How many passwords do you think you have? Whatever your guess, the actual number is probably a lot higher. That’s because you have passwords for both personal and professional platforms, apps, and websites, and you’re likely forgetting about passwords that you set up on websites you no longer visit. Chances are, those old passwords aren’t long, random, and unique. Even the passwords you’ve set up most recently may not be as secure as you think they are.
Why does this matter? Because accounts are compromised when their passwords are easy to guess or have been reused on other sites. In this article, we’ll talk about what that means for you and your business, and we’ll outline the tools and best practices you can use to manage your passwords, generate better ones, and have them at hand when you need them.
The facts about password security
There’s a lot of competing information these days about passwords. In general, you can use the following facts to guide you when establishing a personal password or educating employees about password security at the office:
- Password length is more important than complexity. When you create a password, aim for a longer one. We often assume that a password that is hard to crack must also be hard to remember. That’s not true. A string of randomly chosen common words (such as “surprise house gum dress”1) or a passphrase (such as “The blue banana danced with Peter Pan”1) can be easy for you to remember yet take a computer a very long time to guess. The words do need to be chosen at random (by a password manager, or by rolling dice against a word list), not taken from a song lyric, quotation, or other well-known phrase, because cracking tools try those first.
- Commonly used and reused passwords are easily compromised. Most password compromises that small businesses and individuals experience come from attackers working through lists of passwords exposed in previous breaches. Because people tend to pick easy-to-remember passwords, and many of those already appear in such lists, attackers can try them against your accounts far faster than they could guess at random. Some passwords are simply guessable, such as “Password” or “12345.” Passwords that follow a predictable pattern, such as “Summer2022,” are also common and are cracked quickly. And if an attacker obtains a password you use for several accounts, every one of those accounts is compromised at once; trying leaked username and password pairs against other sites is so routine that it has a name, credential stuffing.
- Random letters, numbers, and characters chosen by a person aren’t as random as we think. When we type what looks like a random string of letters, numbers, and special characters, it often isn’t random at all: we unknowingly fall back on keyboard patterns (adjacent keys, repeated sequences, a word with a digit and a symbol tacked on) that cracking tools are built to try. Computers are much better than humans at generating truly random passwords, so let a computer do it for you. That’s one of the many benefits of using a password manager.
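The “known passwords from previous breaches” point above has a practical defensive counterpart: you can check whether a candidate password appears in a breach list without ever sending the password itself. The following Python block is an added example written for this article, not code from the original page or from any password manager. It implements the k-anonymity check used by the Have I Been Pwned Pwned Passwords range API (only the first five hex characters of the SHA-1 hash are sent; the matching is done locally). The endpoint URL and the `SUFFIX:COUNT` response format are as that service documents them, but the block runs offline against a breach list constructed here for the example, with invented occurrence counts; the live lookup function is included but not called.

```python
import hashlib
import urllib.request


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form used by the breach-list lookup."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach-list service, built here for the example.
# It holds a few passwords of the kind found in real breach lists, stored only
# as hashes, with made-up occurrence counts.
_CONSTRUCTED_BREACH_DATA = {
    sha1_hex("Password"): 7,
    sha1_hex("12345"): 9,
    sha1_hex("Summer2022"): 3,
}


def constructed_range_lookup(prefix):
    """Offline stand-in for the range endpoint: returns 'SUFFIX:COUNT' lines for
    every stored hash whose first five hex characters equal `prefix`."""
    lines = [f"{h[5:]}:{n}" for h, n in _CONSTRUCTED_BREACH_DATA.items() if h.startswith(prefix)]
    return "\r\n".join(lines)


def hibp_range_lookup(prefix):
    """Live lookup against the Pwned Passwords range API
    (https://api.pwnedpasswords.com/range/<prefix>). Not called in this example;
    it needs network access. Pass it as `lookup=` to breach_count to use it."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=constructed_range_lookup):
    """How many times the password appears in the breach list, or 0.

    k-anonymity: only the first five hex characters of the SHA-1 hash are sent;
    the service returns every suffix sharing that prefix and the comparison is
    done here, so neither the password nor its full hash leaves this machine.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.strip().upper() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    for candidate in ("Password", "Summer2022", "v9#Lq2!pX7rT$bN4"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in the constructed list"
        print(f"{candidate!r}: {verdict}")
```

A password that comes back with a non-zero count is already in attackers’ wordlists and should be rejected regardless of how long or complex it looks. A zero result only means it is not in that list; it says nothing about a password that is merely predictable.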
The benefits of a password manager
The reality is that you have a lot of passwords, and remembering them all is an impossible task. That’s where a password manager comes in. A password manager is software that can generate and store strong passwords for you, and sync those login credentials across your devices. It protects against account hijacking by making it practical to have a different strong password for every account, and many managers will only offer to fill a saved password on the site it was saved for, which helps against look-alike phishing pages. There are many password manager options, each with slightly different features and price points.2 Read through this Password Managers article from SANS for important features you’ll likely want to consider.
- Password managers are much better than humans at creating strong, unique passwords. As mentioned, when we create what we believe is a random password, we are likely using patterns that are easy for our fingers to type and easy for a cracking tool to guess. A password manager draws each character from a cryptographically secure random number generator, so the result is genuinely random, unique to that site, and as long as the site allows. Many password managers let you enter the site’s password rules (length, uppercase and lowercase letters, numbers, or special characters) before generating, so the result meets the requirements of the website or application.
- You will gain both convenience and security from a password manager. Your password manager requires a master password to unlock your password database (often called a vault). When you visit a website that requires a password, you open your password manager, enter your master password, and select the entry for that site. Many managers recognize websites for which you have a stored password and let you fill it without leaving the website or your browser. You will still need to memorize a few passwords, such as your master password, which should be very strong (a long, randomly generated passphrase works well) and must not be used anywhere else. But you can put your effort into memorizing a couple of really strong passwords instead of trying to remember dozens of weaker ones.
- Expand your protection with multi-factor authentication. Multi-factor authentication is a sign-in process that requires more than one form of proof before access is granted. An example is when you log into an app on your phone and must enter a code texted to you before you are let in. The most secure form is a hardware security key, the kind you plug in or tap; modern keys check which site they are talking to, so they cannot be tricked into approving a sign-in on a fake page. An authenticator app on your phone is another strong option, since only the person holding the phone can complete the sign-in. Codes sent by text or email are somewhat weaker (a text can be intercepted if someone takes over your phone number) but still add a real layer of protection. Using multi-factor authentication along with a password manager greatly improves the security of your accounts.
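The two points made above, that length beats complexity and that a password manager should draw passwords from a proper random source rather than from a person’s fingers, can be put in numbers. The following Python block is an added example written for this article; it is not code from the original page or from any password manager. It generates a passphrase and a site-constrained random password using the operating system’s cryptographic random source (`secrets`) and computes the entropy of each. The word list inside it is a small constructed sample; a real generator uses a much larger list (the EFF long list has 7,776 words), which is the size used in the strength comparison. The 94-character alphabet is the printable ASCII set a typical site allows.

```python
import math
import secrets
import string

# Constructed sample word list for this example. A real passphrase generator
# uses a much larger list (the EFF long list has 7,776 words); each word adds
# log2(list size) bits only if it is picked uniformly at random from the list.
SAMPLE_WORDS = [
    "anchor", "banana", "cactus", "dress", "engine", "falcon", "gum", "house",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orange", "pepper",
    "quartz", "river", "surprise", "tunnel", "umbrella", "violin", "walnut", "xylophone",
    "yellow", "zipper", "bridge", "candle", "forest", "garden", "hammer", "meadow",
]

# Character classes a typical website requires: 26 + 26 + 10 + 32 = 94 characters.
DEFAULT_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a secret built from `length` independent, uniformly
    random choices out of `alphabet_size` possibilities: length * log2(size)."""
    return length * math.log2(alphabet_size)


def passphrase(count=4, words=SAMPLE_WORDS, sep=" "):
    """Pick `count` words uniformly at random with the OS CSPRNG (secrets),
    never with random.choice, which is seeded predictably and not meant for secrets."""
    return sep.join(secrets.choice(words) for _ in range(count))


def meets_requirements(password, classes=DEFAULT_CLASSES):
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in classes)


def random_password(length=16, classes=DEFAULT_CLASSES):
    """Generate a uniformly random password over the union of the classes that
    satisfies the site's 'one of each class' rule.

    Rejection sampling (draw, check, redraw) keeps the distribution uniform over
    all qualifying passwords. Forcing one character of each class into fixed or
    shuffled positions is a common shortcut that skews the distribution instead.
    At length 16 a draw fails the check rarely, so the loop ends almost at once.
    """
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_requirements(candidate, classes):
            return candidate


def compare_strength(word_list_size=7776, word_count=4, alphabet_size=94, char_count=8):
    """Entropy of a word_count-word passphrase vs. a char_count-character password."""
    return {
        "passphrase_bits": entropy_bits(word_list_size, word_count),
        "password_bits": entropy_bits(alphabet_size, char_count),
    }


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("password:  ", random_password())
    print("4 diceware words vs 8 mixed chars: ", compare_strength())
    print("6 diceware words vs 12 mixed chars:", compare_strength(word_count=6, char_count=12))
```

Four words from a 7,776-word list give about 51.7 bits, roughly the same as 8 random mixed characters (about 52.4 bits), yet the four words are far easier to remember. Every extra word adds about 12.9 bits while every extra random character adds about 6.6, which is why length is the lever that matters. Both numbers assume the choices are truly random; a passphrase you composed yourself from a familiar phrase has far less entropy than the formula suggests.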
Password best practices
While cybersecurity is a complex topic, the steps to protect yourself from password compromise are relatively simple. Below we outline four best practices to protect your passwords.
- Use a password manager. Available for individual and business use, a password manager can generate, store, and sync your passwords, making them stronger, unique, and conveniently available to you. It can also let you share specific passwords securely with family members. Businesses should encourage employees to use a password manager. An enterprise license lets you provide one to employees at no cost to them, helping ensure that business passwords are strong and not reused.
- Use multi-factor authentication on all of your accounts. When possible, enable multi-factor authentication to make it harder for a cybercriminal to access your accounts. Taking a moment to add that one additional step before logging in could help you or your company avoid devastating consequences related to password compromise.
- Don’t reuse passwords. If one account is compromised, all accounts using that same password are immediately compromised. Reusing passwords is dangerous to your security since you cannot control when a website will be hacked and your single password will get out. Create a strong, unique password for every account you access. Utilizing a password manager makes this process much easier.
- Never share your password. While “never” is ideal, it’s likely you’re already sharing some passwords, such as your Wi-Fi network or streaming services with a spouse. Some password sharing is unavoidable, but it is still a risk. You should do so cautiously, and make sure these shared passwords are not used on any other accounts. When possible, each user should establish a secure, unique password to access any accounts, especially financial accounts. Shared passwords could result in loss of account ownership, inability to track user activity, and account compromise. A password manager can aid in secure sharing of passwords with trusted individuals.
Password security is your first line of defense against cybercriminals for yourself and for your company. But scammers and hackers are always seeking new ways to steal your information, so it is important to stay vigilant and updated on common security risks. Visit our Security Center for more information on protecting yourself from fraud, including how to avoid business email compromise.
1 These are example passwords. Do not use them.
2 “Demystifying Passwords.” Security Awareness News. February 2022. The Security Awareness Company. Accessed 26 July 2022.