Password Basics

Get to know a password manager

We know passwords are hard to use well. You’re supposed to remember a different long and complex password with symbol$ and CapiTAls for every single site.
No one really does that. Not even cybersecurity researchers. Instead, people typically write their passwords down on a paper note or save them in a file on their computer’s desktop. Please don’t do that.
 
Ready to get scared? I want you to visit a website to see if your email account has been leaked onto the dark web. Please go to https://haveibeenpwned.com. Don’t worry, they’re safe. Once you put your email address in, it will show you how many data breaches have leaked a mixed-up form of your password. I’ll show you what turned up for my email address.


Figure 1, https://haveibeenpwned.com



Yep, my own email address has shown up in 9 different data breaches. However, I’m not worried because I know my password is good. By the end of this article, I want you to also be confident that your passwords are good.
If you just want to know what to do, skip to “The Solution:” at the end of this page and you’ll see the best solution. For those who want to understand why, keep reading.
 

Golden Rule #1:

You shouldn’t reuse the same password for other sites.
You’ve heard about breaches, right? Well, if the bad guys get your password, they’ll immediately start trying it on every other site around – including every bank, credit company, store, and email account.
One strategy is to use a base password and add part of the name of the website you’re accessing to it. For instance, my base password is “ImSo$mart”, and when I’m logging into Facebook I add the last four characters of “Facebook”, so my password is “ImSo$martbook”.
Oh, wait, I just published my password, didn’t I?
 

Golden Rule #2:

Your password should be long and contain weird characters.
When there is a data breach, the password itself isn’t directly leaked; a mixed-up form of it, called a hash, is. Just as you cut up potatoes and fold them over to make hash browns, computers mix up and rearrange the characters of your password to make a hash. Your password can’t be read from the hash. The only way to recover it is to guess what the password might be, make the hash of the guess, and compare it to the hash from the data breach.
“Nobody will guess my password is ‘nevada06’,” you say? Um, yes they will. It’s possible to build a specialized computer that can make many millions of hashes per second and feed it a large list of dictionary words to crack simple passwords. The process is called hash ‘cracking.’
As a cybersecurity researcher, I own a high-powered computer just for this purpose. I wrote down how long it would take my ‘cracking’ computer to try every combination of letters, capitals, numbers, and symbols for passwords of different lengths.
 
6 characters: less than 1 second
7 characters: 8 seconds
8 characters: 22 minutes
9 characters: 1 1/2 days
10 characters: 10 years
11 characters: 894 years
12 characters: 79,571 years
 
Notice how much longer it takes to crack a 12-character password than a 6-character password: a little over 79,571 years’ difference!
Now here’s the good news. Even if your password’s hash has been leaked, it’s highly unlikely that any criminals will be able to recover your password if it follows these rules:
 
Longer than 12 characters
Uses a mix of lowercase, uppercase, symbols, and numbers
 
While we’re talking about length and complexity, I just want to make sure you don’t use your phone number, social security number, or any variation of ‘password’.
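To make the hashing and cracking discussion above concrete, here is an added example (my own code, not part of the original article or any password manager) that hashes a password the way a site might store it, works out how many guesses an attacker would need to exhaust passwords of a given length and character mix, and checks a password against the rules in this section: longer than 12 characters, all four character classes, no variation of ‘password’, no phone or social security number. The guessing rate of ten billion hashes per second is an assumption chosen for the example and is not the author’s machine, so the time figures it prints will differ from the table above; the block-list of ‘password’ spellings is also constructed for the example.

```python
import hashlib
import string

# Character classes from Golden Rule #2: lowercase, uppercase, numbers, symbols.
CHAR_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26 characters
    "uppercase": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,               # 10 characters
    "symbols": string.punctuation,         # 32 characters
}

# Assumed attacker speed, constructed for this example (not the author's hardware):
# ten billion guesses per second against a fast, unsalted hash such as SHA-256.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Constructed block-list for the "any variation of 'password'" rule.
BANNED_SUBSTRINGS = ("password", "passw0rd", "p@ssword", "pa$$word")


def hash_password(password: str) -> str:
    """The 'mixed-up form' a site stores and that leaks in a breach.
    The same input always gives the same digest; the digest cannot be run backwards."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def classes_used(password: str) -> set:
    """Which of the four character classes appear in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def keyspace(password: str) -> int:
    """Number of strings of this length drawn from the classes the password uses."""
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time for a guesser making `rate` hashes per second to try every string."""
    return keyspace(password) / rate


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the style of the article's table."""
    if seconds < 1:
        return "less than 1 second"
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:,.0f} seconds"


def check_password(password: str, personal_numbers=()) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) <= 12:
        problems.append("not longer than 12 characters")
    missing = set(CHAR_CLASSES) - classes_used(password)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    lowered = password.lower()
    if any(bad in lowered for bad in BANNED_SUBSTRINGS):
        problems.append("contains a variation of 'password'")
    for number in personal_numbers:      # e.g. your phone number or SSN digits
        if number and number in password:
            problems.append("contains a personal number (phone/SSN)")
            break
    return problems


if __name__ == "__main__":
    # Length-only table for passwords using all four classes (94 symbols).
    for length in range(6, 13):
        secs = 94 ** length / ASSUMED_GUESSES_PER_SECOND
        print(f"{length} characters: {human_duration(secs)}")
    for pw in ("nevada06", "ImSo$mart", "correct-Horse-battery-St4ple!"):
        print(pw, hash_password(pw)[:16] + "...", check_password(pw) or "passes")
```

Two things to notice when running it: the hash of “ImSo$mart” never changes, which is why a leaked hash from one site is enough to test the same password everywhere, and adding a single character to a password that already uses all four classes multiplies the attacker’s worst-case effort by 94.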
 

Golden Rule #3:

Your email account password is more important than you think.
While you may not care if criminals read your emails, they know that people reset their banking account passwords through their email account. Your email history will also show which banks you have accounts at, and maybe the account numbers too. Bad actors can change your password, delete the “changed password” notice, and freely transfer your money. They’ve also been known to change the ‘language’ your account is set to, so you get the notice of the change in another language – which you can’t read. Make sure your email password is as strong as, if not stronger than, your banking account passwords.
 

The Solution:

Get to know a password manager.
There are many free ones, and you should try any one of them out on your computer, phone, and tablet. Yes, I said free. I personally use a paid version of LastPass, but I know many people who use the other two. Once you have one installed, you only need to remember one password. Please make that password really long and complex (more than 15 characters and some numbers/symbols). It’s like storing all your passwords in your browser, but a heck of a lot safer. Here are links to a few of them.
LastPass: LastPass.com (not free, but easiest to set up)
KeePass: Keepass.info/download (will also show you iPhone/Android versions)
Bitwarden: BitWarden.com (free, and seems as easy as LastPass)
 
The important thing is to try one of them out on every device you have so you can depend on it working. You’ll notice too that they come with a ‘vault’ feature that allows you to view your passwords. Another useful feature is the “make my password” feature, which will make a super uncrackable password for you.
Once you get used to using a password manager, you’ll never go back to writing down passwords.
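What a password manager’s “make my password” button does under the hood is draw characters from a cryptographically secure random source. The following added example (my own code, not taken from LastPass, KeePass, Bitwarden or the article) generates a password that mixes all four character classes and reports how hard it is to guess; the 20-character default length and the choice of Python’s `secrets` module are my assumptions.

```python
import math
import secrets
import string

# The character classes the article says a good password should mix.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 distinct characters


def covers_all_classes(password: str) -> bool:
    """True when at least one character from every class is present."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Make a random password of `length` characters that uses all four classes.

    `secrets` is a cryptographically secure generator; the `random` module is
    not suitable for passwords. Rejection sampling (draw, check, redraw) keeps
    every qualifying password equally likely, which 'pick one from each class
    and shuffle' would not.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing difficulty of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(len(pw)):.0f} bits of entropy)")
```

A 20-character password from this alphabet has about 131 bits of entropy, far beyond anything a cracking rig can exhaust, which is why you let the manager remember it rather than trying to memorise it yourself.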


Gary Weessies, CISSP

CyberSecurity Consultant