I used to really dislike passwords. I found them aggravating and tedious. And quite frankly, I still don’t like them very much. But we’re stuck with them —at least for the time being. Let’s all agree, passwords are problematic. But they don’t need to be if we use logical policies, governance, technology and products that enforce strong password principals.
Given the fact that passwords are a necessary evil, the following 10 things will help us keep them safe:
1. Know if your password has been compromised, or “pwned.” You can find out if your passwords have been the victim of a breach at https://haveibeenpwned.com/Passwords. Also, don’t respond to anything that looks questionable or that might be a phishing attempt! Any email asking you to click on a link and enter account information is always suspicious.
2. Use a passphrase, not a password. “To be or not to be” is better than “Hamlet.” You can also use several random words of different lengths, like XrayYellowZebraHelicopter.
3. 2Bor!2b? is also good, and it aligns with an obsolete, but still follows the widely enforced standard for strong passwords: 8 characters- 1 upper case, 1 lower case and one non-alphanumeric character.
4. Stop changing your password every 90 days, unless it’s been compromised. A strong password that you easily remember should last a long time. Scheduled password changes are an invitation to iterative passwords, which are problematic.
5. It’s OK to write your passwords down. But not on a yellow post-it stuck to your monitor or under the keyboard. And never do so in a public place, including your office. Put them somewhere safe like a notebook or journal stored away from your computer.
6. Passwords should be unique to every site you visit. Reusing the same password for your financial information on a social media site isn’t safe.
7. A password manager is a good idea as we’ve just suggested using multiple unique passwords. Password manager software stores and manages online credentials within an encrypted database and is locked behind a master password.
8. Stop using passwords and use biometrics instead! Passwords are a weak link in a cybersecurity defense. Biometrics, on the other hand, provide unique credentials that cannot be duplicated because your body is the key that unlocks access, e.g., fingerprint or facial
9. Multi-factor authentication, or MFA, is a password, plus some other verification code that can be sent to you via email, SMS, phone or even an app on your smartphone. It can even work without the password with just the verification code or one time password.
10. Let your browser pick one! Most of the major browsers will suggest a password that’s almost impossible for you to remember. As long as you access that site with the same browser on your computer or have it linked across all of your devices, it works great. Just remember that like a password manager, the password securing your computer has to be strong.
Passwords will provide bad actors with an ongoing source for their malicious activity for the foreseeable future. As you can see, there are many ways to manage passwords and methods to ensure protections. Hopefully the suggestions above will help increase awareness of the need to protect credentials and provide some helpful guidelines to help keep your information safe.