Passwords

Introduction
Passwords are a necessary part of everyday life. We pay our bills online, chat with friends and log in to file our taxes. If you aren’t using a computer or other internet-connected device, life is becoming harder to manage. Strong, unique passwords are crucial for protecting your personal information and online security.
In this blog we will discuss password best practices, hazards to avoid and tools to help you manage your online security.
Please feel free to skip around to different chapters within this blog, as they generally do not require reading other sections.
Best Practices
Use Unique Passwords for Different Accounts
Never reuse passwords across multiple sites. Reusing passwords increases the risk of your email and password being exposed: if your email and password from one site are leaked, attackers can use that same combination to access your accounts on other sites. There are thousands of data breaches every year. You can check whether your email has been involved in a data breach with a service such as Have I Been Pwned. Companies usually store passwords using a one-way hash function rather than in plain text, but this only slows down determined attackers; it does not stop them.
Create Strong Passwords
More powerful computers can break longer passwords faster than before. Online password-strength checkers give estimates of how long it would take a computer to break a given password; use one you trust and test a password similar to yours rather than one you actually use.
Follow these points to create a strong password:
- at least 12 characters long (ideally 16+)
- a combination of letters (uppercase and lowercase), numbers and special characters (!&^%$)
- none of your personal information, such as your birthday or address (or kids’ names, pets’ names, etc.)
- no consecutive letters or numbers (abcd, 123); the password should be unique and not repetitive in its characters
Example of a strong password: 9L!xY7$zT3nW
Example of a weak password: password123
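The rules above, turned into a checker, as an added example that is not part of the original post. It applies the length, character-mix, personal-information, consecutive-run and repetition rules to a candidate password; the personal details it compares against are constructed sample values.

```python
import re
import string

# Constructed sample of personal details a user might supply; a real tool would
# collect these from the user rather than hard-code them.
SAMPLE_PERSONAL_INFO = ("1990", "Maple Street", "Rex")

def has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending or descending letters or digits (abc, 123, cba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def has_repetition(pw: str, run: int = 3) -> bool:
    """True if any character is repeated `run` or more times in a row (aaa, 111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def check_password(pw: str, personal_info=()) -> list:
    """Return a list of rule violations; an empty list means the password passes every rule."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a special character such as !&^%$")
    squashed = pw.lower().replace(" ", "")
    for item in personal_info:
        if item.lower().replace(" ", "") in squashed:
            problems.append("contains personal information (%s)" % item)
    if has_sequence(pw):
        problems.append("contains a consecutive run such as abc or 123")
    if has_repetition(pw):
        problems.append("contains a repeated character run such as aaa")
    return problems

if __name__ == "__main__":
    for candidate in ("9L!xY7$zT3nW", "password123", "Rex1990!abcdef"):
        print(candidate, "->", check_password(candidate, SAMPLE_PERSONAL_INFO) or ["ok"])
```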
These requirements can make it difficult to come up with unique passwords, so consider using a password manager or password generator. You can also consider using a passphrase instead of a password.
Using a Passphrase Instead of a Password
A passphrase is a combination of words (e.g. grimace-reliable-untracked). To create a passphrase, think of a few random words that are easy to remember but difficult for others to guess. For instance, ‘sunflower-bicycle-ocean’ is a strong passphrase. You can make it even stronger by adding numbers and special characters, like sunflower-bicycle-ocean-42!.
A passphrase has a similar level of security to a password of equal length, but is much easier for a person to type and memorize.
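A passphrase generator, added here as an example that is not part of the original post. Its strength comes from picking the words at random from a large list (the `secrets` module is the OS's cryptographic random source), so the block also computes how many words are needed to reach a target number of bits; the embedded word list is a constructed stand-in for a real list such as the EFF long list (7776 words).

```python
import math
import secrets

# Constructed mini word list for the example; a real generator uses a large list
# (the EFF long list has 7776 words, giving about 12.9 bits per word).
WORDS = ["sunflower", "bicycle", "ocean", "grimace", "reliable", "untracked",
         "maple", "lantern", "harbor", "velvet", "comet", "ledger"]

def bits_per_word(list_size: int) -> float:
    """Entropy contributed by one uniformly random pick from a list of list_size words."""
    return math.log2(list_size)

def passphrase_entropy(word_count: int, list_size: int) -> float:
    """Total guessing entropy of word_count random words drawn from the list."""
    return word_count * bits_per_word(list_size)

def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))

def generate_passphrase(word_count: int, words=WORDS, separator: str = "-", suffix: str = "") -> str:
    """Pick words with the OS CSPRNG (secrets.choice, never random.choice) and join them.
    suffix lets the user append digits/symbols such as "-42!" as the post suggests."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    return separator.join(chosen) + suffix

if __name__ == "__main__":
    print("words for 60 bits from a 7776-word list:", words_needed(60, 7776))
    print(generate_passphrase(4, suffix="-42!"))
```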
Consider Two-Factor Authentication (2FA)
Two-factor authentication is when an additional method is used to prove the identity of the person logging into a service.
2FA is an extra layer of security that can protect an account should the password become compromised. Usually it involves an email, a text message or a two-factor authentication app delivering a code that has to be entered after your email and password. The codes generated by authenticator apps are refreshed every 30 seconds. 2FA is considered the gold standard for securing accounts (for the average person and small business): to access your online accounts you need both your account credentials (typically email and password) and physical access to one of your devices (computer, tablet, smartphone).
Hazards
When to Change your Password
Security experts used to recommend changing passwords every 3-6 months. Nowadays, if you have a strong, secure password, frequent changes aren’t necessary and may lead to weaker replacements. However, it’s crucial to stay informed about breaches. Sign up for notifications from services like Have I Been Pwned to stay updated on potential breaches affecting your accounts.
After a Security Breach
If you know that your data is part of a security breach, change your password immediately. This stops the leaked password from being used to get into your account.
If you get a Notification of Attempted Access
If you get a notification about access from an unknown location, change your password to secure your account.
If you Discover Malware or Phishing Software
If there is software on your devices that can leak your keystrokes or inputs, change your passwords using another device.
When Using Public Wi-Fi
On public Wi-Fi, other parties on the network can intercept your data, including login information. Using a VPN encrypts the data you send and receive, so parties in the middle (the internet service provider, bad actors) cannot spy on your internet traffic.
Be Cautious of Phishing Scams
Phishing scams target consumers with emails, phone calls, or other messages that look like they come from a trusted source. For example, you might receive an email that looks like it’s from your bank, asking you to verify your account information. Be cautious of urgent requests, suspicious links, and email addresses that don’t match the official domain. If in doubt, contact the company directly using a known, trusted method.
Phishing scams use fear (emergencies), greed (winning prizes), empathy (family requests), or surprise (fake delivery updates) to trick you. There are often red flags within the message that indicate it isn’t genuine. The elderly and other vulnerable people are often thought of as the most likely targets of phishing attacks, although in reality large corporations are the most susceptible to them.
Additional Resources about Passwords
Article about password cracking
Long & difficult passwords vs our memory
List of most common passwords
Tools
Password Managers
A password manager is a piece of software that acts like a digital vault. It is locked with a single master password and stores your passwords, credit card information and other personal data.
Password managers make saving, retrieving, and generating passwords or passphrases much easier than doing it manually. Here’s a comparison of recommended password managers:
For Individuals
BitWarden: Free for basic use, open source, cross-platform, and offers premium features for $10/year USD.
1Password: User-friendly interface, premium features, and $3/month USD (annual billing). Ideal for less tech-savvy users.
Dashlane: Offers password management, dark web monitoring, and VPN services, with a premium plan costing $5/month USD (annual billing).
I personally use BitWarden as my password manager.
For Families or Teams
BitWarden: For tech-savvy users who appreciate open-source software; $40/year USD for 6 accounts.
1Password: Best for those who prioritize ease of use and robust family/team management features; $5/month USD (annual billing) for 5 accounts.
Dashlane: Ideal for users who want dark web monitoring and personalized security alerts; family plan costing $7.49/month USD (annual billing) for 10 accounts. Only one of the accounts will have the VPN service.
Two-Factor Authentication Apps (Authenticator Apps)
Authenticator apps are smartphone applications that generate time-based one-time passwords (TOTP). They are generally free to download and use.
Two-factor authentication apps store your login codes and let you access them easily. Some also offer features like password protection, secure notes, and password management. Since most of them are free, choose one from a reputable developer; authenticator apps are not immune to vulnerabilities.

Recommendations
We recommend using 2FAS as your two-factor authenticator app. It is open source and allows saving a backup of your codes to cloud storage (iCloud, Google Drive), synchronizing with other devices, among other features. It is recommended over some of the other big-name offerings (Microsoft Authenticator, Google Authenticator) because it lets you easily back up and export your accounts without being tied to a Microsoft or Google account.
Advice For Tech-Averse Individuals
For those uncomfortable with technology, use methods that are easy to integrate into daily life. Here are some practical tips:
- Use a passphrase instead of a complex password. For example, ‘blue-cat-apple-2020’ is easier to remember and type.
- Write down passwords in a dedicated notebook or on a sheet of paper. Keep this in a safe but easily accessible place.
Conclusion
Password management is crucial for securing your online accounts and personal information. By following best practices like using unique and strong passwords, considering two-factor authentication, and being aware of hazards such as phishing scams, you can significantly enhance your online security. While password managers offer an efficient way to handle multiple passwords and improve security, it’s important to choose one that fits your specific needs. Remember, the goal is to integrate these tools and practices seamlessly into your daily routine, ensuring your online presence remains safe without overwhelming you with complexity.