Password Best Practices – Protect Yourself!
I wanted to talk a little about password security and the need for two factor authentication. As I’m sure you are aware, the internet is a scary place, and over the last few years information theft is hitting home for regular folks like you and me. Home Depot, Target, Sony, Citibank just to name a few have all been hit with large scale targeted attacks where massive amounts of data were stolen. Identity theft is rampant, and given that most people don’t think about passwords that much, its far too easy for bad people to get your data and do really bad things.
What can you do?
Three simple rules for Password Safety:
- DON’T use the same password everywhere – I’ve done this so many times, and it is just asking for trouble. Don’t give the bad guys the keys to the castle when they break into the tool shed!
- Use long passwords – the longer the better, but 8 characters minimum.
- Use complex passwords – mix case, use numbers, use special characters (ampersand, asterisk etc).
How to I maintain secure passwords without driving myself insane or just writing them all down?
There are lots of ways to do this, and I’m not going to pretend like I know them all – but there are a few basics to remember
1) Use a hash
Simply put, this means use a base password that is always the same, then use the site name to generate something unique.
For example, make your base password something easy to remember like your favorite color or your nickname for your partner. In this case, lets use “fido”.
I want to login to my mail account at yahoo. I could make my password “fidoyahoomail” or yahoodotcomfido.
I could get more secure if I split the keyword and added some special characters and replace letters with numbers: “fiy@hooD0” – note the o in fido was changed to a zero.
2) Don’t use all letters! There are lots of creative replacements you can make for plain letters – use what makes sense for you.
replace all “e” with 3
replace all “a” with @
replace all “e” with # (shift 3)
replace all “o” with 0
replace all “s” with $
you get the idea
3) Use a password manager
There are many out there, but I really like Lastpass (www.lastpass.com). It’s cross platform so will travel with you to whatever device you want, will generate and store very complex passwords, and probably most importantly uses multi-factor authentication scheme from Duo and several other providers (more about that later).
The basic idea is that you store all of your passwords in one place then use a single password to get at your password “vault”. I know, this is a single point of failure and what if the password manager gets hacked? That’s a valid concern and if I’m honest I don’t have a good response other than it’s the best you can do for the moment. Choose a site (like lastpass) that has good two factor authentication choices so that you reduce the possibility that your master password gets hacked – that way you just need to worry about Lastpass itself getting hacked which will never happen – oh wait –
4) Use multi-factor authentication where possible.
What is multi-factor authentication (also called two-factor authentication)? Basically it means another way for the system you are trying to access to know that you are who you say you are. Since passwords can be hacked, a second authentication means that you further reduce the ability for someone to hack the system. In practical terms that can mean a lot of things – an email with a security code, a text message with a security code, your smart phone fingerprint reader, a USB key for authentication etc. This is an evolving space, authentication methods are improving all the time. Check out the FIDO alliance for more on second better authentication methods.
As an aside, when LastPass reported their breech, I was not concerned because I had two factor authentication turned on. I changed my vault password anyway, but I was relieved that I was protected regardless of the breech.
A couple of DON’Ts are necessary to mention here too –
- Don’t use names of people you know in your password – wives, children, relatives. In fact, don’t use proper names at all.
- Don’t use dates that are discover-able – birthdays, anniversaries. Nothing that someone can find out if they google you. You want to use the date of your first date with your wife, or the day your kid said “No!” for the first time, that’s fine.
- Avoid simple, easy to guess passwords! Things like “password”, “abc123”, “qwerty” etc. When Adobe was hacked, the Stricture group released a list of the most common passwords found from the hack. Please don’t use any of these!
Really Bad Passwords – these are the top 10 from the Adobe hack:
- 123456789
- password
- adobe123
- 12345678
- qwerty
- 1234567
- 111111
- photoshop
- 123123
Passwords are a necessary evil, so please take a little time to come up with a strategy to keep your data safe that works for you. You don’t have to have a photographic memory to maintain solid security on your passwords, use a password manager like lastpass or come up with a repeatable scheme and you’ll be fine. Don’t forget about two factor authentication too – it’s an extra step, but totally worth it.