Articles

Dealing with passwords

E-mail, social media, file-sharing, banking, transport, entertainment ... nowadays, most people have dozens of accounts to manage, at work, at home and online – and chances are, all of them use passwords as the most basic form of protection.

A handy guide


Keeping track of so many passwords can sometimes feel overwhelming, especially for accounts that you use only occasionally, or those that force you to change passwords regularly.

It doesn't have to be so troublesome though. Here's a quick guide on how to make handling your passwords simpler. You can also download this guide as an infographic (PDF).

Know Your Vitals


First things first: before thinking about how to secure your accounts, prioritize them. Some accounts are ‘nice to have', but if you lose access to them tomorrow, it won't affect you too much. Other accounts however are absolutely critical – losing them would seriously disrupt your life.

For most people, their most vital accounts are those related to money and identity, such as:

  • Banks, credit cards and loan accounts
  • Online shopping accounts
  • Business or social networking accounts that link to your work life
  • File-sharing accounts containing personal documents
  • Image-sharing accounts containing photos of you or your loved ones
  • Email accounts used as the point of contact for password resets for other accounts

Decide for yourself which accounts are just a convenience and which are vital to your way of life. Then focus on protecting the vital ones first. Once those are safeguarded, you can turn your attention to less critical accounts.

Make it Unique. Make it strong.


Once you've identified your vital accounts, think about the passwords you use for them (and eventually, all your other accounts). The very first rule about passwords is that you should never re-use passwords between accounts. Ever.

Keeping the passwords for each of your accounts completely unique means that even if an attacker manages to break through the defenses on one of your accounts, all your other accounts are still fully protected.

Next is the most common – and usually, most ignored – piece of advice: make your password strong. A simple definition of ‘strong' here is:

A password that is hard for other humans to guess based on what they know about you, and just as hard for a machine to crack if it tried out all possible words or combination of words a programmer could imagine.

Of course, constantly coming up with ‘strong' passwords can be a daunting chore. The easiest way to do that is to use a simple, easy-to-remember system that lets you create many passwords with little effort.

Here are a couple of systems you can try (but don't use the example passwords shown here).

BASE/ PIN

You can try combining a BASE element and PIN to create a unique password for each of your vital accounts.

For example, the BASE ‘aMa229' could be used to identify your Amazon account; you could have a PIN like ‘lolcat!' that stays the same for all your accounts; and then you just combine the two to get your password.

You can find more info about this system at the Safe and Savvy blogpost: How to create and remember strong passwords

Phrase Play

Another easy ‘creation system' is to base your passwords on a unique phrase. Use a phrase that you find easy to remember - a song lyric, a rhyme, or even just a nonsensical sentence - and use variations of it to create a password for each site.

For example, you could start with the phrase ‘Why on earth must I create so many passwords'. Then you can try making an acronym from it; using every second (or third or fourth) characters from it; and so on.

You can even combine the phrase with a base or pin so that the variations could be made unique to each site.

Just Generate It

Another option: many people skip trying to come up with their own passwords altogether and use password management software.

There are many programs, apps and even scripts that can save you the headache and generate a strong, unique password for all your accounts. Some will include other handy features, such as automatically filling in forms and so on. Give them a try.

Or you can play around and build a creation system of your own. Just keep the following in mind:

  • Longer passwords are better, as each extra character makes it progressively harder for a machine to crack. You should aim for at least 8 characters in the password, but 12, 18 or more is even better.
  • Though mixed character types (uppercase and lowercase, numerals and special characters) don't really make a password as strong as would be expected, many online services actually require passwords that include these.
  • An often overlooked point about passwords is that if an attacker can trick an online service into resetting the password, they don't need to bother cracking it in the first place! This means you should be just as careful about setting the answer for the password reset question. Don't use any personal information about yourself that's easy to guess or is available online. You could even use a separate password as the answer for the password

NOT THESE


The worst kind of password is one that everyone else uses. According to news reports on major database breaches in 2013, these are some of the most common passwords people use.

password
passw0rd
password1
qwerty
abc
aaaaaa
admin
master
iloveyou

letmein
work
job
shadow
princess 000000
111111
123123
654321

123
1234
12345
123456
1234567
12345678
123456789
1234567890

 

However you decide to create your passwords, at least make sure not they aren't included on this list. These are not strong passwords. Don't use them.

2FA: If they have it, use it


For an extra level of protection, check to see if your vital accounts offer two-factor authentication (2FA). This requires you to provide something you know (a password) but usually also a code from something you have – either a phone, or a dongle or an app.

Banks were among the first institutions to start offering 2FA, but today popular online services like Google, Facebook, Dropbox, and Twitter also support it.

If it's available, enable 2FA on your vital accounts so that even if someone steals your password, they still only have half of the ‘key' needed to get into your account.

Save it safely


And finally, once you've gone through all the trouble of creating your unique, strong passwords, find a way to save it safely away from prying eyes.

Some people – especially those with a password system that's easy for them to remember – can keep everything in their heads. For the rest of us, there are a myriad ways to do it. Some write them down on paper and lock it away in a safe place. Others keep them in an encrypted file on a device. Still others use a password manager.

Find a way that's safe and easy for you.