5 tips for smarter password and security management
Passwords are ubiquitous in today's digital society. Chances are, you've had to make, remember, and enter at least one password in your week, and that's not about to change.
The world of online security, however, is changing. The paradigms of password management are also being rewritten day to day, depending on what big breach is currently in the news.
To combat this, it's good to have some basic guidelines in place for your management of passwords as well as what you do with those passwords in your daily life.
While not an all-encompassing guide, the following are tips that can help you stay safe online as well as prepare for the worst in case something happens.
Strong, unique passwords for everything
Here's the basic tenet of password management today: You want to have a different, unique, and strong password for the different services you use. Every different service should have a demonstrably different password and shouldn't be a variant of something you commonly write.
Conventional wisdom on password strength says longer is better, with a 64-character password beating a 10-character one, but a long password is not automatically a strong one.
Password crackers are likely to start with common words and phrases as a baseline when breaking into people's accounts. A common phrase turned into a password – take, for example, "Winnerwinnerchickendinner" – will be easy to crack precisely because it is a relatively common phrase.
In a post meant for tech companies with authentication services, Troy Hunt, the webmaster behind online breach notification service Have I Been Pwned, showed that various companies have different rules for setting up passwords. You may not always be able to use a long password, and you should adjust according to the situation.
Passwords that are harder to crack are, as a rule, also harder to remember. If you can manage a 64-character password made up of random numbers and letters whose combination is not easy to recall, try that.
You just have to make sure you don't forget it, which leads to our second tip.
Use a password manager application
Password managers – programs that store your passwords for you for quick retrieval – are useful in that you can access your personal database of names, passwords, and notes for certain services without needing to remember all your passwords yourself.
In my case, I have close to 300 unique passwords for the various services I use, and I take advantage of a password manager to access, adjust and manage them.
Now, you may argue that password managers are just begging to be hacked. A good, offline password manager with 300 strong, unique passwords is better than trying to remember 300 flimsy passwords: the mind is a worse password manager, by far.
Besides, you just need one really good password as a master key for the password manager lock, and as long as you keep that secret and hidden from everyone, you're generally in the clear.
In 2014, we recommended KeePass and LastPass for password management. We still recommend those, but there are also other services now, such as 1Password, Dashlane, and Roboform 8 that do the same job, and are just as free. Do a search for what a password manager can do for you, then pick one and stick to it.
Get two-factor authentication where you can
While it may be an added hassle for some people, taking advantage of two-factor authentication on certain services can save you from considerable headaches in the case of a potential attack.
Two-factor authentication is the system by which a user sets up their authentication service to require a second piece of information beyond the username-password combination. This second factor is something only the user has access to.
Usually, this comes in the form of an alphanumeric or numeric code from an authentication app or email after logging into a service.
It's an extra step to get into your service quickly, but it helps especially if you don't have a password that's up to standard.
Check your passwords against existing breaches
Have I Been Pwned also has a new feature that can be useful in the fight to maintain password integrity.
The service now has a password cross-referencer – called Pwned Passwords – that checks your hidden, typed-in password against information breaches. Specifically, a password you've checked will be referenced against over 320 million breached passwords, and if it's already there it's good thinking to consider using a different password on a particular account.
Hunt explained that companies can use the data to better set up their password protection systems, but the same data can also be used by laymen to better protect themselves as well.
That said, while there are also password checkers online that try to use math to determine how strong a password is, we don't advise inputting your current passwords into password checkers or Have I Been Pwned's breach list – only check ones you're planning to replace or suspect of being bad passwords.
Why? You may end up having that password recorded without meaning to, so it is better to be safe in that regard.
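The concern above is exactly what the later Pwned Passwords range API addresses: the client hashes the password with SHA-1 locally and sends only the first five hex characters of the hash; the service returns every known hash suffix with that prefix (hundreds of them) and the client finishes the match itself, so neither the password nor its full hash leaves the machine. The following is an added example, not the article's or Have I Been Pwned's code: it reproduces that mechanism against a small constructed corpus that stands in for the remote lookup, and the sample passwords and counts are made up.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for breach data: password -> number of times seen. Not real data.
CONSTRUCTED_BREACHED = {
    "password": 3,
    "Winnerwinnerchickendinner": 1,
    "letmein": 2,
}


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys its corpus by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str):
    """Range API convention: 5-char prefix is sent, 35-char suffix stays on the client."""
    return hash_hex[:5], hash_hex[5:]


def build_local_corpus(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Index constructed entries by prefix, producing 'SUFFIX:COUNT' lines like the real range response."""
    corpus: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        corpus.setdefault(prefix, []).append(f"{suffix}:{count}")
    return corpus


LOCAL_CORPUS = build_local_corpus(CONSTRUCTED_BREACHED)
PREFIXES_SENT: List[str] = []  # records what a "server" would actually receive


def local_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    PREFIXES_SENT.append(prefix)
    return "\n".join(LOCAL_CORPUS.get(prefix, []))


def pwned_count(password: str, lookup: Callable[[str], str] = local_range_lookup) -> int:
    """Return how many times the password appears in the corpus, matching the suffix client-side."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "Winnerwinnerchickendinner", "7rQ#mV2kLp9!xZ4b"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
    print("prefixes sent:", PREFIXES_SENT)  # 5 hex chars each, never the password
```

Swapping `local_range_lookup` for a function that performs the real HTTPS request keeps the privacy property: the server only ever sees a five-character prefix shared by many unrelated passwords, which is why a check against the range API does not carry the recording risk the article warns about for checkers that take the plaintext password.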
Assume the worst and prepare for it
Here's a sobering thought: You either have had or will have one of your accounts compromised. This inevitability is the basic tenet of internet security today, and it's an unfortunate reality that people will try to use a data breach, phishing attack, or other manipulative action against you.
The good news is you can choose to be prepared for the eventuality, as well as mitigate the damage by having a ready response to some threats.
For starters, have antivirus and malware scanners on your computer and scan files you have downloaded before accessing them. They won't always catch everything, especially with newer types of malware meant to steal data, but they're a start.
Second, subscribe your email addresses to a breach reporting service or periodically check your accounts against reported breaches on Have I Been Pwned.
Third, in the case of a reported breach affecting you, make sure you have an outlined plan in place to replace passwords you have as soon as you're able, and prepare other contingencies in case other information has been taken, such as credit card information and the like.
Lastly, take some time out of your schedule to study what you can do in case of a breach. Aside from studying legal remedies to take errant companies to account for inevitable breaches that they didn't adequately defend against, you can also read up on cybercrime laws in your country, as well as research current and constantly updated practices for keeping safe online.
Staying safe online isn't a perfect, static science, and in the hands of a determined and skillful attacker, nothing is ever truly 100% safe.
If you can make a malicious hacker's life a little bit more difficult by working on improving your own preparedness over time, however, that may be worth a bit of trouble on your end. – Rappler.com