It’s time to upgrade your password. Consider the following password Do’s and Don’ts and the challenges they present.
Let’s start with the Don’ts:
- Use your login name (ssmith)
- Use a sequence or repeated characters (“123456” or “abc123”)
- Reuse one password for different accounts
- Share. A secret is no longer a secret once 2 people know it.
- Store passwords as contacts in your email or in a spreadsheet called “passwords.xlsx”
And the Do’s:
- Think length (12 or more characters)
- Complexity – intersperse punctuation marks or symbols (kdk_D!13FFv)
- Layer up (2-factor, biometrics)
The average person has 23 online accounts. Following the rules above, you need 23 long, complex & unique passwords that you have committed to memory. Unless you are “The Amazing Kreskin” or “Rainman”, that’s impossible!
As the XKCD.com comic strip below illustrates, we’ve been making our digital lives too hard with complex passwords. The result is that people don’t use strong passwords. At best they use a complex root password and change a couple of characters based on the site they are signing into. By 2017, attackers had developed cracking programs that account for exactly this pattern. If your Google password is G&y6t5r, they will quickly know that your Facebook password is F&y6t5r.
So, should you trade all your passwords for passphrases? While technically easier to remember, remembering 23 unique passphrases would also prove daunting if not impossible.
Start using a password manager program to generate and manage a vault of long, complex & unique passwords. Protect your password manager vault with a 7-word passphrase and use the built-in two-factor authentication feature.
For a truly secure passphrase we suggest the “Diceware” method. In Diceware you roll dice to generate maximum entropy. Rolling a six-sided die five times gives a five-digit number that you look up in a predefined word list. For example, 11111 is “abacus” and 12345 is “arrange”. Repeat for each word, and in the end you will have a passphrase like “ascent phrase ramp good doable taunt”. Notice this is much more random & secure than a phrase we might pick ourselves like “giants yankees rutgers john jersey shore”. I promise that if you write your passphrase down on a post-it and keep it with your ID, you will memorize it in a couple of weeks at most.
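To make the Diceware mechanics concrete, here is an added worked example (not from the original post or the EFF project) that parses the EFF word-list format, maps five dice rolls to a list entry, and computes how much entropy a passphrase of a given length carries. Only a handful of list lines are embedded, constructed for this example; the two entries the post cites (11111 abacus, 12345 arrange) are real, the others are placeholders, and a real run would load the full 7776-line file linked at the end of the post.

```python
import math
import secrets

# Constructed excerpt in the EFF large word-list format: "<5 dice digits><tab><word>".
# 11111 and 12345 match the post; the remaining lines are placeholders, not real entries.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tplaceholder-b
11113\tplaceholder-c
12345\tarrange
66666\tplaceholder-z
"""

# A full five-dice list has 6^5 = 7776 equally likely entries.
WORDLIST_SIZE = 6 ** 5


def parse_wordlist(text):
    """Parse 'NNNNN<tab>word' lines into a dict keyed by the five-digit dice string."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(ch not in "123456" for ch in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word.strip()
    return table


def roll_word_key():
    """Roll a six-sided die five times using the OS CSPRNG (secrets), never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_passphrase(table, words=6, roll=roll_word_key):
    """Build a space-separated passphrase; `roll` is injectable so results can be reproduced."""
    chosen = []
    for _ in range(words):
        key = roll()
        if key not in table:
            raise KeyError(f"dice key {key} not in word list (is the list complete?)")
        chosen.append(table[key])
    return " ".join(chosen)


def passphrase_entropy_bits(words, list_size=WORDLIST_SIZE):
    """Entropy of a uniformly chosen passphrase: words * log2(list_size)."""
    return words * math.log2(list_size)


def words_for_target_entropy(target_bits, list_size=WORDLIST_SIZE):
    """Smallest word count that reaches the requested entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    # Deterministic rolls so the demo works with the tiny sample table.
    fixed_rolls = iter(["11111", "12345"])
    print(generate_passphrase(table, words=2, roll=lambda: next(fixed_rolls)))
    for n in (6, 7):
        print(f"{n} words from a {WORDLIST_SIZE}-word list: "
              f"{passphrase_entropy_bits(n):.1f} bits")
    print("words needed for 90 bits:", words_for_target_entropy(90))
```

Six words from the full list give about 77.5 bits and the post’s recommended 7 words about 90.5 bits; the calculation holds only if every roll is uniform, which is why the generator uses `secrets` rather than a human picking “random” words.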
Take your time and build your password manager vault by adding your accounts and changing their passwords. The programs make it easy by learning your usernames and passwords as you go, and they have a password generator feature. You’ll rest easy knowing this vault is protected by your state-of-the-art strong passphrase and 2-factor authentication. Best of all, you’ll enjoy the convenience of signing into your password manager once and then having it log you in everywhere else. No more interruptions in your workflow to send yourself a password reset link, further complicated by the requirement that you not reuse a password you’ve used before.
Here are some helpful links:
- Password Managers Best of 2017 https://www.pcmag.com/article2/0,2817,2407168,00.asp
- Diceware Passphrase word list https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt
- Diceware https://en.wikipedia.org/wiki/Diceware