[Image: Keys and padlocks appear in red in this wax cloth print, against a gold background.]

Let the Right One In

Make Your Passwords Stronger

Gus Andrews

--

I originally wrote this security advice piece for Tactical Tech’s Data Detox Kit; it’s adapted here with permission and thanks.

Do you find yourself reusing the same password for all or most of your online accounts? Because strong passwords can be so hard to memorize, you may tend to reuse the same one over and over. Or you might use simple passwords, which are weak.

And that is how most accounts get broken into: not with clever code or specialized hacking skills, but with passwords that are easy to guess or that have already leaked from some other site.

When a so-called “hacker” tries to get into accounts, all they need is a computer and a list: a program tries every common password, every dictionary word, and every password that has leaked from other sites’ breaches, automatically and in bulk (trying leaked passwords on other sites is called “credential stuffing”). Or, if it’s someone you know trying to get into your account, they just make a few guesses until they get in: maybe they know important dates, teams, pets, or people in your life, or they just know the password you use on some other site.

But, don’t despair! You can defend yourself when it comes to passwords. Here’s the best current advice.

The Key to a Strong Lock: Long, Unique, Random

While it may seem tricky to create top-notch passwords, we’re here to tell you that it can be quite easy. All you have to do is follow a few basic principles, and you can even get a little help from our friend, the password manager. Your passwords should be long, unique, random, and stored in an encrypted password manager. Let’s look at each of these in more detail.

Long

The longer the password, the harder it is to guess, and that makes it stronger: every character you add multiplies the number of guesses an attacker has to make. At a minimum, all of your passwords should be eight characters long. Ideally, they should be more like 16–20 characters, which is easy once a password manager is generating them for you.

Unique

Using the same password on multiple sites is one of the biggest risks to your security: when any one of those sites is breached, attackers take the leaked password and try it everywhere else, and your email, bank, and shopping accounts can fall with it. Ideally, each password you use on every site should be different. (Sound like a lot to memorize? We’ll get to how to store them in a moment.)

Random

This means your password does not follow a logical pattern and is therefore not easy for anyone (including you) to guess. You’re avoiding numbers that mean something to you (like your birthday, or address), and the letters or phrases lack rhyme or reason.

While it may seem like a strange idea to choose a password you can’t easily remember, a random password can’t be guessed from anything someone knows about you, and because it is unique to one site, a breach there gives an attacker nothing to use against you elsewhere. Keeping it in an encrypted password manager (explained below) is what makes that practical.

You may be asking: “But how am I supposed to remember hundreds of long, unique, random passwords?!” The answer is, you’re not. Remembering what you had for breakfast yesterday is hard enough! Use an encrypted password manager to help you out.
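To make the three principles concrete, here is an added example in Python that is not part of the original piece or of any password manager’s code. It generates passwords the way a manager does, from the operating system’s cryptographic random source, and works out how many guesses each length forces on an attacker. The small word list and the guessing rate of ten billion per second are assumptions chosen for the example.

```python
import math
import secrets
import string

# 94 printable ASCII symbols, the alphabet most managers use by default.
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list. A real passphrase generator uses a
# large list such as the EFF long list (7,776 words, about 12.9 bits per word);
# these 32 words give only 5 bits each and exist so the example runs offline.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "iris", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cinder", "dapple", "elm", "flint",
]

# Assumed attacker speed: about 1e10 guesses/second is a plausible offline rate
# against a fast, unsalted hash on a GPU rig. Guessing against a live login
# page is millions of times slower, so this is the pessimistic case.
OFFLINE_GUESSES_PER_SECOND = 1e10


def random_password(length: int = 20, alphabet: str = CHARSET) -> str:
    """Generate a password with the OS CSPRNG (secrets), never random.choice."""
    if length < 8:
        raise ValueError("eight characters is the floor; aim for 16-20")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen uniformly, so it can be
    memorised. Suited to the one password you must remember, the manager's
    master passphrase."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`.
    Only valid for generated passwords; a human-chosen one has far less."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility; the expected time is half this."""
    return 2 ** bits / guesses_per_second


def compare_lengths(lengths=(8, 16, 20), alphabet_size=len(CHARSET)) -> dict:
    """Why each extra random character matters: bits and years to exhaust."""
    year = 365.25 * 24 * 3600
    return {
        n: {
            "bits": round(entropy_bits(n, alphabet_size), 1),
            "years": seconds_to_exhaust(entropy_bits(n, alphabet_size),
                                        OFFLINE_GUESSES_PER_SECOND) / year,
        }
        for n in lengths
    }


if __name__ == "__main__":
    print(random_password(20))
    print(random_passphrase(5))
    for n, row in compare_lengths().items():
        print(f"{n:2d} chars: {row['bits']:6.1f} bits, {row['years']:.3g} years")
```

The point of `compare_lengths` is the jump between rows: an 8-character random password (about 52 bits) can be exhausted offline in days at the assumed rate, while 16 characters (about 105 bits) pushes the same attack past the age of the universe. That is the whole case for letting the manager pick long passwords you never have to remember.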

Store your passwords in an encrypted password manager

Ideally, you should use a dedicated password manager to generate and store all your passwords. A password manager, such as 1Password or KeePassXC, two that security experts often recommend, is basically an app whose sole purpose is to protect your login credentials and other sensitive data.

“Encrypted” means that to anyone else, your information looks like a totally unrecognizable, jumbled-up code. If you were to encrypt the term “Data Detox Kit” it might come out looking like “AG+%$37/94” or “77GDa5T45!” (for example) to anyone without the password, and only the right password turns it back into readable text.

Password managers use strong encryption and other extra security measures as a “lock” to keep your stored passwords secure. Encryption on a dedicated password manager is the best protection you have: it’s much, much more likely that your passwords will be guessed or exposed in a breach than that someone will break the encryption of your password manager. The one thing the encryption cannot do is make up for a weak master passphrase, since that passphrase is the key that unlocks everything; choosing a good one is covered below.

Another benefit of this software is that it can generate genuinely random passwords for you, drawn from a cryptographic random number generator rather than from anything a person would think of. Most dedicated password managers make it possible to sync your passwords across devices, or even set it up so you can share some passwords with your family or coworkers.

Note: these managers are not the same as having your browser (Safari, Edge, Firefox, Opera, etc.) save your passwords. That kind of storage doesn’t provide the same protection as a dedicated password manager: it is typically unlocked whenever the browser is, so anyone using your computer or browser profile can use, and often read, the saved passwords. And browser “auto-fill,” which can fill a login form without asking you first, can put your passwords at risk.

Test the strength of your password strategies with the password skills quiz in Tactical Tech’s Data Detox Kit!

To keep your accounts safer, don’t use the “remember me” or “save this password” functions on a website or in your browser. Learn to recognize the unique pop-up your dedicated password manager gives you when it’s time to save a password. Better yet, add the login to the manager yourself, by hand, rather than relying on whatever pops up.

Tips for Using a Password Manager

To make your passwords more secure, use an encrypted manager. Below are some extra tips to make your path to a password manager simple.

1. Pick a password manager

Some great options are 1Password or KeePassXC. KeePassXC is free, but people often find it harder to use. You may find 1Password, which charges a subscription fee, easier, or find it has features you need, like sharing with other members of your family or work team. You only need one password manager, and it’s going to be something you use daily, so do some research and choose the one that feels right for your needs.

2. Install it

First, install your chosen manager to your computer, then on your phone. Not only is it a little easier to use password managers with a full keyboard, but it also means that you’ll have a backup that is ready to use in case you lose your phone.

For more detailed steps on setting up your password manager, check out the resources below:

For extra ease, you can install the browser extension for your password manager (steps can be found in the above resource links). This lets you easily copy and paste your login name and password into websites. (Again: this is not the same as your browser’s own password storage; the dedicated manager’s extension is backed by the manager’s stronger encryption and other protections.)

3. Make a password for your password manager

Your password manager will ask you to create a strong master pass phrase. It should be several words long (four or more), chosen at random rather than taken from a quote, song, or saying you like, and not something you’ve used elsewhere.

Practice repeating this pass phrase until you memorize it! You’re going to need to use it daily. You may want to write it down and put it in a safe, locked drawer, or keep it in your wallet for a while, until you get it memorized. Just remember: this will now be the key to all your accounts.

4. Collect and store

Once you start collecting and storing your account details in your password manager, you may find that you have more accounts open than you realized. The collection process may take you a few weeks until you remember and store everything you’re using. This is also a good chance to look closely at the accounts you have open and decide whether you still want them, or whether you’d like to close some of those unused accounts.

During this time, you can become more comfortable with your password manager, and really make sure that you memorize that master password!

5. Strengthen your passwords

Now that you’ve gotten used to your password manager, it’s time to strengthen your passwords!

Start with three important accounts — say your bank or credit card, your favorite social media account, and the shopping site you use most. Don’t start with your usual email account — it’s most likely the key to recovering those other accounts. You want to practice with other sites first until you get the hang of your password manager.

Change the password on each of those three sites, following the instructions from your password manager on how to generate and store a strong password.

Feeling comfortable? Now it’s time to tackle that crucial email account.

You may be able to set up multi-factor authentication, like sending an SMS to your phone, using an authenticator app, or using a USB FIDO key, to make it so someone trying to get into your account needs one extra way of proving they ought to have access to it. If the site offers a choice, prefer an authenticator app or a FIDO key over SMS: a text message can be intercepted or redirected to an attacker’s phone, whereas an app code is computed on your own device and a FIDO key will only answer the real site.

Bonus Tips

You don’t need to change all of your passwords at once! Over time, each time you go to another site you use, change your password and save it to your password manager. Before long, you’ll find you’re using your password manager all the time and that all of your accounts are becoming more secure.
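If you export your vault (or just list what is in it), a few lines of code can tell you where to start. The following is an added example, not the article’s own or any manager’s code: it audits a constructed vault export for reused, short, and already-leaked passwords and ranks the sites to fix first. The vault entries and the small set of “breached” hashes are made up for the example; a real check would query a breach database using the prefix/suffix split shown, so the password itself never leaves your machine.

```python
import hashlib
from collections import defaultdict

# Constructed vault export; every site and password here is invented.
VAULT = [
    {"site": "bank.example",   "username": "gus", "password": "Tr0ub4dor&3"},
    {"site": "mail.example",   "username": "gus", "password": "correct-horse-battery-staple-42"},
    {"site": "shop.example",   "username": "gus", "password": "Summer2019!"},
    {"site": "forum.example",  "username": "gus", "password": "Summer2019!"},
    {"site": "social.example", "username": "gus", "password": "pass123"},
    {"site": "news.example",   "username": "gus", "password": "x7#Qm2!kLp9@Rv4zW1$n"},
]


def sha1_hex(password: str) -> str:
    """Breach-corpus convention: upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a corpus of leaked password hashes. A real audit
# queries a breach database instead of keeping a set like this in the script.
BREACHED_SHA1 = {sha1_hex(p) for p in ("pass123", "Summer2019!", "123456", "qwerty")}


def k_anonymity_split(password: str):
    """How a manager checks a password against a breach database without
    revealing it: send only the first 5 hex characters of the SHA-1, receive
    every suffix sharing that prefix, and compare the remaining 35 locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def find_reused(vault) -> dict:
    """Passwords that appear on more than one site, mapped to those sites."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_short(vault, minimum: int = 16) -> list:
    """Sites whose password is below the length the article recommends."""
    return [e["site"] for e in vault if len(e["password"]) < minimum]


def find_breached(vault, breached_hashes) -> list:
    """Local comparison against the breach set, using the same prefix/suffix
    split a k-anonymity query would use over the network."""
    hits = []
    for e in vault:
        prefix, suffix = k_anonymity_split(e["password"])
        suffixes = {h[5:] for h in breached_hashes if h.startswith(prefix)}
        if suffix in suffixes:
            hits.append(e["site"])
    return hits


def audit(vault, breached_hashes=BREACHED_SHA1, minimum: int = 16) -> list:
    """One row per site that needs attention, worst first: the number of
    reasons sets the order, so reused+breached+short outranks short alone."""
    reused_sites = {s for sites in find_reused(vault).values() for s in sites}
    short_sites = set(find_short(vault, minimum))
    breached_sites = set(find_breached(vault, breached_hashes))
    rows = []
    for e in vault:
        reasons = []
        if e["site"] in breached_sites:
            reasons.append("appears in breach corpus")
        if e["site"] in reused_sites:
            reasons.append("reused on another site")
        if e["site"] in short_sites:
            reasons.append(f"shorter than {minimum} characters")
        if reasons:
            rows.append({"site": e["site"], "reasons": reasons})
    rows.sort(key=lambda r: (-len(r["reasons"]), r["site"]))
    return rows


if __name__ == "__main__":
    for row in audit(VAULT):
        print(f"{row['site']:15s} {', '.join(row['reasons'])}")
```

On the constructed vault the two sites sharing “Summer2019!” come out on top, because one breach of either exposes both, and the two entries that were already generated by a manager (long and unique) do not appear at all.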

To take your security to the next level, check to see whether your browser is still storing passwords for you, and tell it not to offer to save passwords (or, for that matter, payment methods!). In most browsers (Safari, Edge, Chrome, Firefox, Internet Explorer, etc.), you’re looking for the section in “Settings” or “Preferences” called “Autofill” or “Passwords.” You should also be able to delete saved passwords there.

Forgot your password or get locked out of a site? No problem. Just use the site’s “Forgot my password” option, and save your new password in your manager when you reset it.

And finally, go at your own pace. Digital security is a journey and not a race. What’s most important is that you feel comfortable, confident, and calm.

For more digital security advice, check out Keep Calm and Log On.


Written by Gus Andrews

Researcher, educator, and speaker on human factors in tech. My policy work has been relied on by the EFF and US State Department. Author of keepcalmlogon.com
