I’m going to start off by saying I used to have bad passwords. Really bad passwords that I thought were amazing, because I didn’t know better. A lot of time has passed since I learned how to make better passwords, and I feel it’s time to share what I learned.
Let’s get started.
A good password must contain a random mix of letters, numbers, and symbols. We’ve all seen this advice or requirement when setting up a new account online:
“Your password must meet the following requirements:
At least 8 characters long, and;
contain at least 1 number, and;
1 uppercase letter, and;
1 lowercase letter, and;
The problem with this set of requirements is we’re all humans. I can’t remember what I had for breakfast let alone remember passwords for all the websites and services I use. According to LastPass’ 3rd Annual Global Password Security Report, the average employee in a small business has 85 passwords. Can you remember 85 phone numbers and who they belong to? I sure can’t!
You might be thinking that’s not a problem; I just use the same 8-character password everywhere, now I only have to remember a single password. In an ideal world, where everyone is good and you don’t need a lock on your front door, this is a great answer. Except we don’t live in that world. Using the same password everywhere is like having every lock you need to open use the same key, whether it is your home, work, vehicle, or bike lock.
Why is using the same password on different services a problem? This boils down to the same reason that makes a lock on your front door necessary – criminals. Think back to the example of using the same key for every lock you need to open. Now imagine what happens if you lose that key, or if someone steals it. Your home can now be accessed by anyone who knows that was your key. The vehicle that sits in front of your house might drive away with someone else at the wheel. Your password, or key in this example, is usually tied to your email address, which can be thought of like your home address.
With your password and email address, now criminals know the two pieces of information that can be used to access everything you have, if you are using the same password everywhere.
LastPass’ report goes on to state that the employee reuses a password 13 times on average. That’s really bad, because the 2020 Verizon Data Breach Investigations Report found that nearly 80% of web application attacks (this includes web-based email) in North America were carried out using stolen usernames and passwords.
Better passwords start with forgetting about the requirements and advice from above. Some organizations will still require certain complex password conditions to be met, but a good deal of them have moved on from this archaic advice. Creating better passwords starts with something that you can remember easily but that can’t be easily guessed by someone who knows information about you, or that can be easily found online, like social media posts you might make about a beloved childhood pet or best friend.
How is this better? Something memorable that only you would know, like a jingle you made up as a child, or something else that you won’t easily forget, can be turned into a sentence. In cyber security, this is called a passphrase. A passphrase can be incredibly simple, but impossible for someone to guess. Maybe you dislike a certain color, word, or place – you can turn that into a passphrase with ease. Or, better yet, use something specific that a website always makes you think of. For example: let’s say you are creating a rewards account at your favourite breakfast spot. You could use the passphrase, “I dislike waffles.” It’s that easy, you can remember it, and best of all it is unique to you!
Passphrases open a world of possibilities by letting your password be any number of characters, containing whatever punctuation, grammar, and spelling you want. And best of all, a 20-character password using only lowercase letters and spaces is much harder to guess than a password that only has 8 characters and follows the requirements from above, because the bad guys don’t know anything about your password. By solely following password requirements outlined by a website or service, you are (unknowingly) telling criminals a great deal about your password and significantly reducing the number of potential combinations they have to guess.
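To put numbers on the claim above, here is an added example (mine, not from the original post) that counts the guessing space of an 8-character password under the site policy quoted earlier versus the 20-character lowercase-plus-space passphrase. The 94-character printable-ASCII alphabet and its class sizes are assumptions of the example, and it goes beyond the post by also including a 64-character manager-generated password for comparison.

```python
import math
import secrets
import string
from itertools import combinations

# Printable-ASCII class sizes (26 lower, 26 upper, 10 digits, 32 symbols);
# these sizes are an assumption of this example, not something the post states.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())  # 94


def policy_keyspace(length, required=(), alphabet=ALPHABET):
    """Count strings of `length` over `alphabet` that contain at least one
    character from every class in `required` (inclusion-exclusion):
    sum over subsets S of `required` of (-1)^|S| * (alphabet - size(S))^length.
    Telling the attacker which classes are mandatory removes every string
    that lacks one of them, so this is smaller than alphabet**length."""
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet - sum(CLASSES[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def passphrase_keyspace(length, alphabet=27):
    """Lowercase letters plus space, as in the post's 20-character example."""
    return alphabet ** length


def bits(keyspace):
    """Work factor in bits: an attacker needs up to 2**bits guesses."""
    return math.log2(keyspace)


def manager_password(length=64):
    """A vault-style random password over all 94 printable classes, drawn
    with the cryptographically secure `secrets` module."""
    pool = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(pool) for _ in range(length))


def compare():
    """Bits of guessing work for the cases discussed in the post."""
    return {
        "8 chars, any printable": bits(policy_keyspace(8)),
        "8 chars, site policy (lower+upper+digit)":
            bits(policy_keyspace(8, ("lower", "upper", "digit"))),
        "20 chars, lowercase + space": bits(passphrase_keyspace(20)),
        "64 chars, manager-generated": bits(policy_keyspace(64)),
    }


if __name__ == "__main__":
    for label, b in compare().items():
        print(f"{label:42s} ~2^{b:5.1f} guesses")
    print("sample vault password:", manager_password())
```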
While this sounds great, we all know that not every website is going to evoke some sort of reaction or memory that you can turn into a better password, and the information you would use for that password might be something you’ve already shared publicly on social media.
There is an even better way! Password managers!
By using a password manager, you can have the best of both worlds. A strong, unique, easy to remember and difficult to guess primary password (passphrase) to log into your password manager, and unique, impossible to remember passwords for every single website or service you use. You read that right, impossible to remember. If the service allows it, you can have up to 64 characters of random numbers, letters, and symbols, or more! As a bonus, most password managers will automatically create and save these passwords for you in a database, or vault, so that you don’t need to think about them again.
Why is this important? If you can’t remember it, then you can’t possibly reuse it somewhere else! Let the password manager handle the remembering of your everyday passwords. All you need to remember is the primary password for the vault and the password to log in to your computer or phone. Now, if a website or service you use is breached and your password is compromised, the only site that password is used on is the one that was breached. You don’t have to worry that any of your other accounts are now vulnerable because of this breach.
An added benefit to using a password manager is the ability to have secure passwords for the apps on your phone or tablet. A good password manager can automatically fill the login information for apps and websites on your phone, making it easy to have great passwords and not need to remember anything but your primary password. Many password managers allow you to use biometrics, such as fingerprint scanners on Android phones, or Face ID on Apple devices, to unlock the password vault without entering your primary password every time you need to access your passwords.
By combining a password manager with good primary passwords and multi-factor authentication wherever possible (again, think fingerprint scanners or Face ID) you can ensure that your accounts stay secure.
To close out, I’ll leave you with a timeless quote that sums up good password practices:
“An ounce of prevention is worth a pound of cure.”