Everyone knows that one needs to have a strong password in this day and age.
So if you haven’t got one already, what can you do about it?
The first thing you should know is that passwords are very important.
There is a good chance that you have set up your passwords in a way that they act as a gateway to all of your online services/accounts.
This includes things we readily take for granted such as,
- Email platforms
- Social networks
But how can an online user know whether the password he/she is using is strong?
Or at least strong enough to stand up to the hackers who repeatedly target online users with their attacks?
Users who want to really understand how to properly perform a self-audit on their password security, as well as the best kind of combinations to use in order to keep one’s data safe, should keep reading.
We’ll also quote some of the things that different experts have said on the matter.
A lot of users may already have familiarity with what we have said above.
These are the simple things that usually flash up whenever a user creates a new account on any given platform.
The general advice goes something along the lines of,
- Keep one’s password reasonably long
- It should be hard to guess
- It should be complicated
But what a lot of users may not know is why these services want us to follow these rules in order to make a stronger password.
This guide will also talk about how even after using these best password strategies users can expect problems while trying to protect their accounts.
A Refresher on Password Cracking
Hackers nowadays have a ton of methods at their disposal to expose user passwords.
This is what Bruce Marshall tries to explain to regular online users.
Who is Bruce Marshall?
He is a security consultant.
He is also the founder of PasswordResearch.com.
According to Bruce Marshall, hackers around the world sometimes make use of pretty simple techniques in order to crack open passwords.
Some of these techniques are,
- A hacker simply trying to guess the password
- Launching a phishing attack in order to tempt the user into entering his/her password directly into a compromised website.
- Using old-school techniques such as brute-force attacks in order to try an extremely large number of password combinations in rapid succession.
This last technique is something that many websites and apps have guarded against with some new security features.
But there are many other methods as well.
One cannot simply ignore that invisible thing we know as malware.
Malware of today can silently watch as the user takes his/her time to enter his/her password.
Of course, the malware first has to establish its roots in the user’s computer system.
You also have to add to that the very real threat possibility of all those password database breaches that hackers cause on online services that have inadequate online security measures.
All of this means that no matter how prudent an approach a user takes, his/her personal collection of letters, digits and special characters is always under threat from hackers.
Consequently, readers need to learn how to keep their computer systems secure.
The first step in doing that is making sure that one only engages in business with various online services that have put some effort in maintaining strong security measures.
Users should also give some thought to coming up with passwords that aren’t terribly weak, or easily crackable.
This is what Bruce Marshall advises to people looking to have a secure online life.
According to Bruce Marshall, this is also the reason why people come across that oft-quoted advice about how users should always go with complicated and long passwords.
A password of 4 characters gives hackers a very limited number of combinations to try out, compared to a password of 14 characters.
Continuing from there, users should never use their own name as their password.
They should also never make use of their birth dates as their password.
This is especially important for users who like to proudly display their birthday on their Facebook profile pages.
Moreover, users should also stay away from using their own pet’s name as their password.
Again, this advice is especially relevant for people who have pictures of their pet all over their public Instagram account.
With that said, it is also true that the length of the password is very important.
And for that reason, most security experts agree that users should go with 14 character passwords at the very least.
Users are free to choose longer passwords as well if they want more security.
Now, the length of the password is important.
But keeping one’s password very hard to guess is probably more important than that.
Jeffrey Goldberg, who works as a security guru for the 1Password password manager, believes that hackers are smart.
They don’t just go in blindly and start trying every eight-letter password.
Or even every nine-letter password.
First, they go the route of guessing.
They try the passwords which they think are most likely to match the user’s password.
These type of hackers know a lot about how people work.
They also know how they create their passwords.
Possibly, they know it better than anyone else.
To put it another way, password hackers are talented people who know that everyone is telling everyone to add complexity to their passwords.
They know people now add uppercase letters as well as lowercase letters along with symbols to their passwords.
Hence, it has become slightly easier for them to know the actual patterns of password characters that online users like to default to.
Let’s take a few examples to further clarify how all of this should tie together.
If you think that using LetMe1n instead of LetMeIn as your password will grant you extra security, then think again.
That password isn’t much stronger than LetMeIn.
Some users go with passwords such as “Password!” instead of the frankly awful choice of “password”.
Well, these users should know that “Password!” isn’t actually much of an upgrade over “password”.
Some users may think that they are really smart for using such passwords.
But they should remember that a ton of other online users are also following a similar route to them.
Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory has done a lot of research on the matter.
The lab has shown that humans actually fall into some very predictable types.
That’s why the lab found it very hard to judge the actual effectiveness of any type of password policy.
If someone tells everyone to use a number in their password, then everyone tends to gravitate towards a similar number.
And in the same position in their passwords, too.
If a site tells users to add capitalizations in their passwords then it is very likely that everyone will put these capitalizations in the same positions as well.
Of course, that does not mean that there is no way to make sure that one’s password is as secure as it can be.
The general rule does work to some extent:
Longer passwords are considerably more difficult to guess than shorter passwords.
The more unique one’s password is, the more safety it will provide to the user.
To help people in determining the strength of their password, the faculty working at Carnegie Mellon University have uploaded a user password strength tester.
This tester works online.
Everyone is free to use the tester so this is a great opportunity for people to know the real strength of their password.
To use the tool all you have to do is to type out an example password.
After that, the tool will analyze the password.
Then it will give you a warning if it finds out that you are also putting most of your uppercase letters and even your symbols where everyone else is placing them.
It will also warn you to not use dictionary words.
Because hackers find them easier to guess, that’s why.
This is a great online testing tool.
Especially for those online users who want detailed feedback on how their passwords are doing, based on a large neural network trained on millions of samples.
With that said, it is also true that even if a user comes up with the strongest password in the world, it still would prove no match against hackers that roam the online world nowadays.
This is something that you will hear from all security experts.
Which is strange because security experts rarely agree on something.
The thing is, if a user only uses passwords that he/she has come up with himself/herself, then that user is effectively the low-hanging fruit for modern hackers.
The Simple Problem With User Passwords
You don’t need us to tell you that the single biggest problem with using strong passwords is that they are very long.
And because of that, many users find it hard to remember them.
But that is also the reason why hackers find them tough to crack.
That only pushes online users to write their difficult passwords down somewhere.
Usually, that somewhere is on a piece of paper.
Now, there is nothing wrong with writing on paper.
But the problem is, anyone who can see the paper can see the password.
Some users have the habit of reusing their difficult passwords across many of their online accounts.
That is a very big problem.
Because that means if a hacker breaks into the least protected account, he/she gets access to all of the other accounts as well, no matter how strong the security measures protecting them.
He told reporters from Gizmodo that memorizing difficult, unique and complex passwords for each and every online account just wasn’t natural.
Moreover, such an approach can result in online users cutting important corners but only at the expense of their own online security.
What did he mean by “users cutting corners”?
How do you cut corners?
You cut corners by,
- Reusing passwords
- Using identifiable information in your online passwords
- Using different variations of the same difficult passwords.
To put it in simpler terms, you have these rules that govern how users should go about creating strong passwords.
But those rules aren’t natural enough for us humans to stick to them consistently.
At the very least, they are difficult enough that users end up compromising their own online security in some other way.
Sometimes these same rules which are supposed to protect user’s security end up forcing users to use such difficult passwords that they themselves can’t remember their passwords.
And hence end up using the recovery features of various services on a daily basis.
Another example of how humans don’t really like what experts say on creating strong passwords is changing them.
People don’t like to change their passwords regularly.
Theoretically speaking, it is probably a great idea for any user to keep on changing his/her passwords.
That can keep hackers guessing.
Moreover, such habits can also protect users from data breaches that compromise old accounts.
Now, if the user has changed passwords for his/her new accounts, the compromised old accounts would not affect new ones.
However, things are slightly different in the practical world.
In practice, users find that changing passwords actually compounds the irritating problem of having to deal with and handle so many different passwords.
And what does this lead to?
This leads to users picking weaker and weaker passwords for their accounts.
There is a lot of research that shows that even the way users modify their current passwords is pretty predictable.
Basically, related research says that people usually have the habit of changing 1s in their passwords to 2s.
They also make other changes on a similar pattern.
The other thing users need to keep in mind is that hackers are smart.
They are really smart.
In other words, they now use the same kind of computing power to generate password guesses as services like Netflix and Google use to recognize user voices and then serve up relevant and useful recommendations.
Many security experts agree that the strongest possible password option is to simply use a passphrase.
What is a passphrase then?
A passphrase is a random collection of different words.
Most of the time it is sprinkled with strategically placed capitalizations and, of course, symbols.
Passphrases don’t follow generally known patterns.
What are these generally known or typical patterns?
Well, these are patterns where users go with capitalizing the first letter of their password and then use a symbol as the last character of their password.
Not hard to guess, is it?
In short, readers should know that if they are serious about their online security then they need to have a passphrase for all their online accounts.
And by that, we do mean all online accounts.
Each and every one of them.
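As an added illustration (not code from the article or from any of the experts it quotes), the following Python script checks a candidate password for the predictable habits described above, such as LetMe1n-style substitutions, a capital only at the start and a symbol only at the end, and generates a random passphrase the way a password manager does. The word lists are constructed for the example; the 95-character alphabet (printable ASCII) and the 14-character minimum from the article’s own advice are assumptions.

```python
import math
import re
import secrets

# Constructed stand-in for the dictionaries crackers load; real lists hold millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty", "sunshine"}

# Common "leet" substitutions, undone before the dictionary check (LetMe1n -> letmein).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 14          # the article's "14 characters at the very least" (assumption)
PRINTABLE_ASCII = 95     # size of the printable ASCII alphabet (assumption)


def predictable_patterns(password: str) -> list[str]:
    """Return the predictable human habits found in `password` (empty list if none).

    Each check mirrors a pattern the article describes: a dictionary word with a
    digit swapped in, a capital only at the start, digits or symbols only at the end.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    letters = [c for c in password if c.isalpha()]
    if letters and letters[0].isupper() and not any(c.isupper() for c in letters[1:]):
        findings.append("only capital is the first letter")

    # Letters first, then nothing but digits/symbols tacked on the end ("Password!", "Dragon123").
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", password):
        findings.append("digits/symbols only at the end")

    # Peel off leading/trailing non-letters, undo leet, then look the core up in the dictionary.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    if core.translate(UNLEET).lower() in COMMON_WORDS:
        findings.append("dictionary word (after undoing digit/symbol substitutions)")
    return findings


def search_space_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of search space an exhaustive guesser faces: length * log2(alphabet size).

    This is the article's 4-vs-14-character comparison in numbers; it is an upper
    bound that only holds when the password is chosen uniformly at random.
    """
    return length * math.log2(alphabet_size)


# Constructed mini word list; a real generator would use a large list such as the
# EFF long word list (7776 words, about 12.9 bits per word).
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet", "lantern", "quartz"]


def generate_passphrase(word_count: int = 5, wordlist: list[str] = WORDLIST) -> tuple[str, float]:
    """Pick words uniformly at random with `secrets` (never `random`) and return
    (passphrase, entropy_bits). The entropy depends only on list size and word count,
    so the phrase carries no human pattern for a cracker to exploit."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return " ".join(words), word_count * math.log2(len(wordlist))


if __name__ == "__main__":
    for candidate in ["LetMeIn", "LetMe1n", "Password!", "Passw0rd123"]:
        print(f"{candidate!r}: {predictable_patterns(candidate) or 'no predictable pattern found'}")
    print(f"4 chars: {search_space_bits(4):.1f} bits, 14 chars: {search_space_bits(14):.1f} bits")
    phrase, bits = generate_passphrase()
    print(f"random passphrase: {phrase!r} ({bits:.1f} bits from this tiny list)")
    print("patterns in passphrase:", predictable_patterns(phrase))
```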
According to Goldberg, any user password that the user has selected for use with multiple services and websites is only as safe as the least secure of those services and websites.
Any password that a user reuses makes the password a weak password by default.
Goldberg also mentioned to Gizmodo that users had the option of coming up with a seemingly very strong password.
They could use it for sensitive tasks such as for accessing their online banking account.
Users could also use the same password for MyKittyPics.net.
And they could do the same with a dozen other services and sites.
But if services and sites such as MyKittyPics.net don’t bother to use a secure connection, then the user gets into trouble.
In other words, the user’s password goes flying over the network.
And when it does, anyone with enough skill who happens to be in the same coffee shop as the user can see the password.
There are other such cases as well.
If the user does not take the pain to store his/her passwords in a secure form, then hackers can easily steal them.
Troy Hunt, the creator of Have I Been Pwned? and a web security author, has also offered his own opinion.
According to Hunt, passphrases can make great passwords.
But only if they contain several random words.
Users may have a passphrase that contains nothing but lowercase words.
They may also have a passphrase that does not have any symbols and/or numbers.
Such passphrases would still work.
But since hackers have set the bar so high, Troy believes that users should add uniqueness to their passphrases as well.
And users should not use the same passphrase on each and every website that they come across.
And since modern users all have dozens and sometimes even hundreds of online accounts, their brain can’t possibly take care of all the passwords.
So what’s the solution then?
Let’s Go Beyond The Password
The internet has two kinds of users when it comes to security.
There are users who don’t care much about their security because they don’t do anything important on the internet.
And then there are those users who are security-conscious about how they protect their data.
The second group of these users would already know that the only real and practical answer to all their password problems is a simple password manager.
A password manager is a perfect tool for users who desire maximum security.
And are serious about taking steps that will get them that maximum security.
Password managers allow users to stay secure all the time.
Every single reputable security expert will tell you that a password manager is the only way to manage your passwords in this day and age.
With that said, readers should also know that some security experts work for password manager companies themselves, so that is a point worth bearing in mind.
Of course, there are lots of other tools apart from password managers to secure your data.
Modern users are lucky because they have multiple security tools at their disposal.
And that too for free.
We have mentioned several times that users should set up two-factor authentication for all their important accounts.
It is not optional anymore.
It is an absolute must.
Without two-factor authentication, you cannot possibly begin to develop your personal security online.
That doesn’t mean two-factor authentication is infallible.
It is not.
But at least it obstructs hackers who then need to overcome something new.
If you have enabled two-factor authentication on your important accounts then the hacker would usually require access to an application that you have installed on your personal smartphone device.
Of course, the hacker will additionally also need your password and username in order to truly break into your online account.
But beyond two-factor authentication, it is also about password managers.
Make sure that you sign up for one that has a good reputation.
A password manager doesn’t just help users remember their multiple complex and lengthy passwords.
It also creates new difficult passwords for users who need them when they are signing up for new services.
All the while, the password manager keeps everything belonging to the user safe and secure.
How does it do that?
It does that via one master password.
This master password is something that only the account’s owner knows.
Hence, it is a must for users to make sure that they have applied all the password principles that we have talked about till now when they are creating their master password for their password manager.
According to Hunt, users have only one option.
And this option is a password manager.
A password manager is the only real and practical solution out of password problems for users.
And once the user has signed up for a password manager and starts to get comfortable with it, then the user has started his/her journey towards generating real random passwords for his/her online accounts.
Password managers can generate passwords of 30 characters or more.
They also enable users to stop worrying about the uniqueness and strength of their password.
Well, according to Hunt, their password manager has already taken care of such things for them.
As mentioned before as well, hackers are an intelligent bunch of people.
They now have the skills to leverage the power of algorithms.
And they use that power to try and crack user passwords.
The best way to guard against that is to use the same kind of computer science techniques to make sure that user passphrases are as random and unguessable as possible.
No one should understand that to mean that after using a password manager one can just suddenly forget everything about his/her online security.
Password manager apps are only there to make password management less bothersome.
According to Marshall, the safest and the quickest approach to coming up with (or creating) great passwords is to simply drop the idea of creating them oneself.
He also said that users should always use a password manager to generate a random password and store it somewhere safe.
Because most of the time users don’t have the ability to distinguish between a weak password and a strong password.
Hence it is better if users don’t rely solely on their own judgment when they want to choose a strong password.
If you don’t want to take the advice of security experts, then how about the advice of computer scientists?
And not just computer scientists.
Take the advice of computer scientists that work at Carnegie Mellon.
Many of them have described a password manager as something of a crucial aid for users.
That is, for only those users who want to keep their security in check when they surf the web.
Developers have designed password managers in such a way that they gladly take care of things such as having to remember all those complex and long passwords.
You know those long passwords.
The ones that end up on sticky notes on the user’s computer monitor.
Also, password managers are great for users who are just tired of using passwords that are basically their wedding anniversary followed closely by the actual name of their dog.
Previously on Security Gladiators, we have talked about some of the best current password managers in the world of online business.
These include some household names such as (and of course, in no particular order),
- KeePass, which is open source
- LastPass, which LogMeIn acquired a while ago
Users who don’t want to spend a lot of money should try out these password managers.
Because these will do a great job of securing and managing their online passwords and identities.
As far as pricing goes, it varies.
With the only exception of the open-source KeePass, users usually have to hand over a couple of dollars (or more!) every month to use a password manager.
Paid password managers can manage user passwords across multiple different services and devices.
Password manager developers have also come up with official apps for desktop and mobile.
Modern password managers can also take care of two-factor authentication automatically.
If you want to take one thing away from all of this, it is that according to the majority of the people who actually work in this industry and also study it as a part of their job, all online users would do well to take the help of password managers.
According to Goldberg, a strong password isn’t just a long password.
It is a password that you (or something else) can generate randomly.
We have already mentioned that generally speaking, people are pretty terrible at coming up with random passwords.
So you need to make sure that you keep your passwords safe and secure.
Well, you already know that you need a password manager for that.
But what if remembering a master password is too bothersome for you?
What if you don’t have the luxury of using a password manager?
But you still want to know how to properly secure your online accounts in the event that you forget your password, or even your master password (assuming you use a password manager)?
Well, all you need to do is to read on.
How To Guard Against Forgetting A Password And Not Losing All Your Accounts
At this point, it should be pretty clear to you that you have to choose a strong enough password.
And then you have to make sure that you have set up that two-factor authentication that we talked about before.
The problem with two-factor authentication is that it requires the user to have an additional device.
The user then has to use this additional device in order to authenticate a given login credential.
Readers may assume that once they set up two-factor authentication, they have secured their accounts.
You see, there is always a chance you might forget your password.
Okay, so not a big deal right?
All online services, websites and apps have what are called recovery processes.
These processes help users when they lock themselves out of their accounts.
So doesn’t it make sense that you should take measures to shore these up against potential threats and exposure as well?
What we mean to say here is that, user accounts are safe most of the time.
But they are only as safe as the weakest link in the user’s account recovery option.
So hypothetically speaking, if an unwelcome visitor or a hacker gets through, let’s say, the back door, then that actor doesn’t really need to bother with the locks and all the other security equipment, such as a camera, that one might have fixed on the front door.
In any case, now we will present to you the most common and useful alternative login options.
Remember, that in each case, we’ll also show you how to keep those alternative options safe and sound.
Password Recovery Emails
This is perhaps the old favorite on this list.
Users are quite used to sending a kind of a reset code to their email address when they forget their password for a given account.
That should be safe right?
No one other than the user usually has access to that particular email account.
So all is good right?
You really need to think about it to understand the problem.
The problem is not your recovery email address.
The problem may arise if you have used a recovery email address of an account that you have not made use of in years.
Usually, for such accounts, users make use of some very basic passwords and don’t update the security features on these accounts.
If that is the kind of password recovery email address you have then you are in a little bit of trouble.
Users who want to secure their email address should make sure that their recovery email address isn’t accessible from any device and/or computer that they are not actively using.
The great thing about modern email accounts is that they give users the ability to perform a global sign-out.
The global sign-out signs the user out of all devices instantaneously.
Users should also take the trouble of double-checking whether or not someone has set up filtering and/or forwarding rules in their inbox without their knowledge.
Oftentimes users will find that bad actors set these up to forward account reset links to themselves before the user gets the chance to see them.
Backup Codes
Backup codes are a feature used extensively by the likes of Google and others.
Backup codes allow users to get back their online account if they have tried other login methods and have failed.
All that users have to do in order to recover their account is to enter the backup codes instead of their passwords.
That is great.
But not quite.
Because anyone else who can see the backup codes can use them as well.
So users who are in the habit of writing those codes down on a piece of paper and sticking it on their computer screen or desk are in trouble here.
Stop doing that.
Don’t think about printing them either.
Moreover, do not try to store those backup codes as temporary draft files in another one of your email accounts which someone else can easily access.
It is pretty unfair to users that they may have to remember so many backup codes.
Sometimes these are several.
Other times they go into the dozens.
So it isn’t exactly easy remembering all of them.
Users who can’t help writing down their backup codes should at least make sure that their note is secure.
By that, we mean that they should lock the backup codes away in a safe somewhere.
Other examples include storing these codes inside a separate and different application that the user is sure is well protected.
We are talking about using digital vaults.
Or taking advantage of your password manager’s extra features.
You have to keep these backup codes somewhere.
And that somewhere should represent a place that you can access relatively easily.
All the while, that place should lock out everyone else from reading the backup codes.
Trusted Contacts
Perhaps the best protection against all sorts of unauthorized access is when the user can specify some trusted friends who can let the user get back into his/her account.
Facebook currently has this feature.
And many users have signed up for it.
This will provide you with great security.
Now, no one can guarantee that someone won’t come in and kidnap four or five of the user’s trusted friends along with family and then hold them against their will someplace secret in order to get your account.
But short of that, once you make use of this feature it becomes very hard for anyone else to try and get around it.
However, when you use this feature, make sure you educate your friends on the need to exercise care and guard against any attempt by someone to impersonate you.
It goes without saying that your friends need to do their best to protect their accounts in the best possible manner as well.
If we’re talking about Facebook here, then know that they have installed several verification checks.
These are present in order to counter such problems.
In other words, the user actually has to make a call to the trusted contact if he/she wants to get their help.
With that said, users would do well if they pick contacts based on their tech savviness.
In other words, the user’s contacts should know what they are supposed to do and what they are actually doing while in the online world.
Trusted Phone Numbers
Some websites and applications want the user to input a phone number.
Because they want to use the phone number for account recovery codes.
These apps and sites send recovery codes via an automated phone call and/or SMS.
Hence it is imperative that users should have numbers that stay current.
And of course, they should be well-protected.
Users should always look out for signs of unusual activity on their mobile accounts.
What unusual activity?
Well, like unexpected support requests.
And/or reset messages.
In a case where the user does get a recovery code sent to his/her phone number then he/she has to make sure that no one apart from them knows about it.
But that’s not all.
For an extra bit of protection, the user must also remove old phone numbers from his/her accounts when changing phone numbers.
Or even when they get a new SIM.
Users should update their details inside all other relevant apps as well.
At this point, we should say: please don’t make the mistake of leaving your old account recovery phone number tied to a smartphone that you actually sold on eBay months ago.
Some of you might say, that is pretty common sense.
But our research shows that it does happen.
Security Questions
Security questions are one of the most popular fall-back options when users desperately want to get back into their accounts.
Security questions are great.
But again, users need to put some thought and consideration into security questions so that they can do their job.
Never choose questions and answers that you know some other people can guess with ease.
What does that mean?
We mean, don’t use the name of your pet as your security question and answer.
Because most of the time, users have plastered their pet name all over their Instagram and Twitter accounts.
Someone who has seriously malicious motives will go to great lengths to take your account.
You must make things difficult for that malicious actor.
And the best way to do that is to never use the middle name of one’s relatives.
Don’t use the first school that you went to.
These are pretty easy.
And stay away from using your old address as well.
These details don’t provide you meaningful protection.
Users who just don’t have the time nor the interest to come up with their own questions, should select difficult ones from the pre-approved list of good security questions.
But here too, users must look for security questions that relate to the kind of information that has no presence in the public domain.
Another good practice is to use security questions that others may find impossible to guess.
Is There Any Good News In All This Talk About Password Managers and Alternative Recovery Options?
Yes, there is.
Almost all the big apps and sites are spending a lot of money on improving their security measures.
They have become a lot better at detecting various kinds of suspicious activities on user accounts.
These big sites and apps now also make sure that users are able to get back to their account without having to spend the whole evening trying.
To take an example, let’s talk about Google.
Google can actually recognize when the user is on a device and/or web browser that the user typically uses.
It can also know when that isn’t the case.
Moreover, Google can also remember the user’s previous passwords.
For example, if a user finds out that his/her password has suddenly changed, then the user has the opportunity to help the company prove his/her identity.
The way Google wants the user to do that is by entering an older password.
But Google has all the resources in the world.
Other companies will not take such drastic security measures as Google.
We have already explained that online accounts that have weak security are the ones hackers try to compromise.
These are also the accounts that provide hackers a route to the user’s bigger and perhaps more important online accounts.
We recommend to all users that they should take some time and review their current account recovery options.
Who knows, one day they might come in handy and you’ll pat yourself on the back that you did do something about your account recovery options and password manager after reading this guide.