Everything you ever needed to know about passwords, but were too confounded to ask
Umm, hi, I was told to talk to you about passwords and stuff?
Yes! Come, have a seat...
Our systems hold private and sensitive information, so we need to take their security seriously.
A big part of that security is making sure your passwords aren't at risk.
Oh, what are the ways my password is at risk?
1) Data dumps by hackers
If you use the same password everywhere, then when any of those organisations has a breach (as Yahoo, Dropbox and LinkedIn have), attackers will take the leaked email-and-password pairs and try them against other services to see which ones work. This is called credential stuffing, and it is completely automated, so it costs them nothing to try.
2) Password guessing
If your password is easily guessable (a dictionary word, a pet's name, a date, or any of the old favourites like "password1"), then an attacker can break into your account by running a password-guessing tool that simply tries the common ones first.
Does this mean I need to memorize a different random string of characters for every different service I use? I’m not Rain Man, you know…
It does mean you need different passwords, but you don’t need to remember all of them.
It's best if you remember three passwords:
- one for your computer,
- one for your email, and
- one for a password manager to store all your other passwords
Why these three? Because if someone gets access to your email, they can use it to request password resets for every other account you own, so that password is best kept safely tucked away inside your brain. Similar deal with your computer: anyone who can get into it can get into lots of other things from there. The third is your password manager (1Password, for example), which remembers all your other passwords so you don't have to.
For all other passwords, you can ask your password manager to generate something horrible and unguessable, since you’ll never need to remember them. If your password manager doesn’t do that for you, you can go to a website like this one to generate a new password for each site.
Still, 3 random strings of numbers and letters is a lot to remember ...
They don’t need to be random letters and numbers.
If you make a password out of 4 randomly chosen words (also known as a passphrase), then that's still secure, but you don't need to be a HAL-9000 to remember it.
Take for example:
If I ask you to remember that, you’re totally going to write that down somewhere.
But what about:
purple train wave rider
It's actually a longer password than the first one, but it doesn't feel that long to your brain because it's only 4 words to remember. Its strength doesn't come from being an odd phrase, though; it comes from the words being picked at random from a list of thousands, which gives a guessing tool thousands of trillions of equally likely combinations to wade through. And unless you happen to be a purple train wave riding enthusiast, no-one's going to guess it.
This website will help you create passwords like this.
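To show why "4 random words" beats "8 random characters", here is an added example (not code from the original post or from any password-manager vendor) that generates a passphrase the way a diceware-style tool does and works out how much guessing each option forces on an attacker. The 16-word list is a constructed stand-in; the entropy figures assume a real published list of 7776 words, which is the size of the EFF long wordlist.

```python
import math
import secrets
import string

# Constructed sample wordlist for illustration only. Never generate real
# passphrases from a list this small: 4 words from 16 gives only 16 bits.
SAMPLE_WORDS = [
    "purple", "train", "wave", "rider", "anchor", "basket", "cactus", "dolphin",
    "ember", "falcon", "garden", "harbor", "island", "jigsaw", "kettle", "lantern",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 entries, one per roll of five dice


def bits_of_entropy(choices_per_symbol: int, symbols: int) -> float:
    """Guessing work in bits for `symbols` symbols, each drawn uniformly
    from `choices_per_symbol` options. Only valid if the choice really is
    uniform and random, i.e. made by the tool, not by a person."""
    return symbols * math.log2(choices_per_symbol)


def make_passphrase(words: int = 4, wordlist=SAMPLE_WORDS) -> str:
    # secrets.choice draws from the OS CSPRNG. random.choice is predictable
    # and must never be used for passwords.
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def make_random_password(length: int = 8,
                         alphabet: str = string.ascii_letters + string.digits) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second


def compare_strength() -> dict:
    """Entropy, in bits, of the options discussed in the text."""
    return {
        "4 words from 7776-word list": bits_of_entropy(EFF_LONG_LIST_SIZE, 4),
        "8 random letters+digits": bits_of_entropy(62, 8),
        "10 random letters+digits": bits_of_entropy(62, 10),
    }


if __name__ == "__main__":
    print("passphrase:", make_passphrase())
    print("random password:", make_random_password())
    for label, bits in compare_strength().items():
        online = seconds_to_exhaust(bits, 1_000) / (365 * 24 * 3600)
        offline = seconds_to_exhaust(bits, 1e10) / (24 * 3600)
        print(f"{label}: {bits:.1f} bits; "
              f"{online:,.0f} years at 1000 guesses/s online, "
              f"{offline:,.1f} days at 10^10 guesses/s offline")
```

Four words from a 7776-word list come to about 51.7 bits, more than 8 random letters and digits (about 47.6 bits) despite being far easier to remember. The two guess rates in the output are the practitioner's caveat: against a website that rate-limits login attempts, 4 words is unguessable for geological ages, but against an attacker who has stolen a badly hashed password database and is running a GPU rig, it is a matter of days. That is one more reason to keep the memorised passphrases for the three accounts that matter and let the manager generate long random passwords for everything else.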
But they’re still random words, how will I remember them?
For the first two weeks of using your 3 passwords, logout and log back in every. single. day.
By the fourteenth day, you’ll be typing your password one handed while sipping your morning coffee and daydreaming about what it would be like if Aaron Sorkin was invited to write the next season of Bridgerton.
Is that it? Can I take off the tinfoil hat now and get back to doing that thing that technology was supposed to make easier?
Almost. Here are some other things you should remember to keep your password safe:
Don’t enter your password on a shared computer
Like an internet cafe or at an airport. It's really, really easy to install what's called a "keylogger" (sometimes a "key sniffer") on those computers, which will collect everything you type, including your password, and send it to the son of a Nigerian prince who has a very lucrative offer for you.*
(It's actually not that lucrative for you)
Don't enter details after clicking a link in an email
Not even if it looks legit. Type in the website address yourself.
Why? It's very easy for that guy in Nigeria to send you emails that look like they came from your bank, Google, or me, and it's really hard to tell whether they're legit. Just don't click.
Use your password manager's autofill feature
For example, with 1Password you can press Cmd + Option + \ and it will fill in the password for the website you're on. This isn't just convenient: before filling, it checks that the page's address matches the one the password was saved for, so if you've been tricked into visiting a look-alike URL it simply won't offer the password. That makes autofill a phishing check you don't have to think about.
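The address check described above, as an added example that is not 1Password's code or anyone else's: a toy vault that only offers a login when the current page has the same origin (scheme, host and port) as the page the login was saved on. The saved logins are constructed, and the look-alike addresses are the kinds of tricks a phishing email relies on.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed vault entries for illustration: saved page URL -> username.
SAVED_LOGINS = {
    "https://login.example.com/session": "alice@example.com",
    "https://mail.example.org/": "alice@example.org",
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url: str) -> Tuple[str, str, int]:
    """Reduce a URL to its (scheme, host, port) origin.

    Using the parsed hostname, not the raw text, is what defeats the usual
    tricks: 'login.example.com@evil.test' has hostname evil.test, and
    'evil.test/login.example.com' has hostname evil.test too."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, 0)
    return (scheme, host, port)


def logins_for_page(current_url: str) -> List[str]:
    """Usernames the manager would offer to fill on the current page."""
    current = origin(current_url)
    return [user for saved_url, user in SAVED_LOGINS.items()
            if origin(saved_url) == current]


if __name__ == "__main__":
    pages = [
        "https://login.example.com/other/path",        # same site, different page: fill
        "https://LOGIN.Example.com:443/",               # case and explicit port: fill
        "https://login.example.com.evil.test/",         # look-alike subdomain: no
        "https://login.example.com@evil.test/",         # username trick: no
        "https://evil.test/login.example.com",          # host hidden in the path: no
        "http://login.example.com/",                    # downgraded to http: no
    ]
    for page in pages:
        print(f"{page:48} -> {logins_for_page(page) or 'nothing to fill'}")
```

A real password manager's matching rule is usually a little looser than this (many treat every host under the same registered domain as one site, so a login saved on accounts.example.com also fills on www.example.com), but the principle is the same: the decision is made on the parsed host, not on what the address looks like to a human, which is exactly what a phishing page is designed to fool.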
Are you sure my password doesn’t need to contain an @, a number, an uppercase letter and at least one Egyptian hieroglyphic?
The National Institute of Standards and Technology (NIST) has revised its definition of a "good password": its current guidance drops the mandatory mix of symbols, numbers and capitals, and the forced regular changes, because those rules made passwords so hard to remember that people chose predictable ones and reused them, which made them less secure instead of more secure. Length and unpredictability are what count.
Here’s an article about it.
If you prefer, here it is described in a very technical comic strip.