
Passwords: We're Doing It Wrong, but Still Need 'Em

Monday, June 3, 2019

For those who haven't heard it before: you should have a unique password for every single thing you log into. You also should NOT reuse passwords.

Let's start by discussing why unique passwords are important.

If someone is going to try to hack into an account, the first thing they are going to do is try one of the common passwords people use. If you are using any of the passwords on the website linked below, then you should just assume that account is hacked and everything you have given that site is exposed.

Most Common Passwords of 2017

http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/ 

The information scraped from a compromised account can include your email address, your full name, everything you've looked at on that site, and any information that can be gleaned from your browsing--which is far more than you'd think.
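As an added illustration (not part of the original post), here is a small Python check of the kind a site or a password policy should run: it rejects anything on a common-password list, and it also undoes the letter-for-symbol swaps and trailing digits that guessing tools try first, so "P4ssw0rd!" is caught as a trivial variant of "password". The list and the substitution table are constructed for the demo; they are not the list from the linked article.

```python
import re
from typing import Optional, Tuple

# Constructed sample of frequently used passwords, in the spirit of the annual
# "most common passwords" lists (an illustrative sample, not the linked list).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx",
    "trustno1",
}

# Letter-for-symbol substitutions that guessing tools undo as a matter of course.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8  # constructed policy minimum for the demo


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker's rule set would try."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop trailing digits/punctuation ("welcome123!")
    return base.translate(LEET_MAP)        # then undo leet-speak ("p4ssw0rd" -> "password")


def check_password(password: str) -> Tuple[bool, Optional[str]]:
    """Return (accepted, reason). Rejects what an attacker would guess first."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        return False, f"trivial variant of '{base}'"
    return True, None


if __name__ == "__main__":
    # Constructed candidates; none of these is a real credential.
    for candidate in ["P4ssw0rd", "Starwars2019!", "qwerty", "All my exes live in Texas"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'ok' if accepted else 'rejected (' + reason + ')'}")
```

The normalization is deliberately one-directional: the check never needs to enumerate variants, it only maps the candidate back to the base word and looks that up. A production deployment would swap the constructed set for a full breached-password list, but the logic stays the same.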

Next, let's look at why not reusing passwords is important.

If a website is hacked, the first thing that the thieves will do is try your username / email address with your password on a variety of websites--including bank, credit card, and shopping websites.

If you reuse passwords, you've given a hacker access to another account, where they can then collect more information about you.

The third thing to consider is password strength.

Websites and services make you follow all kinds of ridiculous rules when creating passwords: capital letters, lower case letters, numbers, special characters but not THOSE special characters… it's miserable to create passwords, and even more miserable to remember them, which is why we fall into the trap of reusing passwords.

What's even more frustrating is that, to quote Randall Munroe, "we've trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."

Unfortunately, most services will not allow you to create a simple four-word passphrase with spaces, so you have to follow all the complicated rules. My advice here is to set up a pattern and always follow it, for example, always put the special character at a specific point in your password. Or, just use a password manager and don't worry about your password strength.

If you'd like to know how strong your passwords are, enter them into a password strength checker. For example, the phrase "All my exes live in Texas" would take 15 octillion years to break, while P4ssw0rd would take only two hours.
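To show where numbers like those come from, here is an added Python example (not from the original post, and not how any particular strength checker is implemented) that estimates the search space of a password two ways: by length and character classes, which is what a brute-force attacker faces, and by word count against a known dictionary, which is what a passphrase attacker faces. It also generates a passphrase with the operating system's secure random source. The guess rate, the symbol count and the word list are constructed assumptions for the demo.

```python
import math
import secrets

# Constructed word list for the demo; a real generator uses a dictionary of
# several thousand words (the EFF long word list, for example, has 7776).
WORDS = ["battery", "correct", "horse", "staple", "texas", "exes", "river",
         "lantern", "pillow", "marble", "cactus", "velvet", "comet", "walnut",
         "glacier", "harbor"]

SYMBOL_COUNT = 33  # printable ASCII punctuation plus space (assumed alphabet)
YEAR_SECONDS = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover, judged by which character classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOL_COUNT
    return size


def brute_force_bits(password: str) -> float:
    """Search space in bits for an attacker who knows only length and classes."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Search space in bits when the attacker knows the words come from a dictionary."""
    return n_words * math.log2(dictionary_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return 2 ** bits / 2 / guesses_per_second


def generate_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice()."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1e10  # constructed: ten billion guesses per second, an offline GPU figure
    for pw in ["P4ssw0rd", "All my exes live in Texas"]:
        bits = brute_force_bits(pw)
        years = crack_time_seconds(bits, rate) / YEAR_SECONDS
        print(f"{pw!r}: {bits:.1f} bits, about {years:.3g} years by brute force")
    bits = passphrase_bits(4, 7776)
    print(f"4 words from 7776: {bits:.1f} bits even if the attacker knows the dictionary")
    print("generated passphrase:", generate_passphrase())
```

Two caveats the numbers make visible. First, the brute-force figure is an upper bound: "P4ssw0rd" scores about 48 bits by character classes, but it is a dictionary word with predictable substitutions, so a wordlist attack finds it almost immediately. Second, four words drawn at random from a 7776-word list still give about 52 bits even when the attacker knows exactly how the passphrase was built, which is the point of Munroe's comic: the strength comes from randomness the attacker can't shortcut, not from the rules.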

Password Strength Checkers

https://lastpass.com/howsecure.php
http://www.passwordmeter.com/
https://howsecureismypassword.net/

Password Managers

If you're now convinced you need better passwords, you are going to need a password manager.

What IS a password manager? It's an encrypted app / website that stores your credentials and allows them to be pasted into a web browser (or program) so you never need to type them in.

There are two primary types of password managers: web based and device based.

Web based password managers are primarily subscription services--you pay the company to use their service and keep your data safe.

Device based password managers live on your computer (or phone), so you control them. However, if you would like that safe to be accessible on all your devices, you must either place it on a portable thumb drive or in a cloud service.

1Password (web based): https://1password.com/
Dashlane (web based): https://www.dashlane.com
LastPass (web based): https://www.lastpass.com
Roboform (web based): https://www.roboform.com/
KeePass (device based): https://keepass.info/

So that's the lowdown on good passwords: get a password safe, and never reuse passwords.

xkcd passwords

https://xkcd.com/936/