The Dos and Don’ts of passwords, and why you should be using a password manager

October is National Cybersecurity Awareness Month! In light of recent security events (Equifax, Deloitte, BlueBorne, Mac firmware, etc.), I’m going to try to post about ways that you, as an individual, can better protect yourself when companies don’t care about properly securing your data. First up, passwords.

According to Intel Security, the average user has 27 different login accounts. This includes social media, bank information, email, work credentials, utilities, and anything else you need to log into. Usually, all of those have a username and password combination to log in. Your username is probably similar across all of them, whether it’s your email address or some combination of your first and last name, but it’s more and more common for users to have the same password across many of their services. While that is convenient, it’s extremely dangerous. If one company is compromised and an attacker gains your password, they can try that password on any other service with your email address, and it’s likely they’ll get in. Over 50% of breaches in the last two years leveraged stolen or weak passwords.

To have good password practices, follow these basic rules:

  1. Use a different password for every account.
  2. Use a long password; I try to aim for 12-24 characters.
  3. Use special characters (*&^%$#@!), numbers, and a combination of capital and lowercase letters.
  4. Change your passwords every few months.
  5. Don’t write down your passwords or save them in Excel files.
  6. Don’t share your passwords, even with tech support.

For 27 different logins, these rules might make it really hard to remember your passwords: 91% of people reuse their passwords, and 20% of people say they have to fill out a “forgot password” form once a week. The problem is only getting worse: as more and more companies transition to an online presence, users will have even more passwords to remember.

How do we solve this? A password manager.

Personally, I use LastPass to manage all of my passwords. For those not familiar with password managers, they are a utility that lets you remember just one master password. All of your other passwords are randomly generated and stored securely. Some examples of passwords previously generated by LastPass include:

  • &KYmIf3%dE3ucib2
  • ^I79!YsBugn84qJ8
  • 6O&5euSZ5zmO#WDj
  • 75l%quJHyQeD$1VD
  • 5V*LLjCOFaKn7zw^

Some password managers even have audit capabilities that will go through your stored passwords and tell you how secure they are; others have two-factor authentication to make sure you’re the only one accessing your passwords.

Can’t the password manager be hacked?

Absolutely, as was the case in 2015, when LastPass was breached. The good thing is that even though the attackers got some email addresses, they couldn’t crack the master passwords, because those are hidden behind thousands of rounds of military-grade hashing. (For a breakdown of what hashing is, check out my other blog post.)
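To make the two ideas above concrete (per-account passwords drawn at random, and a master password that is never stored directly but only as a slow, salted hash), here is a small added illustration. It is example code written for this post, not LastPass’s implementation; the use of PBKDF2-HMAC-SHA256 and the 100,000 iteration count are assumptions chosen for illustration, not LastPass’s actual parameters.

```python
import hashlib
import secrets
import string

# Character classes from rule 3 of the post.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "*&^%$#@!"  # the special characters the post lists
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL


def meets_rules(password: str) -> bool:
    """Rules 2 and 3: 12-24 characters, with at least one lowercase letter,
    one uppercase letter, one digit and one special character."""
    return (12 <= len(password) <= 24
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIAL for c in password))


def generate_password(length: int = 16) -> str:
    """Draw from a CSPRNG (secrets, never random) and resample until every
    required character class is present, so the result always passes the rules."""
    if not 12 <= length <= 24:
        raise ValueError("length must be between 12 and 24")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_rules(candidate):
            return candidate


# Master password handling: the vault keeps a salted, deliberately slow hash,
# not the password itself. ITERATIONS is an assumed illustrative value.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def enroll(master_password: str):
    """Pick a fresh random salt; return (salt, derived key) to store."""
    salt = secrets.token_bytes(16)
    return salt, derive_vault_key(master_password, salt)


def verify(master_password: str, salt: bytes, stored_key: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing via timing."""
    return secrets.compare_digest(derive_vault_key(master_password, salt), stored_key)


if __name__ == "__main__":
    print("generated:", generate_password())
    salt, key = enroll("correct horse battery staple")
    print("right master password:", verify("correct horse battery staple", salt, key))
    print("wrong master password:", verify("password123", salt, key))
```

Because each guess at the master password costs ITERATIONS hash computations, an attacker holding a stolen salt and key has to pay that cost for every candidate they try.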

Which password manager should I use?

The most highly recommended ones are

In conclusion:

Password security is hard, and all the rules make complex passwords hard to remember. When you only have to remember one secure master password instead of 27, you are much safer in the event one of your services suffers a breach.
