It's cybersecurity awareness month and we all should be doing out part to #BeCyberSmart.
The one thing I see people struggling with the most is using passwords and I get it.
A lot of what we've been subjected too about passwords is wrong and actually makes things less secure. Making matters worse, security folks—myself included!—aren't known as being the most communicative.
So, I set out to demystify passwords. In the video above 👆, I walk through how passwords are attacked, the UX around them, what makes a truly strong password, and finally I lay out a practical path for dealing with the mishmash of systems out there.
Here in this post, I'll give you the highlights...
Strength
A strong password is a long password...or more probably, a passphrase.
Length is the single most important factor in determining the strength of a password.
The second most important factor is the variety of characters you pick from (so, not just a-z). That's the reason for those crazy password rules we're all so familiar with.
Start thinking pass*phrase*, not password.
Old Rules
Those old rules I mentioned 👆? The whole "at least one capital letter, a number, a symbol, and be at least 8 characters long" thing?
Those rules actually lead to weaker passwords.
Thankfully the most commonly used guidelines were updated in 2017 but a lot of systems are still behind the times. That means we still have to deal with them. 😔
Password Manager
In addition to dealing with those older systems and rules, we also need different passwords for every site and app we use.
Why? Because it reduces your risk if one of those sites is hacked or has a breach.
One of the first things cybercriminals do when they get new credential sets is test them against popular sites.
But keeping track of all of those passwords is a pain. The solution is to use a password manager.
Which one doesn't matter much. Just make sure it runs on all of your preferred devices and has a nice user experience.
That's going to keep your passwords safe and sound...and generate long, gibberish passwords for any new logins.
Taking things a step further, the manager will actually log you in to those sites and apps when needed.
One Password To Rule Them All
To keep all of those passwords in the manager safe and secure, you'll need a password (couldn't avoid them completely 🤣).
Thankfully, almost all password managers are up to date on the rules and we can use a passphrase here.
This passphrase is only going to be used with your manager and you should only change it when you think someone might have figured it out or about every year or so.
Remember, this is the only password you're going to be typing in yourself. Make it a good one!
Here are some simple guidelines to follow to create a really strong and easy to remember passphrase:
- use a random word generator to select at least 4 (more if you can) truly random words
- throw in a symbol or number (or both) just because
Boom. Easy to remember, super strong password.
Something like: polite2vacuumcensusmonkey!narrowfrozen
polite 2 vacuum census monkey ! narrow frozen
Not only is that a fun passphrase (which I swear was randomly generated) but it's easy to remember and crazy strong.
Stay safe out there and #BeCyberSmart!
Latest comments (2)
Great advice, thank you Mark!
I'll throw in an opinion here - if you only use passwords for websites, then use your browser's built-in password manager (they've all got one now!) That will do all the right things as above, and especially, it will stop you from typing in the wrong password in the wrong place when you inevitably click on a phishing link - because you can't! In addition, when you are surprised that your browser hasn't filled out the login screen for you, you are alerted to the fact that something has gone wrong - so you can report the email you clicked on! :)
Great tip!