security questions, account numbers, etc. A spiral notebook cannot be hacked so it's actually a very safe way to record passwords. Write neatly so you can read it later and store the book in a safe place where kids and visitors aren't likely to find it. You can also buy notepads specifically for password storage that has spaces for all the important info. Look on Amazon.
     

  • Save all your passwords in a password-protected Word file (use a passphrase here, too). Then every time you edit and save the file, print out a copy as well so you'll have a hard copy, in case your computer dies.
     

  • The best solution is to use password manager program. These are programs that securely stores passwords and other sensitive info, synchronizes it all between your various devices, and auto-fill password boxes in your web browser.


More on Password Managers

Password Managers are programs that, well, manage passwords. But they do it safely and offer additional features. They hold all your passwords in a secure database that is, itself, protected by a master password. Password managers can also auto-fill password boxes in your browser and help you generate super-strong passwords for new online accounts that you create. I personally don't use the password-generate feature because I want to create passphrases, as I described above. But it's there if you want.

All the popular browsers (Chrome, Firefox, Edge, Safari, etc.) have password managers built-in. They work well enough but aren't compatible with each other. If you use multiple browsers like I do then you'll have to separately teach each one. 3rd party password managers are cross platform (Windows and Mac) and work with most browsers to auto-fill your passwords.

Password managers also help protect you from phishing emails that try to trick you into logging into fraudulent, look-alike websites. While you, a silly human 😉, may be fooled by a well-crafted fake Bank of America login page, a password manager would never be tricked like that. Using a password manager, you'll know right away if a login page is fake because the password manager won't auto-fill the username and password.

Another advantage to a 3rd party password manager is allowing you to store other kinds of non-password sensitive data, something that the built-in browser-based password managers don't do very well -- or at all. That might be tax info, combinations to padlocks, SSNs, security questions and answers, MFA/2FA backup keys, and other sensitive non-password info.

 

Such 3rd password managers include mSecure, 1Password, RoboForm, Bitwarden, and Dashlane to name a few. I would not recommend LastPass due to insecure practices by that company.

I use mSecure because it offers numerous templates for storing all kinds of other sensitive information, not just website passwords. Your sensitive info is securely synced between your devices so it's available wherever you need it.

Most 3rd party password managers are subscription based but they aren't expensive.


Multi Factor Authentication

Multi Factor Authentication (MFA) or Two-Factor Authentication (2FA) is a feature increasingly offered by websites these days. When a website account is protected with MFA, then you must provide multiple (two usually) forms of identity in order to access the account. The first is your password as usual, and the second is generally a random six digit number displayed on your smartphone. This way, if a hacker managed to figure out your password, they would be unable to access your account because they would not have your smartphone and so could not get the six digit number. There are ways around this, but generally the attackers will just move on.

The website TwoFactorAuth.org lists hundreds of popular websites and whether or not they offer MFA/2FA. Check to see if the websites that are important to you offer 2FA. If they do, then take advantage of it! If not, complain to the website owner.

Setting up 2FA is not entirely painless. It must be done correctly lest you lose access to your own accounts. e.g. Authorizing your phone to be the security token, creating emergency backup code keys, setting up alternate email address for account recovery, etc. This is where an I.T. pro like me comes in. I know how to set these up properly to keep you safe!

Insecurity Questions

Lots of websites ask you to give answers to one or more security questions as part of a new account signup process. Questions like "name of your first pet", "name of high school that you graduated from", "best childhood friend", etc... These questions are there to help you recover account access in case you forget your password. But it's insecure if you give truthful answers. Bad guys can figure all this out easily enough using social media and social engineering techniques.

Instead, provide false nonsense answers to these questions. I know a guy who answers them all with different brands of beer. Just remember to jot down your false answers and the question that it goes with so you can enter the answers correctly later on if the need arises. But since you'll be following my advice by recording your passwords in a notebook or using a password manager, then you won't ever forget your passwords in the first place. Right?

Brave New World

Security professionals everywhere constantly grapple with these opposing forces: Security vs. Convenience. TSA; metal detectors in government buildings, in sports venues, and concerts; and more. Same thing applies to computers and websites. Greater security means more hassles for legitimate users.

Imagine the ruin you could face if your bank or brokerage accounts are hacked into. If your business email or cloud accounts like Dropbox were hacked and your confidential info or your client's was ransacked and exposed, your liability could be limitless.

I know that all the things I've discussed and suggested above can be unnerving and even a pain to follow.  But this is the reality of living online today. Security is simply too important to neglect and as our lives and businesses are ever more conducted online, good security is critical. Disregard at your peril.

bottom of page