by Larry Magid
Passwords are the bane of our existence, and I'm hoping that they will soon go away. Indeed, there are already alternatives to typing a password. My bank lets me use my fingerprint to log in on its phone app, but, as with most biometric methods, there is still a password behind it that you may have to enter in some circumstances.
Almost every piece of expert advice about passwords says that they should be long and nonsensical and never a word that you can find in the dictionary. Experts almost universally recommend that each one be unique: do not use the same password for multiple sites because, if any one of those sites is compromised, attackers will try that same password against your other accounts. Passwords should always be at least eight characters long, and longer is better. I try for 15 or more characters.
Trouble is, most of us have many passwords, and it's nearly impossible to remember all of them, which is one reason people re-use the same password. But there are techniques for creating passwords that you are likely to remember, as well as programs and apps that will remember them for you so you don't have to. There are also ways, such as two-factor authentication, to add a layer of protection that still holds if your password is stolen.
There are some tricks you can use, such as a string of unrelated words that don't form a sentence, like VolvoParisMechanicFortuneMartini. Even though each is a real word, the combination appears in no dictionary, and a password of that length is very hard to crack, provided the words are picked at random rather than taken from things people know about you. Another trick is to come up with a phrase that's meaningful to you but not to others, like "I met Susie Jones at Lincoln High School in 1972." Take the first letter of each word, capitalize the proper nouns, add numbers and symbols, and you have "ImSJaLHSi#1972." But don't use that exact password on different accounts; instead add a couple of letters that are unique to each account, which makes the password unique and a little longer, which is also good. Just make sure you have a way to remember those letters, and bear in mind that an obvious tag such as the site's initials gives little protection if one site leaks your password in readable form, because the pattern is easy to guess from a single example. A password manager, described next, handles this problem properly.
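As an added example that is not part of the original article, the Python script below generates a random multi-word passphrase of the kind described above and shows the arithmetic behind its strength. The short word list is constructed for the example (real lists such as the EFF wordlist have 7,776 entries), and the guess rate used for the time estimate is an assumption for illustration only.

```python
import math
import secrets

# Constructed sample word list for this example. A real list such as the
# EFF large wordlist has 7,776 entries; the size of the list, not the
# length of the individual words, is what sets the strength of the result.
WORDS = [
    "volvo", "paris", "mechanic", "fortune", "martini", "anchor", "basket",
    "cactus", "dolphin", "engine", "falcon", "garden", "harbor", "island",
    "jacket", "kettle", "ladder", "meadow", "needle", "orbit", "pencil",
    "quartz", "rocket", "saddle", "tunnel", "utensil", "violin", "walnut",
    "xenon", "yogurt", "zipper", "blanket",
]


def passphrase(wordlist, n_words=5, sep="", capitalize=True):
    """Pick n_words uniformly at random from wordlist and join them.

    secrets.choice draws from the operating system's cryptographic random
    source. random.choice must not be used here: its output is predictable.
    Picking the words yourself ("places I have been") is worse still, since
    an attacker who knows you can guess them.
    """
    picks = [secrets.choice(wordlist) for _ in range(n_words)]
    if capitalize:
        picks = [w.capitalize() for w in picks]
    return sep.join(picks)


def entropy_bits(list_size, n_words):
    """Bits of entropy in n_words drawn independently from a list of list_size."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Assumed offline cracking rate of 10 billion guesses per second,
    # used only to make the comparison concrete.
    rate = 1e10
    print("Sample passphrase:", passphrase(WORDS, 5))
    for size, label in ((len(WORDS), "this toy list"), (7776, "a 7,776-word list")):
        bits = entropy_bits(size, 5)
        print(f"5 words from {label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.2e} years to exhaust")
```

Running it shows why the word list matters: five words from the 32-word list above give only 25 bits and fall in a fraction of a second, while five words from a 7,776-word list give about 65 bits and take decades at the same rate, even though both passphrases look similar on screen.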
One way to have really strong and nonsensical passwords is to use a password manager that will remember them for you. There are many on the market, including LastPass, Roboform, 1Password and Bitwarden. Most of these products offer a free version and paid upgrades if you want more features, such as automatic syncing across the different devices you use. Most of these programs and apps will automatically record and save your passwords and enter them for you when you revisit a site. You should keep an accessible backup of the manager's master password in case the manager fails or becomes inaccessible. Of course, a password manager is a single point of risk, so give it a very strong master password, which you might write down and keep in a secret place, and turn on two-factor authentication for the manager itself if it offers it. If anyone breaks into your password manager, they have the keys to all your accounts.
Before you look around for a password manager, consider what you already have. Many browsers, including Chrome and Edge, have password managers built into them. They are also included in some security products, such as Norton 360.
Two-factor authentication works like an ATM card: you need both the card and a PIN to take money out of your bank account. With two-factor authentication, you need both your password and, typically, a short numeric code that is sent to your phone when you sign in from a new device or browser. Most sites make this optional, so, for example, you can configure Google, Facebook or Twitter to text a code to your phone the first time you log in from a new device or browser or after clearing your cookies. It adds a lot of security, but it is not foolproof: attackers have ways to get at your text messages, such as persuading your carrier to move your phone number to a SIM card they control, and a convincing phishing page can ask you for the code and pass it along to the real site before it expires. A more secure option is a free app such as Authy, Google Authenticator or Microsoft Authenticator, which generates the code on your phone or another device from a secret shared with the site when you set it up, so nothing has to travel over the phone network (a real-time phishing page can still relay an app-generated code, though). More secure still are physical keys you can purchase, such as the Yubico Security Key, which plugs into a USB or charging port on your PC or phone and will only answer the genuine site, which defeats that kind of phishing. Services that offer two-factor authentication usually give you a set of one-time backup codes to use if you are ever locked out. Store those in a safe place, preferably not on your computer.
Don’t share or post near your computer
Regardless of what passwords you have, make sure you don't share them or make them too easily accessible. Both kids and adults sometimes share passwords with friends, which is not a good idea even if they trust them at the time. That other person might accidentally share it or store it in an insecure manner, and, sadly, friends sometimes become ex-friends. Some people say never to write down passwords, but I don't agree. Of course, don't put them on a sticky note on your computer or anywhere others might find them, but unless you live with people you don't trust, you can probably store them safely in a notebook that you keep in a drawer, as long as it's not easy to find for someone who might break into your house. It definitely won't be found by a remote hacker.
Be careful how you click and what you type
Be very careful before clicking on a link (even one that appears to come from a legitimate site) that asks you to log in, change your password or provide any other personal information. It might be legitimate, or it might be a "phishing" scam in which whatever you enter goes to an attacker. When in doubt, don't use the link: open a new browser window and type in the site's address yourself, as you know it to be, before logging in.
You can find more advice about passwords and security at ConnectSafely.org/passwords and ConnectSafely.org/Security.
Larry Magid is a tech journalist and internet safety activist.