Password security is one of those things that tends to become a concern only after something has happened to one of yours, either directly or indirectly, much like losing an hour of typing a Microsoft Word document because the computer crashed and you forgot to click Save. Whether it’s happened to you and you found us on purpose, or you started looking for a Marvel movie trailer and ended up on an amazing tangent, you’re here, so take a few minutes to see how your password sits in the realm of cybersecurity and, more importantly, how to secure your password as much as possible.
If you want to quickly check and see if you have a secure password for your most sensitive accounts, you can scroll to the end and find a brief summary of this article, referring back to the main sections as needed.
I have a complicated password that no one will ever guess, so I use that for everything I do. Unbreakable!
Whether your password is simple or complex, using it for more than one account is a surefire way to get all of your accounts hacked at some point in the future. You may be careful, but many of the companies that hold your account information are not.
A quick check at the website haveibeenpwned.com can tell you if (or how many times) your email account has been breached due to a company’s negligence. Companies like LinkedIn, Dailymotion, Ancestry, and Snapchat have all been breached at one time or another, with the corresponding email addresses and passwords (and sometimes more information) sold on the dark web or simply posted online for anyone to see.
In fact, if you added all of the online accounts whose information has been distributed in some way, shape, or form, it’s approaching 10 billion accounts, though many specific email addresses have been leaked more than once (the author’s email address lists nine breaches).
If you only use one password (or simple variants on the same password) you can be as careful as you’d like, but it only takes one data breach for all of your accounts to potentially be exposed.
I use an 8 digit password with a number, upper case letter, and special character, and I change it regularly, just like we’ve been taught. I’m in good shape, right?
Actually, no. It turns out that the man who wrote the modern password rules back in 2003, Bill Burr (not the comedian), didn’t know much about the subject when he wrote what became the password management gold standard. The special characters don’t make it harder on hackers, and most people tended to add a number to the end of their password when it needed to be changed (Pa55word! to Pa55word!1). In addition, using the crazy characters and switching out some letters for their numerically visual equivalent only made the password harder for its actual owner to remember.
It turns out that, because no empirical data on password security could be found, Burr relied almost solely on a mid-1980s white paper. Put another way, many people are unfortunately using password technology from a time when an advanced home computer had all the computing power of a Fitbit (Please note: Fitbits are amazing! They just don’t have a large amount of computing power compared to conventional computers).
The current conventional wisdom is that length, with random word variance, including uppercase letters, numbers, and random characters, is the best way to go. This means that if your password isn’t two to four random words strung together (not a cogent phrase or sentence) you may want to think about changing it. A website that can help with this is correcthorsebatterystaple.net.
I should jump in here and say that this is not enough to give you a secure password, for a couple of reasons, but it’s a good start.
One more thing: If you follow the recommendations in this article, you won’t need to regularly change your password. The additional security will be enough.
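The recipe above (a few random words plus an uppercase letter, a number and a random character) can be written as a short generator. This is an added example, not code from the article; the word list, symbol set and function names are constructed for illustration, and the strength figure is an estimate that assumes an attacker knows both the scheme and the list.

```python
import math
import secrets
import string

# Constructed 16-word sample so the block runs offline. A real generator
# should load a list of thousands of words: strength grows with list size.
SAMPLE_WORDS = ["anchor", "biscuit", "copper", "dolphin", "ember", "fiddle",
                "glacier", "hammock", "igloo", "jigsaw", "kettle", "lantern",
                "magnet", "nutmeg", "orbit", "pickle"]
SYMBOLS = "!@#$%^&*=+?_"   # 12 symbols, none of them the separator

def generate_passphrase(words, n_words=4, sep=" "):
    """Pick words with the OS CSPRNG, then add one capital, digit and symbol."""
    if n_words < 2:
        raise ValueError("use at least two words")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    i = secrets.randbelow(n_words)            # which word gets capitalised
    chosen[i] = chosen[i].capitalize()
    j = secrets.randbelow(n_words)            # which word gets the suffix
    chosen[j] += secrets.choice(string.digits) + secrets.choice(SYMBOLS)
    return sep.join(chosen)

def passphrase_bits(list_size, n_words):
    """Estimated entropy if the attacker knows the scheme and the word list."""
    return (n_words * math.log2(list_size)    # the words themselves
            + 2 * math.log2(n_words)          # positions of capital and suffix
            + math.log2(10)                   # the digit
            + math.log2(len(SYMBOLS)))        # the symbol
```

With a 7,776-word list (the size used by Diceware), four words come to roughly 62 bits under this estimate; the 16-word sample list here is far too small for real use.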
All of this makes sense to me, but it seems like a lot of remembering. I have 50 passwords to manage. Is there an easier way to keep secure passwords?
Some people prefer knowing that they created their passwords and are the sole keeper of all of their information, which is what has been discussed until now. Others prefer the path of least resistance. If you’re in the latter group, you can use a password vault (password manager) to take care of password management for you. I won’t go into it too much here, but if it’s something that interests you, here’s an article showing the best password managers for 2020.
The article contains both paid and free services, but if you’re going to trust all of your passwords to a piece of software, it’s probably worth shelling out a few dollars per month to make sure you have the best.
Okay, I’ve followed all of this, so can I finally say that I have a secure password?
In a word, no. But we’re close! There’s just one more thing we need to do: Enable two-factor (multi-factor) authentication on your online accounts if it’s available. Many companies have made two-factor authentication available for years, and if you do any banking online, you’re probably familiar with the concept.
Here’s the way it most commonly works:
You go to log into email. It asks you for your email address and password. Assuming you typed those correctly, a popup appears on your screen asking you for a code that was either texted to your phone or generated by an authentication app on your mobile phone. You enter the six-digit number within a reasonable amount of time and you’re in! If you take too long, or make too many wrong guesses, you’re locked out from that IP address.
This means that for someone to hack into an account with two-factor authentication enabled, they’d need three things: your username/email address, your password, and your phone in their hands. Two-factor authentication makes it exponentially harder to hack your accounts, and it’s something we feel is an absolute must in order to secure your password.
Two-factor authentication is an extra step, and it’s one that will slow you down a bit, but it’s absolutely necessary to secure your password. If critical accounts, like email and online banking, don’t include two-factor authentication, you should look into alternatives. All of the main email providers (Microsoft, Gmail, Apple, Yahoo, etc.) provide this service, so if you have a local phone or cable company account that doesn’t offer it, you should switch to a service that does. Similarly, if your online banking login doesn’t include some form of two-factor authentication, switch to a different financial institution or, more simply, stop using online banking until they offer the added security.
Most of us have online passwords that aren’t very secure. According to NordPass, the top 10 passwords from 2019 are:
If you have any of these, any upgrade would be a good upgrade, but in all seriousness, you need to take a multi-prong approach to achieve and maintain a secure password. To do this, you’ll need:
All of those things together will give you a secure password and, perhaps just as importantly, peace of mind.
We use 1Password as the password manager of choice for our company but there are many options on the market. We can't stress enough that if you use a password manager, it will greatly reduce the chances your password gets compromised ONLY if you make sure your access to this password manager is protected by MFA. If you are unable or unwilling to protect access to your passwords with MFA, then don't use a password manager at all.
Here is another link to a very comprehensive list of password managers and associated prices: https://digital.com/password-managers/