Today, I want to talk about two questions I have gotten many times over my career: is changing my password frequently really necessary, and how do I come up with a strong password, anyway?
The answer to that first question is a bit more controversial than you might think. The conventional wisdom has been yes, you should change it every three months or so. The reasoning is that if your password gets leaked or hacked, it is not compromised for long.
Lately, however, many experts are starting to disagree. The problem with frequent password changes is that people are human. We take shortcuts, like writing the password on a post-it note, or just adding a number to the end of the password and incrementing it each time the password is changed. The post-it note potentially makes it MORE likely that your password will be compromised, because now there is a physical record of it for someone to find, either on purpose or accidentally. And incrementing the number at the end negates all benefit of changing your password. If a hacker knows your password WAS “FluffyDog5”, and that doesn’t work now, they’re going to try “FluffyDog6” and “FluffyDog7”.
I prefer to use a strong and unique password for each individual service and change the password if I think it has been compromised. That way, even if a password is compromised, the damage is mitigated, and I only have one password to change. And with services like HaveIBeenPwned, I get alerted if my information is in a known data breach. If a service offers two factor authentication, I make sure to enable that. I will be doing a deeper dive into two factor authentication in another post.
For the second question: how do you come up with a strong and unique password for every single thing you sign into? The answer is: you don’t. Instead of trying to think of some complex password that you can still somehow remember, but a hacker will not figure out or crack, and then making a unique one for every single website and service you sign on to, you should use a password manager. Password managers like 1Password will generate a strong password that is virtually uncrackable and then store it in an encrypted database. They even feature browser add-ins to auto-fill your passwords, and mobile apps so you can sign into your services on any device. This can also save you from phishing attacks, because if the password manager does not autofill your password on a site, you know something is up.
Now, you still need to come up with a strong password for your computer, and for the password manager itself. For this, I prefer to use the mindset of a passphrase, rather than a password. This means coming up with multiple words, or a phrase, rather than trying to strengthen one word. You want it to be longer than 15 characters, easy for you to remember, but hard to guess. The problem with replacing letters with numbers or symbols is that you end up with a password that is hard to remember, but actually really easy to crack.
Think of a combination of unrelated words that you can visualize. A password like “Hockey44” would be easy to guess or crack, even if you change the O to a zero and the H to a pound sign. But if you take a few random words, like “drink phone power stamp” and add a random number and symbol in the mix to get “Drinkphone55%PowerStamp”, you have a pretty good password that won’t be easily guessed or cracked but is still fairly easy to remember.
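To make the passphrase advice concrete, here is an added example (not part of the original post) that builds a “Drinkphone55%PowerStamp” style passphrase from randomly chosen words and estimates how much guessing work each style costs an attacker who knows the recipe. The tiny wordlist, the 50,000-word dictionary size used for the “Hockey44” comparison, and all function names are assumptions made for the demo.

```python
import math
import secrets

# Constructed toy wordlist for this demo only. A real generator should draw
# from a large published list (thousands of words) so each word adds real
# entropy; with only 16 words, four of them give just 16 bits.
WORDLIST = ("drink", "phone", "power", "stamp", "river", "candle", "marble",
            "tractor", "velvet", "pencil", "anchor", "button", "window",
            "saddle", "lantern", "copper")
SYMBOLS = "!@#$%^&*"


def scheme_entropy_bits(num_words, wordlist_size, number_range=100,
                        symbol_count=len(SYMBOLS)):
    """Bits of guessing work for an attacker who knows the exact recipe:
    num_words words drawn from a list, a two-digit number, one symbol.
    Capitalization at fixed positions adds nothing, so it is not counted."""
    return (num_words * math.log2(wordlist_size)
            + math.log2(number_range) + math.log2(symbol_count))


def single_word_entropy_bits(dictionary_size=50_000, number_range=100):
    """Rough cost of a 'Hockey44' style password: one common word plus a
    short number (assumed 50,000-word dictionary). Swapping O for 0 or H for #
    adds only a few bits, since crackers try the usual substitutions."""
    return math.log2(dictionary_size) + math.log2(number_range)


def generate_passphrase(num_words=4, rng=None):
    """Build 'Word1Word2NN%Word3Word4' from unrelated random words.
    rng needs choice() and randrange(); defaults to the OS CSPRNG."""
    rng = rng or secrets.SystemRandom()
    words = [rng.choice(WORDLIST).capitalize() for _ in range(num_words)]
    number = f"{rng.randrange(100):02d}"   # random two-digit number
    symbol = rng.choice(SYMBOLS)           # one random symbol
    half = num_words // 2
    return "".join(words[:half]) + number + symbol + "".join(words[half:])


def meets_length_rule(passphrase, minimum=16):
    """The post's rule of thumb: longer than 15 characters."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"4 words from a 7776-word list: {scheme_entropy_bits(4, 7776):.1f} bits")
    print(f"word + 2 digits: {single_word_entropy_bits():.1f} bits")
```

Run with a real wordlist of a few thousand words, four words land around 60 bits of entropy versus roughly 22 for a single word plus digits, which is the gap the post describes.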
Hopefully this helps demystify some of the basics of password security and gives you an idea of how to keep your accounts secure. If you have a question you’d like to see featured on one of our videos and blog posts, you can let us know on Twitter or Instagram at @ReliabilityTech.