Recently I was digging into my online security setup to make sure it’s still working and keeping my online accounts secure. There have been some pretty high-profile hacks in the last 20 years or so, and no website is exempt from the possibility of a breach. If you’ve ever had a friend whose email, Facebook, or even bank account was hacked into, you know that passwords don’t always save you.
In this series of articles, I hope to outline some elements you can add to your online security that will greatly decrease your chances of getting hacked. Some of these tips might seem pretty complicated at first, but even improving one aspect of your online security will make a difference. Security is never perfect, and you can never fully prevent a hack or a breach. But you can significantly reduce the chances using the tips I’m going to share.
So with that, let’s start with the topic of this article, and arguably the most important aspect of your online security: Strong passwords.
Personal security on most of the internet is built upon passwords. I hope that this will change in the future because of all the problems they cause, but for now, it’s what we have to live with.
That’s why it’s so important to use strong passwords. Here are some top tips for creating them:
The longer the better.
One misconception about passwords is that for one to be strong, you need to make it really complicated with letters, numbers, symbols, and all sorts of messy, hard-to-remember junk.
Sure, using symbols and numbers can help. But actually the best way to make a strong password is to make it really long.
A simple 30 character password made up of only lowercase letters and spaces is astronomically better than a really complicated 12 character password using uppercase letters, lowercase letters, numbers, and symbols. I did the math. The 30 character password is about a billion billion times better.
I’ve played around with password-cracking tools before. They’re out there, and they’re pretty easy to use. Any password that is less than 8 characters is not hard for a computer to guess using brute force. If you have any that are shorter than that, even making them just a bit longer (I would recommend at least 12 characters) will help. And even longer would be better.
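The arithmetic behind this comparison, as an added example that is not the author's own calculation: it counts the possible passwords for each policy, converts that to brute-force time, and generates a password the count actually applies to. The 94-symbol "complicated" alphabet and the guess rate of 10 billion per second are assumptions, and the counts hold only when every character is picked uniformly at random.

```python
import math
import secrets
import string

LOWER_SPACE = string.ascii_lowercase + " "  # 27 symbols
COMPLEX = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: offline attack on a fast hash


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def keyspace_ratio(first: tuple, second: tuple) -> float:
    """How many times larger the first (alphabet_size, length) keyspace is."""
    (a1, n1), (a2, n2) = first, second
    return a1 ** n1 / a2 ** n2


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this alphabet and length."""
    return alphabet_size ** length / rate


def random_password(alphabet: str, length: int) -> str:
    """Uniformly random password from a CSPRNG; the counts above apply to it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    policies = [
        ("8 lowercase letters", 26, 8),
        ("12 complicated characters", len(COMPLEX), 12),
        ("30 lowercase letters and spaces", len(LOWER_SPACE), 30),
    ]
    for label, size, length in policies:
        print(f"{label}: {keyspace_bits(size, length):.1f} bits, "
              f"{seconds_to_exhaust(size, length):.3g} s to exhaust")
    ratio = keyspace_ratio((len(LOWER_SPACE), 30), (len(COMPLEX), 12))
    print(f"30-char vs 12-char keyspace ratio: {ratio:.3g}")
    print("sample:", random_password(LOWER_SPACE, 30))
```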
If 30 characters seems unreasonable, then consider this: the phrase “If 30 characters seems unreasonable” actually contains 35 characters. This is the key to making a good password: make it a phrase that is easy to remember and type.
However, there is an important caveat to this:
Don’t use something easy to guess.
If you actually use the phrase mentioned above for a password, it would not be a strong password for a few reasons.
First, it’s an English phrase that makes sense. It would be better to come up with something more nonsensical. An xkcd comic on the topic once suggested “correct horse battery staple”. This is a nonsense phrase, it’s 28 characters long, and makes for a much stronger password.
The second reason why the phrase above is bad is simply because I’ve included it in this article. Don’t use a phrase that you’ve seen before. Anywhere. Ever.
When I talk about a password being easy to guess, I mean easy for a computer to guess. Computers are fast, and under the right conditions they can try millions of passwords in a relatively short amount of time. If you use a phrase that you’ve seen before, there’s a much better chance a hacker will try it. Just make something up yourself. It’s not too hard.
The other thing computers can do pretty easily is character replacement and adding things like numbers. So you might think that the phrase “c0rr3ct h0rs3 b4tt3ry st4pl3 555” is more secure. It’s not. The computers have figured out your trick, and it doesn’t work anymore. Sorry.
Oh, and don’t make your passwords longer by just adding something dumb to the end, like “123456”. Do you really think a hacker wouldn’t try that?
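Why the substitution and suffix tricks add nothing, shown as a password-policy check (an added example, not code from the original article): it undoes common character replacements and trailing digits or symbols, then looks the result up in a list of known phrases. The phrase list and the substitution table are small constructed samples.

```python
import string

# Constructed sample; a real check would load a large list of published phrases.
KNOWN_PHRASES = [
    "correct horse battery staple",
    "if 30 characters seems unreasonable",
]

# Common character replacements, mapped back to the letters they stand for.
LEET = str.maketrans("013457@$", "oleastas")
SUFFIX_CHARS = string.digits + string.punctuation + " "


def canon(text: str) -> str:
    """Lowercase, undo replacements, collapse whitespace."""
    return " ".join(text.lower().translate(LEET).split())


# Canonicalise the list too, so phrases that contain real digits still match.
KNOWN = {canon(p) for p in KNOWN_PHRASES}


def candidates(password: str):
    """Yield the password with 0..n trailing digits/symbols removed, canonicalised.

    Every cut point is tried because a trailing "3" may be a replaced letter
    (st4pl3) rather than part of an appended suffix.
    """
    p = password.lower()
    tail = len(p) - len(p.rstrip(SUFFIX_CHARS))
    for k in range(tail + 1):
        yield canon(p[:len(p) - k])


def is_guessable(password: str) -> bool:
    """True if the password reduces to a known phrase after un-mangling."""
    return any(c in KNOWN for c in candidates(password))


if __name__ == "__main__":
    for pw in ["c0rr3ct h0rs3 b4tt3ry st4pl3 555",
               "Correct Horse Battery Staple123456",
               "plinth gargle ottoman nine"]:
        print(f"{pw!r}: {'reject' if is_guessable(pw) else 'ok'}")
```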
Ok, next tip:
Do not reuse passwords.
This one makes me sad.
Because I know you know this already. You know that it’s a bad idea to reuse passwords.
But you still probably do it. And it’s unlikely that I’m going to be able to convince you otherwise, even if I make some really good points about why it’s a bad idea.
So let me just say this: somewhere along the line, your password is going to get hacked. Almost definitely. Honestly it probably already has. Some of mine have.
If you’ve only used that hacked password for one account, good news! The hacker can only get into one site! And if you’ve used 2-factor authentication (explained in a later article), then they can’t break into that site even when they do get your password.
Compare that with a reused password. The hacker gets that one password, and now they can get into several (all?) of your sites.
You think they won’t know which sites use that same password? They’ll just try a bunch of them. Computers are fast.
Think you’re safe if you use a “variation” of the same password on different sites by changing a couple characters? They’ll just try a bunch of variations.
Do you have a fancy “algorithm” or “system” for generating clever variations? This is better than nothing, but there are people who spend their lives studying and creating secure algorithms, and there are hackers who spend their lives trying to crack them. I bet your system isn’t secure enough, and an adequately motivated hacker could figure it out.
Please. Don’t reuse passwords.
Here’s a great alternative:
Use a Password Manager.
If all of my suggestions above seem good to you, but they look too hard, then let me introduce you to the wonderful world of Password Managers, which will solve all your problems! (Kinda…)
A Password Manager is a piece of software that can securely generate and remember strong passwords for you. You can generate passwords that are long and pretty much impossible to guess (most of mine are completely random), and you can very easily use a different password for each site. In fact, the Password Manager that I use warns me if I’ve used the same password for multiple sites.
There are lots of articles about Password Managers out there, and there are several good options that you can use. I personally use LastPass, which has a great free version. Let me just make a few quick points about them:
- Password Managers are built to be highly secure. That being said, the same password tips above apply to your password for getting into your Password Manager.
- Although the idea of storing your passwords somewhere might be scary, a good Password Manager uses all of the best security practices for this storage. They’re stored even more securely than credit card numbers. Seriously.
- If you store your passwords in some other digital way, such as a file on your computer (even if it’s password-protected), it is much less secure than storing them in a Password Manager.
- If you write down your passwords on a piece of paper, that’s actually ok from a security perspective. It’s unlikely that someone will break into your home and steal your passwords. But the only way to make it as good as a Password Manager is to use long, completely random, truly unique passwords for every site. If you’re ok with writing all those down on a piece of paper and leaving that paper home in a secure place at all times, go ahead. But I think you’ll find that there are issues with that solution.
Change your passwords once in a while.
Another misconception is that you should change your password really often. It actually doesn’t help that much compared to the tips above, and people who are forced to do so usually pick bad passwords. Doesn’t hurt to change them once in a while just in case, but don’t stress about it.
Pick one and do it!
So those are my password tips. Stay tuned for some articles about “two-factor authentication” (which can keep your accounts safe even if your password gets stolen) and why you should care about cryptography (what the heck is “https”, anyway?)
But for now, pick one of these tips and just do it. Make your passwords harder to hack, and make the internet a safer place. If you don’t know where to start, try a Password Manager (LastPass is a great free option). Just add a couple accounts to it. See how it feels to have virtually unbreakable passwords.
Questions on how to implement these suggestions? Any more password tips that I missed? Disagree with any of my recommendations? Leave a comment!