09/25/2015
How to Tell if Your Passwords Are Secure (Our Ultimate Guide to Passwords.)
How to go from this... | to this...1 | |
---|---|---|
1without giving up your sanity |
Ah, the password.
Everyone has their own technique for making a password. Most suck.
Today you'll learn how to make passwords that:
- are easy to make
- are easy to remember
- help turn your PC into a steel-reinforced vault
Q. Is there a way to tell if I have a good password?
A. Yes. There are a few online tools, including one at Microsoft to check your password strength.
It's available for free here:
A better one in our view is this one:
The Microsoft one relies largely on the length of your password, which is in our view less important than its complexity.
Q. How do you make a good password?
A. There are a lot of good password tutorials out there. Here are a couple:
Microsoft has a fairly good tutorial here:
It's reasonably good, buuuut if you're interested in an even better way, here's an article from renowned security guru Bruce Schneier:
Here's our own short 3-step version of how to make a secure password:
- Start with a phrase or sentence that means something to you.
- Take the first letter of each word. Leave the punctuation.
- Swap out a letter or two with numbers, leaving everything else:
Here's what it looks like in action:
- That's a winner! A World Series winner for the Cardinals!
- Taw!AWSwftC!
- Taw!AWSw4tC!
First, it's memorable. It's a phrase important to you. Maybe it's a movie quote, like:
"I made him an offer he couldn't refuse."
Whatever the case, since it's important to you, it's memorable.
Second, you have a password that's very hard to guess (or crack.)
Last, it has all of these things:
- upper case
- lower case
- number
- special characters
- +8 characters
...which many passwords these days require.
Q. Now that I've made a good password, can I reuse it?
A. No. No. No. No. Aaaaand... No. Not if it's for anything the least bit important.
Most importantly, neverreusepasswords usedfor your email account(s). Ever.
And, don't store 'emin your browsers "autosave" feature either.
Why?
Reuse a password even once--or have it stolen from your browser's "autosave"--and you risk giving the bad guys access to everything.
Let's say you reuse it at a highlytrusted online merchant, perhaps Target, after all, they'll never get hacked, right?
(Oh, wait, they did, and sadly, millions of credit card numbers and other customer info were exposed.)
If you reuse your password, assume the bad guys will try to login to your email account with the same password they stole from the online store.
Mind you, they're notgoing to be testing email accounts by hand. They don't have time for that.
They have little programs to automatically test passwords. Sure, they're not going to get everyone, nor do they care.
They just need some to work, and they've now turned their initial break-in into even more.
Q. Should I use two-factor authentication?
A. Yes. A loud and thunderous, YES.
Two-factor authentication (sometimes called "2-Step Verification" or TFA) is an easy way to make your account security stronger... even if the bad guys have stolen your username AND password.
It's a bit like needing two different keys to open a safe deposit box. One key you have, one key you have to ask someone else for.
Without both, you can't access the box.
Same goes for the bad guys, if they only have one key (your password), they can't get in without the other key that you have.
Two-factor authentication can put the kibosh on someone breaking into your accounts.
Here's how it works at sites that support two-factor authentication:
- Enter in your username and password like normal.
- Upon seeing your username and password, the site sends a random secret code via text message to your cell phone.
- Enter this code into the site you're logging into.
Without that random secret code, you can't get in.
The other benefit: if someone tries hacking your account, you get text messages with the secret codes, letting you know someone is trying to muck with your account.
Sadly, not enough banks support two-factor authentication, but gmail, zoho, twitter, and a lot of other places do.
The bottom line with TFA: if you can use it, you should.
Here's Google's documentation on two-step verification:
https://www.google.com/landing/2step/
As always we welcome questions by email or phone.