Importance of passwords
Though passwords have been shown to, in practice, be a terrible security concept, they're still heavily used today.
They're everywhere, even as they may phased out in the next few years. However, as it stands now, passwords are the keys to your digital kingdom.
Think about it - you more than likely don't want to hand over the keys to either your house or your car to some person on the street. They could steal all the valuables from your home or drive off with your car. Well, in this increasingly digitally connected world, the same goes for your passwords.
Your passwords give access to your accounts, which frequently contain sensitive data. Compromised passwords can give unauthorized access to your accounts - which in turn is ultimately detrimental to your privacy.
When it comes to your passwords, you'll want to be sure that you're implementing solid password management practices. Good password practices typically mean that you are:
- Using strong passwords (Are your passwords weak?)
- Using unique passwords
Properly managing your passwords is essential to the security of your passwords themselves, which in turn is crucial for the security of your online accounts.
While strong passwords are indeed essential, good all around password management is about more than just creating a "strong password." It also includes:
1. Secure storage
Long story short, your passwords should be stored in a secure location.
Secure locations do not include common methods people store passwords such as:
- Your smartphone notes - your phone can be stolen, compromised, and its clipboard can store your password for easy access by other nosy apps.
- Web browsers - browsers frequently store login information unencrypted.
- Word/PDF/TXT document - your method of storage can be compromised, which also compromises your document and its data
Perhaps the most secure (and easiest) method for storing your passwords in this day and age is within a password manager. A password manager stores your login information within an encrypted vault that should be near impossible to crack.
More information on why these methods aren't secure.
2. Creating and maintaining strong passwords
Naturally, since passwords act as the main gate against unauthorized access of your online accounts, you want them to be as strong as possible.
It's important not to fall into the common trap of thinking a "complex" password directly equates to a "strong password" for this is simply not the case.
The number one factor in password strength is password length. Complexity does help, but it does not play as much of a role as password length does.
A good password manager can generate truly strong passwords using both length and complexity. Furthermore, a password manager makes this far easier than even creating a "strong" password yourself - most allow you to set a number of parameters and then after a button click, you have a randomly generated strong password.
3. Eliminating password reuse
Good password management practices should eliminate password reuse. Reusing passwords has zero security benefit for you, but of course it's highly convenient - especially considering your average person has more than a few dozen online accounts today.
Unfortunately, when it comes to password reuse in today's environment, reusing a password is near the same as having a substantially weak password. This holds true even if the password you're reusing is a fundamentally "strong password."
Now, you may be thinking "why is that?"
Two words: Data breaches.
How? Let's take a quick example:
Say you use the same exact password across Account A, Account B, and Account C.
Account B gives you notification that they've had a data breach. In this data breach, password data of customer accounts were leaked. Yours included - so you change your password for this account and only this account. Good on you.
However, you don't change the passwords for either Account A or Account C because they weren't breached. This makes some straightforward sense considering neither Account A or Account C experienced a data breach themselves.
Unfortunately, you're left wide open for a credential stuffing attack.
This is the term used when malicious attackers take leaked/breached/cracked/common passwords and try them across multiple different services.
So ultimately, by not changing the compromised password for Account A and Account C, both accounts are at risk of being compromised as well.
As demonstrated in this example, you can easily see that the more you reuse a given password, the more you are creating a single point of failure.
A good password manager eliminates password reuse, since it can (1) generate truly strong passwords and (2) remember these passwords for you. This is critical because password reuse is born out of human heuristics and convenience - a trusted password manager is still convenient but takes the human part that makes password reuse rampant, out.
4. Review breached passwords
A part of password management includes reviewing your passwords and addressing those which have been exposed in a data breach.
After notification of a data breach, it's highly recommended to change your password for that specific web account or service. You should change your password even if the breached website claims that no passwords were compromised.
Additionally, you should make sure that you don't use that password again across any online account you have. Especially if the password itself has either been exposed or is found on any readily available "compromised list."
A good password manager makes changing compromised password easy.