Our posts on password security span the entire period of our (Evans on Marketing) existence. In each case, our goal is for you to build stronger passwords NOW. Today’s post is a MUST READ.
These are some of our prior posts. They are presented in reverse chronological order. Password security is not a new or recent concern!!
- Avoid Risky Password Behavior.
- Managing Passwords Right?
- Be Safe with Online Passwords.
- An Alternative to User IDs and Passwords.
- Hacker-Proof Passwords.
- Is Your PIN Secure?
- Are Your Passwords Strong?
- OK for Employer to Request Your Facebook Password?
Old Rules to Build Stronger Passwords
For years, experts (including us) have stressed these “rules” for strong passwords. Many of them still make sense. Yet, further password security is needed!
Aside: Too few of YOU even use these tips.
Evans on Marketing: Tips for Behaving Safely Online (2012) — “What makes a good password. (a) Don’t use your name or combinations of it. (b) Use at least 6 to 8 characters. (c) Include at least one letter, number, and symbol. (d) Don’t use one password for all accounts. If one is hacked, then … .”
Microsoft: Create a Strong Password (2017) — “Strong passwords help prevent unauthorized people from accessing files, programs, and more. It should be hard to guess or crack. A good password is at least 8 characters. The password doesn’t contain your user name, real name, or firm name. It is quite different from previous passwords. You use uppercase and lowercase letters, numbers, and symbols. It doesn’t contain a complete word.”
Google Account Help: Creating a Strong Password (2017) — “To keep safe, act on these tips. Use a unique password for each important account. Use a mix of letters, numbers, and symbols. Don’t use personal information or common words. Make sure your backup password options are up-to-date and secure.”
Guidry Consulting: How To Create Strong Passwords (2017) — “Strong passwords must be not in use on any other system. They must be changed regularly. The passwords must be 12 characters or more. They must mix upper- and lowercase letters, numbers, and symbols. The passwords must not be common words or proper nouns. And they must not be names of your spouse, kids, pets, or other personal identifiers.”
Why Old Password Rules Aren’t Enough Today
Look at why old password rules are not enough.
Auth0: Don’t Pass on New NIST Password Guidelines (2017) — “The NIST drafted new rules to protect digital identities, published in June 2017. Substantial changes have been made since the National Institute of Standards and Technology’s 2013 report. Many concern passwords. The NIST advises dropping password complexity rules. It suggests new encryption standards. And it wants multi-factor authentication for sensitive information.”
According to Auth0, “Conventional wisdom says password complexity is good. But in reality, complex passwords can do harm. Making users’ lives easier ensures stronger passwords. A big problem for users is remembering passwords. So, they make them simple. And they re-use them. In 2016, Experian found Millennials averaged 40 services registered to one E-mail account, and only five distinct passwords. In response, some firms have required a number, or symbol, or capital letter to make passwords harder to decrypt. BUT, an earlier study found users simply capitalized the first letter and added a “1” or “!” to the end. This made the password no harder to crack. Any [decent] password cracker knows these patterns. When required to use numbers, 70% of users on rockyou.com (which contained user info for social networks) added numbers before or after their password.”
Fortune reports that the creator of many old rules has changed his mind (2017) — “The man responsible for the requirement that passwords include letters, numbers, and special characters is walking back that advice. ‘Much of what I did [for the NIST in 2003], I now regret,’ Bill Burr told the Wall Street Journal. He added that the recommendation led to complicated passwords. A re-write of ‘Special Publication 800-63’ now suggests that users create passwords with long, easy-to-remember phrases. And they should not be forced to change passwords as often.”
MUST READ: NEW Rules to Build Stronger Passwords Now
This section has a synopsis of new password advice. It includes an infographic by Evans on Marketing. It ties together tips from various sources.
XeusHack: Choosing a Strong Password in 2017 (2017) — “Password strength is a measure of password effectiveness to resist guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker would need, on average, to guess correctly. The strength of a password depends on length, complexity, and unpredictability. You must learn how passwords work, how possible attacks to break them work, and how to choose a strong password that won’t break.”
Lifewire: 5 Steps to a Good Password (2017) — “There is no such thing as a perfect password. A committed hacker can crack any password, with the right tools. But if the protection is strong enough, the hacker may become discouraged and give up before the protection fails. We suggest a password with 3 qualities. (1) It is neither a proper noun nor a word in the dictionary. (2) It is complex enough that it resists repetition attacks. (3) It is intuitive enough that you can still remember it.”
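The Auth0 and XeusHack passages above make a quantitative claim: a complexity rule credits “Summer1!” with a large search space, but a cracker that knows the capitalize-first, append-“1”-or-“!” habit only has to search a tiny one, while a long random passphrase is strong even though it contains no symbols. The script below is an added illustration written for this post, not code from any of the sources quoted; the eight-word dictionary, the suffix list, and the 7776-word passphrase list size are constructed assumptions standing in for the full lists a real checker or cracker would use.

```python
import math
import re
from typing import Optional

# Constructed toy word list (an assumption of this example, not data from the post).
# A real checker would load the same large word list a cracking tool ships with.
COMMON_WORDS = ["password", "welcome", "summer", "monkey",
                "dragon", "football", "letmein", "sunshine"]
# Suffixes people bolt on when a rule demands a digit or symbol (the pattern
# Auth0 describes). Also a constructed, deliberately short list.
COMMON_SUFFIXES = ["", "1", "!", "1!", "!1", "12", "123", "2017"]
# Size of a diceware-style passphrase word list (assumed value for the comparison).
PASSPHRASE_LIST_SIZE = 7776


def naive_guesses(pw: str) -> int:
    """Search space a complexity rule credits: every position could be any
    character from the alphabets the password happens to use."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size ** len(pw)


def pattern_guesses(pw: str) -> Optional[int]:
    """Search space a cracker needs if the password is just
    <dictionary word> [+ capitalised first letter] [+ common suffix].
    Returns None when the password does not fit that pattern."""
    for suffix in COMMON_SUFFIXES:
        if suffix and not pw.endswith(suffix):
            continue
        base = pw[:len(pw) - len(suffix)] if suffix else pw
        # Accept the word as-is or with only its first letter capitalised.
        if base.lower() in COMMON_WORDS and base in (base.lower(), base.capitalize()):
            return len(COMMON_WORDS) * 2 * len(COMMON_SUFFIXES)
    return None


def effective_guesses(pw: str) -> int:
    """Worst case for the defender: the smaller of the two search spaces."""
    patterned = pattern_guesses(pw)
    return patterned if patterned is not None else naive_guesses(pw)


def passphrase_guesses(n_words: int, list_size: int = PASSPHRASE_LIST_SIZE) -> int:
    """Search space of n words chosen at random from a public word list."""
    return list_size ** n_words


def bits(guesses: int) -> float:
    """Express a search space as bits of entropy."""
    return math.log2(guesses)


def average_trials(guesses: int) -> float:
    """Trials an attacker needs on average: half the search space."""
    return guesses / 2


if __name__ == "__main__":
    for pw in ["Summer1!", "SUMMER1!", "tangerine-viaduct-lantern-orbit"]:
        print(f"{pw:32} rule credits {bits(naive_guesses(pw)):5.1f} bits, "
              f"cracker needs {bits(effective_guesses(pw)):5.1f} bits")
    print(f"4 random words from {PASSPHRASE_LIST_SIZE}: "
          f"{bits(passphrase_guesses(4)):.1f} bits, "
          f"{average_trials(passphrase_guesses(4)):.3g} trials on average")
```

Run as-is it shows “Summer1!” credited with about 52.6 bits by the charset rule but only 7 bits once the decoration pattern is known, whereas four random words from a 7776-word list give about 51.7 bits with no symbols at all. The eight-word dictionary makes the gap look small; with a realistic word list the patterned search space grows by the list size, while the passphrase space grows by the fourth power of it, which is the point the new NIST advice rests on.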
MUST READ: Using a Password Manager
What is a password manager? Why should we use one as our best line of defense?
Webroot gives a good overview on this topic:
“How can we create and remember so many unique passwords? The best solution today is a password manager. It offers both convenience and security. Password managers come as lightweight plugins for Web browsers such as Google Chrome or Mozilla Firefox. First passwords are saved in an encrypted database. Second, your credentials are automatically filled in.”
“The major benefit of a password manager is that you need to remember a single master password. This allows you to use unique, strong passwords chosen for each of your online accounts. Just remember one strong password. The manager will take care of the rest.”
In alphabetical order, these are four popular password managers. NOTE: Both LastPass and KeePass have free versions!
19 Replies to “Must Read!! Build Stronger Passwords NOW.”
I should take these tips into account because most of my passwords are the same, if not all. I find it very accurate that usually we add a 1 or ! if a password asks for a number and a special character, which isn’t too effective at all. A minimum of 16 letters for a password seems a little too much but I guess it is worth it in order to secure my safety. The song idea password tip seems ideal for me! The top secret tip seems obvious but unfortunately a lot of us give out passwords to friends/family and don’t think of the consequences of it.
At least 22 characters are now recommended
Password security is a pervasive issue that is rarely spoken about. For how many times a day we type a password, we’re disinterested in learning more about how to build effective passwords or keeping up to date with current knowledge on the topic. For example, I’ve never heard of a password manager, but learning more I understand the value of encryption and the convenience of the single strong password method. In addition, I shared on my own social media the WSJ article from this August about Bill Burr’s admission that his now-common-knowledge tips on creating safe passwords were incorrect – and that there are more valuable rules to be following. The article got very little attention in my social circle on Facebook – yet the issue affects every single person that scrolled past it. Why can’t these important topics grab our attention? Are we so overwhelmed with information on what we should and shouldn’t do on the Internet that we just don’t care about it anymore? What could we be doing to get important Internet safety information out to people?
For many of us, we do not think twice when we use the same password for every account we may have; it is easier to remember. In today’s society our accounts are all connected, so choosing our passwords should be taken seriously. However, for many, myself included, I choose the easiest thing to remember. I am used to using 8 characters and one number; I should probably change all of my accounts after learning this.
Look at a password manager
I have a strong password, but to be honest, I am the one who uses the same password for all accounts. The reason is convenience. It is really annoying to remember so many passwords. I think I need to download a password manager.
I have been a victim of using convenient/easy passwords and use the same one, if not similar to it, for all my accounts. I usually do the bare minimum when making a password and should start taking these tips into account such as having more characters for my passwords. The password manager sounds very useful when making very long unique passwords if you have difficulty remembering them as the idea is to remember one single master password.
When I first started making online accounts around ten years ago, I had one password that I used for everything. This contained both my name and my birth year, which apparently made me very susceptible to being hacked. As the years passed, a number of websites forced me to either change my password, or create a more complex one. Currently, I have about 3 or 4 different passwords which I use for any online account that I make. As someone who’s never been hacked or compromised online, the stress placed on long passwords seems like a moot point to me, even though I understand the reasoning.
Try a password manager
I, along with others, use passwords every day. Clearly, today with many cybercrimes and attacks, passwords play a crucial role. It is interesting to see how new suggestions have been provided in 2017. I think the idea of not setting a word in the dictionary is important. In this case, an algorithm can’t search the dictionary for a potential password because it won’t be there.
Try a password manager. 🙂
Today, passwords for e-mails, social media accounts, school websites and much more are basically the key into somebody’s entire life. We don’t realize how much a simple word, number, sentence, or word combination means and how if we aren’t careful enough, how much it can ruin. I use the same two passwords for almost all of my accounts. Today, I see a lot of websites requiring numbers, letters, capitalization, and special characters. I used to easily get annoyed because I couldn’t remember how many exclamation points I added to which password, but realized that this is protecting my identity. It can be very difficult to keep track of so many passwords, however, this is crucial to our safety.
Use a password manager. 🙂
I feel like most people these days are more concerned with creating a password that is easy to remember and/or similar to a password that we have for another website; rather than choosing a password that will secure your account without risk of getting hacked. Personally, I use the same 2-3 passwords for most of my accounts but it would be smart for me to change them. It is definitely a good idea for websites to require you to make more complex passwords.
Use a password manager 🙂
My passwords have evolved over the years. There are about three or four key passwords with multiple variations of the four. My aunt likes to create ones with random numbers and letters and I can’t understand why. Yes, no one will be able to hack into her account, but it is difficult for even her to get into the account. My head can only store so much information. The process to change some passwords when forgotten can be very daunting as well. I was locked out of some important accounts for extended periods of time due in part to forgotten passwords.
Try a password manager
I actually hate making so many different passwords because it gets annoying having to memorize all of them. But this is a big privacy matter that I should take into consideration. There are passwords for literally anything, whether it is on your phone, computer, or even TV. I can’t imagine what is going to require a password in the future.