There really is a day for everything and today it’s World Password Day! With the beautiful weather we’ve been having lately you’re probably thinking about cleaning, gardening, and all of the other renewal-driven projects that this time of year brings. Though we’d rather be outside, spending a few minutes to “spring clean” your digital security is well worth it.
This is also a good time to remind yourself to be on the lookout for fraud – I’ve received email scams recently related to the Canada Revenue Agency and tax time. Stay alert, and don’t fall for it!
According to the annual fraud survey commissioned by the Chartered Professional Accountants of Canada, “more than seven-in-ten (71 per cent) of those surveyed agreed that they are concerned about identity theft.” Almost four in ten respondents fear their personal information has already been compromised! Protecting your personal information is important, but with so much of our lives online now, it can be difficult.
Strong passwords (and password hints, security questions, etc.) and good password management practices are critical for protecting yourself. Unfortunately, too many people simply don’t pay enough attention to this. It doesn’t have to be difficult or time consuming to make some simple changes that will really make a difference.
Here are my tips!
Use strong passwords and change them semi-regularly
According to Troy Hunt, a security expert who built and operates Have I Been Pwned (more on that in a minute), most passwords are terrible. “In other words, 86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.” The top ten includes passwords like “123456”, “qwerty”, and the ever-popular “password”.
Don’t use those passwords! Instead, generate a unique, strong password for every account you use. There are plenty of tools to help you generate passwords that are strong and that match the varied requirements that different sites have (like length, special characters, etc.). Here’s the one I use from LastPass.
It’s important to use a different password for each account. That way, if one site is compromised, the attacker can’t replay your credentials against other sites (the automated form of this is called credential stuffing). Changing passwords once or twice a year does no harm, but it matters far less than keeping them unique and long; current guidance (NIST SP 800-63B) no longer calls for forced periodic changes, because people tend to respond with predictable variations of the old password. What you should always do is change a password right away when a service you use has been breached or the password turns up in a leak.
Get a password manager
With a different, randomly generated password for each account, how do you remember them all? You can’t. This is where a password manager comes in! Think of it like a digital vault in which you store all of your account credentials. Then instead of remembering each one, you only need to remember the master key that you use to get into the vault.
There are a number of good password managers out there like 1Password, Dashlane, and Passpack. I use and recommend LastPass. All of them provide tools to generate strong passwords, encrypt and store them, offer browser extensions and mobile apps to make logging in easier, and typically provide ways to securely share passwords with others. One of the cool features LastPass offers is Security Challenge, which analyzes your passwords and gives you a score along with step-by-step instructions on how to improve your passwords.
While there are pros and cons to each service and their various philosophical approaches to storing your data, I don’t think you should spend too much time worrying about that. You can get a more secure solution if you’re willing to do some work and give up some convenience, but if it becomes too cumbersome to use, then what’s the point?
Use a passphrase for your password manager
With a password manager you only need to remember one password: the one to get into the password manager! So you should make it as strong as you can. One way to do that, while still ensuring it is memorable and easy to type, is to use a passphrase instead. Whereas a password is a random mix of letters, numbers, and symbols, a passphrase is a string of several randomly chosen words. Its strength comes from the number of words and the size of the list they were drawn from, not from special characters (though it can still include them).
So a passphrase might look like: “trusted walrus shows off 500 petty limes”. I generated that using this Passphrase Generator, but there are plenty of other tools you can use (don’t use that exact phrase, of course; it has now been published). The key is to let the tool pick the words at random rather than choosing them yourself. Song lyrics, quotes, and sentences you make up are in every cracking wordlist; random nonsense is not. You can also run a passphrase through the Pwned Passwords tool to see if it has ever been exposed in a data breach; the check sends only the first few characters of the passphrase’s hash, never the passphrase itself.
Don’t use real answers for security questions
So now you have strong passwords and a password manager to help you organize them. The front door to your digital home is secure, but what about the back door or the side doors? Many sites will require you to set some security questions in case you forget your password or sometimes to confirm you are who you say you are when logging in from a new location. Don’t answer them!
Well, don’t answer them factually. Instead, generate a new random response for each question and store them in your password manager! This way, if an attacker figures out your mother’s maiden name or your favorite school teacher or your first car, the information won’t help them break into your accounts.
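The three kinds of secret this post says to generate rather than invent (a site password that satisfies character-class rules, a random-word passphrase for the manager, and a nonsense answer for a security question) all come from the same source: a cryptographic random number generator. The following is an added example, not code from the original post or from any of the password managers it names; the 32-word list is constructed for illustration, and the entropy figures assume a real list the size of the EFF long wordlist (7,776 words).

```python
import math
import secrets
import string
from typing import List, Tuple

# Constructed 32-word list for this example only. A real generator draws from a
# much larger list, e.g. the EFF long list with 7,776 words.
WORDLIST = [
    "walrus", "petty", "lime", "trusted", "shows", "anchor", "bishop", "cactus",
    "dwarf", "ember", "fable", "gizmo", "harbor", "igloo", "jigsaw", "kettle",
    "lantern", "mantis", "nickel", "oyster", "parrot", "quartz", "ribbon", "saddle",
    "tundra", "umpire", "velvet", "wicket", "xenon", "yodel", "zephyr", "copper",
]
EFF_LONG_LIST_SIZE = 7776

# The usual "must contain lower, upper, digit and symbol" site rule.
DEFAULT_CLASSES: Tuple[str, ...] = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation,
)


def generate_passphrase(n_words: int = 6, wordlist: List[str] = WORDLIST,
                        sep: str = " ") -> str:
    """Pick n_words uniformly at random (with replacement) from the OS CSPRNG.
    random.choice would be the wrong tool: it is not designed for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of a randomly generated passphrase: log2(list size) bits per word."""
    return n_words * math.log2(wordlist_size)


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Random password guaranteed to contain at least one character from every
    required class, then shuffled so the class positions are not predictable."""
    if length < len(classes):
        raise ValueError("length too short for the required character classes")
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # secrets has no shuffle, so do a Fisher-Yates shuffle with secrets.randbelow.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_classes(password: str, classes=DEFAULT_CLASSES) -> bool:
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in classes)


def random_answer(length: int = 24) -> str:
    """Fake security-question answer: random letters and digits, to be stored in
    the password manager next to the account it belongs to."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("site password:", generate_password())
    print("manager passphrase:", generate_passphrase())
    print("bits for 6 words from the EFF list: %.1f"
          % passphrase_entropy_bits(6, EFF_LONG_LIST_SIZE))
    print("mother's maiden name:", random_answer())
```

Six words from a 7,776-word list give about 77.5 bits, which is why a passphrase built this way is both easier to type than a 12-character symbol salad and stronger; the same arithmetic shows why a 32-word list (30 bits for six words) is only fit for demonstration.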
Turn on multi-factor authentication
Another thing you can do to improve your online security is to use multi-factor or two-factor authentication wherever possible. This means that in addition to your username and password you need another piece of information to log in, usually a short code generated by an app on your phone or sent to you by text message. Most of the big sites like Facebook and Google support this, and it only takes a few minutes to enable. If you have the option of using SMS or an app, go with the app: text messages can be redirected by an attacker who talks your carrier into moving your number to their SIM, whereas an authenticator app computes the code on your phone from a secret that never crosses the phone network. I recommend the Microsoft Authenticator app which you can download for Android, iOS, and Windows Phone.
You can see a full list of websites that support two-factor authentication here. If nothing else, turn this on for your email accounts (Gmail, Outlook, etc.) and Facebook or any other site you often use to login to other sites. Of course, you should also enable this for your password manager!
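To show what the “generated code” in an authenticator app actually is, here is an added example (not from the original post, and not Microsoft Authenticator’s or any site’s own code) of the standard time-based one-time password algorithm, RFC 6238, which Google, Facebook, Microsoft and most other sites use: the server and your phone share a secret (the QR code you scanned), and the six-digit code is an HMAC of the current 30-second time slot. The secret below is the published RFC 4226/6238 test key, used only so the results are checkable; a real secret is random.

```python
import base64
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# A real authenticator secret is random and arrives as base32 in the QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret from an otpauth:// URI; apps often omit '=' padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC-based one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = unix time // step.
    This is exactly what the app on your phone computes every 30 seconds."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps to
    tolerate clock drift, comparing in constant time so response timing does
    not leak which digits matched."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    ok = False
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset, digits), code):
            ok = True
    return ok


if __name__ == "__main__":
    print("code for the RFC test secret right now:", totp(RFC_TEST_SECRET))
    print("code at t=59 (RFC 6238 vector 287082):", totp(RFC_TEST_SECRET, 59))
```

Two things follow from the code: a stolen code is worthless once its time slot and the drift window have passed, and the secret itself is the crown jewel, so a site that lets you print backup codes or view the secret is one you should protect with your password manager too.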
Get educated and stay informed
Once you have done the above, stay informed. It doesn’t have to be all boring technical stuff, a lot of great information has been made available that is much more accessible. Here are some suggestions:
- TED Talks, like this one: What’s wrong with your pa$$w0rd?
- Websites like Lock Down Your Login
- Blogs like Troy Hunt’s on security
- Podcasts like Smashing Security – here is their World Password Day episode!
- Tools like Have I Been Pwned which can tell you if you have an account that has been compromised in a data breach
That’s it! Happy World Password Day – stay safe!