On this year's World Password Day, Eddy Willems and Tim Berghoff share some tips on how to improve your password security.
The idea of "best practice" when it comes to choosing a password is actually very straightforward. So many things have already been said about this topic (you could even go as far as saying "discussed ad nauseam"), but we are going to repeat them since not everyone uses those best practices. First and foremost, all your passwords should contain a combination of upper and lower case characters together with numbers and symbols. This makes them harder to guess. When you take a look at recent data breaches, you will find that password like "123456" are still way too popular. In fact, it is one of the worst password choices you can make. Therefore, as password like “AGdhjIKLOmp,12!?AAAzdrt” seems to be a good choice - but it is hard to remember. There are a few strategies for creating a safe password. For instance, Eddy's recommendation is to use an easy to remember small sentence. (for example IreallylikeGDATAsince2000!). This easy to remember, has enough characters in it and contains digits and a special character. You could even make a drawing of this so a child can remember it.
Let's say you have created a sufficiently long password using the above strategy. It would be tempting to just take this password and run with it for every online account you own. This strategy somehow makes sense, because your password is long enough and contains special characters and all that - but reusing that password over all of your online accounts is a bad idea, as some high-profile celebrities found out the hard way. So we can’t (or rather: shouldn't) use the same password for each site or account. Here's what you can do: change the password and include the name of the site or something you remember the best about that site or account - something like DoyouReallylikeFBsince2010? could be a good password. Just don’t use the same password at every site or account. If your password get hacked one time it could result in you losing access to all your accounts at one point if someone decides to take over your online identity.
The principle again is very simple: you generate a sufficiently long and complex password - but this time you do not have to store it in your head or write it on a piece of paper. There are programs which can do this for you. Tim uses a password manager to keep track of his numerous accounts and logins. There are many solutions out there that will do this, some are locally installed, others are based on a cloud platform. The most important thing is that you only need to remember the password that you use to open your password manager. Some password managers can also create strong and complex passwords automatically. Human-generated password are often too easy to guess and never truly random. A password manager (like G DATA’s) saves this information and gives you access to your credentials as soon as it is needed.
If you can, do not rely only on a password to secure your accounts. Many platforms offer their customers the possibility to add another authentication factor to their login. The purpose of this is to build in a fallback in case a password is compromised. A "two factor" or "multifactor" authentication keeps your account safe, even if someone manages to steal your password. This form of authentication combines something that you know (i.e. your password) with something you have. This might be a hardware authentication token, or a code that is sent to you via text message (or generated in an app on your phone).
As outlined in our article "P@55w0rd5 - Blessing or curse?", there are ways to find out if accounts have been compromised in the past. Large databases exist which contain information about major data breaches. Those databases are searchable. If you wonder if any of your login data was leaked, check those databases using your user name or email address. Even if there is a match, there's not necessarily reason to panic - a positive match only means that your login credentials were exposed at one point or another. It does not mean that your account has indeed been abused.
Even the safest password in the world will count for nothing if providers do not secure their platforms properly. Sadly, some services have a poor track record when it comes to security - the past five years paint a pretty bleak picture with millions of accounts or personal records that were potentially compromised.
Another often overlooked problem is that passwords remain in use for too long. If you are using the same password for your Facebook login as 4 or 5 years ago, it is definitely time to change it. It is not hard. While you are at it, you can also enable login approvals.
Passwords should be changed on a regular basis. A rule of thumb that works well for most is to change passwords as least as often as their toothbrush, which should be every 3-4 months. If you use a password manager, all you need is a couple of clicks to generate a new password. It's not much effort and it significantly improves your security.
Let us all work together to make passwords like "123456", "password" or "qwertyuiop" a thing of the past.