Hundreds of millions of passwords were breached by hackers this year alone. Don’t think you weren’t breached—odds are good that at least one of your username/password pairs is floating around, being sold to the highest bidder.
Protect yourself by ensuring that you have strong passwords that are too rare and too complicated for most hackers to bother trying to crack.
Memory-Based Techniques
You need not memorize a hundred different passwords: One way to generate unique and secure passwords for every site you visit, yet remember them all in your own head, is to use a set of easy-to-remember rules.
Passwords don’t “leak” because someone found your secret password file. Rather, they’re exposed because a company or service provider did not properly secure its authentication system against attack. Check the popular Have I Been Pwned? to see if your email address has been associated with a known breach in corporate security.
Different sites specify different minimum standards for a password—minimum character counts, use of special characters, use of numbers, use of some symbols but not others—so you’ll probably need a base structure that differs for each of these use cases, but your algorithm can remain the same.
For example, you could memorize a series of fixed letters and numbers and then modify that string to focus it on the specific website. For example, if your license plate is 000 ZZZ, use these six characters as a base. Then, add a form of punctuation and then the first four letters of the site’s official name. To log in to your account at Chase Bank, then, your password would be 000ZZZ!chas; your password at Netflix would be 000ZZZ!netf. Need to change the password because it expired? Just add a number at the end: 000ZZZ!netf1.
This approach isn’t perfect—you’re better off using a password manager—but at least this method will ensure that your password isn’t among the estimated 91 percent of all passwords that appear on a top 1,000 list.
Application-Based Techniques
If remembering rules isn’t your thing, consider using a dedicated application service to generate, store and retrieve your passwords for you.
If you welcome the convenience of having your password manager in the cloud:
- 1Password includes a travel option to let you wipe passwords when you travel so that if your device is confiscated by authorities at the border, your passwords are safe.
- Dashlane generates and secures passwords on your behalf.
- LastPass works as a free-standing application as well as a browser plug-in.
- RoboForm includes a secure-sharing feature so you can share passwords with friends and colleagues.
If you prefer a solution that’s tied to your desktop computer, try:
- KeePass supports download as a portable application, so it doesn’t even need to be installed on your computer to run.
- Password Safe was designed by a noted security researcher; the tool is simple but effective.
Password Best Practices
The rules for password best practices changed in 2017, when the National Institute for Standards and Technology, an agency within the U.S. Department of Commerce, released its report, Digital Identity Guidelines: Authentication and Lifecycle Management. NIST recommended that websites stop requiring periodic password changes, eliminate password complexity rules in favor of passphrases, and support the use of password-manager tools.
NIST’s standards are widely accepted by the information-security profession, but whether website operators will adapt their policies based on the new guidance is unclear.
To maintain effective passwords, you should:
- Use a password manager
- Refrain from using “random” passwords using adjacent keypresses, e.g., qwerasdfzxcv
- Avoid reusing passwords among websites
- Skip words that are in the dictionary
- Avoid using commonly guessed passwords
Get the Latest Tech News Delivered Every Day