An organized approach to passwords for World Password Day

I’m not usually a big fan of business-sponsored special days, but World Password Day is an exception. The four recommendations provided on the website are all good ones, and they are presented clearly and succinctly.

Step 1: Create strong passwords.

Rich Shay of MIT, who was involved in Carnegie Mellon’s research into passwords, told The Washington Post, “There is no perfect password.” And while there are some guidelines that many experts recommend, some of Shay’s research (PDF) indicated that “participants generally wished to create strong passwords, at least for some accounts; they just did not always know how to do so.” In some cases, “weak passwords resulted from misconceptions, such as the belief that adding ‘!’ to the end of a password instantly makes it secure.”

The World Password Day guidance places an emphasis on password length, although other strategies are also noted. Many experts are now recommending long passwords, which can be based on a phrase (as long as it’s not something like a published poem or song lyric). The Washington Post gives the following example:

  • Bad password: [email protected]
  • Better password: boughtthejackalopeatwalldrugstoreinsouthdakota

Step 2: Use a different password for each account.

As I’ve noted before on Unclutterer, different passwords might not be necessary for accounts where you aren’t concerned about security — if you happen to have any like that. But any website that has your medical or financial information, or that provides access to critical services such as your email, should certainly have a unique password. That way, if the passwords at one site get compromised, your other accounts will still be secure.

Step 3: Get a password manager.

It’s a lot easier to comply with steps 1 and 2 if you’re using a password manager. Tools such as 1Password, LastPass, and KeePass are what people usually think of when it comes to a password manager, and they are the type of password manager that World Password Day has in mind. Besides storing your passwords, many of these tools can also generate random passwords for you — and some can do auto logins for you, too.

However, a piece of paper can also serve as a password manager, as explained on the Crash Override Network website:

You’ve likely read advice telling you to “never write down your passwords.” This is because we, as human beings, have a bad habit of leaving the password to a secure computer sitting on the desk next to the computer that is being secured. Physical copies of passwords can be kept secure just like any small, valuable item you own. Treat passwords in paper form the same as money, passports, legal documents, your great grandmother’s antique pearl earrings, the deed to old man Withers’ silver mine, and of course, the keys to your house. Don’t leave passwords on the desk at work or taped to your monitor.

The piece-of-paper approach doesn’t have the added features a digital password manager might have, and it’s something that could be lost in a disaster like a fire. Still, it might be the best solution for those who are uncomfortable with other tools.

Step 4: Turn on multi-factor authentication.

The World Password Day site states: “In 2017, our call to action … is to #LayerUp Your Login by enabling multifactor authentication. A password alone is no longer enough to protect online accounts.” You’ve probably seen news stories about people whose passwords were discovered, sometimes because they were tricked by a fake email message. With multi-factor authentication, your account stays secure even if your password becomes known.

What exactly is multi-factor authentication? Parker Higgins, writing on the Electronic Frontier Foundation website, explained that there are three factors that can be used to authenticate your access to an account:

  • A knowledge factor, like a password or PIN. Something you know.
  • A possession factor, like a key or a hardware dongle. Something you have.
  • An inherence factor, like a fingerprint or an iris. Something you are.

The way this often works on a computer is that you enter your login and password (something you know), and then a code is sent to your smartphone (something you have) in a text message. You enter that code into the computer, and you’re set.

Alternatively, for even safer verification, you could use authentication apps such as Google Authenticator or physical tokens such as YubiKeys, if either option is available.

Not all sites allow for multi-factor (or two-factor) authentication — but many do, although it might go by a different name. As Gennie Gebhart wrote on the EFF website: “Different platforms sometimes call 2FA different things, making it hard to find: Facebook calls it ‘login approvals,’ Twitter ‘login verification,’ Bank of America ‘SafePass,’ and Google and others ‘2-step verification.’”

So if you want to be fully security-conscious, search for this option on the websites that provide it.
