By Troy Young, Chief Technology Officer at AdvancedMD
If you’ve ever had one of your passwords compromised, you know the fallout can be substantial. If you’ve so far remained unscathed, you’re either an expert in security hygiene or you’re very lucky. Hackers are working hard to crack your codes.
Still, it’s a common misconception that successful password management is a complicated endeavor. In reality, there are a few basic principles that will help protect your passwords—and the data they guard—effectively. While management of numerous accounts and their passwords can be tedious, a simple system will give you the protection you need to stay strong and rest easy.
Don’t share
Sharing is caring—except in the case of passwords. Don’t use the same one across different accounts, and, of course, don’t share your passwords with others. If you use the same exact password on various sites, a compromised account can lead to many compromised accounts very quickly. Passwords should be unique to each account, period.
Go strong means go long
Picking a strong password is more of a function of length than complexity. For example, a pass phrase like “This will keep my account secure!” is generally stronger than a shorter password with greater complexity, such as “M4p@ssW0rd!.” Twelve to 15 characters is considered “long enough.” Many systems require upper- and lower-case letters, numbers, and special characters, which can make creating an easy-to-remember pass phrase difficult. In those cases, try to get in the habit of appending the same few required characters to the end of every pass phrase you use. Better yet, use a randomly generated password (see next tip).
Get a manager
Managers aren’t just for movie stars: password managers or vaults will generate long, random, secure passwords when prompted. Gone are the days of manually typing in pets’ names, favorite bands, or lucky numbers. These managers—which “type” complex passwords in for you—are available through your operating system’s credential manager, the Google password manager, or a commercial password manager like LastPass. They can automatically supply a strong password and often require biometric confirmation of your identity, or a PIN, before they do. Keep in mind that they don’t work very well for logging into Windows or iOS itself, because you don’t have access to the password manager before you are logged in to your computer or device. Password managers are effective in most other scenarios.
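To put numbers behind the two tips above (length beats complexity, and let a manager generate the password), here is an added Python example that is not part of the original article. It estimates the strength of the article’s two sample passwords with a naive per-character entropy formula, generates a random password and passphrase the way a manager would (using the CSPRNG in Python’s secrets module), and gives the more honest per-word estimate for a randomly chosen passphrase. The tiny word list and the 7776-word list size used for the estimate are constructed assumptions, not anything the article specifies.

```python
import math
import secrets
import string

# Character classes used for both generation and the entropy estimate.
# string.punctuation is the 32 printable ASCII symbols; space is its own class.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
    "space": " ",
}

# Constructed miniature word list (assumption); a real manager would use a
# list of thousands of words, e.g. 7776 for a diceware-style list.
WORDS = ["keep", "account", "secure", "coffee", "harbor",
         "violet", "planet", "ladder", "marble", "orbit"]


def estimate_entropy_bits(password: str) -> float:
    """Naive estimate: length * log2(size of the alphabet the password draws from).
    It assumes every character was picked uniformly, so it overstates a
    human-chosen phrase, but it shows clearly why length dominates complexity."""
    alphabet = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            alphabet += len(chars)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def generate_password(length: int = 16,
                      required=("lower", "upper", "digit", "symbol")) -> str:
    """Random password from a CSPRNG containing at least one character of each
    required class (the 'site requires upper, lower, digit, symbol' case).
    Rejection sampling keeps the distribution uniform over valid passwords."""
    pool = "".join(CLASSES[name] for name in required)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(c in CLASSES[name] for c in candidate) for name in required):
            return candidate


def generate_passphrase(words: int = 5, wordlist=WORDS, separator: str = " ") -> str:
    """Random passphrase: each word drawn uniformly and independently."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """For a passphrase whose words were drawn uniformly from a list, the honest
    figure is words * log2(list size), not the per-character estimate above."""
    return words * math.log2(wordlist_size)


def has_all_classes(password: str, required=("lower", "upper", "digit", "symbol")) -> bool:
    """True if the password contains at least one character from every required class."""
    return all(any(c in CLASSES[name] for c in password) for name in required)


if __name__ == "__main__":
    for sample in ("M4p@ssW0rd!", "This will keep my account secure!"):
        print(f"{sample!r}: ~{estimate_entropy_bits(sample):.1f} bits (per-character estimate)")
    generated = generate_password(16)
    print(f"generated {generated!r}: ~{estimate_entropy_bits(generated):.1f} bits")
    print(f"random 5-word phrase {generate_passphrase()!r}: "
          f"~{passphrase_entropy_bits(5, len(WORDS)):.1f} bits from this tiny list")
    print(f"6 words from a 7776-word list: ~{passphrase_entropy_bits(6, 7776):.1f} bits")
```

The per-character figure for the 33-character phrase comes out roughly three times that of the 11-character “complex” password, which is the article’s point. The passphrase_entropy_bits figure is the one to trust for a manager-generated phrase: six words from a 7776-word list is about 77 bits, comfortably above the short complex password, with none of the characters a human would struggle to remember.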
Enable two-factor authentication
Always take advantage of two-factor sign-in if it’s available. This strategy is more effective (and in many ways more convenient) than any other password hygiene technique you could practice. The most secure two-factor options are those that require you to type in a code generated by your authenticator app, or an app such as Microsoft’s that pushes an approval request to your device along with a number you must match to approve it. Codes sent via SMS to your phone are probably the least secure option, but they are still much, much better than no second factor at all, and should be used if no authenticator app-based option is available.
Try passwordless
If the software vendor supports “passwordless sign in,” let the company and your smartphone do the work! The iPhone, for example, evolved from password to fingerprint ID to facial recognition technology. Microsoft now enables you to access Windows computers and online Microsoft resources by employing a very strong, authenticator app-based mechanism, as well as a user-friendly approach called “Microsoft Hello,” which uses face or fingerprint recognition. Other companies will continue to follow suit to go passwordless.
Use the tools
If you’re following the above security recommendations for your passwords, you don’t need to worry about changing them frequently—or at all. In fact, password expiration and mandatory password changing are fizzling out. Forcing new passwords leads users to choose (and reuse) short, easy-to-remember passwords, which actually does more to compromise password strength than bolster it.
Some browsers, including Google Chrome, display a warning if they detect that some of your passwords have been compromised, and help you to identify compromised, duplicate, and weak passwords. Some password vaults also include tools that allow you to periodically review your passwords.
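The browser and vault checks described above can be done without ever sending your password anywhere: the client hashes it, sends only the first five hex characters of the hash, receives every known-breached hash that shares that prefix, and finishes the comparison locally (the k-anonymity “range” lookup used by Have I Been Pwned’s Pwned Passwords service). The Python below is an added example written for this article, not the code of Chrome or of any vault product. The breach corpus and the sample vault are constructed, the lookup is a local stand-in for the network call, and the 12-character minimum used to flag a password as weak is an assumption taken from the article’s “twelve to 15 characters” guidance.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus (assumption: a few entries with made-up
# counts). A real service holds hundreds of millions, stored only as SHA-1 hashes.
BREACHED_PASSWORDS = {"password": 9_000_000, "123456": 30_000_000, "qwerty": 4_000_000}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Index hashes by their 5-hex-char prefix; each entry is 'SUFFIX:COUNT',
    mirroring the response format of a range query."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix: str) -> List[str]:
    """Local stand-in for the network call. Only the 5-character prefix is
    sent; the full hash, and of course the password, never leave the client."""
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str, lookup: Callable[[str], List[str]] = range_lookup) -> int:
    """Return how many times the password appeared in breaches (0 if unseen).
    The suffix match happens here, on the client side."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(entries: Dict[str, str], min_length: int = 12) -> Dict[str, List[str]]:
    """entries maps account name -> password. Produces the three findings the
    article mentions: compromised, duplicate (reused), and weak (short)."""
    findings: Dict[str, List[str]] = {"compromised": [], "duplicate": [], "weak": []}
    by_password: Dict[str, List[str]] = defaultdict(list)
    for account, pw in entries.items():
        by_password[pw].append(account)
        if breach_count(pw):
            findings["compromised"].append(account)
        if len(pw) < min_length:
            findings["weak"].append(account)
    for accounts in by_password.values():
        if len(accounts) > 1:
            findings["duplicate"].extend(accounts)  # every account sharing a password
    return findings


# Constructed sample vault (assumption): one breached password, one reused
# across two accounts, and one long unique passphrase.
SAMPLE_VAULT = {
    "bank": "password",
    "email": "Tr0ub4dor&3",
    "forum": "Tr0ub4dor&3",
    "work": "correct horse battery staple",
}

if __name__ == "__main__":
    for category, accounts in audit_vault(SAMPLE_VAULT).items():
        print(f"{category:12s}: {', '.join(accounts) or '(none)'}")
```

A vault running this periodically gives the same three-column report the article describes. Because only the prefix is transmitted, the service learns that one of a few hundred hashes was queried, not which one, which is why this check is safe to run against a third-party breach corpus.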
Stick with the above-mentioned security protocols for solid password creation: enable two-factor authentication; always use a strong, long password or pass phrase; and don’t share passwords among accounts. Let a password manager or vault be your support system for added password protection.