This is a guest blog from Wendy Zamora at Malwarebytes, first published here.
Passwords. The bane of modern existence. To celebrate this nuisance, the holiday gods have given us World Password Day, where thousands of people come together online and pledge to improve their password habits. How many of those pledges do you think stick? According to the 2017 Verizon Data Breach Investigation Report, not many. A little over 50 percent of all breaches in the last year leveraged either stolen or weak passwords.
Coincidentally, today is also Star Wars Day (May the 4th Be with You). And while we all wouldn’t mind having a lovable droid guard our passwords as loyally as R2D2 guarded the blueprints for the Death Star, the reality is we’ve got to do the guarding ourselves. And that has become burdensome enough to send Yoda himself over to the Dark Side.
Current state of affairs
According to a poll by Intel Security, the average person has 27 discrete online logins. From social media accounts to banking to online shopping to utilities, credentials—which usually include a username and password—are required for each. And if people are practicing good password hygiene, they’re engaging in the following recommended practices:
- DO: Use a different password for each account.
- DO: Use a long password. In fact, the longer, the better.
- DO: Use special characters, numbers, and capital letters.
- DO: Change your passwords every couple of months.
- DO NOT: Write down your password, whether that’s on a piece of paper or stored electronically.
- DO NOT: Share passwords via text, email, or chat.
- DO NOT: Use easily identifiable information, such as a birthday or a child’s name.
- DO NOT: Use an incredibly generic password such as 12345. (That’s the combination an idiot would use on his luggage.)
All of this, for 27 different logins, is simply unmanageable. In fact, the Intel study found that 37 percent of its respondents forgot a password at least once a week. And people are so sick of juggling dozens of different passwords, that 20 percent said they would give up ESPN if it meant never having to remember another one. Six percent said they’d give up pizza. PIZZA.
This level of discontent and security fatigue means that very likely, most users are falling back on bad habits: writing passwords down in a notebook or a Google sheet, for example, or using the same password across multiple logins. (A study by the National Institute of Standards and Technology confirms this: 91 percent of its respondents admitted to reusing passwords.)
So this is why we say: stop it. Stop the bad habits, yes, but stop the “good” ones, too. Having 27 different passwords that are lengthy and full of characters and numbers and need to be changed every few months and can’t be written down—you’d need the memory of an eidetic elephant to keep up. Online services will only multiply, so what should you do?
It’s very simple. Get a password manager.
Password manager 101
For those who might not be familiar, password managers assist in generating, storing, and retrieving passwords from an encrypted database. They typically require that users create and remember one master password to rule them all. One master password to find them. One master password to bring them all, and in the darkness bind them.
One master password to stand at the precipice and shout gallantly, “YOU SHALL NOT PASS!”
Sorry, it couldn’t be helped. As we were saying. Generally, most password managers work the same way. You’ll be asked to create a strong master password during setup (and here’s where you’ll use those password best practices, such as generating a long passphrase with numbers and capitals that steers away from guessable personal info). From there, you’ll add your other credentials to the password manager either manually or through tools that can automatically find and upload passwords for you.
While most password managers have similar setups, they secure passwords in different ways. Web-based password managers store your passwords encrypted in the cloud. Some are built into browsers, such as Safari, Firefox, and Chrome. Others may store your passwords locally in an encrypted file on your computer, tablet, or phone.
In addition, some password managers have features that help you audit your credentials, allowing you to weed out duplicate login info and remove sites you don’t use, or alerting you to breaches that have happened to the companies you log into. Many have customizations that allow increased security, such as regional lockout and two-factor authentication (which we highly recommend taking advantage of).
But aren’t I just asking to be hacked by storing everything in one place?
While some folks might be wary of using a single point of access for all their sites, remember that password managers still use your individual passwords to log in to your accounts. Those passwords are locked in an encrypted database, which is way more secure than a post-it on your office desk or a faulty memory. Ask yourself this: is it safer to store all your money in one bank or to hide it in piles underneath several mattresses?
As for fear of password managers being breached—sure, it’s possible. In fact, it’s already happened, as was the case in 2015 when LastPass was breached. However, even though cybercriminals got their hands on some email addresses, they were unable to crack master passwords. This is because master passwords are protected with military-grade security, hidden behind thousands of rounds of hashing, or algorithms that convert strings of text into longer strings of text. So far, no reputable password manager has leaked consumer master passwords (that we know of).
So which password manager should I use?
The following password managers come highly recommended by our staff and tech reviewers from The New York Times, Lifehacker, and PCMag:
If you don’t trust third-party apps with all of your personal information, you can try an open-source password manager such as KeePassX, though it requires a fair bit of technical know-how to set up.
I am absolutely opposed to a password manager. What else can I do?
While we stand by our recommendation to use password managers, we understand the urge to reject placing all your trust in the hands of another company. So here are a few alternate methods for choosing more secure passwords than the random hodgepodge you’re likely working with now.
- Split up your online services into major groups, such as bills, entertainment, shopping, and social media. Assign a single password to each group according to a theme. For example, you could choose movies as your theme and assign quotes from one movie to one group, or character names from a second movie to the second group. Rotate these passwords every 90 days by incrementally adding a number or changing a character. This requires a lot more effort but is still preferable to using the same password across all accounts or having to reset forgotten passwords every week.
- Choose one semi-difficult password for all accounts but insert a naming convention in the middle of the password to denote which account you are signing into. For example, if your password is L3tme1npleaz, your Gmail password could be L3tme1nGMAILpleaz. Your Amazon password could be L3tme1nAMAZONpleaz, and so on and so forth.
- When possible, choose a service that has two-factor authentication over one that does not. More than 150 applications currently implement two-factor authentication. You can check them out here.
Passwords don’t have to rule your life. You can lock them up behind a password manager and worry about remembering a single, slightly complex phrase instead of 27. You can relax knowing how well guarded your passwords are. And you can go ahead and burn that secret list of passwords you keep in your address book even though you’re not supposed to.