How do you protect your passwords?


It’s no secret that I hate passwords (I’ve written about it here, here and here). But while I despise these increasingly complex and unique phrases that we have to memorize for each of our dozens and scores of online accounts (and which we have to change every now and then, lest we risk our most sensitive data being stolen by malicious actors), I do admit that we’re still not ready to get over the use of passwords.

The majority of us (myself included, in some cases) continue to use passwords to bar entrance to our accounts, and many major services (such as Reddit) continue to offer plain passwords as the only means of protection.

So while we’re still stuck with this outdated authentication medium, we might as well make sure we use it in the safest manner possible. Aside from the basics, such as avoiding the selection of dumb passwords (“123456” anyone?), using password managers and two-factor authentication, here are some general tips on how to improve password security and lessen the chances of hackers gaining access to your credentials.

Prefer length over complexity

It is common knowledge that complex passwords are made up of alphanumeric characters, symbols and punctuation. While this is true in essence, it doesn’t mean that your password has to look like gibberish (%^Tgh987__@$4). In fact, adding a single instance of each of those character sets is enough to make the password strong, because each added set multiplies the alphabet an attacker has to search, and that adds orders of magnitude to the work of a brute-force attack.

So a long password with a few special characters (such as “$topW@stingMyT!m3.94”) is much safer than a short, fully-loaded comic-book swearword ($@fePa$$w0rD).

(By the way, none of those are my passwords or have ever been my passwords, or have anything to do with the schemes I use to select my passwords.)

That said, you still need to consider two things:

  • Avoid plain strings: By length, I don’t mean a 30-character-long string of 1s as your password. You still need to include a minimum number of each character set in the password.
  • Distribute complexity across your passphrase: Some are content with tacking a few symbols (%^&*$) onto the beginning or end of their password. This is wrong as well. Special characters should be distributed throughout your string, though you don’t need to overdo it to the point of rendering the whole thing unmemorable.
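To make the length-versus-complexity point concrete, here is an added example (not code from the post) that estimates the brute-force search space a password presents and applies the two caveats above as a policy check. The alphabet sizes are the standard ASCII classes; the minimum length and the guess rate are assumptions chosen for illustration, and the bit estimate is an upper bound because it ignores dictionary structure.

```python
import math
import string

# Character classes used to estimate the attacker's search alphabet.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def keyspace_bits(password: str) -> float:
    """Bits of search space an exhaustive attacker faces, assuming they know
    the length and which classes were used (an upper bound: dictionary words
    and predictable substitutions shrink the real space)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e12) -> float:
    """Years a brute-force search needs at an assumed guess rate
    (1e12/s is a constructed figure for a large GPU rig)."""
    return 2 ** keyspace_bits(password) / guesses_per_second / SECONDS_PER_YEAR


def check_policy(password: str, min_len: int = 14) -> list:
    """Return a list of violations (empty list means acceptable).
    Encodes the post's two caveats: every class present and not bunched
    at the ends, plus a minimum length (14 is an assumed value)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    missing = set(CLASSES) - classes_used(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    # "Plain string": a run of one or two repeated characters.
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    # Symbols only at the edges: stripping them from both ends leaves none.
    interior = password.strip(string.punctuation)
    has_symbol = any(c in string.punctuation for c in password)
    if has_symbol and not any(c in string.punctuation for c in interior):
        problems.append("symbols bunched at the ends")
    return problems


if __name__ == "__main__":
    # The post's own two sample passwords, neither of which is anyone's real password.
    for pw in ("$topW@stingMyT!m3.94", "$@fePa$$w0rD", "1" * 30, "Password123!!!"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.3g} years at 1e12 guesses/s, "
              f"violations={check_policy(pw)}")
```

Running it shows the 20-character passphrase sitting roughly fifty bits above the 12-character symbol soup, i.e. about fifteen orders of magnitude more work for an attacker, while the string of 1s and the symbols-at-the-end password each trip a policy rule.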

Don’t use common-knowledge catch phrases

You might have been enticed by Bruce Willis’s “Yippi Ka Yey” phrase or the Starks’ “Winter is coming” motto, but there’s a good chance that those phrases are included in the password dictionaries of most hackers, and they’ll be trying different variations of them on your account. So if you’re using a favorite sentence, pick one that is more personal and less popular. Mine is “Do you live in a barn or something?” which was told to me by a shopkeeper who got pissed off after I forgot to close the door behind me on a particularly freezing winter day. That specific phrase is known to me and the few to whom I’ve recounted the hilarious episode. It’s not something you’ll find in a password dictionary.

(Again, that is not my password, and I’ve never used it as a password. I just brought it up here for example’s sake.)

Avoid duplicates at all costs

Even if you have the most secure password in the world, one that will take eons to break with an array of 100 IBM Watsons, never ever use it on multiple accounts. There’s a simple reason for this: Your password is as safe as the service it’s stored in.

So while cybercriminals might not be able to guess your password, they might be able to steal it from the server where it’s stored. General security practice requires service providers to store passwords with one-way hashing algorithms or strong encryption, so that if their database servers are compromised, attackers can’t steal user credentials wholesale. Though giants such as Google and Facebook abide by these rules, there’s no guarantee that other service providers you’ve signed up with are doing the same.

In the case of the hack at VTech, in which sensitive information for millions of users was stolen, the toy giant had used MD5 to encrypt its passwords, an obsolete hashing algorithm that is proven to be reversible. This means that hackers only need access to one instance of your password to be able to break into all of your accounts. And if you’re thinking you’ll be safe by using the same password with a short postfix, you’re wrong, because clever and resourceful hackers will make short work of postfixed passwords.
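The difference between a fast, unsalted digest and proper password storage is easier to see in code. The following is an added example, not anything VTech or any other service runs: it stores a password the weak way (a bare MD5 of the password) next to the defensible way (PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration count) and shows why a single leaked digest is so much more damaging in the first case. The iteration count is an assumed value to be tuned to the server’s hardware.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def md5_store(password: str) -> str:
    """The weak scheme: one fast, unsalted digest per password.
    Every user with the same password gets the same digest, so one
    precomputed lookup table covers the whole breached database."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as 'algo$iterations$salt$digest'.
    A fresh 16-byte salt per user defeats shared lookup tables, and the
    iteration count makes each guess expensive for an attacker."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so timing does not leak how many bytes match."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest_for_same_password(store_fn, password: str) -> bool:
    """True when two users choosing the same password end up with
    identical records, i.e. one crack unlocks both accounts."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    # Constructed sample password; not anyone's real credential.
    pw = "correct horse battery staple"
    print("MD5 records identical for two users:", same_digest_for_same_password(md5_store, pw))
    print("PBKDF2 records identical for two users:", same_digest_for_same_password(pbkdf2_store, pw))
    record = pbkdf2_store(pw)
    print("verify correct password:", pbkdf2_verify(pw, record))
    print("verify wrong password:", pbkdf2_verify(pw + "1", record))
```

The last line also illustrates the post’s warning about postfixes from the defender’s side: the salted scheme rejects `pw + "1"` outright, but nothing in it stops an attacker who already has the plain password from trying that variant on another site, which is why reuse, not storage, is the user’s part of the problem.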

I know, keeping track of and memorizing so many unique passwords is a headache in the making, but that’s how life is with passwords. A workaround would be to use a password manager such as LastPass.

Don’t link all your accounts to the same email

This isn’t a direct password tip, but I think it’s useful to mention it here. Service providers will usually require an email address to which the account or its recovery will be linked. Don’t link all of your accounts to the same email address, because in the unfortunate case that that account is hacked, the attacker will be able to reset passwords and take possession of all of your accounts in no time. To understand the depth of the threat, I suggest you read Mat Honan’s nightmarish account of how he lost access to years of online activity in the span of a few hours after his primary email account was social-engineered by a hacker.

A best practice would be to have a work email, the one you use to correspond, which becomes known to your contacts (and which is more likely to be targeted by malicious actors who wish you harm), and one or more other email accounts which serve as the user ID and recovery address for your other online accounts such as social media, project management platforms and finance. Again, as a precaution, do not mix up your social media recovery email with that of your finance accounts, because the former is more likely to be discovered by nosy users.

Stack up the layers of protection

Use extra strengthening measures and features whenever you can. Two-factor authentication is a must wherever it is offered. It involves knowing something (the passcode) and having something (a USB fob, a phone, a fingerprint…), which means that even if hackers steal your password in any way, they’ll still need that second element to gain access to your account.

You can also opt for alternatives to passwords wherever they’re available. The new mobile-based authentication mechanisms that are being rolled out by different firms are very useful, since mobile phones are very personal gadgets, a quasi-extension of our identity in the digital realm. Their security is very effective (just look at the headaches Apple’s iPhones are giving the feds), and having your accounts linked to your phone’s ID lets you secure them with the very short PIN code you use to lock your phone.

Over to you

This list is far from comprehensive and can go on for many more pages. I tried to summarize some of the most effective methods that can help you stay safer out there.

How do you protect your passwords? I’d love to hear it. Share with me in the comments section.
