The most important thing you can do to protect yourself today is to use a different password for each account. No excuses, no exceptions: every password needs to be different.
It’s even more important than using hyper-complex 24-character passwords full of upper-case letters and numbers and symbols, although you should do that too.
This takes a short explanation. If you’d rather move on, just remember: do not reuse the same password, ever, amen.
Hackers will learn one of your passwords someday. Just accept that.
Maybe you’ll be tricked by a phishing email message and you’ll type your password online and the bad guys will run off cackling with laughter.
Even if you’re careful, though, at some point hackers will steal an encrypted database with a gazillion passwords on some service you use. It happened to RockYou (2009, 32 million users) and LinkedIn (2016, 100 million users). There have been many, many other similar hacks and there are many more to come.
When the hackers get one of those encrypted databases, the passwords in it are normally stored scrambled (hashed), not readable, and the hackers have a number of increasingly effective tactics for recovering them. They’re not doing hard quantum math, although computers are certainly crunching some algorithms.
They’re guessing. The computer scrambles a guess the same way the service did, checks whether the result matches a stored entry, and moves on to the next guess. Each password is a separate puzzle; the computers are really fast at using well-known tricks to solve the puzzles.
How do they do that? What are the tricks?
You have some system for creating passwords. Chances are a lot of other people use a similar system.
This is from an interview with a renowned password cracker.
“With password complexity policies that require an uppercase character and a number, 99 percent of the people on this planet are going to put the uppercase character in the first position and the number in the last position. . . . Armed with a bit of knowledge, such as a common dictionary, famous landmarks, sports teams, first names, last names, and pets’ names, we can crack 99 percent of a password database in less than a week.”
It took about a week for the hackers to crack 96% of the LinkedIn passwords in 2016.
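Added example, not from the original post: a defender-side check that recognizes the recipe the cracker describes (capital letter first, number or symbol last, a common word in between) so a sign-up form or password manager can warn before such a password is ever stored. The word list is a small constructed stand-in for the dictionaries a real checker would load.

```python
import re

# Constructed mini word list standing in for the "common dictionary, famous
# landmarks, sports teams, first names, last names, and pets' names" the
# cracker mentions; a real checker would load a list of millions of entries.
COMMON_WORDS = {"password", "summer", "yankees", "fluffy", "london",
                "michael", "dragon", "welcome"}

# Capital letter first, lower-case word, then 1-4 digits/symbols at the end:
# the recipe the quote says 99 percent of people follow.
RECIPE = re.compile(r"^([A-Z][a-z]+)([0-9!@#$%^&*.?-]{1,4})$")


def predictable_pattern(password):
    """Return a reason string if the password follows the capital-first,
    number-or-symbol-last recipe, or None if it does not."""
    m = RECIPE.match(password)
    if not m:
        return None
    word, tail = m.group(1).lower(), m.group(2)
    if word in COMMON_WORDS:
        # Worst case: a dictionary word dressed up exactly the way crackers expect.
        return f"common word {word!r} with capital first and {tail!r} last"
    return f"capital first, {tail!r} last"


if __name__ == "__main__":
    for candidate in ("Fluffy1!", "Summer2024", "Zebra9", "xK7#mL2vQ9"):
        print(candidate, "->", predictable_pattern(candidate))
```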
Maybe your passwords aren’t easy to guess. You might use a password manager like 1Password or LastPass to generate alpha-numeric gibberish. Or maybe you have a super-cool system for generating random-ish passwords that you can remember. I suggested a system here.
That doesn’t mean you can use the same password everywhere. A lot of passwords are stolen in plain text through phishing attacks, malware, someone reading over your shoulder, or a poorly designed database.
The next thing the thieves do with a stolen password is try it at other services. They’ll rattle the bars at Amazon and Wells Fargo and Google and Microsoft and a thousand other places.
If you used the same password anywhere else, then the bad guys are now in control of those accounts too, and that could be very bad indeed.
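Added example, not from the original post, of how a service on the receiving end of that "rattling the bars" can spot it in its own login log: one source trying many different accounts in a short window is the signature of a stolen password list being replayed, and the accounts it logged into are the ones whose owners reused a password. The log lines are constructed for the example.

```python
from collections import defaultdict, Counter
from datetime import datetime, timedelta

# Constructed sample log (not from any real service): time, source IP, account, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 alice@example.com FAIL
2024-03-01T10:00:02 198.51.100.7 bob@example.com FAIL
2024-03-01T10:00:02 198.51.100.7 carol@example.com OK
2024-03-01T10:00:03 198.51.100.7 dave@example.com FAIL
2024-03-01T10:00:04 198.51.100.7 erin@example.com FAIL
2024-03-01T10:00:05 198.51.100.7 frank@example.com OK
2024-03-01T10:01:10 203.0.113.9 alice@example.com FAIL
2024-03-01T10:01:20 203.0.113.9 alice@example.com FAIL
2024-03-01T10:01:30 203.0.113.9 alice@example.com OK
2024-03-01T11:30:00 192.0.2.44 grace@example.com OK
"""


def parse_log(text):
    """Turn the log into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, min_accounts=5, window=timedelta(minutes=5)):
    """Flag IPs that tried at least `min_accounts` distinct accounts inside any
    `window` (sliding), and list the accounts they logged into successfully.
    Returns {ip: {"accounts_tried": n, "logged_in": [accounts]}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, _, user, _ in evs:
            in_window[user] += 1
            while ts - evs[start][0] > window:  # slide the window's left edge forward
                old = evs[start][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts:
            flagged[ip] = {"accounts_tried": len({u for _, _, u, _ in evs}),
                           "logged_in": sorted({u for _, _, u, r in evs if r == "OK"})}
    return flagged
```

A normal user fumbling their own password three times (203.0.113.9) is not flagged; the accounts listed under "logged_in" for a flagged source are the ones to force a reset on.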
Do not reuse passwords.
We are moving slowly to a world without passwords. Slowly. Agonizingly slowly. There is progress!
Microsoft is furthest ahead in creating ways to authenticate you without a password. Windows computers use a mix of PINs, fingerprints, or facial recognition whenever possible. In some cases, Windows turns off password access by default and only lets you log in with one of those alternatives, which it calls “Windows Hello.” I explained why the password option might be missing from your Windows computer here. It’s actually possible to remove the password entirely from a personal Microsoft account and use the Microsoft Authenticator app instead.
Google is working on removing the need to type in a Google account password from Android and Chrome. Once set up, you would be logged in merely by unlocking your phone.
Apple is working on implementing the same technology on iPhones. You would be able to sign into an app or website on a computer by supplying your fingerprint on your phone.
More and more phone apps have biometrics built into them so they can be unlocked with a fingerprint instead of a password – finance apps like Wells Fargo & Chase, password apps like 1Password and LastPass, medical apps like Kaiser, lots more.
Those are promising advances but we will be stuck with passwords for a long time. A password manager has a learning curve but many advantages over a notebook in your drawer. I use (and pay for) 1Password. (Here’s the story of why I switched to it from LastPass.) There are many others.
Google keeps improving the password manager built into Chrome, linked to your Google account. It is a fine option, free and reliable. Here’s an article to get you started with it. Once you’re set up with it, you can access your stored passwords at https://passwords.google.com.
Let’s review your progress.
1) Bypassing password prompts wherever that can be done by substituting biometrics (fingerprint, facial recognition), a PIN, or a link to a nearby phone.
2) Unique passwords, different for each account.
3) Complex passwords, preferably not just an upper case letter at the beginning and an exclamation point at the end of your pet’s name.
You’re not done.
Two-factor authentication improves the security of password-protected accounts in deep and profound ways. If you set up 2FA, your account is still secure even if your password is hacked. Here’s your introduction to 2FA. It’s really important.
Be careful out there!