Password Guidance for 2021

Lee W, MVP, Technology and Business Process Advisor
CERTIFIED EXPERT
Jack of All Trades with an interest in facilitating networking through social interaction of IT Professionals
Password rules and recommendations change often.  Here's a list of tips and information for staying secure with your passwords in 2021.
Passwords (see tip 5) are a necessary evil.  They, in conjunction with your user name, identify you to technology-based services, from the innocuous forum and coupon app to social media to your financial institutions.  
 
Hackers know this.  And they know how much we hate passwords.   They know how much of a hassle it is to remember them for all the sites we use.  They know most of us just use one password for everything, or possibly a small handful of passwords if we think we’re being safe.
 
In the movies and on TV, hackers are widely portrayed as individuals who quickly study their target and use the most obvious clues around them to guess their victim’s password in seconds.  In reality, that’s not what happens or how it works.  While there are occasions where a hacker targets an individual from the start, most look for the weakest links and exploit them.  Many of today’s hackers work for criminal enterprises with teams of malicious colleagues and advanced tools helping them guess passwords on stolen data from the likes of Adobe, Ancestry.com, Audi, Experian, Facebook, Sephora, and Yahoo.  While I, personally, have no experience with these tools or their capabilities, I can envision programs being created to scour social media accounts for clues as to what words you use and then build dictionaries that can subsequently be used to guess your passwords.  Brute-force attacks don’t always start with the letter A or the number 1 and increment from there.  They are often customized based on data the hacker’s tools have found about you.  The better your password, the longer it would take a malicious hacker to crack it, and the more likely they’ll move on to someone else before ever finding it!
 
Below are some tips and recommendations to help you stay safe.

1. Check if your email address has ever been stolen 
The website www.haveibeenpwned.com will tell you if your email address has ever been part of a known breach.  If it has, change your password; there’s really not much else you can do.  If it hasn’t, keep in mind that this service only provides confirmation for KNOWN breaches.  Hackers could already have your information and no one knows it yet!  If you haven’t changed your password recently on websites, banks, and other places, strongly consider changing it!
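The same service also publishes its corpus of breached passwords through the Pwned Passwords range API, which a site or a password manager can query without ever sending the password itself: only the first five characters of the password’s SHA-1 hash leave your machine, and the matching is done locally. The following is an added example (not code from the article or from haveibeenpwned.com) of that k-anonymity check. The endpoint URL is real, but the example runs offline against a constructed reply: the second suffix in the sample is the genuine remainder of SHA-1("password"), while the other suffixes and every count are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API.  The example never contacts
# it unless you pass live_fetch_range() to breach_count() yourself.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the upper-case hex digest into the
    5-character prefix (the only part sent to the service) and the 35-character
    suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 if never).
    fetch_range(prefix) must return the raw text body for that prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Fetch the real range from haveibeenpwned.com (network access required)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's reply to prefix 5BAA6.  The second
# suffix is the genuine remainder of SHA-1("password"); the other suffixes and
# all three counts are invented for this example.
SAMPLE_RESPONSE_5BAA6 = """\
00B9CF0D0F3EBE8E3A1A0F1D2E3F4A5B6C7:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
ABCDEF0123456789ABCDEF0123456789ABC:12
"""


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for live_fetch_range(): only prefix 5BAA6 has data."""
    return SAMPLE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "Bricks float in air?!"):
        n = breach_count(candidate, fake_fetch_range)
        verdict = f"seen {n} times in breaches" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

A non-zero count is a reason to pick a different password even if the account itself was never breached: attackers try the most common leaked passwords first, against everyone.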
 
2. Never use the same password twice.
If you use “2CherriesYum!” as your password and you utilize this password for Google, Apple, your bank, Target, Home Depot, and your brokerage, when ANY of these services gets hacked, your password gets the hackers into all the others.  Target and Home Depot may not be that important to your financial well-being, but both are common and both have been hacked.  And if a hacker gets your password from them, getting into your bank and brokerage where you use the same password is just a matter of guessing which one you use (and often, information from one breach or social media can be used to make educated guesses as to which you use).
 
3. Write your passwords in a password notebook you keep at home.
Remembering a unique password for all the places we have accounts can be daunting and next to (if not outright) impossible.  While there are more secure ways to save your passwords, most non-technical people who are not working at financial institutions or national security related businesses don’t need to worry about targeted attacks. Home break-ins where someone is looking for this kind of information specifically don’t generally occur.  Thus, keeping your passwords in a password notebook by your computer can make them easier to recall when needed with minimal risk to your online security.  If someone ever did steal your password notebook, you would likely realize it very quickly. Though the task might be time-consuming, you’d be able to promptly contact each of your critical services and change your passwords with them.  Consider a separate password notebook for your office. 

If you’re more tech savvy, consider using a tool like KeePass to save your passwords. KeePass (and other password managers) can allow you to save your passwords in one place but take them with you wherever you go.
 
4. Don’t just increment your password’s number.
While I try not to remember them, working with my clients, I often learn a client’s passwords. With many places requiring a “complex” password (a mixture of UPPERCASE characters, lowercase characters, numbers, and symbols like @#$%!), it’s common to want to make things easy to remember.  Too frequently, I see people who, when a password is required to be changed, simply increment a number.  For example, “2CherriesYum!” becomes “3CherriesYum!” and then “4CherriesYum!”.   While this often meets the password requirements, it’s NOT secure.  Hackers know people tend to do this.  As a result, hackers will often try the next few numbers in sequence when they get old password information.  While it would be better to change the entire password, if you must use a similar one so it’s easy to remember, then consider changing one of the words.  For example, your next password could be “2CherriesYummy!” or “2OreosYum!”  It’s a lot harder for a hacker to guess a word than it is for them to infer a number.
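A service can push back on this habit at password-change time, when it briefly has both the current and the proposed password in plaintext. The check below is an added example (not from the article, and not any particular product’s policy): it lower-cases both passwords and strips every digit, so a change that only bumps, appends or removes a number is rejected, while changing a word, as the tip recommends, passes. The function names are the example’s own.

```python
import re


def strip_numbers(password: str) -> str:
    """Lower-case the password and remove every digit, so passwords that differ
    only in their numbers (or their capitalisation) collapse to the same form."""
    return re.sub(r"\d+", "", password.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only its numbers changed, appended or
    removed: the '2CherriesYum!' -> '3CherriesYum!' pattern."""
    return strip_numbers(old) == strip_numbers(new)


def password_change_allowed(current: str, new: str) -> bool:
    """Policy applied while the user is changing their password: refuse the new
    one if it is merely a numeric variant of the one being replaced."""
    return not is_trivial_variant(current, new)


if __name__ == "__main__":
    # The article's own before/after examples, plus an appended-year variant.
    for proposed in ("3CherriesYum!", "2CherriesYummy!", "2OreosYum!", "CherriesYum!2021"):
        status = "accepted" if password_change_allowed("2CherriesYum!", proposed) else "rejected"
        print(f"2CherriesYum! -> {proposed}: {status}")
```

Because real systems store only password hashes, this comparison can only be made against the password the user just typed to authorise the change, not against older history; that is still enough to catch the increment pattern the tip describes.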
 
5. Use Passphrases instead.
Movies, television, old computer programs, and websites have trained everyone to think of a password as a single word.  Phrases, however, are MUCH stronger, as they are much more difficult to guess.  They also tend to be easier to type.  I like to recommend using something funny or silly.  For example, “5 Fish jumping into the fire” or “Bricks float in air?!”   Passphrases like these tend to be easy to remember while difficult to guess, and they often meet the complexity requirements of a given system.
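Two things about passphrases are easy to put into numbers: how much guessing work a phrase of several random words represents, and which of the usual “complexity” character classes a given phrase already satisfies. The following is an added example, not code from the article: it generates a passphrase from a word list with Python’s cryptographic random source, computes the entropy of that construction, and reports the character classes of the article’s two sample phrases. The 16-word list is constructed for the demo; a real list such as the EFF long list has 7,776 words.

```python
import math
import secrets
import string
from typing import Sequence, Set

# Constructed mini word list for the demo.  A real list of 7776 words gives
# about 12.9 bits per word; this 16-word list gives exactly 4 bits per word.
DEMO_WORDS = [
    "bricks", "float", "fish", "jumping", "fire", "cherry", "oreo", "pickle",
    "walrus", "teacup", "ladder", "comet", "velvet", "tango", "pebble", "mango",
]


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly at random
    from wordlist_size words: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(words: Sequence[str], word_count: int = 5, separator: str = " ") -> str:
    """Draw words with the CSPRNG in `secrets`; the `random` module is not
    suitable for secrets."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def character_classes(passphrase: str) -> Set[str]:
    """Which of the usual complexity classes the phrase already contains
    (spaces are ignored, as most policies ignore them)."""
    classes: Set[str] = set()
    for ch in passphrase:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDS, 5)
    print(f"generated: {phrase!r} ({entropy_bits(len(DEMO_WORDS), 5):.1f} bits)")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
    for sample in ("5 Fish jumping into the fire", "Bricks float in air?!"):
        print(f"{sample!r}: {sorted(character_classes(sample))}")
```

The entropy figure applies only to words chosen at random from the list. A phrase you make up yourself, like the article’s examples, is harder to put a number on, which is exactly why tip 6 matters: words you have already posted about are the first ones a guessing tool will try.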
 
6. Avoid using obvious references, such as family, friends, pets, well publicized likes and dislikes
What’s a well-publicized like or dislike?  Many of us are on Facebook, Instagram, or other social media and often share comments, pictures, likes, and dislikes.  A picture of you with an ice cream sundae with two cherries on top will be a clue that you like cherries.  Someone trying to guess your password might include “2Cherries”, and if you have previously posted comments that include the word “Yum”, it’s not a stretch for hackers to try combinations of Cherries, Yum, and numbers.  In seconds, they can put 2+2+2 together and guess your password.   Using family names is also very bad.   Hackers know people often use the names of the ones they love as passwords because they are easy to remember.  If your daughter’s name is Betty, never use Betty as any part of your password.

7. Use two factor authentication!
What is two-factor authentication (often abbreviated as 2FA or MFA, or referred to as “two-step verification”)?  Commonly, apps like Duo, Google Authenticator, or Microsoft Authenticator in combination with your password complete a 2FA solution.  In a more abstract way, it’s something you know and something you have.  A hacker may KNOW your password thanks to a security breach, but does not have your phone (which has the two-factor authentication app), so the password alone doesn’t help them much (unless you’re using the same one everywhere, as tip #2 warns against).  Though many sites still don’t require 2FA, you might be surprised how many offer it.   For example, Twitter, Facebook, Amazon, Target, PayPal, NewEgg, Discord, Groups.io, and LinkedIn can all be configured to require a separate, changing code when you log in from an unfamiliar device.  Whenever you set up an account with a vendor, ask them if two-factor authentication is available.  Search their website for the keywords 2FA, MFA, and two-step verification to learn how to set up their multi-factor authentication system, if they offer it.

Staying safe is a challenge today.  It requires us all to make an effort to protect ourselves.  Hopefully, these tips and recommendations will make it a little easier for you and your clients.
 
Below are some related links to the tips above.
For your computer:
KeePass - https://keepass.info/
 
For your iPhone:
KeePassium (KeePass Compatible App): https://keepassium.com/articles/keepass-apps-for-ios/
Google Authenticator* - https://apps.apple.com/us/app/google-authenticator/id388497605
Microsoft Authenticator* - https://apps.apple.com/us/app/microsoft-authenticator/id983156458
 
For your Android Phone:
KeePass2Android (KeePass Compatible App): https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=en_US&gl=US
Google Authenticator* - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US&gl=US
Microsoft Authenticator* - https://play.google.com/store/apps/details?id=com.azure.authenticator&hl=en_US&gl=US
 
*Google Authenticator and Microsoft Authenticator largely do the same thing.  With the exception of Google-owned sites matching to Google Authenticator and Microsoft-owned sites matching to Microsoft Authenticator, any website that is compatible with one should work just fine with the other.
 
Instructions for enabling 2FA on popular websites:
Facebook - https://www.facebook.com/help/148233965247823/
Twitter - https://help.twitter.com/en/managing-your-account/two-factor-authentication
Amazon - https://www.amazon.com/gp/help/customer/display.html?nodeId=G3PWZPU52FKN7PW4
PayPal - https://www.paypal.com/us/smarthelp/article/how-do-i-turn-on-or-off-2-step-verification-for-paypal-account-login-faq4057
 
Password History:
Man Behind Password Requirements Admits He Was Wrong - https://www.popularmechanics.com/technology/security/news/a27676/the-man-behind-your-password-requirements-admits-he-was-wrong/
 
Other Information:
List of websites that have been breached - https://haveibeenpwned.com/PwnedWebsites

Comments (2)

Sam Jacobs, VP, Web Development
CERTIFIED EXPERT
Most Valuable Expert 2020
Distinguished Expert 2020

Commented:
I'm surprised that you left LastPass off of your list of password managers.
I think it's great.
Lee W, MVP, Technology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Author

Commented:
I'm not a fan of cloud-based password managers.  Too concerned one day a flaw will be found with them.  In the case of KeePass, if a flaw is found, you also have to find the database someone is using.

That said, I also only named one password manager (the one I use).  There are many choices.
