Passwords 101

Why do people put themselves, their businesses, or their families at risk by using terrible, terrible passwords? Passwords can be difficult, no question — and they’re everywhere — but there is a good, easy answer.

Only got a minute?

Just read these quick points:

  • Technology changes quicklypasswords that were considered strong only a few years ago are now considered weak.
  • Reusing passwords is extremely risky — when sites gets hacked, username/password tables spread like wildfire.
  • Tactics people think are clever really aren’t — changing letters to similar-looking numbers; adding your postal code, year of birth, or a website’s name to a “standard” password are well-known tactics that are trivially-defeated.
  • You’re not fighting people who get bored — you’re fighting software that can systematically test 3 billion passwords/second for days at a time. This is literally what computers were designed for.
  • Passwords are a software problem — best-solved with software. Password managers are essential — they solve the problem of easily generating & retrieving strong, site-specific passwords.

Got 2 minutes?

Ready to dig in a little more?

Excuses for bad passwords

Ever had any of the following thoughts?

  • “Strong passwords are too much hassle.”
  • “I’ve gotten away with using the same password everywhere for years; why change now?”
  • “I’m smarter than the bad guys: they’ll never guess my password!”
  • “I’m not a target — I’m not rich or famous.”
  • “I’ll deal with this later when I have time.
  • “Password managers cost money; they’re too expensive just to protect my bank account, Facebook account, email accounts, etc.”

These ideas are based on outdated information.

Password tactics you might be using (that are much worse than you think)

You’re at risk if you do any of the following:

  • You store passwords in email so they’re easy to look up [very convenient — especially for the people who break into your email account, which was easy because you use weak passwords].
  • You store passwords in notes or address book entries on your phone or computer [this is also very convenient — especially for the people who find or steal your phone or laptop].
  • Your phone has no lock (passcode, etc.) because it never leaves your possession and it’s just easier that way [Do you lock your house? Aren’t keys a nuisance?].
  • Your phone only has a 4- or 6-digit PIN (instead of a longer, alphanumeric code) that anyone around you — especially children — can trivially shoulder-surf any time you enter it. [If this is you, know that even a 6-digit code is much stronger than a 4-digit code.]
  • You “can’t remember passwords!”, so you have a “good one” you reuse and another one for “sites that don’t matter.” [Hate to break it to you, but your “good password” is nowhere near as strong as you think it is. Worse, when a site using your standard password gets compromised (which happens regularly) your password gets passed around and used to access your other accounts.]
  • You have a “basic password” (that’s “strong enough”), and you use site-specific variations for Gmail, Amazon, Facebook, etc. [This is a well-known tactic, easily defeated.]

It’s not that hard to have better password hygiene — but if you don’t, when it’s too late — it’s really too late.

How to solve the passwords-are-hard-to-remember problem

  1. Use a password manager like 1Password, a Toronto-based software service with a long, solid track record. There are others, but I endorse 1Password (because it’s all I’ve used — and I’ve been using it since the mid-2000s).
  2. Generate strong, new passwords for your most important, frequently-used sites. You don’t have migrate everything at once.
  3. If you can’t use a dedicated password manager application, some operating systems and web browsers can store passwords for you. Apple’s iOS and macOS (and, therefore, Safari) have iCloud Keychain, and browsers like Chrome and Firefox have built-in password managers that are better than nothing. Whichever you choose, make sure access to your devices is secured or it won’t matter.