Choosing strong passwords is hard and remembering them is often harder. We explore what makes a password strong and how you can best manage your credentials to stay ahead of the bad guys.
Nearly every single one of our Sutherland Shire customers has a password problem.
Each of us needs to keep track of dozens of usernames and passwords.
The majority of people write down their usernames and passwords which means they are no longer secure.
Others use password strategies that offer a false sense of security.
Managing your passwords doesn’t need to be so complicated.
We’ll show you what you need to do and how to do it with ease.
What makes a password strong?
Choosing strong passwords begins with observing these three key traits.
Strong passwords are random
The more random a password is, the longer it will take for a hacker to crack.
Unfortunately, human behaviour is very predictable (93% predictable according to research) which makes our capacity for randomness poor. It often seems the harder we try to be random, the more predictable we are. Furthermore, a truly random password is often just too difficult for most of us to remember.
Strong passwords are unique
You need to use a unique password for every login so if it’s compromised, your exposure is limited to that one account. Our memories are terrible, however, so creating a unique password for every login isn’t feasible without a robust management process in place.
Longer passwords are stronger than shorter passwords
Professional hackers can crack an 8-character, single-case password in minutes. Add a number to it and it now takes 9 hours. Add a special character and it now takes 23 years.
Always go for longer passwords over shorter passwords. What might take years to crack today could take hours to crack tomorrow.
Check out the Better Buys Password Cracking Times site if you’re curious to know how long it takes a hacker to crack a password.
How to make sure your passwords stay strong
Strong passwords are not just about choosing a robust password in the first place; they’re also a matter of how you manage and use them.
Don’t write your passwords down
You absolutely shouldn’t do this in a work environment and we’d argue you shouldn’t do it at home either.
Loose pieces of paper are easily thrown in the trash. Notebooks can be stolen or lost.
You’re more likely to opt for a simpler, shorter password if you know you are going to have to write it down. You’ll also need to make sure your writing is neat and that you can clearly tell the difference between 1, l, I and | (as well as o,O and 0).
Don’t use personal information in your passwords
See our previous point about selecting a random password. It’s common knowledge that people like to use pet names, important dates or children’s names for passwords. Hackers know this and optimise their programs to exploit this predictable behaviour.
Don’t reuse your passwords
We mentioned earlier that each password should be unique – let us explain why in more detail.
There have been many high profile security breaches over the past 10 years that have resulted in large troves of usernames and passwords being released to nefarious actors.
The largest known data breach occurred in 2013 when 3 billion Yahoo users saw their credentials stolen. If you had a Yahoo account in 2013, your password was probably sold on the dark web. It’s safe to say that it’s now a record on numerous password databases, identified by your email address. You can also assume that hackers will use your Yahoo email address and captured password to try logging into PayPal and any number of other financial institutions.
Perhaps you think your risk here is low because you don’t use that Yahoo account anymore. The problem now is that the bad guys know someone has used this password before. They’ll save the password in a database because they know people like to reuse passwords.
Failure to use unique passwords will eventually come back to haunt you. Don’t say you weren’t warned.
Don’t enter your passwords into insecure websites
A secure website will have a green padlock in the address bar. If you don’t see one, don’t use it because any information you transmit can be intercepted and/or changed.
We recommend installing the HTTPS Everywhere plugin for your browser which will direct you to https websites whenever they are available.
Don’t click on links in emails
Phishers are becoming increasingly more proficient at crafting legitimate-looking emails that appear to come from your bank. Always open your browser and navigate to the website manually.
How to choose strong passwords
Our preferred way to choose a strong password is to randomly select four words for use as a passphrase. This method will meet all three of our strong password criteria above and will be memorable.
Remember how we told you earlier that humans are bad at behaving randomly? Well, this means you can’t just select the words off the top of your head. Not to worry though, there are password generators on the internet that can do this for you.
We recommend the ssh.com passphrase generator because it’s secure, runs in your browser and allows you to set your strength preference. Select a minimum of medium strength (64 bit), select “Random words” and run the script to collect random words that you can construct into a memorable passphrase.
We also think tapping in four words on a smartphone is easier than tapping in a complex 10 character password.
How are four easy-to-remember words stronger than my complex 10 character password?
This well known xkcd comic does a great job illustrating how a long password consisting of single case characters is stronger than a short but more complex password.
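To put numbers behind the crack-time and four-word-passphrase arguments above, here is an added example (not code from the original post, the ssh.com generator or xkcd). The entropy figures assume every word or character is drawn uniformly at random; the wordlist, the word counts and the attacker guess rate are constructed assumptions, and a human-chosen “complex” password does not reach the ceiling printed for a truly random 10-character string.

```python
import math
import secrets

# Constructed sample wordlist for demonstration only; a real Diceware-style
# list has 7776 words, and the ssh.com generator uses its own list.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]

def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly, with replacement, from a
    list of wordlist_size words. The uniform random draw is what makes the
    passphrase strong; words picked off the top of your head are not uniform."""
    return word_count * math.log2(wordlist_size)

def character_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of length characters drawn uniformly from alphabet_size symbols,
    e.g. 26 for single-case letters, 94 for all printable ASCII. This is the
    ceiling for a random string, not what a memorable human-chosen one gets."""
    return length * math.log2(alphabet_size)

def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches target_bits (e.g. the 64-bit
    'medium' setting recommended above) from a list of wordlist_size words."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(wordlist, word_count: int, separator: str = " ") -> str:
    """Pick words with the secrets module (the OS CSPRNG), never random.choice,
    whose generator is seeded predictably and is not meant for secrets."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))

def average_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker who, on average, must try half the
    keyspace. guesses_per_second is an assumed rate, not a figure from the post."""
    return (2 ** entropy_bits / 2) / guesses_per_second

if __name__ == "__main__":
    print(f"8 single-case letters:        {character_entropy_bits(26, 8):.1f} bits")
    print(f"10 random printable chars:    {character_entropy_bits(94, 10):.1f} bits")
    print(f"4 words from 2048 (xkcd):     {passphrase_entropy_bits(2048, 4):.1f} bits")
    print(f"4 words from 7776 (Diceware): {passphrase_entropy_bits(7776, 4):.1f} bits")
    print(f"words from 7776 for 64 bits:  {words_needed(7776, 64)}")
    # Assumed attacker rate of 1e10 guesses/s for an offline attack on a fast hash.
    print(f"average crack time, 44 bits:  {average_crack_seconds(44, 1e10):.0f} s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```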
Introducing password managers
As we’ve pointed out, strong passwords need to be unique, random and sufficiently long, which makes them difficult to create and impossible to remember.
This is why you need a password manager.
A password manager (used correctly) will take care of the following for you:
- Generate long passwords consisting of random characters automatically or on demand
- Ensure uniqueness across all your logins
- Remember all your passwords
- Allow you access to your passwords on all your devices
That ticks all of our boxes so far.
Online vs offline password managers
Password managers can save your encrypted passwords online (in the cloud) or locally (on your computer). The most security-conscious may prefer to use an offline password manager; however, this does introduce complexity that may be beyond the average user.
We suggest leaving offline password managers to the professionals that require the greatest security over all other features.
Will they really solve my password problem?
Yes, they will. They’re so useful, you’ll wonder how you ever managed without one.
Our pick of the most popular online password managers is Dashlane because it takes all the pain out of managing strong passwords.
Dashlane setup is simple. Download and install their application on your Windows or Mac computer, create an account (with a secure password!) and Dashlane will start importing your usernames and passwords from your computer. Your credentials are saved (encrypted) to their cloud servers so you will be able to access them from anywhere.
Install the Dashlane browser plugins and it will start filling in your credentials wherever you browse.
We like Dashlane because it:
- is simple to set up
- allows your passwords to follow you wherever you log in
- creates very long, complex passwords
- can import all your browser passwords
- reliably fills in your browser credentials
- presents you with a security dashboard that rates your security
- warns you of vulnerabilities
- can reset your weak passwords for you (!)
Why not 1Password or LastPass?
We prefer Dashlane over 1Password because we found 1Password often failed to capture passwords or wanted to capture text that wasn’t passwords which frustrated us.
We prefer Dashlane over LastPass because of its security dashboard and bulk password changer.
All three password managers offer free or trial periods so you can try before you buy.
A premium Dashlane subscription will cost you USD $39.99 per year whereas 1Password comes in at USD $36.00. LastPass is much cheaper at USD $24.00 but we think Dashlane is worth its higher asking price.
We recommend KeePass for those users who don’t like the idea of their encrypted passwords being too far from their person.
KeePass is open source, which means its source code is freely available for all users to review. It has been the password management tool of choice for many security professionals for years. Its small size and portability make it great for storing on a USB device.
KeePass can be installed (free of charge) from the KeePass website.
To get started, create a database and use a strong password to secure it. Save the database somewhere secure and you’re done. KeePass is a very basic application with a rather dated user interface and you won’t get many of the features we love most about online password managers.
Many KeePass users sync their database files to their various devices using a file-sync service like Dropbox or OneCloud. The truly paranoid few will only sync their database files manually.
Other resources that will help you stay secure
You can sign up for security alerts at Stay Smart Online. This government-run service sends regular security tips to subscribers and will also notify users “of the latest threats and vulnerabilities schemes within an Australian context”.
TechSolvers is a Stay Smart Online partner.
HIBP is run by Australia’s own Troy Hunt, a globally recognised expert on information security. This site collates publicly available credentials from large breaches and notifies you if your login has been exposed. The HIBP database currently stores under 5 billion compromised logins.
Register your email address (it’s free) and HIBP will send you an email whenever your email address appears in a data breach. It’s up to you what you then do but I like to shout Troy a coffee every time HIBP notifies me of a breach containing my email address.
Got more questions?
You can send us your questions using our contact form or via the Facebook comments section below.
Alternatively, you can call us on 02-8502-8954. We’re always happy to give out our advice freely over the phone.
Do I really need a password manager?
Yes, you do. Stop asking and get one already!