How To Improve Your Password Hygiene
3 tips to help you improve your password hygiene and protect your accounts from being compromised.
Passwords: We all hate dealing with them but they’ve become just as important as the keys to our home. Unfortunately, too often we don’t take the security of our passwords as seriously as we do our house and car keys.
If your house key is lost or stolen, what do you do? Change your house lock immediately. And when you get a notification that your password may have been involved in a breach? If you’re thinking, I’d ignore it, you’re not alone. Oftentimes, we discount the seriousness of these notifications and decide it’s too much of a pain to change our passwords.
Unfortunately, that along with the poor password management practices many people have, makes it very easy for malicious actors to compromise passwords and hack into social, banking, and other important accounts. Implementing good password hygiene is no longer a recommendation but a requirement for anyone with an online presence.
This article will cover three things you should start doing to improve your password hygiene and protect your accounts against compromise.
Use a password manager to vault your passwords
If you read last week’s article, you’ll know one of the tips I covered was the need to create random, lengthy passwords. You were probably rolling your eyes at that thinking, yeah that might be secure, but how can anyone keep track of those without writing them down?
Well, I have a solution for you: password managers. Password managers are essentially a notebook to store all of your passwords in, but much more secure. It’s basically a safe protected by a master key used to access all of the passwords stored within it.
Many people don’t understand the point of password managers. The typical argument is, well what if the password used to grant access to the rest of my passwords is guessed or stolen?
The password used to gain access to your vault should be the most random password you’ve ever created and be something that no one would be able to guess. At the same time, it can’t be so complex that you need to write it down because we all know you shouldn’t write your passwords down.
I would suggest using a 15+ character passphrase that’s alphanumeric and contains random numbers and special characters. The keyword here is random: don’t use an @ in place of an a or a $ in place of an s.
Instead, use a passphrase generator to come up with a random sentence with random separators that aren’t easily guessed. Doing this will ensure you have a complex enough password that can’t be guessed or cracked quickly, but not so complex you can’t remember it.
This master password should also never be used anywhere else. That would defeat the purpose of it being a master password and put it at risk of being compromised. Create your master password and ensure it never gets used for any other accounts.
By following each of these guidelines, you’ll have one robust master key that will likely never be compromised so long as you are careful online.
Avoid using guessable info in your passwords
This next tip isn’t one of my favorites because I’m an advocate for using randomly generated passwords, but I know not everyone does that. Being comfortable with using randomly generated passwords takes time so it’s understandable that people still create their own passwords. However, if you do this it’s very important to avoid using any guessable information in your password.
I don’t care how random you think your password is, if it contains things like a pet’s name or a child’s birthdate, it’s not a secure password. Much of your personal information is publicly available and even if it isn’t, attackers have ways of finding that information or obtaining it from you via social engineering.
If you’re opting to continue creating your own passwords, please keep the below things in mind as you do so:
Don’t include any family member or pet details like first, middle, or last names, birthdays, or anniversaries.
Avoid using details like car models, school names, or street names that relate to you or anyone in your family.
Passphrases are great unless they’re things like “IL0v3myDog!”. If you’re going to create a passphrase, make sure it’s something that’s completely random or unique, like a song title, lyric, or line from a movie.
Don’t replace letters with special characters. Instead, use special characters as separators like, “I%lov3&my#dog!”. This makes the password less guessable and a bit more secure.
Always use Have I Been Pwned to check that your password hasn’t been previously compromised. If it has, don’t use it!
While I don’t condone creating your own passwords, keeping these pointers in mind should ensure you’re at least creating ones that are likely more secure than ones you’ve used in the past.
Use multi-factor authentication wherever possible
Multi-factor authentication (MFA) is something you’ve hopefully heard of before but if you haven’t, it’s a second factor used to authenticate you in addition to a password.
In general, there are three types of authentication:
Something you know — a password or pin
Something you have — usually a one-time password or token
Something you are — biometrics (fingerprint, facial scan, etc.)
In some cases there are also two other types of authentication: somewhere you are and something you do. For day-to-day MFA purposes though, the above three are the primary ones you’ll leverage.
When you log in to accounts with MFA configured on them, you’ll first input your password and then be prompted to enter a one-time password or token that you have.
This token is usually obtained from an authenticator app on your smartphone or texted to a mobile number on file. There are other options, like receiving a phone call that provides you with the verification code or having the code sent to your email, but those aren’t used as often. Having a verification code sent to your email also isn’t the best option because if your password is compromised, there’s a chance an attacker will be able to gain access to your email to retrieve the code.
So why is it so important to use MFA anywhere and everywhere? Defense in depth.
Defense in depth is most security professionals’ motto, but it applies in this situation as well. It’s the practice of having multiple layers of defense in place so that if one layer fails, there’s a second, third, fourth layer, and so on.
If we think about the security we have on our homes nowadays, it’s similar: a lock and deadbolt, a security alarm system, a smart doorbell, garage cameras, floodlights, etc. In the event of a suspicious activity or an intrusion, there are multiple defenses in place to either capture footage on camera or trigger alarms to scare off the individuals.
In our case, MFA adds a second layer to the stand-alone layer of security a password provides. Isn’t it a bit crazy that our finances and other sensitive information have previously only been protected by a single layer of defense?
MFA is imperative to securing accounts today. Without it, we’re leaving our information at risk of being exposed or our identities stolen. Just like many of us leverage multiple security controls on our homes and important assets, the same must be done for our online accounts.
To recap, we’ve covered some tips that can help you improve your password hygiene. These are three things you can start doing to improve your password security and better manage them:
Use a password manager to vault your passwords — this is a great way to store all of those randomly generated passwords, but be sure your master password is unique and not easily guessed! It’s best to create a passphrase that you’ll be able to remember but is complex enough that it can’t be guessed or easily cracked.
Avoid using guessable info in your passwords — if you insist on continuing to create your own passwords, avoid any personal or family member information that can be easily found or guessed. It’s also best to avoid using common special characters as letter replacements.
Use MFA wherever possible — multi-factor authentication is imperative to protect your online accounts because it provides a second layer of defense in the event your password is exposed or guessed. It’s best to use a mobile authenticator app or text/phone call to receive your verification code, but avoid having the code emailed to you.
I hope you enjoyed this week’s tips and have a better understanding of the things you can do to improve your password hygiene. Stay tuned for the last article of Cybersecurity Awareness Month where we’ll be discussing tips to protect sensitive information.