Password management is quickly evolving toward biometric and two-factor authentication. I unlock my smartphone with my (biometric) fingerprint or a personally known pattern. Biometrics are certainly personal and convenient, but unlike a password a fingerprint cannot be changed once it has been copied, so it is best used as one factor alongside a strong password rather than as a replacement for it.
However, I haven’t changed my ATM 4-digit code in a decade! Why? The strongest everyday protection combines something you have with something you know. If a thief has your ATM card but doesn’t know your code, the card is useless; if a thief reads your code over your shoulder but doesn’t have your card, the code is useless.
Therefore, we present the 5-point password checklist:
When a service offers it, turn on login confirmation by phone call or text message, or, better still, by an authenticator app or hardware security key. You know your password; you always have and carry your cell phone. That is what you know plus what you have. Text-message codes are the weakest of these options, because an attacker who takes over your phone number (SIM swapping) receives them too, but they are still far better than a password alone. I have this turned on for my Google account. It works well and flawlessly — just like an ATM card.
Similarly, turn on device verification where it is offered. When Facebook asks whether you want to confirm or verify your devices, do so. You access web services from a handful of devices; register those, and the service will email you when it sees a login from an unrecognized one (such as a new cell phone or laptop).
30-character password…or more
Because of the speed at which computers, and especially GPU-based password crackers, can now test guesses, a six- to eight-character password is no longer useful protection once a site’s password database leaks.
Steer clear of short passwords when creating new ones or updating old ones. Ten to 12 characters is now the minimum, and we suggest between 12 and 30. Thirty characters may seem insane, but consider building a sentence that mixes letters, digits and punctuation to help you remember it. A reasonable example of the form (do not use this one now that it is published): Wakemeupbefore8AMin2016?!
Unique and complex for every account
Swerve as far away as you can from simple or common passwords. Replacing letters with numbers or symbols does not turn a simple password into a complex one: cracking tools apply these substitutions automatically, so P@$$w0Rd falls almost as quickly as password. Simple, common combinations are the easiest to crack.
So when building a sentence out of characters, make it as random as possible. Quotes, inside jokes, song lyrics and personal information can make it memorable, but a well-known quote or lyric on its own is already in attackers’ word lists, so combine or alter the pieces until the result is unique to you.
Lastly, do not use the same password for more than one account. This is the most insecure thing you can do with an otherwise very good password: if one site is breached, attackers try the leaked password on every other service (credential stuffing), and the rest of your accounts are immediately vulnerable.
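The two points above, that short passwords fall to brute force and that letter-for-symbol substitutions do not help, are easy to see in code. The following checker is an added example written for this article, not a tool the article recommends: it undoes the common substitutions exactly as a cracking rule set would before looking the result up in a word list, and it estimates how long an exhaustive search would take. The word list here is a tiny constructed stand-in for a real leaked-password dictionary, and the guess rate of 1e11 per second is an assumed figure for a GPU rig attacking a fast, unsalted hash.

```python
import math
import re

# Constructed mini word list standing in for a real cracking dictionary
# (assumption: a real check uses a leaked list with millions of entries).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "monkey", "dragon", "football", "wakemeup",
}

# Substitutions that cracking rule sets try automatically ("leet speak").
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "|": "l",
})


def candidates(password: str):
    """Yield the base words an attacker's rules would derive from a password."""
    base = password.lower()
    yield base                                  # as typed, case-folded
    yield base.translate(LEET_MAP)              # P@$$w0Rd -> password
    stripped = re.sub(r"[^a-z]+$", "", base)    # Password123! -> password
    yield stripped.translate(LEET_MAP)


def is_common(password: str) -> bool:
    """True if any de-obfuscated form of the password is in the word list."""
    return any(c in COMMON_PASSWORDS for c in candidates(password))


def charset_size(password: str) -> int:
    """Size of the smallest character set an attacker must brute-force."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_years(password: str, guesses_per_second: float = 1e11) -> float:
    """Years to exhaust the keyspace at the assumed guess rate.

    This is an upper bound: a dictionary or rule-based attack finds
    common passwords long before the keyspace is exhausted.
    """
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def assess(password: str) -> dict:
    """Apply the checklist: not common, then at least 12 characters."""
    common = is_common(password)
    if common:
        verdict = "common: cracked instantly by a dictionary rule set"
    elif len(password) < 12:
        verdict = "too short"
    else:
        verdict = "acceptable length"
    return {
        "length": len(password),
        "common": common,
        "brute_force_years": brute_force_years(password),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ["P@$$w0Rd", "Password123!", "abc12345", "Wakemeupbefore8AMin2016?!"]:
        print(pw, assess(pw))
```

Note that the brute-force estimate for the 25-character sentence is astronomically large while P@$$w0Rd is flagged before any brute force is attempted; length and uniqueness, not symbol substitution, are what separate the two.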
Phishing for and changing passwords
It is unnecessary to change your password every three or six months. Instead, check that your existing passwords are unique, long and complex. If the site has not been breached and the password is strong, there is no need to change it; do change it promptly when a service announces a breach or you suspect the password has been exposed.
Never email your personal information, including passwords, to anyone, even a trusted source. These phishing expeditions cast for unsuspecting victims who will hand over the keys to their kingdom. If you receive such a request, phone or email your known and trusted contact using the details you already have, not those in the message, to confirm it. Make any changes directly on the known and trusted web site, reached by typing its address or using your own bookmark rather than a link in the message.
Manage your passwords
There are several programs that manage all of your different passwords and store them encrypted behind a single master password. This lets you use a different strong, difficult password for every account while remembering only the one master password for the program. Don’t carry your written passwords with you or post them on your desk at work! Do write down your single password-manager master password and keep it in an obscure location at home.
Each password manager is a little different from the next, and there are free ones too. This article from LifeHacker provides a helpful comparison of several popular password managers, including LastPass, RoboForm and KeePass.
I personally use LastPass and pay the whopping $1 per month to sync to my cell phone and share common passwords with others. Out on the road and need to dig out a password to an obscure account on your cell phone? No problem, LastPass is synced.
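The generator below is an added illustration, not code from LastPass or any other product named here, of what a password manager does when it offers to create a password for you: it draws from a cryptographically secure random source (`secrets`, never `random`) and reports the entropy of the result. The 16-word list is a constructed stand-in for a diceware-style list of several thousand words; the `ALPHABET` and the 12-character floor follow the checklist above, and the rejection loop that insists on every character class is an assumed policy, not something the article prescribes.

```python
import math
import secrets
import string

# Constructed mini word list standing in for a diceware-style list
# (assumption: a real list has ~7776 words, giving ~12.9 bits per word;
# this 16-word list gives exactly 4 bits per word).
WORDS = [
    "ember", "walrus", "cobalt", "lantern", "orbit", "maple", "quartz",
    "tundra", "velvet", "zephyr", "canyon", "fjord", "glacier", "harbor",
    "ivory", "jasper",
]

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # the article's floor; 12-30 recommended


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `pool_size` symbols."""
    return picks * math.log2(pool_size)


def random_password(length: int = 20) -> str:
    """Random-character password for storage in a manager, not for memorising.

    Regenerates until every character class is present (assumed policy);
    the rejection costs a fraction of a bit of entropy at these lengths.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"{MIN_LENGTH} characters is the floor")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw)
                and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def random_passphrase(words: int = 6, sep: str = "-") -> str:
    """Word-based passphrase: easier to type on a phone, entropy from word count."""
    return sep.join(secrets.choice(WORDS) for _ in range(words))


if __name__ == "__main__":
    pw = random_password(20)
    print(pw, f"~{entropy_bits(len(ALPHABET), 20):.1f} bits")
    phrase = random_passphrase(6)
    print(phrase, f"{entropy_bits(len(WORDS), 6):.1f} bits (with this tiny list)")
```

A 20-character password from a 94-symbol alphabet carries about 131 bits of entropy, far beyond anything brute force can reach; six words from this toy list carry only 24 bits, which is why passphrase generators need large word lists.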
Remember that when creating the master password for the program, make sure any security question or recovery answer is not something simple like “your mother’s maiden name,” which is often a matter of public record and can make a great password useless. Treat recovery answers like passwords: use an answer only you know, and keep it somewhere safe, such as with your written master password.
It’s worth the effort to use a password manager and two-factor authentication when possible, while creating long, unique and complex passwords, to secure your personal identity and information online.