In my previous post I talked about how to identify phishing attempts so you can avoid becoming a victim. In that post I mentioned that one of the risks of phishing is that, since most people use the same password on multiple accounts, a single successful phishing attempt can put all of your accounts at risk.
The best way to prevent that risk is to use a different password for each account you have. That is a lot of passwords, I get it. Later I’ll talk about tools you can use to make it easier to maintain separate passwords but first I want to talk about passwords in general.
Do you have a “good” or “strong” password? What makes a password “good”? My definition of good is a password that is easy for you to remember but hard for someone else to guess. There are a number of tools available on the Internet to guess or “crack” passwords. If your password is based on a word, a name, a date, etc., one of these password crackers will be able to guess it in a few seconds.
In general, you want to use as long a password as the site will allow, up to 20 characters. Use both upper and lower case letters, numbers, and special characters (punctuation, shifted number keys, etc.). You also want to avoid common passwords such as “password”, “letmein”, or “abc123”. You can see a list of the 1000 most common passwords at http://www.passwordrandom.com/most-popular-passwords.
You can test the strength of your password at https://howsecureismypassword.net/. Disclaimer: while I believe this site is safe to use, if you enter your real password into this site you may expose yourself to identity theft or other forms of fraud. Use it at your own risk.
Here are some sample results from https://howsecureismypassword.net/ of various passwords:
| Password | Time to Crack | Comments |
|---|---|---|
| railroad | Instantly | Top 3175 most used passwords; based on a word; too short; only has letters |
| Railroad | Instantly | Top 3175 most used passwords; based on a word; too short; only has letters |
| Railroad1 | 4 days | Based on a word and a number; too short; no special characters. Depending on the tool used, this could be guessed in a few seconds. |
| Rail-road1 | 6 years | Better, but depending on the tool used this could be guessed in a few minutes. |
| Ride-the-Rails | 29 million years | Now we are getting somewhere, but if I know you are interested in trains or railroad history I might be able to guess it in hours or days. How would I know you are interested in trains? Your social media history (Facebook, Twitter, etc.) reveals a lot about your interests and hobbies. |
|  | 34 billion years | The first letter of each word in the first sentence of “The Hobbit”, which was published in 1937. Easy to remember, very hard to guess. |
|  | 558 quadrillion years | I know what you are saying: how in the world can I remember that? Keep reading. |
OK, so the last two are looking good. They are essentially impossible for someone to guess. Unfortunately, the last one is also impossible for most people to remember. Also, I suggested that you use different passwords for every site: Facebook, Apple, Amazon, your bank, your email… that could be dozens of passwords.
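As an added illustration (not part of the original post, and not how the site above computes its numbers), here is a small Python estimator that turns the factors in the Comments column into a crack-time figure: which character classes appear, how long the password is, and whether it sits on a common-password list. The guess rate, the tiny common-password list and the sample sentence are assumptions constructed for this example, so the figures differ from the site's.

```python
import string

# Constructed stand-in for the "most common passwords" list the post links to;
# only a handful of entries are embedded so the example runs offline.
COMMON_PASSWORDS = {"password", "letmein", "abc123", "123456", "railroad"}

# Assumed attacker speed (an assumption, not from the post): ten billion
# guesses per second, roughly a GPU rig against a fast, unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(pw):
    """Alphabet size an attacker must search, from the classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size

def brute_force_seconds(pw):
    """Worst-case seconds to try every string of pw's length over its alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def estimate(pw):
    """Return (verdict, seconds). Anything on the common list is 'Instantly'
    whatever its length or character mix, like the table's first two rows."""
    if pw.lower() in COMMON_PASSWORDS:
        return "Instantly (on a common-password list)", 0.0
    secs = brute_force_seconds(pw)
    if secs < 1:
        return "Instantly", secs
    if secs < SECONDS_PER_YEAR:
        return f"{secs / 86400:.0f} days", secs
    return f"{secs / SECONDS_PER_YEAR:.3g} years", secs

def passphrase_initials(sentence):
    """The memorable-but-unguessable technique from the table: the first
    character of each word of a sentence only you would think of."""
    return "".join(w[0] for w in sentence.split() if w[0].isalnum())

if __name__ == "__main__":
    for pw in ["railroad", "Railroad", "Railroad1", "Rail-road1", "Ride-the-Rails"]:
        print(f"{pw:16} {estimate(pw)[0]}")
    print(passphrase_initials("My first train ride was on a red steam engine in 2005."))  # constructed sentence
```

Note that the brute-force figure is an upper bound: a cracker that tries dictionary words with common substitutions first will find "Railroad1" far sooner than the exhaustive number suggests, which is exactly the point the Comments column makes.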
That is where password managers come in. Password managers are tools for SECURELY storing your passwords – please don’t create a Word document and put all your passwords in it, especially if you name it “passwords”. There are many password managers available, including many free options. I have used Keepass for years, but you may want to check out others – here is a good starting point: https://www.cnet.com/news/best-password-managers/.
Here are a few things to look for in a password manager:
- It should encrypt your stored passwords with a master password (you will need to remember the master password but this is the only password you need to remember)
- It will work on all the computers and devices you use (Windows, Mac, Android, iPhone, etc.)
- It does not limit the number of passwords you can store (or at least has a very large limit)
- It will allow you to store the web site URL and some notes about the account (such as security questions).
- It will allow you to copy and paste the URL, username, and password so you don’t have to type them (a very useful feature; I wouldn’t use a password manager without it)
- It will maintain a password history of past passwords
- It will let you print a copy of your passwords – this is helpful for storing in a safety deposit box or with a family member in case of an emergency
After you put all your passwords into a password manager make sure you back it up regularly. If you accidentally delete your password file you don’t want to have to click “I forgot my password” on every website you use. Lastly, only use a well-known password manager from a reputable site; you don’t want your password manager to secretly send all your passwords to the software developer. Research whatever password manager you are thinking of using before downloading it.
It is an adjustment to start using a password manager and trusting it to remember your passwords for you but once you try it you won’t want to go back.