The following is adapted from a piece I wrote for Tactical Tech’s Data Detox kit, another great resource for digital security. Thanks to Tactical Tech for sponsoring this article and giving me permission to reprint it!
Here’s the first thing you need to know about digital security today: you are not supposed to memorize your passwords.
That may seem confusing. Isn’t memorizing exactly what you’re supposed to do with passwords?
Nope. Memorizing passwords is a leftover from an earlier era. Security experts now broadly agree that expecting people to memorize their passwords is one of the biggest problems they face in defending our systems. Why?
Well, do you find yourself reusing the same password for all or most of your online accounts? Because strong passwords are hard to memorize, people tend to reuse one password over and over, perhaps with small, easily guessed changes (a capital letter, a “1” or “!” on the end, the current year). Or they pick short, simple passwords, which are weak on their own.
And that is how most accounts get broken into: not through clever code or specialized hacking skills, but through reused and easy-to-guess passwords.
When a criminal tries to get into accounts, all they have to do is point a computer at lists of passwords leaked from earlier breaches and at dictionaries, and have it try each one along with the common variations, millions of guesses at a time. And a password that leaked from one site gets tried on every other site where the same email address has an account. If instead it’s someone you know trying to get into your account, they only need a few guesses: they may know important dates, teams, pets, or people in your life, or simply the password you use on some other site.
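The paragraphs above describe how a guess list is built: take every known or leaked password, apply the small changes people habitually make, and add anything personal the attacker knows. As an added illustration (not from the Data Detox kit or the original article), the following Python builds such a guess list from a constructed sample of “known” passwords and shows that “Summer2020!” or “P@$$w0rd” falls inside it while a random passphrase does not. The sample list, the mutation rules and the suffixes are assumptions chosen for the example; real cracking rule sets are far larger.

```python
"""Why 'small changes' to a known password do not help (added example, constructed data)."""

# Constructed stand-in for the public leaked-password lists and dictionaries
# an attacker really uses (those contain hundreds of millions of entries).
KNOWN_PASSWORDS = ["password", "summer", "letmein", "qwerty", "dragon", "monkey"]

# Typical "leetspeak" substitutions and suffixes people add to feel safer.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "!", "1!", "123", "2019", "2020", "2020!"]


def mutations(base: str):
    """Yield the common 'small changes' applied to one base word."""
    forms = {
        base,
        base.capitalize(),
        base.upper(),
        base.translate(LEET),
        base.capitalize().translate(LEET),
    }
    for form in forms:
        for suffix in SUFFIXES:
            yield form + suffix


def build_guess_list(base_words):
    """Expand every base word into its likely variants, like a cracking rule set does."""
    guesses = set()
    for word in base_words:
        guesses.update(mutations(word))
    return guesses


def is_guessable(password: str, personal_facts=()) -> bool:
    """True if `password` is reachable from known passwords plus facts about the target.

    `personal_facts` models what an acquaintance might know (pet names, a team,
    a child's name); they are treated exactly like leaked passwords.
    """
    return password in build_guess_list(list(KNOWN_PASSWORDS) + list(personal_facts))


if __name__ == "__main__":
    guesses = build_guess_list(KNOWN_PASSWORDS)
    print(f"{len(guesses)} guesses derived from {len(KNOWN_PASSWORDS)} known passwords")
    for candidate in ["Summer2020!", "P@$$w0rd", "Fluffy123", "correct-horse-battery-staple"]:
        print(f"{candidate:32} guessable: {is_guessable(candidate, personal_facts=['fluffy'])}")
```

The point of the example is the ratio: a handful of base words and a few dozen rules cover every “tweaked” version a person is likely to come up with, which is why the only safe move is a password that never appeared in any list, long and random enough that no rule can reach it.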
But, don’t despair! You can defend yourself when it comes to passwords. Here's the best current advice.
While it may seem tricky to create top-notch passwords, it can be quite easy. All you have to do is follow a few basic principles. Your passwords should be long, unique, random, and stored in an encrypted password manager. Let’s look at each of these in more detail.
The longer the password, the harder it is to guess, and that makes it stronger. Eight characters is the absolute minimum for any password; ideally they should be more like 16-20 characters, and there is no harm in going longer when a site allows it.
For very important passwords—say, the ones for your financial accounts, or for your password manager itself—consider using a passphrase instead. A passphrase is a series of several unrelated words rather than a single word: easier for you to type and remember, and far harder to guess.
Using the same password on multiple sites is one of the biggest risks to your security, because the moment one of those sites is breached, the leaked password gets tried against every other account tied to your email address. Each password you use on each site should be different.
Random means your password does not follow a logical pattern and is therefore not easy for anyone (including you) to guess. Avoid numbers that mean something to you (like your birthday or address), and avoid names, words or phrases connected to your life. Whenever you can, let a random generator choose the characters or words for you.
Stored in an encrypted password manager means that you are not expected to remember these passwords at all. While it may seem like a strange idea to choose a password you can’t easily remember, keeping passwords in an encrypted manager makes it less likely that information from a breached site can be used against you elsewhere, because every site gets its own unique, random password and the manager does the remembering.
You may be asking: “But how am I supposed to remember hundreds of long, unique, random passwords?!” Like I said, you’re not. Instead, you want to store those passwords securely. Here’s how to decide whether to write your passwords down or use an encrypted password manager to help you out.
The best way to create a password is to let the password manager generate it for you. For the cases in which you can’t, here are a few compromises that still produce stronger passwords than the ones you’ve likely come up with before, usually by making a passphrase instead of a password.
Make a memorable scene. The Person-Action-Object method can help you come up with a random phrase you’ll find easy to remember later on.
Use the dictionary. This method is more exposed to our human inability to be genuinely random. But if you work hard at being random and use more than a couple of words, a dictionary can give you a strong passphrase. Open to a page at random, close your eyes, and put your finger on a word (the one being defined, not one in the definition). Do this five times. Write each word down on a piece of paper, maybe add a number somewhere, and voilà: passphrase. Don’t swap any of the words for ones that feel more familiar—every such substitution takes away randomness, and the randomness is the whole point.
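The principles above (long, random) and the dictionary method are the same procedure a computer does better: pick each word or character independently and uniformly, and the strength is simply how many such picks were made from how large a pool. As an added example (not from the article or the Data Detox kit), the Python below generates passwords and passphrases with the operating system’s cryptographic random source and works out the resulting entropy. The embedded word list is a constructed stand-in; a real Diceware list has 7,776 words, and the entropy figures for that size are computed in the test rather than assumed. The guess rate used for the “years to brute-force” estimate is an assumption for illustration.

```python
"""Random passwords and passphrases, with entropy estimates (added example, constructed word list)."""
import math
import secrets  # cryptographically secure randomness, unlike the `random` module
import string

# Constructed mini word list (32 words, 5 bits per pick). A real Diceware list
# has 7,776 words, about 12.9 bits per pick; only the numbers change, not the method.
WORDLIST = [
    "acorn", "basil", "cable", "delta", "ember", "fable", "gavel", "haven",
    "igloo", "joker", "kayak", "lemon", "mango", "noble", "oasis", "pearl",
    "quilt", "raven", "saddle", "tulip", "umbra", "valve", "wafer", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dusk", "eagle", "flint",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """A password of `length` characters, each chosen uniformly with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """A passphrase of `words` words chosen uniformly from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `pool_size` options.

    This figure is only valid when the choices really are uniform and independent,
    which is why swapping a generated word for a 'nicer' one silently lowers it.
    """
    return picks * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for label, pool, picks in [
        ("8-char password", len(PRINTABLE), 8),
        ("20-char password", len(PRINTABLE), 20),
        ("5 words, this list", len(WORDLIST), 5),
        ("5 words, Diceware", 7776, 5),
    ]:
        bits = entropy_bits(pool, picks)
        print(f"{label:20} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    print("password:  ", random_password())
    print("passphrase:", random_passphrase())
```

Two things worth noticing: an eight-character password from the full printable set has about 53 bits of entropy, which an offline attacker with a leaked password database can exhaust in days, while five Diceware words carry about 65 bits and twenty random characters about 131; and the entropy formula counts only the randomly chosen parts, so a phrase you “improved” by hand is weaker than the numbers suggest.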
Again: don’t re-use any of the phrases you come up with. Make a new one each time you’re not able to use your password manager to set a password.
Sadly, well-known song lyrics and poems aren’t a strong idea for a passphrase. Like password lists, they are easy to find online, and guessing tools include them. Which is a shame—rhymes are how people have memorized long phrases since the dawn of human speech! But precisely because they’re so memorable, many people will pick the same lines, and you’ll be tempted to re-use them so that you can remember them. So we’re back to square one on the lists-of-passwords front. Sorry to those of you who were looking forward to getting your favorite tune stuck in your head daily while logging in.
Pairing a rhyme with a partly random passphrase is not the worst idea when you genuinely have to memorize something—say, take the first couple of words from a random generator, and then choose another couple of words that rhyme with them. Just count only the generated words toward the strength of the phrase: the rhyming words you chose are predictable once the first ones are known, so make the random part long enough on its own.
And if there’s some obscure song nobody knows you know, and you’ve memorized every line, and you’ve got this one passphrase you really have to memorize because you can’t write it down on paper or put it in a password manager . . . well, it might not be the worst strategy to use a line or two from the song as your phrase. Just keep in mind you’ll have to remember which song, and which line!
Once you’ve got your password or phrase, it’s time to save it securely.
For more steps you can take to protect your digital security and privacy, check out that section of this website and pick up a copy of Keep Calm and Log On!