
Password Advice For Everyone

berzerk0 edited this page Apr 7, 2018 · 3 revisions

Make your passwords secure, and keep them that way!

Do you know how to create a secure password?

  • Did you know that many people use the same passwords and a savvy guesser goes for these first?
  • Do you know that password length can be the easiest way to be more secure?

Do you re-use passwords across multiple accounts?

  • DO NOT RE-USE PASSWORDS ACROSS ACCOUNTS. Full stop. Don't do it.
  • Seriously.
  • Password conventions can help you remember as many unique passwords as you want. I'll tell you how to set one up.

Do you know about 2-Factor Authentication?

  • In some cases, it can keep you safe even if your password is compromised.

Take These Small Steps to Vastly Increase Your Password Security

Even if you have no reason to think you have been compromised

  1. TURN ON TWO-FACTOR AUTHENTICATION
  2. Change Your LinkedIn Password - Why?
  3. Consider signing up at https://haveibeenpwned.com/ to be alerted if your info gets leaked.
  4. Consider running your information through Hacked-Emails
  5. If you are guilty of password reuse - stop it. Change those passwords, as soon as possible.

Two-factor authentication adds another step to your security. If someone (including you) wants to log in to an account from a new device, the service generates a confirmation code that lasts only a few minutes and that only you have access to. Either way, you will know if someone is trying to log on to your account from a device you haven't used with it before.

Go to https://www.turnon2fa.com/ and follow instructions for all the platforms you wish.

You might wish to change all your passwords to more unique, secure ones. I wouldn't necessarily call that a small step, though. If you have been reusing passwords across different accounts, however, CHANGE THEM ALL.

Properties of A Good Password - The Short Version

If you'd like to see the longer version of how to create a good password, check out the post containing data from the Probable Wordlists: Actionable Password Advice Based on the Probable Wordlists.

Password Length Is Most Important

The common minimum for password length is 8 characters; I recommend a minimum length of 12.

One way to break passwords is brute force: there are a lot of character combinations, and the attacker just tries each one. Depending on length, this can take a very small or ASTRONOMICALLY ENORMOUS period of time. The time it would take an average computer to try all combinations of 16 letters and numbers is 44 Million Years.

Character Diversity

The majority of passwords in leak files today use only letters and numbers. Buck this trend to make your password obscenely less likely to be brute forced. The time it would take an average 2018 computer to generate all combinations of 16 letters, numbers and symbols is about 9 times larger than the current age of the universe.
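To see how the two levers above (length and character diversity) actually scale, here is a small calculator. It is an added example, not code from this wiki or from the Probable-Wordlists project. The guess rate it uses is an assumption chosen only for illustration; the "44 Million Years" and "9 times the age of the universe" figures above were computed by the author at their own rate, so the years this script prints will differ, but the ratios between rows (which is the point) do not depend on the rate at all.

```python
import math
import string

# ASSUMPTION (not from the page): an illustrative guess rate. It only moves
# the absolute years; the ratios between rows are independent of it.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Alphabet sizes built from Python's string constants (punctuation has 32 symbols).
CHARSET_SIZES = {
    "digits only": len(string.digits),                                   # 10
    "lowercase letters": len(string.ascii_lowercase),                    # 26
    "letters and digits": len(string.ascii_letters + string.digits),     # 62
    "letters, digits and symbols": len(
        string.ascii_letters + string.digits + string.punctuation),      # 94
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; on average the right one turns up at about half this."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def length_for_bits(charset_size: int, target_bits: float) -> int:
    """Shortest length that reaches `target_bits` of entropy from this character set."""
    return math.ceil(target_bits / math.log2(charset_size))


def report(lengths=(8, 12, 16)) -> None:
    """Print a table of entropy and exhaustion time for each alphabet and length."""
    print(f"{'character set':30} {'len':>3} {'bits':>6} {'years to exhaust':>18}")
    for name, size in CHARSET_SIZES.items():
        for n in lengths:
            print(f"{name:30} {n:3} {entropy_bits(size, n):6.1f} "
                  f"{years_to_exhaust(size, n):18.3e}")
    # Where the two levers meet at length 16: one more letter/digit vs. symbols everywhere.
    one_more_char = keyspace(62, 17) / keyspace(62, 16)
    add_symbols = keyspace(94, 16) / keyspace(62, 16)
    print(f"\nAt length 16, one extra letter/digit multiplies the keyspace by {one_more_char:.0f}x;")
    print(f"allowing symbols in all 16 positions multiplies it by {add_symbols:.0f}x "
          f"(roughly one and a half extra characters' worth).")


if __name__ == "__main__":
    report()
```

Run it and compare the 12-character and 16-character rows: every extra character multiplies the work by the alphabet size, which is why length is the cheapest way to buy a lot of security, while widening the alphabet helps by a fixed factor per position. The `length_for_bits` helper answers the practical question the other way round: how long must a password be, from a given alphabet, to reach a chosen strength.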

Passwords Should NEVER Contain Biographical Information Or Anything Easily Found Online

Never include the name of your hometown, High School, pets, etc. in your passwords.

Why would a cracker brute force from all possibilities when instead they could harvest common biographical information? My BEWGor Script can generate millions of passwords based on this easily found information. If it can generate that password based on your dog's name and the house number of your childhood home, so can anyone else.
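The three properties in this section (length, character diversity, and no biographical information) can be turned into a simple defensive check that a signup form or an internal password-hygiene script could run. The following is an added example and is not code from this wiki or from the BEWGor tool; the personal details it screens against are constructed sample values, and the leet-speak substitutions it recognises are a small assumed list, not an exhaustive one.

```python
import re

# Common character substitutions an attacker would try when deriving guesses
# from biographical details. ASSUMPTION: a small illustrative table, not a
# complete one; each key maps to the letters it is commonly used to stand for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

# Constructed sample details of the kind the page warns about (hometown,
# high school, pet, house number). A real deployment would take these from
# the user's own profile or from the account's registration data.
PERSONAL_DETAILS = ["Springfield", "Lincoln High", "Rex", "1234"]


def _candidates(ch: str) -> set:
    """Letters a password character may stand for once leet substitutions are undone."""
    ch = ch.lower()
    return {ch} | set(LEET.get(ch, ""))


def contains_token(password: str, token: str) -> bool:
    """True if `token` appears in `password`, ignoring case and leet substitutions."""
    token = token.lower()
    n = len(token)
    for i in range(len(password) - n + 1):
        if all(token[j] in _candidates(password[i + j]) for j in range(n)):
            return True
    return False


def _tokens(detail: str) -> list:
    """Split a detail such as 'Lincoln High' into the forms a guesser would use."""
    words = detail.lower().split()
    forms = {"".join(words)} | {w for w in words if len(w) >= 3}
    return sorted(forms, key=len, reverse=True)


def character_classes(password: str) -> set:
    """Which of the four character classes the password draws from."""
    classes = set()
    if any(c.islower() for c in password):
        classes.add("lowercase")
    if any(c.isupper() for c in password):
        classes.add("uppercase")
    if any(c.isdigit() for c in password):
        classes.add("digits")
    if any(not c.isalnum() for c in password):
        classes.add("symbols")
    return classes


def check_password(password: str, personal_details=PERSONAL_DETAILS,
                   min_length: int = 12, min_classes: int = 3) -> list:
    """Return a list of problems; an empty list means the password passes every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"only {len(password)} characters; use at least {min_length}")
    classes = character_classes(password)
    if len(classes) < min_classes:
        problems.append("uses only " + ", ".join(sorted(classes))
                        + f"; mix at least {min_classes} kinds of character")
    for detail in personal_details:
        for token in _tokens(detail):
            if contains_token(password, token):
                problems.append(f"contains personal detail '{detail}' (as '{token}')")
                break
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains what looks like a four-digit year")
    return problems


if __name__ == "__main__":
    for candidate in ["Spr1ngf13ld!2018", "correct horse battery staple", "k7!Vw-pQ2m#zL9bT"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The leet-aware matcher is what makes the biographical check worth having: `Spr1ngf13ld!2018` is 16 characters and uses all four classes, yet it is rejected, because undoing the substitutions recovers the hometown and the trailing year. Short tokens such as a three-letter pet name will occasionally match by accident inside an unrelated word; for a hygiene check that errs on the side of asking for a different password, that trade-off is acceptable.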

More Password/Identity Security Measures

Beware of Scams!

Scams to steal your information run rampant. You don't need to be an idiot to fall for them, either. These scams are specially designed to fool people, and they work.

Real tech support does not send unsolicited emails or other communications that say you need to change your password and must "click here" to do so. If you are asked to do this, someone is trying to scam you.

If IT or some other qualified entity needs access to your accounts, be careful:

  1. Make sure they are who they say they are. Phone numbers can be spoofed and someone might drop your boss' name, so check with your manager, etc. This alone defeats many scams.
  2. If possible, set a temporary password for the duration of the time access is needed. When done, set the password back, or to something new.

Check For Leaks

Passwords are leaked at an alarming rate. Every day, thousands (if not tens, or hundreds of thousands) of credentials are published online. The odds are that one day, this will happen to you. It might not be due to any fault of yours, but it will happen. Run your email addresses through Hacked-Emails every once in a while to see if your address appears. There is some nuance to your address showing up on a list, however.

Hacked-Emails will show email dumps, even if they aren't paired with passwords. Your email address may already be public information. You might freely distribute it on your business card or website. While you might get an increase in spam, or phishing attempts, your email address being well known usually isn't the end of the world.

Instead of being paired with plaintext passwords, the emails may be paired with password hashes. While not uncrackable, your long, complicated password may stand up to even the most advanced hash cracking attempts.

Even if your password is published in plaintext, it might not be the password to your email itself. You might have used your email address as a username at a website, and the password given belongs only to that website. This is why you aren't reusing passwords.

Change Your Passwords Regularly, But Not TOO Regularly

It's no longer considered good advice to tell people to change their passwords every few months. In practice, this has led to pseudo-reuse: "I'm not going to be able to remember a completely different password! I'll just add a number one at the end of my old one."

It still is wise to change your passwords once in a while, however. If somehow, someone has compromised your full credentials, they might not make this information public. If they dump the information or sell it online, the likelihood that you will be notified of the breach goes up. They might have put a lot of time and effort into cracking a list of credentials that includes yours, and a change of the credentials might render that effort useless.

Use A Password Manager

If you want to go to the next level and have your passwords remembered for you while still being secure, there are password managers. This has the added benefit of protecting you from keystroke capturing software and phishing attempts - which is when they try to trick you into typing a real password into a fake website. Many managers offer Two-Factor authentication, password report cards, password age monitoring and secure password generation. Their use is recommended by Information Security professionals around the world.