Why Your Password Is Bad
Thu, 02 Feb 2023 21:03:18 -0600
We all have online accounts. Not only do we have online accounts, we have dozens if not hundreds, and most, if not all, require us to have a password. As a result, we often find ourselves reusing passwords (we are all guilty of it, including myself). Sometimes you think you're clever and change one character or two to stay one step ahead of the hackers, but unfortunately, while one or two characters may stump a human, a computer will barely notice as it runs through thousands of password possibilities a second. So, what can you do to make sure that your data stays safe online? Below I have outlined some guidelines for creating and storing a strong password.
Creating a good password
Below is a list of best practices and common mistakes people make:
- Mistake: Reusing Passwords. It goes without saying that reusing passwords across multiple sites is a bad idea. Often what happens is you have used a password for an important, secure service (say your bank) and you've also used that same password on a less secure service (say some shady internet forum). Then, the less secure site gets hacked and your bank password is floating out there! A clever hacker may figure out that you use the same email and password for your bank, and now your financial info is at risk!
- Solution: Don't Reuse Passwords. Just don't do it.
- Mistake: Short Passwords. People like short passwords; they are easy to both come up with and remember. However, as stated above, computers are very fast, and they are getting faster every year. Short passwords are highly susceptible to a brute force attack. This is an attack where the computer attempts to guess every possible combination of characters until it gets the right one, and if you have a short password you are far more vulnerable.
- Solution: Longer Password. A longer password is all it takes to get past this mistake. Given the speed and power of today's computers, it is recommended to have a password of at least 12 characters, but even this is too few in my opinion. To stay on the safe side it is best to have at least 16 characters. Even better yet, mix up your characters. Add in upper and lower case characters along with numbers and special characters. The more variety the better! To explain the reasoning behind this, let's do some math. If you decide to use upper and lower case letters, that gives you 26+26=52 character choices, so if your password is 1 character, then in the worst case the computer will have to make 52 guesses. Suppose that you have a 4 letter password made of upper and lower case letters. Now, in the worst case the computer has to make 52^4 = 7,311,616 guesses. This is a dramatic increase (although still not a problem for modern computers). The increase is so large because the number of potential guesses the computer has to make grows exponentially with the password length. You can see that adding just a few more characters can really improve your situation. Also, if you include numbers, now you have 62 characters to choose from. If you decide to add special characters, it gets even better.
- Mistake: Using Personal Information. Many times, we are tempted to use birthdays, names of our grandparents, pet names, nicknames, or other information that can be attached to us. This makes it easy for hackers to guess your password. In many cases, if you are being targeted by a hacker, they may visit your social media or search your name on Google to get a better idea about your hobbies, family members, anniversary dates, or any other information that may be used in a password. This allows them to refine their search.
- Solution: Don't Use Personal Information. It doesn't matter how secret you think it is, just avoid it.
- Mistake: Using Common Dictionary Words. You may think that avoiding words that are associated with your family is enough, but you should also avoid common dictionary words. Hackers can perform an aptly named "Dictionary Attack" in which they use common words to guess your password.
- Solution: Avoid Common Words. In fact, it is best to avoid any English words at all, but if you must have words in your password, it is best to use uncommon words. Technical terms, long words, or words from Old English are all good candidates.
- Mistake: Replacing Letters With Symbol Analogs. Sometimes, in order to squeeze that special character in, we swap out an "o" with a "0" or an "s" with "$". Unfortunately, you're not the only one who's thought about doing that, so many hackers account for this when trying to crack passwords.
- Solution: If you are going to swap out a letter with a special character/number, try something wildly different. For example, replacing a "B" with "<".
- Mistake: Putting Your Special Character At the Beginning or End. Most people, when forced to put a special character in their password, put it at the end or beginning. Again, this makes your password more generic and easy to target.
- Solution: Mix Up the Special Character Location. Put an * in the middle and ^ at the end, do what you have to do!
- Solution: Use a Random Password Generator. There are many online and they're free to use.
- Mistake: This is Too Complicated I'm Not Going to Remember this.
- Solution: Read the next section.
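The keyspace math from the "Longer Password" item and the "Random Password Generator" advice, as an added example that is not part of the original post. It computes the worst-case guess count for a given alphabet and length (so 52 choices, 4 characters gives the post's 7,311,616) and generates a password with Python's `secrets` module, rejecting any draw that does not contain every requested character class. The guesses-per-second figure is an assumed constant for illustration, not a measured rate.

```python
import math
import secrets
import string

# Character classes the post talks about: lower, upper, digits, specials.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,           # 10 characters
    "special": string.punctuation,     # 32 characters
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case number of guesses for a password of `length` characters
    drawn from `alphabet_size` choices: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity expressed as bits; each extra character adds log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: int) -> float:
    """Seconds to exhaust the keyspace at an assumed (constructed) guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def generate_password(length: int = 16,
                      classes: tuple = ("lower", "upper", "digits", "special")) -> str:
    """Generate a password from the union of `classes` using a CSPRNG.
    Rejection sampling guarantees every requested class appears at least once,
    so the 'mix up your characters' advice is enforced rather than hoped for."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


if __name__ == "__main__":
    # The post's worked case: upper+lower (52 choices), 4 characters.
    print("52^4 guesses:", keyspace(52, 4))
    # Assumed rate of 1000 guesses/second, purely to show the scaling.
    for n in (4, 8, 12, 16):
        print(n, "chars of 94:", f"{entropy_bits(94, n):.1f} bits,",
              f"{worst_case_seconds(94, n, 1000):.3g} s worst case")
    print("example password:", generate_password(16))
```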
Storing your good password
Now you have a good strong password, but chances are, if you followed the previous section, you will have a hard time remembering it. To remedy this, most people will jot their passwords down on a post-it note and stick it to their computer monitor; another popular option is sticking all of your login information into an Excel spreadsheet; finally, many people just let their browsers save their passwords for them. All of these options are quite risky for a variety of reasons, but for the sake of brevity I will simply say they are easy targets. With all of these options out the window, how should you store your passwords? This is where password managers come into play. Password managers are applications that keep your passwords both organized and safe. Password managers use strong encryption algorithms to secure your passwords, keeping them out of the eyes of hackers. Better yet, many modern password managers integrate directly with your browser so you don't even have to type them out when you visit a website.
Password manager I recommend
In my opinion, the best password manager on the market for everyday users is KeePassXC. Features include:
- Browser Integration/Autocomplete
- Offline Password Storage
- Builtin Password Generator
- Search Feature and Folder Organizer
- Allows you to set password expiration dates
- Compatible with Windows, MacOS, and Linux
Best of all, it is free as in cost and free as in freedom. KeePassXC is a trusted and secure open source project (this means that people can look at the code to see if it's working). Also, because KeePassXC is an offline password manager, your password database is controlled by you. This way, you don't have to trust some company to keep your passwords safe. Many other password managers have been hacked in the past because they keep their passwords online and don't make their encryption methods transparent. It's better to go with an option that you control.
Also, there are a lot of great tutorials on how to use KeePassXC on YouTube, so there's no reason you can't learn.
Concluding remarks
In today's world of increasing online activity, you can never be too careful with your personal data. Remember, good online security is better to have and not need than to need and not have. Every day, people lose thousands of dollars because of bad passwords. Don't make yourself a target!