Picking a secure password is crucial to protecting sensitive information. Tom Merritt offers five do's and don'ts for picking the strongest password possible.
Oh, passwords. Someday the FIDO Alliance or somebody will save us from them. Until that heady day, we still need them, and we need to choose ones that are really hard to guess. Even if you have two-factor authentication turned on (which you should), secure passwords are still a good idea. Fire up your Horse Battery Staple; here are five things to know to pick a good password.
- Never reuse one. Ever. Data breaches are very common. When your password is breached at one service, that service will usually make you change it. But the other service where you reused it doesn't know that, so you just made that password very insecure there.
- Choose a long and strong passphrase. Yes, it is possible to remember your password and still make it secure. Don't choose dictionary words. Security researcher Bruce Schneier suggests taking a sentence like "When I was seven, my sister threw my stuffed rabbit in the toilet." and using the first letters, numbers and punctuation to make "WIw7,mstmsritt."
- Let a password manager do it for you. Yes, password managers are a single point of failure, so be honest with yourself. Are your passwords more secure if you let a manager that is 2FA-protected pick really good ones for you? Or do you want to manage all that yourself? And is the way you manage it more secure than a password manager? Be honest; nobody else needs to know.
- Don't update it regularly unless you're forced to. It used to be that cracking a password took about 90 days, so if you changed it every 90 days, you could stay ahead. Now it takes seconds, unless you've picked a strong one, so changing it on a schedule no longer buys you anything.
- Skip the secret question. If that's not an option, answer it like you're making a second password. There's no point in having a really secure password only to have it backed up by a dictionary word in your secret question that's easily guessable.
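As an added example that is not part of the original article, here is the sentence-to-password method from the passphrase tip above written in Python. It keeps the first letter of each word, swaps a spelled-out number for its digit (the article only shows "seven" becoming "7"; the full zero-to-nine table is my extension), keeps the punctuation attached to each word, and then gives a rough strength estimate so you can compare the result with a plain dictionary word. The strength figure is a character-pool upper bound, not true entropy: a string derived from an English sentence is more predictable than random characters of the same length, which is why the manager-generated option in the next tip is still the stronger choice.

```python
import math
import re
import string

# Spelled-out numbers that are replaced by a digit. The article shows only
# "seven" -> "7"; extending the table to all single digits is an assumption.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# A token is a word (letters, digits, apostrophes) followed by any
# punctuation glued to it, e.g. "seven," -> ("seven", ",").
TOKEN = re.compile(r"([A-Za-z0-9']+)([^A-Za-z0-9\s]*)")


def passphrase_from_sentence(sentence: str) -> str:
    """Derive a Schneier-style password from a memorable sentence.

    For each word: a number word becomes its digit, otherwise the first
    character is kept with its original case; trailing punctuation is kept.
    """
    out = []
    for word, punct in TOKEN.findall(sentence):
        out.append(NUMBER_WORDS.get(word.lower(), word[0]))
        out.append(punct)
    return "".join(out)


def estimate_bits(password: str) -> float:
    """Brute-force upper bound: length * log2(size of the character pool).

    This counts which character classes appear and assumes an attacker must
    search the whole pool for every position. It overstates the strength of
    anything built from natural language, so treat it as a ceiling.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        pool += len(string.digits)
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def reuses_a_word(password: str, sentence: str) -> bool:
    """True if the derived password is literally one of the sentence's words,
    i.e. the method degenerated into a dictionary word."""
    words = {w.lower() for w, _ in TOKEN.findall(sentence)}
    return password.lower() in words


if __name__ == "__main__":
    # The article's own example sentence.
    sentence = "When I was seven, my sister threw my stuffed rabbit in the toilet."
    pw = passphrase_from_sentence(sentence)
    print(pw)                                  # WIw7,mstmsritt.
    print(f"{estimate_bits(pw):.1f} bits (upper bound)")
    print(f"{estimate_bits('password'):.1f} bits for a dictionary word")
    print("degenerated to a dictionary word:", reuses_a_word(pw, sentence))
```

Run it as-is to reproduce the article's "WIw7,mstmsritt." from the example sentence; swap in your own sentence to see how much the pool estimate drops when the result has no digits or punctuation.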
The fact of the matter is that you should really turn on two-factor authentication and hope that better methods will make the password obsolete. But, until then, I hope these tips help, friend.