Passwords 101

Summary — People are terrible at choosing and remembering strong passwords. Yes, that includes you (and me). The use of a password manager like 1Password (no affiliation) is essential if you want to keep your passwords strong, unique, and easy-to-retrieve.

Why do people put themselves, their businesses, or their families at risk by using terrible, terrible passwords? Passwords can be difficult, no question — and they’re everywhere — but there is a solution to the password problem.

  • Technology changes quicklypasswords that were considered strong only a few years ago are considered weak. Note that this was written in 2013; the situation has not improved since then.
  • Reusing passwords is extremely risky — when sites gets hacked, username/password tables spread like wildfire.
  • Tactics people think are clever really aren’t — changing letters to similar-looking numbers; adding your postal code, year of birth, or a version of a website’s name to a “standard” password are well-known tactics that are easily recognized and used against you.
  • You’re not defending against human attackers who get bored — you’re fighting software that can systematically test 3 billion passwords per second for days at a time. This is literally what computers were designed for.
  • Passwords are a software problem — best-solved with software. Password managers are essential — they solve the problem of easily generating & retrieving strong, site-specific passwords.

Got 2 minutes?

Ready to dig in a little more?

Excuses for bad passwords

Ever had any of the following thoughts?

  • “Strong passwords are too much hassle.”
  • “I’ve gotten away with using the same password everywhere for years; why change now?”
  • “I’m smarter than the bad guys: they’ll never guess my password!”
  • “I’m not a target — I’m not rich or famous.”
  • “I’ll deal with this later when I have time.
  • “Password managers cost money; they’re too expensive just to protect my bank account, Facebook account, email accounts, etc.”

These ideas might’ve been enough in the 1990s — maybe even the 2000s — but they’re dangerously outdated.

Password tactics you might be using (that are much worse than you think)

You’re at risk if you do any of the following:

  • You store passwords in email so they’re easy to look up. This is very convenient — especially for the people who break into your email account, which was easy because you use weak passwords.
  • You store passwords in a notes app or in address book entries on your phone or computer. This is also very convenient — especially for the people who find or steal your phone or laptop.
  • Your phone has no lock (passcode, etc.) because it never leaves your possession and it’s just easier that way. Do you lock your house? Aren’t keys a nuisance?
  • Your phone only has a 4- or 6-digit passcode (instead of a longer, alphanumeric code) that anyone around you — even children — can trivially shoulder-surf any time you enter it. Even a 6-digit code is much stronger than a 4-digit code. Better yet? Use a device with biometric access options like Apple’s Touch ID or Face ID so no one can shoulder-surf your passcode.
  • You “can’t remember passwords!”, so you have a “good one” you reuse and another one for “sites that don’t matter.” Hate to break it to you, but your “good password” is nowhere near as strong as you think it is. Worse, when a site using your standard password gets compromised (which happens regularly) your password gets passed around and used to access your other accounts.
  • You have a “basic password” (that’s “strong enough”), and you use site-specific variations for Gmail, Amazon, Facebook, etc. This is a well-known tactic, easily detected and used against you.

It’s not that hard to have better password hygiene — but if you don’t, when it’s too late — it’s really too late.

How to solve the passwords-are-hard-to-remember problem

  1. Use a password manager like 1Password, a Toronto-based software service with a long, solid track record. There are others, but I endorse 1Password (because it’s all I’ve used — and I’ve been using it since the mid-2000s).
  2. Generate strong, new passwords for your most important, frequently-used sites. You don’t have migrate everything at once.
  3. If you can’t use a dedicated password manager application, some operating systems and web browsers can store passwords for you. Apple’s iOS, iPadOS, and macOS (and, therefore, Apple’s Safari browser) include iCloud Keychain for storing passwords and synchronizing them safely across devices. Browsers like Chrome and Firefox have built-in password managers that are much better than nothing. Whichever you choose, make sure physical access to your devices is secured or it won’t matter.
  4. An excellent post from 1Password on handling those terrible password “security” questions that banks, especially, seem to love. They’re a terrible idea, of course, intended only to prevent expensive customer support calls (the fact that they seriously weaken your security is irrelevant to them). Still, we have to deal with them, and 1Password makes it more secure and easier.