Guide to Password Security
With so much of our personal data online today, a username and password are usually what stands between you and almost any account you own. Everything from bank accounts to email to social media is protected by a password, and gaining access to that information could be all someone needs to carry out a malicious attack. But despite over 90% of internet users recognizing this vulnerability, nearly a quarter of all Americans have used a generic password like “12345” or “password” on a personal account. Read on to learn more about how to avoid these unsafe passwords and protect your information.
Why is good password security important?
The more secure your password is, the less likely it will be for someone to guess or generate it without your permission. In addition to creating passwords that are individually secure, this includes using a variety of passwords across accounts, rather than one password as your login credentials. Doing so can be the difference between an inconvenience and a catastrophe for your personal data.
Passwords hide sensitive data
The most compelling reason to invest in password security is as simple as the password itself. With your password, someone could access sensitive information, whether it is your bank account or personal photo storage. This access could lead to identity theft or someone acting as if they are you to carry out online scams, post to your social media, and other acts you may be responsible for if they were to happen. In some cases, a secure password is the only thing keeping your data safe.
Passwords can reveal personal information
Many people choose passwords based on things like their birthday, middle name, or other information they know by heart and will always remember. While these can make convenient passwords, keep in mind that if someone were to find out your password, they would also have that personal information. Especially if there is a crossover with things like your Social Security Number or answers to cybersecurity questions, your password itself may reveal more information than you intended.
Less secure passwords can be easily guessed
In some cases, a password can be guessed simply by knowing a person or their basic information. But cybercriminals make a business of hacking online accounts and run algorithms and programs to help guess complex passwords and gain access to others’ personal data. The fewer characters your password has, or the more it is made up of simple terms, the more likely this is to happen. Password security will help you avoid these hacks as much as possible.
How do hackers get my password?
It’s easy to feel like passwords are personal and will be difficult to guess for anyone who doesn’t know you. However, hackers are usually not targeting a single person, but using a systematic approach to find as much information as they can. A password that is not secure is more vulnerable to these approaches. There are a number of ways hackers carry these out, with five main methods.
Phishing and social engineering
If a hacker is able to avoid guessing at your credentials, they will, which is what makes phishing popular. Phishing attacks involve sending out emails, text messages, or advertisements that appear legitimate enough to gain your trust, in the hopes that you will enter your account or payment information. A common example would be receiving an email from the IRS (which corresponds only by mail) asking you to enter payment information, which is then stolen by the hacker.
Ransomware: A malicious attack, or form of malware, that blocks access to a device or account until payment is made to the originator.
Phishing: Sending emails or text messages pretending to be an individual or company, with the goal of the recipient revealing personal information, such as a credit card number.
Password spraying: A form of brute force attack in which a hacker attempts to access many accounts at once. This is done by obtaining a list of usernames and trying to use common passwords to see which accounts can be accessed.
Any program that accesses or disrupts your device is malware. This can be something that is downloaded through a phishing scam, like clicking on a false advertisement, or is somehow placed onto your device. Once malware is present, the hacker behind it may be able to track your keystrokes or access your accounts to obtain your information. Any computer virus is considered a form of malware.
Malware: Any program designed to damage a device, disrupt the use of the device, or hack into a device or account. Viruses and ransomware are both examples of malware.
Brute force attacks
Brute force attacks rely on you having a weak or common password and a hacker being able to simply guess it on their own. This can be done on an individual basis where someone quite literally guesses combinations or more systematically uses a script that populates and attempts many combinations at once.
Another form of brute force attack is password spraying, where the goal is to access many accounts at once. In password spraying, a hacker will take a list of usernames for a service and try common passwords against all of them, with the expectation that at least some will work.
Brute force attacks: A method of hacking that uses trial and error to guess passwords, usernames, and other credentials. This can be done by an individual or a prebuilt algorithm.
Similar to a brute force attack, a dictionary attack involves systematically guessing as many iterations of a password as possible. In a dictionary attack, rather than common passwords or combinations of random characters, every word in the dictionary is used as the basis for the guesswork.
Dictionary attacks: An attempt to access any account or device by systematically entering every possible word and combination until the right one is discovered.
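The two brute force patterns described above look different in an authentication log, and that difference is what a defender keys on: a classic brute force attack produces many failures against one account from one source, while password spraying produces a few failures each against many accounts from the same source. The following is an added example written for this guide, not code from any product it mentions. The log format, the source addresses, the usernames and the thresholds (five distinct usernames, five failures on one account) are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): 203.0.113.5 sprays one guess
# across many accounts and lands one, 198.51.100.9 hammers a single
# account, and 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:02Z auth src=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:03Z auth src=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:04Z auth src=203.0.113.5 user=dave result=FAIL
2024-03-01T09:00:05Z auth src=203.0.113.5 user=erin result=FAIL
2024-03-01T09:00:06Z auth src=203.0.113.5 user=frank result=SUCCESS
2024-03-01T09:01:00Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:01Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:02Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:03Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:04Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:05Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:02:00Z auth src=192.0.2.44 user=grace result=FAIL
2024-03-01T09:02:05Z auth src=192.0.2.44 user=grace result=SUCCESS
"""

# Assumed line layout: "... src=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse(log_text):
    """Turn raw log lines into dicts with src, user and result keys."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def detect_spraying(events, min_users=5):
    """Sources whose failed logins are spread across many distinct accounts."""
    users_per_src = defaultdict(set)
    for event in events:
        if event["result"] == "FAIL":
            users_per_src[event["src"]].add(event["user"])
    return {src: sorted(users)
            for src, users in users_per_src.items() if len(users) >= min_users}


def detect_brute_force(events, min_failures=5):
    """(source, account) pairs with repeated failures against one account."""
    failures = defaultdict(int)
    for event in events:
        if event["result"] == "FAIL":
            failures[(event["src"], event["user"])] += 1
    return {key: count for key, count in failures.items() if count >= min_failures}


def success_after_spray(events, sprayers):
    """Accounts a spraying source logged into: these get reset first."""
    return sorted({event["user"] for event in events
                   if event["src"] in sprayers and event["result"] == "SUCCESS"})


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    sprayers = detect_spraying(events)
    print("spraying sources:", sprayers)
    print("brute force pairs:", detect_brute_force(events))
    print("accounts to reset:", success_after_spray(events, sprayers))
```

The thresholds are the part to tune: a shared office or VPN egress address will legitimately show failures from many different users, so in practice the spraying rule is usually combined with a short time window and a low failure-per-user count before it fires.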
How to create a strong password
When creating a password, there are steps you can take to ensure password strength, including:
Use unique passwords for important accounts
The average person has 100 accounts with a password at any given time, but most of them will use at least some identical elements. While it may not be feasible to remember a different password for every account, your important accounts should always have completely different ones. This includes banks and email accounts, along with anywhere else money can be transferred or stored.
Choose a password at least 8 characters long
Most websites set a minimum number of characters for a password, but even if they allow fewer than 8, you should never make your password that short. Requiring eight or more characters eliminates over 50,000 short and common words and forces people to combine words, numbers, and uppercase and lowercase letters, making the password harder to guess. The password should mix character types: numbers and letters, special characters like punctuation marks, and both capital and lowercase letters.
Do not include personal information
Your password should not include information that is easy to access or could be used to otherwise impersonate you. Your name, age, birthday, address, or Social Security Number (and those of your children or family) should be off the table. Pet names and favorite foods should also be avoided as they can often cross over with security questions.
Avoid consecutive keyboard combinations
Along with common passwords like “password,” weak passwords like “qwerty” that go in order of the keyboard are also ripe for cyberattacks. These can seem simple to remember while also being different than regular words, but they are also very commonly guessed.
Try to use non-words
Security experts say one great way to choose a strong password is to use a sentence as your guideline, and then use the first letter of each word. For example, if you want to use “I love to eat fresh watermelon on Sundays,” your password can be “iltefwos”. It looks like random letters and is difficult to guess, but will be something you can remember as needed.
Bad password habits
If all of your major accounts use the same password, then someone only has to hack one of them to gain access to your entire library of data. While it’s fine to use something common for less vulnerable accounts, if there is anything you want to be extra secure, never use a duplicate password.
Writing down your passwords
Having your passwords spelled out somewhere can cause a huge problem if someone gets ahold of the document. Not only would they have access to all your accounts, but those passwords may also contain personal information like birthdays that they could use. And even if no one finds the list of passwords, losing it could mean you suddenly have no access to your own accounts anymore.
Never changing your password
It can be easy to keep one password for years, especially when your phone or browser remembers it and you never have to think about it. But passwords should be changed regularly, especially if any of your accounts have ever been involved in a large data breach. You may notice that when you change a password, the website also requires more characters or other security precautions as regulations become tighter.
What is a password manager?
Password managers are apps on your computer or mobile device that store and manage your passwords so that you do not need to remember them. Instead, you use a single password and authentication method to access the manager, which then encrypts your passwords and uses that information to safely access your accounts.
Some password managers offer additional security features, like scanning the dark web to alert you to any breaches of your data.
Are password managers okay to use?
A password manager can feel counterintuitive to some people: these applications are a single repository for all your accounts, giving you easy access without having to remember unique passwords. Behind the scenes, they encrypt your passwords before they leave your device, constantly changing the passwords to keep your accounts safe.
However, most password managers are considered to be extremely secure, and you’ll find a lot of IT and InfoSec professionals rely on them in their personal lives. The combination of encryption on the backend and the use of two-factor authentication to access your accounts makes password managers a good option for added security and convenience.
Top password managers to try
Each password manager offers different options and levels of security, but these are thought to be the strongest and easiest to use on the market.
KeePass
This completely free, open-source password manager is perfect for users who want military-grade encryption and complete control over their data. While the interface is a bit more technical and there is no Android or iOS app, KeePass is the choice for those looking for high-level security, including the option to generate passwords and add plugins.
Dashlane
Along with the basic password management functions, Dashlane is known for additional security features like scanning the dark web to find information leaks. Dashlane also provides a secure virtual private network (VPN) and a password changer option. While the free plan is limited to 50 passwords and one device, the free version does include two-factor authentication and payment autofill.
LastPass
With both browser and mobile-based offerings, LastPass is popular due to its simple-to-use interface and the fact that its free version offers the most necessary features. LastPass uses multi-factor authentication and allows biometric access to be used as well. The free plan includes unlimited passwords, device syncing, and even a digital wallet to manage credit card information.
1Password
While 1Password doesn’t offer a free version, the small monthly fee allows for not only password management but document storage and a web scanner. The program is known for offering family plans that allow sharing between users, with permissions set for up to 5 family members.
LogMeOnce
This cross-platform password manager allows access to passwords across basically any browser, computer, or mobile device. Users can access their information in a variety of ways, including through a PIN or a fingerprint. Because of the deep customization possible on LogMeOnce, many large companies use the product to manage their own information security needs.
Bitwarden
With almost all versions of the program being completely free, Bitwarden is a comprehensive product that allows for syncing, two-factor authentication, and the ability to store passwords offline. A premium plan is available with added features, but the open-source nature of Bitwarden means the free version is robust enough for most users.
Keeper
In addition to personal and family plans, Keeper is unique in that there is an enterprise-level password management option that hooks into single sign-on authentication for companies. Advanced security and role-based access control are helpful in large organizations, though the tool can be used by any individual as well.
What characters can I put in a password?
Each website or application will have its own rules about what exactly can be in a password. Most allow alphanumeric characters and certain special characters, like ! or ?, to be used. Some may also require upper or lowercase letters or a combination. Anything you use should be able to be entered via any device, so something like an iOS emoji will normally not be allowed, as it could not be entered from a PC.
How do I know if my password is strong?
Some websites will tell you how strong your password is as you set it up. However, not all websites have very strict security around passwords. A strong password is one that cannot be easily guessed (as a simple word can be) and cannot be easily cracked by a hacker. This usually means that longer passwords with a mix of character types are better, and that nothing in the password should be personally identifiable.
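The rules in the "How to create a strong password" section above (at least 8 characters, a mix of character types, no personal information, no keyboard sequences, no common passwords, the sentence-initials trick) and this question about judging strength can be turned into one checker that reports every rule a candidate password breaks. The code below is an added example written for this guide, not a site's or product's own strength meter. The common-password set is the list this guide gives in its final question, and the "three character types" threshold and the four-key keyboard-run length are assumptions made for the example.

```python
import string

# Common passwords named at the end of this guide, plus two of the same kind.
COMMON_PASSWORDS = {
    "qwerty", "password", "12345", "qwerty123", "q1w2e3", "1234567890",
    "11111", "123456", "12345678",
}

# Keyboard rows; a run of 4+ adjacent keys, forward or backward, is flagged.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_keyboard_run(password, run=4):
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for sequence in (row, row[::-1]):
            for i in range(len(sequence) - run + 1):
                if sequence[i:i + run] in lowered:
                    return True
    return False


def contains_personal_info(password, personal_terms):
    """personal_terms: names, birth years, pets, etc. supplied by the user."""
    lowered = password.lower()
    return any(term.lower() in lowered for term in personal_terms if len(term) >= 3)


def character_classes(password):
    """How many of lower, upper, digit, punctuation appear (assumed: need 3)."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password, personal_terms=()):
    """Return the list of guide rules the password breaks (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if has_keyboard_run(password):
        problems.append("contains a keyboard sequence")
    if contains_personal_info(password, personal_terms):
        problems.append("contains personal information")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character types")
    return problems


def initials_password(sentence):
    """The guide's sentence trick: first letter of each word, lowercased."""
    return "".join(word[0] for word in sentence.split() if word[0].isalnum()).lower()


if __name__ == "__main__":
    base = initials_password("I love to eat fresh watermelon on Sundays")
    print(base, check_password(base))
    print(check_password("qwerty123"))
    print(check_password("Fluffy2015!", personal_terms=["Fluffy", "2015"]))
```

Run on the guide's own sentence the helper returns "iltefwos", and the checker reports that it is all lowercase; that is the cue to add the capitals, digits and symbols the character-mix rule asks for on top of the memorable base.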
When should I change my password?
You should always change your password if you know or believe an account has been hacked or accessed, as well as if you have accidentally shared your password. It can also be helpful to change passwords every year or so to ensure you are keeping up with recent security standards. With a password manager, this isn’t necessary as the password is changed automatically and often.
What is two-factor authentication?
In order to add security, password managers and other websites may require two-factor authentication, in which more than just a password is needed for access. Once you have entered the correct credentials, a code of some sort will be sent to an email or phone number registered with your account. Only with that code can you then access your information.
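What makes an emailed or texted code a real second factor is not the code itself (six digits can be guessed in at most a million tries) but the server-side rules around it: the code is generated from a cryptographic random source, expires quickly, is accepted once, and is discarded after a few wrong guesses. The snippet below is an added example of that server side, written for this guide rather than taken from any site or product it names; the five-minute lifetime, the five-attempt limit and the six-digit format are assumptions, and the delivery to the phone or email address is left out because that part is just sending the returned string.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: the challenge dies after five wrong guesses


class OneTimeCodeStore:
    """Server side of a 'we sent you a code' second factor."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so the expiry can be tested
        self._pending = {}             # username -> [code_hash, expires_at, attempts]

    def issue(self, username):
        """Create a fresh code for the user; the return value is what gets sent."""
        code = f"{secrets.randbelow(10 ** 6):06d}"      # CSPRNG, zero-padded
        digest = hashlib.sha256(code.encode()).hexdigest()
        # Storing only the hash keeps a leaked table from handing out live codes.
        self._pending[username] = [digest, self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, username, submitted):
        """True exactly once, for the right code, within its lifetime."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]        # expired or locked: start over
            return False
        entry[2] += 1
        matches = hmac.compare_digest(
            digest, hashlib.sha256(submitted.encode()).hexdigest())
        if matches:
            del self._pending[username]        # single use
        return matches


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("would send to alice's phone/email:", code)
    print("wrong guess accepted?", store.verify("alice", "000000"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

The attempt limit is the piece most often missing from home-grown versions: without it, a six-digit code that lives for five minutes is only as strong as the rate at which the login page answers.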
What is the most secure password to use?
The most secure password is a random combination of numbers, letters, and special characters with no real meaning. However, since that is not always possible, the more you can simulate it the better. Use the first letter of each word in a sentence, or swap letters for similar special characters (like $ for S) in order to make your passwords more secure.
What is the best password size?
Somewhere between 11 and 15 characters is considered to be a sufficient password length for maximum security. While longer combinations can be harder to guess, they are also difficult to remember and store, and security experts agree there is no need to go past the range of 11 to 15.
What are the most commonly used passwords?
The most commonly used passwords include generic terms and sequences, such as: qwerty, password, 12345, qwerty123, q1w2e3, 1234567890, and 11111. It is also common for passwords to include personal data like a birthdate, pet name, middle name, or address.