So we have acknowledged the problem with passwords: some people opt to choose such easy ones that they are practically providing an open invitation to hackers. Like the one stated in the previous post: PASSWORD, while hard to believe, is actually quite commonly used. The user may alternate between caps and lower case, thinking that is really shaking things up, but that doesn’t delay the hack-fest even a little bit. The question for anyone serious about his or her IT Security now becomes how to deal with this precarious predilection.
Let’s cover what we know. Exactly why do people choose easy passwords?
- Reason #1: Because they must memorize passwords, not write them down;
- Reason #2: But complex passwords are too hard to remember;
- Reason #3: We all have too many accounts and passwords to deal with;
- Reason #4: And we must change our passwords regularly!
Now for the number one problem: the human brain. I am giving everyone an out by saying that forgetting could directly relate to the massive amounts of information we have floating around in our cranial hard-drive. Picking a complex, hard-to-guess password also (ironically) means a password that is very difficult to memorize and very easy to forget.
Then there’s storage. We often forget things like anniversaries, birthdays, names, and appointments. Now imagine trying to commit 20-30 or more different passwords to memory. Geez. Now it’s getting really complicated. So we want to write down our passwords, just as we do our important dates.
Conventional password wisdom says do not use the same password for more than one account. Thus begins the next problem. Most people have accounts for email, banking, bills, and social media, to name only a few, and good practice means that each should have its own distinct password. Therein lies the rub. If every individual account must have its own password, that’s a lot of passwords to create.
And if we continue to follow conventional wisdom, passwords should be changed regularly, say monthly or quarterly. There’s the final rub. Let’s say we succeed in figuring out the perfect password. Now we have to do it all over again on all of our accounts. Often. Most people would exclaim, “You’ve got to be kidding me!”
So let’s address each of these concerns.
One must memorize passwords, not write them down.
This one is easy! I’m saying you should write down your passwords! Wow! But this is really the only way to ensure you don’t lose your passwords. Just be sure to write them down the old-school way: off-line and on paper, along with the accounts and login names associated with them. And store that paper in a safe yet accessible place. You can even take a copy traveling with you; just guard it like your passport, storing it away from your computer.
One must create complex passwords.
Unfortunately this is true. Password cracking software is easily available that can automate at great speed the checking of your passwords against commonly used passwords and dictionaries of common words, even in other languages. Cracking software can also check against common special character patterns, such as using ‘@’ for ‘a’. So it is really important to make good, hard to guess passwords.
The best passwords are long; a long password beats a shorter one stuffed with numbers and special characters. Longer passwords take longer to crack. So how do you make a long password that you can easily memorize? (Because you don’t want to check your paper all the time!) The “secret” is to use “pass-phrases”. Pick a song lyric, a favorite quote, or really any phrase memorable to you. Make it at least 15 characters long, the longer the better, up to the limits of the password field. You can even (or might have to) mix in numbers and special characters. Then write down the pass-phrase on your paper.
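As an added illustration of the two points above (crackers see through ‘@’ for ‘a’ tricks, and length matters more than symbols), here is a small Python checker of my own; it is not code from the original post. It undoes the common substitutions before comparing against a tiny constructed stand-in for a cracker’s wordlist, and contrasts that with the naive "character set to the power of length" figure that simplistic strength meters report.

```python
import math
import re

# Constructed stand-in for a cracker's wordlists; real lists hold millions of
# entries, including common passwords in many languages (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"dragon", "monkey", "summer", "sunshine", "football"}

# Substitutions crackers routinely try, mapped back to the letter they replace.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(password):
    """Undo case changes, drop a trailing run of digits/symbols, then undo leet
    substitutions, so 'P@ssW0rd2024!' is compared as plain 'password'."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)

def naive_bits(password):
    """Strength as a simplistic meter reports it: log2(charset ** length).
    This rewards short 'complex' passwords that crackers still guess quickly."""
    charset = 0
    if re.search(r"[a-z]", password): charset += 26
    if re.search(r"[A-Z]", password): charset += 26
    if re.search(r"[0-9]", password): charset += 10
    if re.search(r"[^A-Za-z0-9]", password): charset += 33
    return round(len(password) * math.log2(charset), 1) if charset else 0.0

def check_password(password, min_length=15):
    """Apply the post's advice: reject dictionary-derived passwords (even with
    leet tricks or case changes) and require a long pass-phrase."""
    norm = normalize(password)
    candidates = {password.lower(), norm}
    findings = []
    if candidates & COMMON_PASSWORDS:
        findings.append("common password once substitutions are undone")
    elif candidates & DICTIONARY_WORDS:
        findings.append("dictionary word once substitutions are undone")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    return {"normalized": norm, "naive_bits": naive_bits(password),
            "findings": findings, "acceptable": not findings}

if __name__ == "__main__":
    for pw in ["PaSsWoRd", "P@ssW0rd2024!", "Dr4g0n$", "the rain in spain falls mainly"]:
        print(pw, check_password(pw))
```

Note that the naive meter scores ‘P@ssW0rd2024!’ above 80 bits while the dictionary check still rejects it; the plain 30-character phrase passes.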
But I have too many accounts and passwords to deal with.
No way around this one. You really should have a different password, or better a pass-phrase, for each account. This isolates the damage to you if any one password gets stolen. Of course not all your accounts are equally important. Perhaps you use the same password for your different streaming music accounts without much worry. But bank, social media and other important accounts should each have their own, unique pass-phrase. Consider the damage to you of unauthorized access to each account, then make your decision.
If managing all these different pass-phrases becomes too much of a burden, then consider using a Password Manager. This is software you purchase that manages all passwords and pass-phrases for you. You enter one master password to unlock all the others. So you now only have to remember the master password. But that master password must be a long, complex pass-phrase because it is now the single point of access to all your passwords and accounts. Password managers can be used on all of your devices, including tablets and smart phones, with passwords synced between these devices. Password managers can load your browser with your web-based accounts and auto-fill the login and passwords for you. Slick! Password managers can create extremely long and complex passwords for you, a different one for each account, and memorize them all.
And we must change our passwords regularly!
This used to be the recommendation from IT security experts, but not so much anymore. Change passwords infrequently, say once a year or two, or don’t change them at all. Or if you use a Password Manager, change only the Manager’s password. Why this new advice? Because changing passwords, from good, complex, protected passwords to new good, complex, protected passwords can be difficult and risky. Difficult to think up a new, complex password, difficult to make the change and not risk mistakes, and difficult to update your password records, either on paper or within a password manager. If you build strong passwords and protect them carefully, regularly changing them brings little additional benefit.
I’ll close on a final note. More and more sites and services now offer Multi-factor Authentication: authentication (verifying that you really are the authorized user) that requires a second “factor”, in addition to a password, before you are let in. That added factor is usually a text code sent to your mobile phone, but other factors can be used, such as fingerprints. Chances are low that both the password and the phone are stolen. In general Multi-factor Authentication is a very good practice and you should switch to it for your high-value accounts.
As always, you can write to me with any questions, suggestions or comments.