Passwords are stupid.
Yet what’s stupid about passwords is not that they are inherently insecure, but they allow users—and in fact, encourage users—to do insecure things. When faced with the creation, and subsequent memorizing, of a new password, most users decide to use the same, stupid, easy-to-remember password they’ve used elsewhere. That’s just the kind of vulnerability hackers are looking for.
Don’t be that victim. You can turn all your stupid passwords into safer ones that are easier to manage, in three easy steps.
1. Acknowledge you have a password problem
Everyone has stupid passwords. Take the findings of managed security firm Trustwave, which regularly tests the security of its clients to find vulnerabilities. During its security tests in 2014, the company collected 625,000 password hashes (the scrambled form in which passwords are stored), and its researchers tried to break them. Within two minutes, more than half—54 percent—fell to common password guessing techniques. In a month, the company had recovered 92 percent of the passwords.
The most common passwords? “Password1,” followed by “Hello123” and, yes, “password.”
“The inherent problem with passwords is that they give the users far too much ability to do something stupid, but good security controls should not allow users to do stupid things,” says Charles Henderson, vice president of Trustwave.
No wonder tech companies and online services are looking for alternatives. The recent announcement by Yahoo! that the company will allow devices to store and send passwords—thus, eliminating the need for the user to remember them—is one example. Adding a second factor, such as the fingerprint sensor on Apple’s TouchID or the facial recognition of Windows 10, is another.
Yet, these solutions have their own problems. Consumer-level biometrics are often easy to defeat, because companies trade security for convenience. Apple’s TouchID fell to hackers within months, and other fingerprint sensors have had similar problems.
“Everyone in the security community agrees that passwords stink, but we are not going to get rid of passwords anytime soon,” says Henderson.
2. Use a password manager to create new codes
Creating secure passwords means using long strings of characters, numbers and special characters. While passwords are stored as one-way “hashes,” attackers have learned a variety of tricks to crunch through millions of possibilities very quickly, making complex passwords a necessity.
But let’s be honest: You can’t create them all by yourself. A variety of password managers—from LastPass to Dashlane to 1Password to KeePass—allow users to generate complex passwords, manage them across devices, and autofill login forms. There are even mobile-app password managers readily available.
3. DIfferent account, different password
The average user holds between 30 and 60 online accounts. With so many breaches of online services, there’s every reason to have a different password for each service. Otherwise, a breach at one site allows a attacker to try the same username and password on other sites.
Assigning a single password to each account, however, means the number of tricky passwords or passphrases that people have to remember has skyrocketed, according to password-management service Dashlane. “Now, we not only need several tens of passwords, but we also need to use them on various devices at different times,” says Emmanuel Schalit, CEO of Dashlane. “The complexity has blown up and become too much for human beings to manage.”
This is the other reason to use a password manager. Just remember to use them for good, not stupid. Avoid storing the same bad passwords in your password manager. Create the longest, most complex passwords possible, and a different one for every account.