Typing in a password to access one of the tens or hundreds of services that we use has become such an everyday part of our lives that we rarely give it a second thought.
Quite often we try to keep our passwords simple and easy to remember so we can move quickly past logging in and get on with what matters. That is just one of the many mistakes we make when it comes to something that we rely on to secure a part of our digital identity.
Tips for Selecting & Managing Passwords
Never reveal your passwords to others.
Use different passwords for different accounts.
Use multi-factor authentication (MFA).
Length trumps complexity.
Make passwords that are hard to guess but easy to remember.
Complexity still counts.
Use a password manager.
5 common password mistakes you should avoid
1. Password recycling
One of the most common mistakes is password recycling. The problem often starts with the creation of the password itself. People tend to create passwords that are easy to remember, which usually means short and simple, although most services now enforce a minimum length and require certain types of characters.
Once we have memorized the password and then sign up for another service, and another, and another, we don’t want to have to remember another one, and another one, and another one, so we reuse the password we have already committed to memory.
According to a Google survey, 52% of respondents reuse the same password for multiple accounts, while a surprising 13% use the same password for all their accounts.
Substituting letters for numbers or lower case for upper case and vice versa is also considered password recycling, although some might consider it to be a slight improvement.
The gravest problem with password recycling is that it opens you up to credential stuffing. That is an account takeover attack that leverages bots to hammer sites with login attempts using stolen access credentials from data breaches at other sites until they stumble upon the right combination of new site and “old” credentials. As you can see, diversifying your passwords is in your best interest.
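Credential stuffing looks different from a forgotten password on the server side: one source address cycles through many distinct accounts in a short burst, mostly failing, occasionally succeeding. The following added example (not part of the original article) runs that detection over a constructed auth log; the log format, the RFC 5737 documentation addresses and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (RFC 5737 documentation addresses): a bot at 203.0.113.7
# replays leaked username/password pairs one account after another and gets one hit,
# while a real user at 198.51.100.4 mistypes their own password twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice src=203.0.113.7
2024-05-01T10:00:02Z login_failed user=bob src=203.0.113.7
2024-05-01T10:00:02Z login_failed user=carol src=203.0.113.7
2024-05-01T10:00:03Z login_failed user=dave src=203.0.113.7
2024-05-01T10:00:04Z login_ok user=erin src=203.0.113.7
2024-05-01T10:00:05Z login_failed user=frank src=203.0.113.7
2024-05-01T10:00:09Z login_failed user=grace src=198.51.100.4
2024-05-01T10:00:20Z login_failed user=grace src=198.51.100.4
2024-05-01T10:00:31Z login_ok user=grace src=198.51.100.4
"""


def parse_line(line):
    """Split one 'ts event user=.. src=..' line into (timestamp, username, success, source IP)."""
    ts, event, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.split("=", 1)[1],
            event == "login_ok", src.split("=", 1)[1])


def detect_credential_stuffing(log, window=timedelta(seconds=60), min_accounts=5):
    """Flag source IPs that try >= min_accounts distinct usernames inside one `window`.

    Successful logins count too: a stuffing run is mostly failures with the odd success,
    and that success is the account that has just been taken over. Returns
    {src: {"accounts": [...], "succeeded": [...]}} for flagged sources."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        ts, user, ok, src = parse_line(line)
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward until it spans at most `window`
            if len({u for _, u, _ in events[start:end + 1]}) >= min_accounts:
                flagged[src] = {
                    "accounts": sorted({u for _, u, _ in events}),
                    "succeeded": sorted({u for _, u, ok in events if ok}),
                }
                break
    return flagged
```

The "succeeded" list is the actionable part: those are the accounts whose owners reused a breached password and now need a reset and a session revocation.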
2. Creating simple passwords
As we have already mentioned, a lot of the problems begin when the passwords are created. Simple ones tend to lead the pack. You may have seen the movie Wrongfully Accused, where Leslie Nielsen attempts to hack a computer by guessing the login credentials, which simply turn out to be Login and Password.
If you think that in real life people are more careful about their choice of passwords, sadly you would be wrong. An annually compiled list shows that when it comes to passwords, people make questionable choices, with 12345 and password ranking among the top five most popular passwords.
Aside from simple patterns and obvious words, a frequent mistake when creating passwords is incorporating details from your personal life that can be easily guessed or found.
Six in ten US adults have incorporated a name (theirs, their spouse’s, children’s or pet’s name) or a birthday into their passwords.
Ideally, switching to a strong passphrase is preferable to using a password. Two-factor authentication (2FA) should also be activated when possible, since it adds an extra layer of security against various types of attacks aimed at revealing your login credentials.
3. Storing passwords in plain text
Another oft-occurring mistake is writing down our passwords. This takes two forms: jotting them down on paper or sticky notes, or saving them in spreadsheets or text documents on our computers or smartphones.
In the case of the former, unless the bad actor wants to add breaking and entering to their record, there is no way to access it.
That’s not saying that you should write them down or leave them lying about; if you do (but don’t!), they should be hints that help you remember rather than the passwords themselves, and they should be stored in a place safe from prying eyes. In the case of storing them on your devices, you face a series of challenges.
If attackers break into your device and rummage through it, they will have access, with little to no effort, to a whole trove of sensitive data, including any passwords you stored in plain text.
Alternatively, if your device gets compromised by malware that copies your data and sends it to a remote server, a bad actor can access all your accounts before you have a chance to notice.
Or, in some cases, they can just go through your device with a fine-toothed comb to see if they can find any exploitable data on it, including the file with the passwords. It suffices to say that storing passwords in plain text on any connected device is a bad idea.
4. Sharing passwords
“Sharing is caring” does apply to a lot of areas in life, but passwords are an exception. Yet some would beg to differ, like the 43% of US respondents who admitted to sharing their passwords in the past with someone else.
Those included passwords to streaming services, email accounts, social media accounts, and even online shopping accounts. Over half of them said they shared their password with their significant others. While sharing a password to a streaming service account is a widespread phenomenon, it is less dangerous than the rest of the mentioned choices.
Once you share your password with someone else, the security of your account plummets dangerously, since you’ve lost your tight grip on it. You cannot be sure how it will be handled and if the person you trusted with it won’t share it with someone else.
A lot rides on how you shared the password: did you type it into your account for them and save it? Or did you perhaps send it to them by email or through an instant messaging app in plain text?
In the case of the latter, you are at the mercy of their discretion and you must hope that their devices are secure, since we have discussed the implications of saving a password in plain text form in the previous section.
Another important thing to remember is that if you shared your password for any communication platform you use, the people you shared it with can wreak havoc on your relationships, be they business or personal, since they can now log in under your identity.
If you shared your credentials to any of your online shopping platforms and your payment methods are saved, then the party you shared with can easily rack up a bill on your credit card, which you may live to regret.
Even if the person you’re sharing your credentials with is your spouse, keeping all your eggs in one basket is ill-advised.
5. Changing passwords periodically (without giving it much thought)
Some organizations force their users to change their passwords every two or three months “for security reasons”. But contrary to popular belief, changing your password regularly – without evidence of a password breach – doesn’t automatically make your account more secure or harder to hack.
Make it long — This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
Use a mix of characters — The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it.
Avoid common substitutions — Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak definition: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
Don’t use memorable keyboard paths — Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.
Strong Password with Examples
A capable attacker will run a dictionary-based cracker that breaks this type of password quickly. If you must use a single word, misspell it as much as you can or substitute numbers for some letters.
Use a word or phrase and mix it with shortcuts, nicknames, and acronyms. Abbreviations and a mix of upper- and lower-case letters produce passwords that are easy to remember but still secure.
“Pass Go and collect $200” – p@$$GOandCLCt$200
“Humpty Dumpty sat on a wall” – humTdumt$@t0nAwa11
“It is raining cats and dogs!” – 1tsrAIn1NGcts&DGS!
You may also find it easy to remember a sentence-based password if the sentence refers to something familiar to you but obscure to others, such as “The first house I ever lived in was 601 Lake Street. Rent was $300 per month.” From that you could use “TfhIeliw601lS.Rw$3pm.”: taking the first letter of each word (and keeping the numbers and punctuation) gives you a strong 21-character password.
This technique is particularly useful when you need passwords for numerous accounts, because it keeps them easy to remember. As already mentioned, you really should use separate passwords, and this approach lets you customize the base passphrase for each account.
Using the same phrase as above, “Humpty Dumpty sat on a wall”, we created a secure and reliable password; now you can customize it for your Amazon, Netflix, or Google accounts:
Here are good password examples using this technique.
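To make the rules from the tips above concrete, here is an added checker (example code, not from the original article) that applies them to a candidate password: minimum length of 15, at least three character classes, no common password, no dictionary word even after undoing leetspeak substitutions (so D00R8377 is caught alongside DOORBELL), and no keyboard path such as qwerty. The word lists are constructed stand-ins for a cracker's dictionary and the yearly "most popular passwords" list.

```python
import itertools
import string

# Rules from the tips above; word lists are constructed stand-ins, not real cracker data.
MIN_LENGTH = 15
DICTIONARY = {"password", "doorbell", "login", "humpty", "welcome"}
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "login"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Usual leetspeak substitutions; ambiguous ones (1 -> i/l, 7 -> t/l) give several readings.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "tl",
        "8": "b", "@": "a", "$": "s", "!": "i"}


def unleet_candidates(pw, limit=256):
    """Every plausible plain-text reading of pw, capped so long inputs cannot blow up."""
    options = [LEET.get(c, c) for c in pw.lower()]
    return {"".join(c) for c in itertools.islice(itertools.product(*options), limit)}


def has_keyboard_path(pw, run=4):
    """True if pw holds `run` adjacent keys of one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def char_classes(pw):
    """How many of lower, upper, digit and symbol classes pw uses."""
    return sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)))


def check_password(pw):
    """Return the rules pw breaks; an empty list means it passes all of them."""
    cands = unleet_candidates(pw) | {pw.lower()}
    problems = []
    if cands & COMMON_PASSWORDS:
        problems.append("common password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < 3:
        problems.append("fewer than three character classes")
    if any(word in cand for cand in cands for word in DICTIONARY):
        problems.append("dictionary word (even with leetspeak substitutions)")
    if has_keyboard_path(pw):
        problems.append("keyboard path such as qwerty or 1234")
    return problems
```

Run against the article's own examples, the three passphrase-derived passwords and the 21-character Lake Street one pass cleanly, while DOORBELL and D00R8377 both fail the dictionary rule.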
Here are some of the best password managers:
The free version of Dashlane is a capable password manager for a single device, capable of storing logins for up to 50 accounts in a secure vault with multi-factor authentication. Like LastPass, it can do much more than just fill in passwords for you; it can also store all kinds of information and fill out forms with delivery addresses and contact details automatically.
So far so good, but Dashlane's premium service is even more impressive. Not only does it let you synchronize all your passwords across all your devices (both desktop and mobile), it also monitors the dark web for data breaches and sends you personalized alerts if any of your stored details appear in a batch of stolen data.
There's secure file storage too (ideal for scanned ID documents, insurance policies and receipts) and even a VPN for browsing the web more securely via Wi-Fi hotspots.
Unsurprisingly, all of this comes at a price, and Dashlane's premium plan is one of the most expensive options around, but the extra services (plus remote account access and priority support) do justify the cost.
The free version of LastPass is superb, but premium accounts are very reasonably priced and offer an extremely useful extra feature: the ability to log into apps on your phone. Very few password managers offer this, and it could prove invaluable if you ever lose your phone, preventing people from accessing your emails and social media.
LastPass is easy to use, super secure, packed with features, and offers both free and premium tiers so you can choose the option that suits you best.
All data is stored using AES-256 encryption with PBKDF2 SHA-256 and salted hashes to keep it secure, and it's not limited to passwords either. You can also store credit card details and delivery addresses so they can be entered automatically when you're shopping online, plus encrypted notes, details of insurance policies and much more besides.
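What "PBKDF2 SHA-256 with salted hashes" buys you is shown by the following added example, which is an assumed, simplified scheme and not LastPass's own code: the master password and a per-user random salt are stretched with PBKDF2-HMAC-SHA256 into a 256-bit key (the one that would encrypt the vault with AES-256), and a separate login hash is derived from it so the server can check the master password without ever holding the vault key. The iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Assumed, simplified scheme (not LastPass's actual implementation): PBKDF2-HMAC-SHA256
# stretches master password + per-user salt into the vault key; one more PBKDF2 round
# turns that key into a login hash the server may store. Only the login hash leaves
# the device, so a stolen server database yields neither key nor master password cheaply.
ITERATIONS = 600_000  # assumed value; real products choose their own round count


def new_user_salt():
    """A fresh random 16-byte salt per user, so equal master passwords never produce equal hashes."""
    return os.urandom(16)


def derive_vault_keys(master_password, salt, iterations=ITERATIONS):
    """Return (vault_key, login_hash), both 32 bytes; only login_hash is meant to leave the device."""
    pw = master_password.encode("utf-8")
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    # Second derivation keyed by the vault key: cheap, but not reversible to vault_key.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1, dklen=32)
    return vault_key, login_hash


def verify_master_password(candidate, salt, stored_login_hash, iterations=ITERATIONS):
    """What the server side would do at login: recompute and compare in constant time."""
    _, login_hash = derive_vault_keys(candidate, salt, iterations)
    return hmac.compare_digest(login_hash, stored_login_hash)
```

The iteration count is what makes offline guessing slow: every candidate master password an attacker tries costs them the same 600,000 rounds it costs you once at unlock.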
One of the best features is its support for multi-factor authentication, which helps protect you from phishing attempts by requiring an additional form of authorization to log into your accounts, such as a code generated by a mobile app or a fingerprint scan. Although it's becoming more widespread, not all sites and services offer this yet, so having all your logins secured in a vault that's protected this way is a real boon.
Keeper Password Manager
There's no free version of Keeper Password Manager, but you can try it for 30 days before deciding whether to commit to a subscription.
As you'd expect from a purely premium product, Keeper is one of the most sophisticated password managers around. Not only does it offer plugins for every major browser, plus mobile apps for iOS and Android, it's also available as a desktop app for Windows, macOS and Linux. There's support for biometric authentication on mobile devices too, and it syncs your data across an unlimited number of devices.
Like the paid-for version of Dashlane, Keeper will warn you if any of your passwords appear in a data breach. It will also alert you if any of your passwords are particularly weak, or have been re-used, and help you create strong replacements.
There's an excellent family plan as well. This not only protects the login details of everyone in your household, it also lets you share files securely between one another and offers an encrypted messaging tool that's a solid alternative to WhatsApp if you'd prefer to avoid Facebook products.
Features packed into this excellent password management tool include a strong password generator, username and password storage, secure sharing, and an intuitive user interface. It even includes a built-in “watchtower” service designed to notify you of ongoing website breaches.
The software’s digital wallet securely saves everything from logins and credit card information to sticky notes and network passwords. The developers are so confident in this tool’s security that they offered a $100,000 prize for anyone who could break it.
1Password’s biggest drawback is the lack of a free version. The subscription not only lets you keep everything synced locally, but also syncs your information between computers via Dropbox, iCloud, or another convenient method.
NordPass is a very capable password manager with browser plugins for Chrome, Firefox, Edge, and Opera, as well as desktop apps for Windows, macOS, and Linux, plus iOS and Android mobile apps.
As well as storing encrypted passwords, NordPass can also suggest strong passwords and offers to securely store credit card and banking details for faster checkouts on ecommerce websites.
With the premium edition, you can then sync this information across up to 6 devices per licence. The free version only allows one, but you get to try out other premium features for a week.
Another positive is that there is no limit on the number of passwords you can save, unlike some others that have restrictions. However, one limitation is that it won't autofill forms with details such as your name, address and email, as some other password managers do.
Overall, though, NordPass is a very capable password manager that does a little more than would be expected, and though the missing autofill is annoying, it is apparently in development for a future release.
The free version is superb, providing you with a secure vault for your logins (though you also have the option of only storing your data on your device if you prefer), an auditing tool to help you identify weak or duplicated passwords, and a password generator for replacing them with strong, unguessable combinations of numbers, letters and special characters.
RoboForm is another versatile password manager, with plugins for all the major browsers and mobile apps for both iOS and Android.
Unlike LastPass, the free version of RoboForm doesn't sync your passwords across multiple devices. For that you'll need a premium subscription, but prices are very reasonable. You'll also get a host of other useful features, including the ability to share logins securely, multi-factor authentication, and priority 24/7 support.