Passwords are a bit of a problem. Every day I hear new horror stories about massive website breaches and the theft of millions of username and password pairs. Some of the major sites that have been hit and have been in the news are LinkedIn, MySpace and Twitter.
Passwords are not the best / ultimate solution to security, but they are the best compromise we currently have in the debate of security vs. ease of use. I highly recommend my clients, family and friends use reliable password management software.
Here are the most basic, universal guidelines for password use in today's current climate of data security.
- Use a password manager! It will make the rest of the items on this list easier to accomplish. I need to track thousands of passwords and I also need to follow the very best practices as an IT expert. I have been using LastPass for 4 years and I highly recommend it. I used KeePass before that; it is also highly recommended, and I still use it for certain things.
- Do not use the same password at multiple sites - in fact, use a different password for each and every website / login you use. This is particularly true for email accounts, social media, and banking, the top targets for hackers. The reason is that if you use the same username and/or password at multiple sites and one of them is compromised, they are all compromised.
- Length is more important than complexity! A 16 character password that is all lowercase letters is several orders of magnitude more secure than a 10 character password that uses lowercase, uppercase, numbers and punctuation. This is due to the way passwords are cracked: the number of candidates an attacker has to try grows exponentially with each added character, while adding character classes only enlarges the alphabet. The longer the password, the better. I recommend using the max allowable length at each site, where possible.
- Passwords should be hard to remember and impossible to guess. A long string of randomly generated characters is far safer than a short phrase and certainly safer than your dog's name.
- Changing your password occasionally is a good practice, though not as important as it used to be.
- Use multi-factor authentication wherever possible and feasible; this is especially true for sensitive sites such as your password manager, email, banking and social media.