It’s time to talk about hygiene.
We have all been there. The myriad demands of juggling work, family and the pressures of life tax your time, and after a while some of your good habits begin to break down. You are better than this most of the time. Yet now you find yourself looking upon your reflection in the dark gloss of your laptop screen as you reuse a password because it’s easier to remember, versus making a new one. You just want this account creation process to be over so that you can play Settlers of Catan online. In the dark gloss, your eyes appear black and empty, the eyes of someone who knows they are doing something wrong. Your hand feels icy cold on the mouse. You are tired. It’s just one password…you click.
Later, you receive a notification that your password was changed on your Instagram account. You are confused; you don’t even know your password for Instagram. How could someone else? While you are trying to figure out the next move, you get a text from a friend who thinks you may have been hacked. Salacious DMs are coming from your Instagram account. You haven’t been hacked. You’ve been reusing passwords. In life, as in Catan, you have rolled a seven and the thief has come to your hex.
Alas, if only the surveillance state was leveraged for benevolence instead of malevolence. In such a world, perhaps the moment you clicked OK when reusing a password, a buzzer would go off on your computer and warn you that you should not do this. I’m imagining a kind, familiar tone, such as the sound you would hear after confidently answering a question wrong on Jeopardy!.
“Best practices” are two easy-to-read words which minimize the importance of their recommendations, and you ignore them at your peril, as in the situation above. It has been nearly 30 years since the mainstream internet first opened its eyes and screamed “FEED ME!” in the form of AOL free dialup CDs, category-based search, and chat rooms. The man from the ‘under construction’ .gif has been busy digging since. Over the years, we have been indoctrinated in password strategies through a combination of memes, bitter experience, and evolving ‘best practices’.
And what are those best practices now? At 29, the mainstream internet is no longer adolescent, and we should all make sure our passwords and philosophy towards them are as grown-up as possible. A lot has changed since 1991. Let’s review!
If you must remember your password instead of pasting it in from an encrypted database, consider this: These days, passwords are OUT and passphrases are IN. What does this mean? A passphrase is easy for you to remember, but longer than a conventional password, which makes it hard for a computer to guess. The key is they are LONG (longer than 9 characters), which turns out to be one of the only things to actually matter. Some good examples of passphrases which make good passwords would be lyrics to songs you like (“ActL1keTheyForgotAboutDre”), random sentences from this blog post, or “4AOLfreeDial-upCDs!”. Anything but your name, family members’ names, your birthday, your pet’s name, or other freely available information you may have provided to the world via a Facebook trivia quiz (Don’t take these! Ever!), or anything that something going through your garbage, such as a raccoon looking to supplement its income, could find. At Steel Root, we use a generator to make our passwords (not this one, but it’s a good example).
The next important thing to know: Don’t reuse passwords. Estimates vary, but there are many millions of people out there who took the easy way out and created a good, long password which they committed to memory. They then used this great password for their email and bank, but also for their Settlers of Catan Online account, which was storing the passwords in plaintext, leaking it to the world. Don’t join their ranks. If you leave enough copies of the same key around, eventually one of them will find its way into the hands of someone you don’t want to come through the door. You are only as secure as the least secure service you have an account on, so if you keep your passwords separated and unique, then you will be a step ahead.
Next up: you should use a password manager. Many people allow their browser to save their passwords. This is convenient, but it’s not secure. However, don’t fret. Even if you have already settled into the comfortable couch of saving all your passwords in your browser, you are very close to being able to adopt them all into a real password manager of your choice (the lack of security in your browser makes for a seamless and easy data import!). Once your passwords are adopted into a password manager, you can shut this feature/security hole of your browser off and clear the saved passwords out.
Most importantly, if you can, deploy 2FA/MFA. There are multiple ways to do this, but if the service you are using supports MFA, you should use it. Common services which support MFA/2FA include Gmail, Amazon, Bank of America, and others. If you are unsure whether you can enable MFA/2FA for your particular account, try googling the name of the service with “2FA” after it.
In general, what I wish for everyone to remember about passwords are these four things:
- Make it long (greater than 10 characters).
- Make it unique (don’t reuse it).
- Don’t keep it in plaintext or written down (use a password manager).
- Make it secondary! (Use two-factor/2FA.)
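As an added example (not code from the original post or from Steel Root), here is a small Python audit that runs over a constructed password-manager export and flags entries that break the rules above. The site names, the per-entry 2FA flag and the personal-term list are assumptions; the third rule is covered by the fact that the data is read from a manager export rather than a sticky note.

```python
import math
import string
from collections import defaultdict

# Constructed sample export: (site, password, 2FA enabled). Not real accounts.
SAMPLE_VAULT = [
    ("mail.example", "4AOLfreeDial-upCDs!", True),
    ("bank.example", "4AOLfreeDial-upCDs!", True),        # same password as mail
    ("catan.example", "fluffy2014", False),               # pet name + birth year, short
    ("shop.example", "ActL1keTheyForgotAboutDre", False), # long and unique, but no 2FA
]

# Constructed: the kind of freely available personal facts the post warns about.
PERSONAL_TERMS = {"fluffy", "2014"}

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def guess_space_bits(pw):
    """Approximate brute-force search space in bits: length * log2(alphabet size).

    Only character classes actually present count, so a 25-character lowercase
    passphrase still beats an 8-character mix of every class: length wins.
    """
    alphabet = sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def audit_vault(entries, personal_terms=PERSONAL_TERMS):
    """Return {site: [findings]} for every entry that breaks one of the rules."""
    findings = defaultdict(list)
    sites_by_password = defaultdict(list)
    for site, pw, has_2fa in entries:
        sites_by_password[pw].append(site)
        if len(pw) <= 10:                        # rule 1: greater than 10 characters
            findings[site].append("too short")
        if any(t in pw.lower() for t in personal_terms):
            findings[site].append("contains personal info")
        if not has_2fa:                          # rule 4: make it secondary
            findings[site].append("no 2FA")
    for pw, sites in sites_by_password.items():  # rule 2: make it unique
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings[site].append("reused on " + others)
    return dict(findings)


if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT).items():
        print(f"{site}: {'; '.join(problems)}")
```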
One day, we will live in a passwordless society. That day is not today. Until hardware tokens are delivered to/inserted into US, the masses, there will be some effort involved in securing your accounts. I assure you this effort is worth it. There are few words which capture the feeling of helplessness and exposure which results if someone commandeers your email account. Bad body hygiene leads to social pressure from our peers, and bad password hygiene should be no different. Shave those Post-it notes off your monitor bezel and scrub out your browser autofill! Just as your hair is worth washing and your nails are worth clipping, your passwords are worth improving and storing correctly.