Passwords

Like it or not, passwords have become the bane of using technology.  They are the backbone of nearly every facet of online life, and they are simultaneously a complete pain to manage.  An average user has at least 10 different passwords to maintain, and that is a very low estimate once you count both work and personal accounts.

We get calls several times a week asking us to provide someone with their username and/or password for something, and it gets worse every year as more services launch and more passwords are needed.  Couple that with what we have witnessed to be the continued use of inadequate passwords and practices, and it quickly becomes obvious why we recommend using a password manager.

Password Managers

What are password managers?  The answer may seem obvious from the name, but the need for them apparently is not, because so few users use one and so many users need one.

A password manager is a secure list of credentials: usernames, passwords, and the site or service each pair applies to.  Secure means the list is stored in an encrypted file (the vault) whose encryption key is derived from a single master password.  Without that password the file is unreadable, even to someone who copies it off your disk.

But if you still have to remember a password, doesn't that negate the need for a password manager in the first place?  Of course not.  Biometric unlocking (a fingerprint or your face) is becoming common on phones and laptops, but it only stands in for the master password on that one device; you still need one, ideally long, password that you can remember and that unlocks the myriad of other passwords in your life.  And let's face it, that list grows almost every day.  The more new services we agree to try, the more passwords we have to keep track of.  And ironically, it isn't always the password that is hard to remember.

It’s More Than Just the Password

Every login has at least two values to fill in: a username or email address and the password.  You might be positive you are using the right password for a particular login and still have the wrong username.  It would be nice if we could use the same username and password for every login, but that is risky.  Hacks and data breaches happen all the time, and when a breached site's credential list leaks, criminals do not stop at that site: they automatically try the same username and password combinations against banks, email providers, and shops (an attack known as credential stuffing), so every other account where you reused that password falls with it.  Responsible providers watch the published breach lists as well, and when they find their own customers' credentials in one they force a password change.  So one hack can result in having to reset your passwords in multiple places.  Not fun.

Best Practices for Passwords

We all know by now that a password shouldn't be obvious or simple, such as "password" or "123456".  Fewer people realize that what makes a password hard to guess, whether by a human or by a computer trying many billions of candidates per second against a stolen password database, is mostly length and unpredictability; mixing capital letters, numbers, and symbols helps only if it isn't done in the predictable ways (a capital first letter, a "1!" tacked on the end) that cracking tools try first.  Hacking attempts have become relentless and we are constantly forced to up our game.  Therefore, the current best practice for passwords is the following…

  • passwords should be at least 12 characters long (8 is the bare minimum most sites enforce, and is no longer enough).  The longer the better; a passphrase of several unrelated words is both long and memorable.  I know it's inconvenient.
  • passwords should still contain a mix of upper and lower-case letters, numbers, and symbols, but not in the obvious places (capital first letter, digit and symbol last).
  • passwords should NOT be the same across many or all resources.  Do not use the same password for every site and service.  Each should be different, so that one breach cannot be replayed against the rest.
  • Use two-factor authentication whenever available.

Two-Factor (or Multi-Factor) Authentication

What is two-factor (or multi-factor) authentication?  It is simultaneously a great way to help secure yourself against hacking and a positive drag to use.  Two-factor authentication means proving who you are with a second, independent piece of evidence in addition to your password, each and every time you log in.  For example, traditionally you would enter your email address and password to log in to your email.  Nothing further needed.  But if someone were to guess, phish, or buy your password, they could log in as you, change your password, lock you out of your own account, read your email, and begin all kinds of nefarious actions (and since your email is where every other account sends its password resets, they could take those over too).  So how could you prevent this?

By enabling two-factor authentication in your email account (if it's available), you register a second factor: a mobile number that can receive text messages or, better, an authenticator app or a hardware security key.  After you enter your username and password, the provider asks for a 6 digit code that only the registered phone or key can produce, and you type it in to finish the login.  This assures the email provider that you are indeed who you claim to be, by combining "something you know" (your password) with "something you have" (your phone or key).  A hacker who has only stolen the password gets no further.  Text-message codes are the weakest of the three, because a criminal can hijack a phone number; an authenticator app computes the code on the phone itself from a secret the service gave it when you enrolled, and a hardware key refuses to answer a fake login page at all.  Any of them is far better than a password alone.

By validating your identity with two methods, you sharply decrease the likelihood that your account will be hacked.  It isn't always a desirable approach, but there's no denying that it makes an account MUCH less susceptible to takeover.  One caveat: a code only protects you if you enter it on the real site, so never type one into a page you reached from a link in an unexpected message.  And this brings us back around to password managers.

Back to Password Managers

By using a password manager, you can implement every best practice described here with very little inconvenience.  How?  Most popular password managers will generate a strong, random password for each login, so every account gets a unique password that nobody, including you, has to remember.  The manager fills in both the username and the password, and it only offers them on the site they were saved for, which means a look-alike phishing page gets nothing.  Your input drops from two fields (username and password) to one (the confirmation code sent to your phone), and you and your accounts are safer for it.

There are several password managers available, and at least one offers its basic service completely free.  So there's little reason not to use one.

So which password managers do we recommend?

The best password manager for you is one that works across every platform you use.  If you have a Windows computer and an Android phone, make sure the manager runs on both (and syncs between them) so your passwords are always available.  And protect the manager itself with a long master password and with two-factor authentication of its own: the vault now holds the keys to everything.