Makerere University


Create and Maintain Secure Passwords


Many applications and services require a password. Passwords allow us to feel safe using digital technology to do things that only we should be able to do: signing into our computers and sending email, for example, or encrypting sensitive data. These secret words, phrases and strings of gibberish are often the only barrier between our information and those who might want to read, copy, modify or destroy it without our permission. We also rely on passwords to prevent others from impersonating us on social media and other online platforms. Attackers use various tricks when trying to learn our passwords, but we can defend against most of them by applying a few specific tactics and by using a secure password manager.

A password should be difficult for a computer program to guess.

  • Make it long: The longer a password is, the less likely it is that a computer program will be able to guess it in a reasonable amount of time. Some people use passphrases that contain several words, with or without spaces between them. Passphrases are a great idea for services that allow long passwords.
  • Make it complex: In addition to length, the complexity of a password also helps prevent automatic 'password cracking' software from guessing the right combination of characters. Where possible, you should include upper case letters, lower case letters, numbers and symbols in your password. See the Password math section below for more about this.

A password should be difficult for others to figure out.

  • Don't make it personal: Your password should not be related to you personally. Don't choose a word or phrase based on information such as your name, date of birth, telephone number, child's name, pet's name, or anything else that a person could learn by doing a little research about you. It is also a good idea to provide fake answers to the "security questions" that some services use to verify your identity if you forget your password. This prevents others from impersonating you by looking up your personal information online. Secure password managers are useful for recording these fake answers.
  • Keep it secret: Do not share your password with others unless you absolutely have to. If you must share a password with a friend, family member or colleague, you should first change it to something temporary and share that one, then change it again when they are done using it. Often, there are alternatives to sharing a password, such as creating a separate account for each individual who needs access. Keeping your password secret also means paying attention to who might be reading over your shoulder while you type it in.
  • Make it practical: If you have to write your password down because you can't remember it, you may end up facing a whole new category of threats that could leave you vulnerable to anybody with a clear view of your desk or temporary access to your home, your wallet or the trash bin outside your office. If you are unable to think of a password that is long and complex but still memorable, have a look at the Remembering secure passwords section below. As an alternative, you can choose a strong password, record it in a secure password manager like KeePassX or KeePassXC and give up on memorising it. Password managers are specifically designed for this purpose. You should not store your passwords in a regular file, even one that claims to be encrypted.

A password should be chosen so as to minimise damage if someone does learn it.

  • Make it unique: Avoid using the same password for more than one account. Otherwise, anyone who learns that password will gain access to additional services and the information they contain. For similar reasons, it is a bad idea to rotate passwords by swapping them around between different accounts. Uniqueness is particularly important these days, as more and more websites are being compromised and having their password databases exposed online. Take a look at security researcher Troy Hunt's Have I Been Pwned for specific examples and to see if any of your passwords have been leaked. (But keep in mind that many account breaches go undiscovered, so you should still upgrade your weak passwords even if none of your accounts show up here.)
  • Keep it fresh: Change your important passwords occasionally. The longer you keep one password, the more opportunity others have to figure it out. If someone is able to use a stolen password without your knowledge, they will continue to do so until you change it. As long as your passwords are strong in the other ways described above, you do not need to do this frequently, but it remains a good idea to refresh your passwords every year or so.

Read more from the [Source]