Getting serious about password hygiene
We’re all used to being asked to change our password and to follow various complexity rules at work and home. (I listen to my fiancé complain about it all the time.) But if you read my colleague Brian’s blog post, you should have a better understanding of how hackers operate and hopefully have a newfound sense of respect for password requirements. Now that you’re ready to reconsider your approach to passwords, here are some strategies that anyone can use to ensure their passwords are not easily compromised. How well you follow these password best practices and any best practices set forth by your own organization is known as “password hygiene.” And just as someone maintaining poor bodily hygiene is more likely to get sick, improper upkeep of your password hygiene makes it more likely for your credentials to be compromised.
- Don’t use the same password across multiple sites (personal and/or business). A coupon clipping site is not likely to have the same security controls in place as a healthcare organization, but if you use the same password for both, then it isn’t very difficult to make that mapping. (Mapping is a method that enables hackers to test the same credentials across multiple sites.)
- Remember the social engineering that goes into cracking passwords. We tell people not to use their kids’ names, anniversary dates, etc., but you also need to be aware that hackers are using “fun” questionnaires on social platforms to get other information that may not be as obvious. These questions aren’t necessarily trying to get your password, but they are extremely effective at gathering answers to common security questions, which makes it possible for hackers to reset your credentials without your knowledge. I recently saw this meme on Facebook that I think illustrates this point perfectly.
- Acknowledge that it’s almost impossible to maintain unique passwords everywhere without some help. But instead of writing them down or keeping them in an Excel or OneNote document (which don’t require a password to access), I suggest using a personal password manager (which does require a password). There are many password managers that are free to use, such as BitWarden.
If using random passwords (or a password manager tool) doesn’t suit you, here’s a password creating strategy I personally suggest to my own family members:
- Pick a random passphrase or set of unrelated words to start. Example: PeopleCurtainDesk
- For each unique credential/website, find 2–4 unique characters that describe it.
  - Maybe it has a triangle, so TRI
  - Maybe the background is blue and white, so BW
- Insert those characters somewhere in the phrase: PeopleTRICurtainDesk
- Do the same with a special character of your liking: PeopleTRICurtain$Desk
- If it is a site that requires you to change it regularly, pick a random number to start and increment in a unique pattern from there.
  - PeopleTRICurtain$Desk835 (828+7)
  - PeopleTRICurtain$Desk842 (835+7)
It may seem complex at first, but in the end you just need to memorize your chosen formula once.
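As an added example (not code from the original post), here is the formula above written out as a small Python function, together with a check against a typical length and character-class rule. The word list, the TRI/BW site markers, the $ character and the 828/+7 numbers are the ones the post uses; the function names and the default insertion positions are assumptions for illustration.

```python
import string

# Constructed illustration of the post's password formula: memorised words,
# a 2-4 character site tag, a special character, and an optional
# incrementing number for sites that force regular changes.


def site_password(words, site_tag, special, tag_after=0, special_after=1,
                  start=None, step=None, rotation=0):
    """Build one site's password from the memorised formula.

    words          - the passphrase split into words, e.g. ["People", "Curtain", "Desk"]
    site_tag       - 2-4 characters that describe the site ("TRI" for a triangle logo)
    special        - the special character of your liking, e.g. "$"
    tag_after      - index of the word after which the site tag goes (assumed default: 0)
    special_after  - index of the word after which the special char goes (assumed default: 1)
    start, step    - the random starting number and increment for rotated sites;
                     rotation=1 gives start+step (the post's 835), rotation=2 gives 842
    """
    if not 2 <= len(site_tag) <= 4:
        raise ValueError("site tag should be 2-4 characters")
    parts = []
    for i, word in enumerate(words):
        parts.append(word)
        if i == tag_after:
            parts.append(site_tag)
        if i == special_after:
            parts.append(special)
    password = "".join(parts)
    if start is not None:
        password += str(start + step * rotation)
    return password


def meets_complexity(password, min_length=12):
    """Typical site rule: minimum length plus all four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and all(classes)


if __name__ == "__main__":
    words = ["People", "Curtain", "Desk"]
    for n in (1, 2):  # the two rotations shown in the post
        pw = site_password(words, "TRI", "$", start=828, step=7, rotation=n)
        print(n, pw, meets_complexity(pw))
```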
Remember: When creating a password, complexity and length are your best friends. And while you may not be able to control the specific complexity and length requirements for the various applications you use, there are still a lot of ways you can control password strength and effectiveness by using the strategies I suggested above. Hackers aren’t breaking into systems. They’re logging in. So let’s make their jobs a little harder and keep your data safer with proper password hygiene.