You shouldn’t reuse passwords. This isn’t new advice.
But for whatever reason, the practice seems to be a persistent thorn in everyone’s side. Troy Hunt singled it out as today’s biggest cyber security issue. Motherboard attributed past data breaches and hacks to password reuse. And F-Secure Security Consultant Jan Wikholm quickly put to rest any optimism about this situation improving in a recent podcast.
According to Jan, people reuse passwords because they have too damn many of them to remember. A lot of people have jobs that cause mental stress. Remembering a bunch of random strings of characters or long phrases is just one more pain point. And it rarely helps anyone with their work. So people compromise on password quality (choose easy passwords to guess), quantity (choose a few strong passwords) or both (numerous accounts protected with an easy password to remember or guess).
That’s how you get situations where an overwhelming number of compromised passwords remain in use.
So advising people not to reuse passwords is not news. But it’s important enough to repeat over and over again. If you use a password manager, it’s surprisingly easy advice to put into practice!
Password managers are vaults where you can store the keys for your digital identity. They can generate strong, unique passwords for you, and then store them in a secure, easily accessible place (either locally or in the cloud) where they can quickly be used to log in to websites, programs, etc. The range of password management options – both free and paid – is enough to accommodate nearly everyone’s needs (F-Secure’s security solutions offer password management capabilities for individuals and companies).
Jan uses a password manager. He describes it as “the holy grail” of your online security, and acknowledges you need a very strong password to keep it protected. Even though this is yet another password to remember, it does enable you to forget (almost) every other password. So it’s a net win for your headspace!
But even with password managers, you’ll need to create one or two strong, unique passwords. So here are some of Jan’s suggestions on how to do that.
- Have unique strategies for each password you create. For example, choose song lyrics for one (checkyourselfbeforeyouwreckyourself), a nursery rhyme for another (fivelittlemonkeysjumpingonthebed), etc. This prevents attackers from guessing patterns. Avoid putting things like months and years, names and birthdays, etc. together. Those are easy to guess.
- Length beats complexity. You want your password to have at least 14 characters. So combine words together (even common words) to make phrases (checkyourselfbeforeyouwreckyourself). Don’t bother capitalizing the first letter. Attackers already know you’re doing it.
- Eliminate dictionary words by removing or adding letters, replacing them with special characters, or mashing words together to make them unrecognizable to machines (chEkj00se£fB400rurse£f). More suggestions and examples are available here.
- Don’t use any variation of the word password.
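As an added illustration of Jan’s rules (this is example code written for this post, not code from the article or from F-Secure), here is a small Python checker. It encodes the 14-character minimum, the “no variation of the word password” rule, a warning for month names and years, and a reuse check against a vault of passwords already in use; it also compares brute-force search spaces to show why a long lowercase passphrase beats a short “complex” password, and shows the kind of random password a manager would generate. The rule names, the leet-substitution table, the sample passwords and the plain-string vault are assumptions made for the example.

```python
import math
import re
import secrets
import string

# Assumed constants for this example: the post's 14-character minimum and a
# crude table of the substitutions attackers undo before dictionary matching.
MIN_LENGTH = 14
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
    "1": "i", "!": "i", "3": "e", "7": "t",
})
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def normalize(candidate: str) -> str:
    """Lower-case, undo leet substitutions and drop separators, so that
    'P@ss-w0rd' and 'password' compare equal."""
    lowered = candidate.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z0-9]", "", lowered)


def check_password(candidate: str, vault: set) -> list:
    """Return the rules from the post that `candidate` breaks.

    `vault` is the set of passwords already in use on other accounts
    (constructed here as plain strings; a real manager keeps them encrypted).
    An empty list means the candidate passes every check."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(candidate)
    if "password" in norm:
        findings.append("contains a variation of the word password")
    if any(month in norm for month in MONTHS):
        findings.append("contains a month name")
    if YEAR_RE.search(candidate):
        findings.append("contains a year")
    if candidate in vault:
        findings.append("reused from another account")
    return findings


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings a brute-force attacker must try for a
    password of this length drawn uniformly from this alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """What a password manager does: a random password from the full
    printable ASCII set, using the operating system's CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    vault = {"checkyourselfbeforeyouwreckyourself"}  # constructed sample vault
    for pw in ("Summer2019!", "P@ssw0rd123456",
               "checkyourselfbeforeyouwreckyourself",
               "fivelittlemonkeysjumpingonthebed"):
        print(f"{pw!r}: {check_password(pw, vault) or 'ok'}")
    # Length beats complexity: 14 lowercase letters vs 8 characters
    # drawn from all 95 printable ASCII characters.
    print(f"14 lowercase letters: {search_space_bits(14, 26):.1f} bits")
    print(f"8 printable ASCII:    {search_space_bits(8, 95):.1f} bits")
    print("generated:", generate_password())
```

The normalize step is the important design choice: attackers’ wordlists already apply leet substitutions and strip separators, so a check that only looks for the literal string “password” would wave through “P@ss-w0rd”. The search-space comparison makes the “length beats complexity” point concrete: fourteen lowercase letters give roughly 66 bits of brute-force work, while eight characters from the whole printable ASCII range give only about 53.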
Finally, you should treat platforms, services, or anything else that prevents you from practicing good password hygiene with skepticism. There’s no reason for a service to have a character limit on passwords or other barriers to following good security advice. And use multifactor authentication where possible. It’s especially important for email (which acts as a password mechanism for most things) and other critical accounts.