Passwords provide access to many of the websites and online services that we use every day. It is therefore vital that our passwords are secure and resistant to attack by anyone who wishes us harm.
This post will discuss nine common mistakes that you or others may be making when it comes to setting and using passwords.
By understanding why ignoring these risk factors can get you into trouble, you will be able to take action to improve your online security and feel more confident when registering your details.
Using Words That Are Just Too Easy to Guess
We’ve all heard about the naive old grandma and grandpa who just bought their first computer and set all their passwords to
But using other words can be almost as insecure as that most obvious one. Research has found that some passwords tend to be used again and again by millions of different users.
There are lists online of the most commonly set passwords, such as this one produced by the UK’s National Cyber Security Centre or this GitHub file containing the ten thousand most frequently used passwords.
You should avoid using English-language words (or words in any language) in your passwords at all. Attackers use wordlists containing hundreds of thousands of words, apply “mangling rules” to each one (capitalising it, appending digits or punctuation, substituting 0 for o and so on), join multiple words together, and can test billions of such candidates per second against a leaked password hash.
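What such a dictionary attack looks like, as an added Go example that is not from the original post: a tiny constructed wordlist is expanded with mangling rules and two-word combinations, and every candidate is hashed and compared with the target hash. The wordlist, the suffix rules and the use of plain unsalted SHA-256 as the stored hash are assumptions made for the illustration; real attacks use far larger lists and many more rules.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Wordlist stands in for a real dictionary (constructed for this example;
// real attacks use lists with hundreds of thousands of entries).
var Wordlist = []string{"sunshine", "dragon", "monkey", "football", "password"}

// Suffixes are typical "mangling rules" users apply to dictionary words.
var Suffixes = []string{"", "1", "123", "!", "2024"}

// Hash is the (unsalted, fast) hash the example attacks. Sites that store
// passwords this way are exactly what makes dictionary attacks cheap.
func Hash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

func capitalize(w string) string {
	if w == "" {
		return w
	}
	return strings.ToUpper(w[:1]) + w[1:]
}

// Crack searches for a password whose Hash equals target: each word alone
// and capitalised, every ordered pair of words, each with every suffix.
// It returns the password, the number of guesses made and whether it was found.
func Crack(target string, words []string) (string, int, bool) {
	var bases []string
	for _, w := range words {
		bases = append(bases, w, capitalize(w))
	}
	for _, a := range words {
		for _, b := range words {
			if a != b {
				bases = append(bases, a+b, capitalize(a)+capitalize(b))
			}
		}
	}
	tried := 0
	for _, base := range bases {
		for _, s := range Suffixes {
			guess := base + s
			tried++
			if Hash(guess) == target {
				return guess, tried, true
			}
		}
	}
	return "", tried, false
}

func main() {
	// Constructed victims: three "clever" dictionary-derived passwords and one random one.
	for _, pw := range []string{"Sunshine123", "dragonmonkey", "Password!", "x7#kQ9!pL2mZ"} {
		found, n, ok := Crack(Hash(pw), Wordlist)
		fmt.Printf("%-14s found=%-5v guesses=%d recovered=%q\n", pw, ok, n, found)
	}
}
```

With five words and five suffixes the search is only 250 guesses; scale the list to a million words and a few hundred rules and the same loop is what a GPU cracker runs at billions of guesses per second.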
Being Blinded by Sentiment
We all care about our family and friends, but sometimes we should think twice before letting that love influence important decisions that affect our online security. Using sentimental dates or names of people and places can help to make your passwords more memorable, but it can also make them more insecure.
Companies will sometimes ask you to answer recovery questions about such things as where you were born or your mother’s maiden name, but the answers to these questions should never be incorporated into your password.
Anyone who knows you will easily be able to guess them. Even people who don’t know you can look at your social media accounts and potentially discover this information, since so many of us willingly share details about so many aspects of our lives with the wider world.
Sharing Your Passwords With Too Many People
Just as you shouldn’t let personal relationships influence your choice of password, it’s also important not to place your trust in others who haven’t earned it.
If you give your Netflix password to a friend so that they can watch a show you enjoyed, you may be breaking the company’s terms and conditions, but you may also be giving your friend access to all kinds of information that you hadn’t considered. This is especially the case if you use the same password for several online services.
Even giving your passwords to an intimate partner — a wife, husband, boyfriend or girlfriend — can pose a problem if the relationship ever breaks down. They can lock you out of your own accounts or delete important files that you have stored in the cloud just to spite you.
If you shouldn’t use words that can be found in a dictionary as part of your password, it follows that you should attempt to make your passwords as “unintelligible” as possible. One of the best ways to do this is through randomness.
Even if you stick to the printable ASCII characters (rather than the wider range of Unicode characters), that gives you 95 different characters, and an eight-character password built from them already has 95^8, more than six quadrillion, possible values; every extra character multiplies that number by 95 again.
We have discussed in a previous post how you can use Go code to generate a fixed-length password from an arbitrary collection of characters.
Lacking Some Length
Life is too short, but your passwords needn’t be. One of the most important factors in cybersecurity is ensuring that all your passwords are of sufficient length.
If you choose a password of eight random lower-case letters (i.e. from a to z), there are 26^8, roughly 209 billion, possible choices. (Four letters, by contrast, give only 26^4 = 456,976, which a laptop exhausts in a fraction of a second.)
That sounds like a lot, but computers are very powerful, and becoming more so every year. A single graphics card can test billions of guesses per second against a fast password hash, so the whole eight-letter space can be searched in under a minute.
On the other hand, if you choose a password with twenty random lower-case letters, there are 26^20, roughly 2 × 10^28 (twenty octillion), options you could have chosen.
That is far more than the number of grains of sand on Earth, and no machine can simply iterate through all of them. These figures assume the letters are genuinely random: a twenty-letter password made of dictionary words has a far smaller effective keyspace.
All other things being equal, a longer password will always be better than a shorter one, but, as a minimum, you should aim for a length of at least sixteen characters.
Neglecting Numbers and Symbols
Just because humans prefer working with letters and numbers, that doesn’t mean you should neglect other characters, such as punctuation marks, in your passwords. (Accented and other non-ASCII letters work in principle, but some sites reject them or normalise them inconsistently, so check that a service accepts them before relying on them.)
The wider the range of characters your password can be drawn from, the harder it is to brute-force. For a fixed length, moving from the 26 lower-case letters to the 95 printable ASCII characters multiplies the possibilities for each position by almost four. Length still counts for more, though, because each additional character multiplies the keyspace by the whole alphabet size.
If you stick to a small character set, you are needlessly shifting the odds in favour of an adversary who wishes to mount a brute-force attack against you.
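To put numbers on both the length argument and the character-set argument above, here is an added Go example (not from the original post) that computes the keyspace and entropy for a given alphabet size and length, and the expected time an exhaustive search would need. The guess rate of 10^10 per second is an assumption standing in for a GPU rig attacking a fast unsalted hash; against a slow, salted hash such as bcrypt or Argon2 the rate is several orders of magnitude lower.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
)

// Keyspace returns alphabetSize^length: the number of distinct passwords of
// exactly `length` characters drawn from an alphabet of alphabetSize symbols.
func Keyspace(alphabetSize, length int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(alphabetSize)), big.NewInt(int64(length)), nil)
}

// EntropyBits is log2 of the keyspace, the strength of a uniformly random
// password. Each extra character adds log2(alphabetSize) bits.
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// ExpectedSeconds is the mean time an exhaustive search needs: on average the
// attacker finds the password after trying half the keyspace.
func ExpectedSeconds(keyspace *big.Int, guessesPerSecond float64) float64 {
	f := new(big.Float).SetInt(keyspace)
	f.Quo(f, big.NewFloat(2*guessesPerSecond))
	secs, _ := f.Float64()
	return secs
}

// Humanise renders a number of seconds at a human scale.
func Humanise(secs float64) string {
	const year = 365.25 * 24 * 3600
	switch {
	case secs < 1:
		return "under a second"
	case secs < 3600:
		return fmt.Sprintf("%.0f seconds", secs)
	case secs < 86400:
		return fmt.Sprintf("%.1f hours", secs/3600)
	case secs < year:
		return fmt.Sprintf("%.1f days", secs/86400)
	default:
		return fmt.Sprintf("%.3g years", secs/year)
	}
}

func main() {
	// Assumed attacker: 1e10 guesses/second, i.e. a GPU rig against a fast
	// unsalted hash. Against bcrypt/scrypt/Argon2 expect 1e4-1e5 instead.
	const rate = 1e10
	configs := []struct {
		name             string
		alphabet, length int
	}{
		{"4 lower-case letters", 26, 4},
		{"8 lower-case letters", 26, 8},
		{"20 lower-case letters", 26, 20},
		{"16 printable ASCII chars", 95, 16},
	}
	for _, c := range configs {
		ks := Keyspace(c.alphabet, c.length)
		fmt.Printf("%-26s %6.1f bits  keyspace=%-32s expected crack time: %s\n",
			c.name, EntropyBits(c.alphabet, c.length), ks.String(), Humanise(ExpectedSeconds(ks, rate)))
	}
}
```

Note that sixteen characters from the full printable set (about 105 bits) beats twenty lower-case letters (about 94 bits), but either is far beyond what exhaustive search can reach; the weak spot in practice is a human-chosen password whose real entropy is nowhere near these figures.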
Reusing the Same Password Across Multiple Sites and Servers
We mentioned earlier that if you share a password for one website with a friend, you could also be unintentionally providing them access to other sites that you’ve used, if the password has been reused.
This is why you should never use the same password for more than one online service: when one site is breached, attackers take the leaked email and password pairs and try them automatically on every other popular service (a technique known as credential stuffing).
Of course, this causes an obvious problem: if you’re registered with hundreds of sites and you have to create a different password for each one, how can you possibly be expected to remember all of those weird and wonderful passwords?
One solution is to write the passwords down on paper and keep it somewhere secure in your house, such as a physical safe. Keeping them in a plain text file on your computer or on a USB drive is riskier: any malware on the machine, or anyone who picks up the drive, can read the file.
A better solution is a password manager: software that stores your passwords encrypted, so that they aren’t readable even by someone who gains unauthorized access to your computer and copies the file. (While the manager is unlocked, malware running on the same machine can still read what it decrypts, so the manager complements a clean machine rather than replacing one.)
You set a master password, from which the manager derives the key that decrypts its storage and gives access to all your other passwords. This means you only ever need to remember one password, no matter how many you actually have, so make that one long, unique and never reused anywhere else.
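The mechanism described above, a master password that unlocks an encrypted store, as an added Go example that is not the code of any real password manager. It derives an AES-256 key from the master password with PBKDF2-HMAC-SHA256 (written out here because the example then needs only the standard library; a real vault would prefer a memory-hard KDF such as Argon2id or scrypt) and encrypts the vault with AES-GCM, so a wrong master password or a tampered file is rejected rather than silently decrypted to garbage. The vault contents and master passphrase are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32     // AES-256
	iterations = 600000 // OWASP's recommended floor for PBKDF2-HMAC-SHA256
)

// pbkdf2SHA256 is a minimal PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)               // U1 = PRF(password, salt || INT(block))
		t := append([]byte(nil), u...)  // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := 0; j < hLen; j++ {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func deriveGCM(masterPassword string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(masterPassword), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the vault under a key derived from masterPassword.
// Blob layout: salt || nonce || AES-256-GCM ciphertext+tag. A fresh salt and
// nonce are drawn from crypto/rand on every call.
func Seal(masterPassword string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := deriveGCM(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	// The header is passed as additional authenticated data, so tampering with
	// the salt or nonce is detected just like tampering with the ciphertext.
	aad := append([]byte(nil), header...)
	return gcm.Seal(header, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong master password or any modification of the blob
// fails GCM authentication and returns an error.
func Open(masterPassword string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("vault blob too short")
	}
	header := blob[:saltLen+nonceLen]
	gcm, err := deriveGCM(masterPassword, header[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, header[saltLen:], blob[saltLen+nonceLen:], header)
}

func main() {
	// Constructed sample vault entries and master passphrase.
	vault := []byte("netflix: correct horse battery staple\nbank: 9f$Kq2!vLm0#xR7e")
	master := "a long unique master passphrase"
	blob, err := Seal(master, vault)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted vault: %d bytes\n", len(blob))
	pt, err := Open(master, blob)
	fmt.Printf("correct master password -> err=%v\n%s\n", err, pt)
	_, err = Open("wrong password", blob)
	fmt.Printf("wrong master password   -> err=%v\n", err)
}
```

The slow, salted key derivation is what makes the master password the one password that can afford to be the only thing you remember: an attacker who steals the vault file must pay the full KDF cost for every guess.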
Clinging to Stability
The ancient Greek philosopher Heraclitus said that change flows through life like a river, and he encouraged us to embrace this fact, rather than vainly try to fight it.
Change is the only constant in life, and we should be prepared to change our passwords when there is a reason to.
Changing a password limits the damage if it has been stolen: an attacker who has obtained it can only use it until it is reset.
Some cybersecurity experts have recommended changing passwords at least once every three months. Current guidance (NIST SP 800-63B), however, advises against forcing changes on a fixed schedule, because people respond by making small, predictable edits to the old password, and a unique, random password that hasn’t leaked gains nothing from being replaced.
If, on the other hand, you have reason to believe that an account has been compromised or a password has leaked online, change it immediately, and change it everywhere else it was reused, to reduce the risk of your accounts being taken over.
Refusing to Adopt Two-Factor Authentication
Sometimes you just have to accept defeat. Maybe using passwords to secure your data online isn’t the best approach after all.
Using Two-Factor Authentication (2FA) adds an entirely separate layer of protection on top of the password. You still need your password to log in, but you also have to prove possession of a second factor, such as a phone that can receive SMS text messages, an authenticator app that generates time-based codes, or a hardware security key. SMS is the weakest of these, since codes can be intercepted by an attacker who takes over your phone number (a “SIM swap”), so prefer an app or a key where the service offers one.
When you enter your password into the login form, your phone receives a message containing a randomly generated, single-use code, and you must also enter that code to log in successfully.
This means that someone who has stolen or cracked your password cannot access your accounts unless they also control your phone, and someone who has stolen your phone cannot log in to your services unless they also know your passwords. It does not stop a phishing site that asks for both and relays them to the real service in real time, so still check where you are typing them.
So the two separate methods work together to enhance overall security. Using Two-Factor Authentication doesn’t mean that you no longer need to use passwords online, but it does mean that you can do so more confidently and safely.