3 Tips for Better Password Security next to an image of a hand holding a phone, with a screen that says Choose a new password, retype your new password, and update password.

3 Tips for Better Password Security

Whether it’s your bank, your email, or your social media, it is important that you start taking password security seriously to protect yourself online.

Implementing better password security can seem overwhelming, but there is no better time to start. And, it’s not as complicated as you think.

There are only 3 simple guidelines you need to remember to implement better password security.

#1 Create a new password for every account

By using unique passwords for every service, you can help avoid additional risk if your password on a single service is compromised. If the only service for which you use a given password gets hacked or exposed, then you won’t have to change your password on many sites, because none of them are also using the compromised password.

For example, let’s say you use the same password for your email account, Facebook, Twitter, bank, and a few other sites. Then, you get an email from Twitter describing a data breach (like their 2018 data breach which exposed the plain text passwords of 330 million users14). Unfortunately for you, you can’t just change your password on Twitter, you must also change your password on your email account, Facebook, bank, and any other sites where you were using it. So, if this does happen to you, make sure to change each of the sites to a unique password.

#2 Create complex passwords

Create passwords using upper case letters, lower case letters, numbers, special characters, spaces – as many different options as the service will allow and at least 9-10 characters in length. Longer is better here and many people advocate using passphrases, such as a string of 4 unrelated words, for their ease to remember and their mathematical complexity. Avoid using any of the following: any real words, proper names, foreign words, or personal information.

Some examples of really bad passwords from a recent list include: “qwerty123”, “superman”, “password1”, “sunshine”, and “baseball”. If you’re using any of these passwords, please go change them now.

Why is a long complex password better?
It has to do with how password cracking attacks are carried out, through a combination of dictionary-based words, common substitutions, comparisons to previously hashed results, and finally, brute force2,9. It makes it much computationally harder to brute force crack your password if it meets all these criteria and is, at the very least, 9 characters in length9. This comic from xkcd8 gives a peek at the math behind brute force password cracking in relation to password complexity.

An xkcd comic with 6 panels and text at the bottom: panel 1: A password like ‘Tr0ub4dor&3’ meets the following criteria: Uncommon (non-gibberish) base word, maybe caps, order unknown, common substitutions, punctuation, and numeral. (You can add a few more bits to account for the fact that this is only one of a few common formats.), panel 2: This password is approximately 28 bits of entropy, 2^28 = 3 Days at 1000 Guesses/Second, (Plausible attack on a weak remote web service. Yes, cracking a stolen hash is faster, but it’s not what the average user should worry about.) Difficulty to guess: EASY, panel 3: ‘Was it trombone? No, Troubadour. And one of the 0s was a zero? And there was some kind of symbol…’ Difficulty to remember: HARD, (next row), panel 4: A password like ‘correct horse battery staple’ is four random words, panel 5: This password is approximately 44 bits of entropy, 2^44 = 550 Years at 1000 Guesses/Second, Difficulty to guess: HARD, panel 6: Horse: ‘That’s a battery staple’, Person: ‘correct’, Difficulty to remember: You’ve already memorized it, ending text: Through 20 years of effort, We’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

If it sounds like it’s still too complicated, keep reading for a better solution.

#3 Start using a password manager

A password manager maintains an encrypted list of your passwords that you protect with a really good password that you keep very secure. It enables you to autofill passwords and look them up as needed. It simplifies the process of using a different, complicated password for every service you use.
Using a password manager allows you to use a hard to remember AND hard to guess password. It’s the best of both worlds.

If you want to learn more about passwords, I recommend watching the video ‘How to Choose a Password’ from the Computerphile channel on YouTube10. And check out the additional links below for some more in depth password videos.

Are you already using a password manager? Tell us about your favorite in the comments!

Additional Links and Information

  1. World’s Biggest Data Breaches & Hacks. (2020, January 29). Retrieved February 12, 2020, from https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  2. Granger, S. (2002, January 16). The Simplest Security: A Guide to Better Password Practices. Retrieved February 12, 2020, from https://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices
  3. Intuit. (n.d.). Password & Username Best Practices. Retrieved February 12, 2020, from https://security.intuit.com/index.php/protect-your-information/password-username-best-practices
  4. Chaikivsky, A. (2017, February 7). Everything You Need to Know About Password Managers. Retrieved February 12, 2020, from https://www.consumerreports.org/digital-security/everything-you-need-to-know-about-password-managers/
  5. Rubenking, J. (2019, December 26). The Best Password Managers for 2020. Retrieved February 12, 2020, from https://www.pcmag.com/picks/the-best-password-managers
  6. Price, R. (2017, February 22). Password managers are an essential way to protect yourself from hackers – here’s how they work. Retrieved February 12, 2020, from https://www.businessinsider.com/how-to-use-password-manager-store-protect-yourself-hackers-lastpass-1password-dashlane-2017-2
  7. Winder, D. (2019, December 14). Ranked: The World’s Top 100 Worst Passwords. Retrieved February 12, 2020, from https://www.forbes.com/sites/daveywinder/2019/12/14/ranked-the-worlds-100-worst-passwords/
  8. xkcd. (n.d.). Password Security(comic). Retrieved February 12, 2020, from https://www.xkcd.com/936/
  9. De Joya, M., N. De Guzman, M. Bilon, and A. Sentones. (2019, October). Use of Different Graphic Processing Unit Architectures to Analyze Variance in Hash Cracking Rate and Real World Implications of Password Creation by Users. The Online Journal of Science and Technology, 9(4). Retrieved February 12, 2020, from https://www.tojsat.net/journals/tojsat/volumes/tojsat-volume09-i04.pdf#page=50
  10. Computerphile (Youtube Channel). (2016, July 20). How to choose a password. Retrieved February 12, 2020, from https://youtu.be/3NjQ9b3pgIg
  11. Computerphile (Youtube Channel). (2019, May 1). How password managers work. Retrieved February 12, 2020, from https://youtu.be/w68BBPDAWr8
  12. Computerphile (Youtube Channel). (2017, August 30). 2FA. Retrieved February 12, 2020, from https://youtu.be/ZXFYT-BG2So
  13. Computerphile (Youtube Channel). (2016, July 13). Password cracking. Retrieved February 12, 2020, from https://youtu.be/7U-RbOKanYs
  14. Gartenberg, C. (2018, May 3). Twitter advising all 330 million users to change passwords after bug exposed them in plain text. Retrieved March 31, 2020, from https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now

Recent Posts in the Library