Best Practices For Passwords – Part 2

Better Password Management - Part 2

In our previous article Best Practices For Passwords we shared several tips and best practices on password management. After sharing that article we were challenged by our good friend Alan at Immersus Media to explain more about why these security items are important. So here we go!

Use a password manager application and let it generate and store your passwords

First off, we use 1Password for Teams by AgileBits for our business and love it. Why? No more writing down passwords on paper, Basecamp, Asana, Evernote, Google Docs, you name it. All our passwords are in one place and we don’t waste time tracking down passwords or trying to creatively come up with or remember long passwords. With 1Password our passwords are 1000% more difficult to crack. Also, with the Teams account we have the option to share our passwords with contractors on our team with a couple of clicks. It’s so easy and efficient I can’t fathom going back.

Change your passwords every so often

This could take a long time, so I’m not saying you should do it every month. But, from time to time, it would be wise to change some of your most important passwords. Which ones? I would say for sure your email, because that is the gateway to so many other online accounts. What do most other online services ask for? Your email. If a hacker got into your email they could reset your passwords for third-party services without you knowing it and mess you up. What other accounts? I’d recommend changing your online banking and anything to do with managing your money from time to time as well, as an added step. Several sites now offer 2-step authentication, which I also highly recommend setting up for as many accounts as you can bear!

Avoid using the same password on all the sites you visit

Do I really have to explain this? Sure, why not. If someone breaks into one of your accounts then they’ll most likely try to use the same password to break into others. Most people who use the same password are doing it for convenience but don’t realize the huge risk they are creating. Switching to a password management tool helps mitigate the risk and takes the need for remembering every password away.

Do not use a word from the dictionary

One particular technique that hackers use to defeat authentication mechanisms is trying hundreds, thousands, and sometimes millions of likely possibilities, such as words from a dictionary. It’s a form of brute-force attack in which the attacker systematically attempts many passwords or passphrases until one succeeds. Not using a word from the dictionary removes your password from that list of likely guesses and reduces your chances of getting in trouble.

Avoid using names or slang terms / Do not use anything that resembles your name (first, middle, or last) or any of your family members names or initials

Using names or slang terms in a password is not a good idea but many people still do this! Just like using a word from a dictionary, names or slang terms can be guessed, and sometimes even more easily as people tend to use names or even initials of family members in their passwords. For an attacker, locating this information is not too difficult, especially if you are not mindful of how you post and share information online on social media.

Use lowercase, uppercase, and keyboard characters in your password

Many password generators actually enforce this now by default, but in case you have free rein to create your own password however you want, know that you should use a variety of lowercase, uppercase, numbers, and symbols to make your password as unpredictable as possible. I would go a step further and say that sites that don’t enforce strong passwords to some degree are behind the times and in danger of more security breaches affecting their users.
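As an added example (not from the original post), here is a small Python checker that flags the weaknesses described in the last three sections (dictionary words, names, too few character classes, short length) and compares the work of a plain brute-force search against a wordlist attack. The word and name lists are constructed placeholders, and the assumed size of a real cracking wordlist is a labelled assumption.

```python
import math
import string

# Constructed stand-ins for the dictionary and family-name lists an attacker
# would try first. A real cracking wordlist has on the order of a million entries.
COMMON_WORDS = {"password", "sunshine", "dragon", "welcome", "monkey", "football"}
FAMILY_NAMES = {"alan", "smith", "emma", "jake"}
ASSUMED_WORDLIST_SIZE = 10**6     # assumption: entries in a typical cracking wordlist
SUFFIX_VARIANTS = 1000            # assumption: digit/symbol suffixes tried per word

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def classes_used(password):
    """Which character classes appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]

def brute_force_bits(password):
    """log2 of the keyspace a systematic search over the used alphabet must cover."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)

def weaknesses(password):
    """Reasons the password can be guessed far faster than brute force suggests."""
    issues = []
    core = password.lower().strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        issues.append("dictionary word")
    if any(name in password.lower() for name in FAMILY_NAMES):
        issues.append("contains a name")
    if len(classes_used(password)) < 3:
        issues.append("fewer than 3 character classes")
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    return issues

def effective_bits(password):
    """Estimated guessing work in bits once a wordlist attack is accounted for."""
    if "dictionary word" in weaknesses(password):
        # A wordlist attack only needs wordlist size x suffix variants guesses,
        # regardless of how many character classes the suffix adds.
        return math.log2(ASSUMED_WORDLIST_SIZE * SUFFIX_VARIANTS)
    return brute_force_bits(password)
```

Run `weaknesses("sunshine1!")` against a generated 16-character password to see why the manager-generated one is the only one with no findings and roughly 100 bits of brute-force work.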

Do not login to websites on publicly shared computers

Many browsers now have built-in mechanisms that can save passwords. If you are not careful, your information could be left vulnerable to the next user of a shared device. If you absolutely have to log into a website from a publicly shared computer, do not allow the password to be saved, make sure you are completely logged out after you’re finished, and clear all the browsing data. In general, though, just avoid this if at all possible.

Sending passwords via email (BIG NO NO)

Depending on who is hosting your email, it may not be as secure as you think. Just as servers and websites face hacking attempts, so do email servers. What can you do? I advise you to contact your email provider and ask questions about how secure your email is on their server and what specific steps you can take to mitigate the chance of an email compromise. In general we steer clear of password sharing via email and look to other methods that don’t leave as much of a trail. Sometimes this can mean actually sharing passwords verbally, or sharing via a private network over the Messages app, which we’ve heard has a good level of security. Even after sharing passwords via the Messages app or other means, you should go back and delete these messages if at all possible.

We hope that we’ve shed more light on why employing these best practices is important. If you have any questions or suggestions for even better password management please feel free to chime in on the comments below.