I am a very sharing kind of guy and firmly believe that sharing is caring. I am happy to share absolutely anything and everything, with literally only two exceptions. I am not big on sharing my toothbrush, and I absolutely do not share my passwords under any circumstances. There are two kinds of password sharing that I am totally against. The first is sharing a password between sites. I make sure every site I have an account on has a totally unique password. This means that my passwords for Facebook, Gmail, Twitter, my bank, etc., have nothing in common. If there is a single character in common, it is a random fluke.
The second type of sharing I am against is sharing passwords with anyone else. No one has any of my passwords, not even my spouse, absolutely no one.
Before you start to ask about “but what about …” I will provide a blanket answer. I am just making the rules and providing guidance. Whether you follow them is on you. I will try to explain the reasons, so you understand the risk. You understand your risk model the best and can best judge if taking that risk is worth it to you. If you need help with your risk model, I have another article on that.
You are probably thinking to yourself, that sounds like a lot of passwords to keep track of, and you would be correct in that thinking. I have several hundred passwords in active use. How do I keep track of all those passwords, you ask? Do I have them all memorized? Absolutely not. I am lucky if I can remember two passwords. I use a password manager to keep track of my passwords.
A password manager is an application that is specifically designed to store passwords securely. Care needs to be taken when choosing one. There are many applications out there that claim to be password managers, and may even operate like one, but are in reality malware designed to harvest all your credentials. Make sure to choose one that fits your needs, is well respected, and has a public track record of security. When looking for a password manager, look for the following:
- Strong encryption of the stored vault, ideally AES-256 or stronger, so that anyone who gets hold of the vault file still cannot read it without your master password
- Multifactor authentication (MFA) on the vault itself. The best ones offer several second-factor options to choose from
- Is the solution monitored for access, data corruption, and operational issues?
- Can you access the password manager anytime and everywhere you need to?
One example to look at is a product called LastPass from LogMeIn.
I know I promised you details behind my recommendations, so here goes. When you use the same password on multiple sites, every site that shares that password is compromised as soon as one of them is. Criminals count on this: they take the username and password pairs leaked from one breach and automatically try them against every other popular site, a technique known as credential stuffing. While maintaining hundreds of passwords is a bit of a pain, it is nowhere near the pain of changing passwords across hundreds of sites when one of those sites has a cyber incident. Also, having data from one site in the hands of cybercriminals is bad enough. Enabling them to access ten sites because they all share the same password is ten times as bad.
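To make the blast radius of a reused password concrete, here is a small audit script, added here as an example and not part of the original article. It runs over a constructed vault export (site, username, password) and answers two questions a practitioner actually wants answered: which passwords are shared between sites, and, if a given site is breached, which other accounts must be rotated immediately. The VAULT data, the `.example` hostnames and the function names are all my own assumptions.

```python
from collections import defaultdict

# Constructed vault export for the example: (site, username, password).
# The entries are deliberately weak and reused to make the point; none are real.
VAULT = [
    ("facebook.com",   "alice", "Fall2020!"),
    ("twitter.com",    "alice", "Fall2020!"),
    ("gmail.com",      "alice", "Fall2020!"),
    ("mybank.example", "alice", "Fall2020!"),
    ("forum.example",  "alice", "hunter2"),
    ("shop.example",   "alice", "hunter2"),
    ("work.example",   "alice", "q7#Vb2!kLm9$Rz4@Xc1&"),   # unique, randomly generated
]


def reuse_groups(vault):
    """Map every password that is used on more than one site to the list of sites sharing it."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Sites (other than the breached one) whose password is now known to whoever
    breached `breached_site`. This is the rotation list after a credential leak.
    A site that appears with a unique password yields an empty set."""
    leaked = {pw for site, _user, pw in vault if site == breached_site}
    return {site for site, _user, pw in vault if pw in leaked and site != breached_site}


if __name__ == "__main__":
    for pw, sites in reuse_groups(VAULT).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for site in ("facebook.com", "work.example"):
        print(f"if {site} is breached, also rotate: {sorted(blast_radius(VAULT, site)) or 'nothing'}")
```

The check keys on the password alone rather than the username and password pair, because stuffing tools try a leaked password against every account name they have for you, not only the exact pair that leaked.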
Another thing regarding password management that is important is choosing a good password. In the past, there was a lot of talk about the complexity of the password being essential. Passwords needed to have an upper case letter, a lower case letter, a number, and a special character. This ended up with everyone choosing something like Fall2020! as their password. This is a horrible password: the season-plus-year-plus-symbol pattern is built into every common cracking rule set, so it can be guessed in a fraction of a second. The US National Institute of Standards and Technology (NIST) has since reversed its earlier advice and changed course in its Digital Identity Guidelines (SP 800-63B), which drop composition rules in favor of a length floor and a check against lists of passwords already exposed in breaches.
Recent research shows that length is the most important aspect of a password, because every added character multiplies the number of guesses an attacker has to make. Do not think of a password as a single word, instead as a phrase that is at least 15 characters long. I try to make all my passwords at least 20 characters long. Many password managers also have a password generator function that will generate a random string of characters. This is the most secure option but impossible to remember, which is fine when the manager remembers it for you. Since I am using a password manager, 99% of my passwords are randomly generated and stored in my manager.
For a more memorable phrase, think of a phrase that no one is likely to guess. Avoid the site or app name and well-known aspects of you or your life. It is a plus if it is not grammatically correct or even does not make sense. Something along the lines of “NittingCowDancesMoon!” would be a good password except for the fact that it is published here as an example. It is strong because of its length, and it also satisfies the complexity rules on sites that are still stuck on the old advice. One caveat: attackers crack phrases by combining dictionary words, so a phrase gets its strength from how many words it has and how unrelated they are, not from the character count alone; four unrelated words is a sensible floor. Feel free to experiment with spacing, punctuation, etc. Sites and applications vary greatly in what they allow in a password. The most secure ones have no restriction, except for not allowing short passwords.
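The three paragraphs above make claims about patterns, length and random generation that are easy to put numbers on. The following script is an added example, not code from the original article or from any password manager: it generates a random password with the operating system CSPRNG, estimates the size of the keyspace an attacker has to search for a Fall2020!-style pattern, a multi-word passphrase and a random string, and applies a NIST 800-63B style check (length floor, breached-list lookup, no composition rules). The BREACHED set, the guess rate, the 30-year window in the pattern estimate and the 7776-word (Diceware-sized) dictionary are my own assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a breached-password list; the real ones hold hundreds
# of millions of entries. NIST SP 800-63B says to reject anything found on it.
BREACHED = {"Fall2020!", "Winter2021!", "password", "Password1", "qwerty123"}

MIN_LENGTH = 15                                                          # the article's floor
PRINTABLE = string.ascii_letters + string.digits + string.punctuation    # 94 symbols


def generate_random_password(length=20, alphabet=PRINTABLE):
    """Random password drawn from the OS CSPRNG via `secrets` (never `random`).

    Resamples until every character class present in `alphabet` occurs at least
    once, so the result also passes legacy upper/lower/digit/symbol rules. The
    rejection costs well under one bit of entropy at these lengths.
    """
    classes = [c for c in (string.ascii_lowercase, string.ascii_uppercase,
                           string.digits, string.punctuation)
               if any(ch in alphabet for ch in c)]
    if length < len(classes):
        raise ValueError("length too short to hold one of every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def bits_random(length, alphabet_size=len(PRINTABLE)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def bits_passphrase(word_count, dictionary_size=7776):
    """Entropy of a passphrase whose words are picked uniformly from a wordlist
    (7776 is the size of the Diceware list, an assumption for the example)."""
    return word_count * math.log2(dictionary_size)


def bits_season_year_pattern(seasons=4, years=30, symbols=len(string.punctuation)):
    """Keyspace of the Fall2020! pattern once the attacker assumes the pattern,
    which common cracking rule sets do: season x year x one trailing symbol."""
    return math.log2(seasons * years * symbols)


def seconds_to_exhaust(bits, guesses_per_second=1e9):
    """Worst-case time to try every candidate in a 2**bits keyspace. The default
    rate is an assumed figure for a fast unsalted hash on one GPU rig."""
    return 2 ** bits / guesses_per_second


def check_password(pw, min_length=MIN_LENGTH, breached=BREACHED):
    """NIST-style acceptance check: a length floor and a breached-list lookup,
    and deliberately no composition rules. Returns a list of problems; empty
    means the password is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw in breached:
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    for label, bits in [
        ("Fall2020! (season+year+symbol)", bits_season_year_pattern()),
        ("4-word passphrase",              bits_passphrase(4)),
        ("20 random printable chars",      bits_random(20)),
    ]:
        print(f"{label:32} {bits:6.1f} bits  {seconds_to_exhaust(bits):.3g} s to exhaust")
    print("generated:", generate_random_password(20))
    print("Fall2020! ->", check_password("Fall2020!"))
    print("NittingCowDancesMoon! ->", check_password("NittingCowDancesMoon!"))
```

The pattern estimate is the point of the exercise: Fall2020! has nine characters and ticks every complexity box, yet once the attacker guesses the shape of it the whole keyspace is a few thousand candidates, microseconds of work, while a 20-character random string from the same printable alphabet is about 131 bits and a four-word passphrase about 52. Note that the entropy figures assume the attacker knows how the password was built, which is the conservative and correct way to count.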
That is it for this installment. As always, feel free to reach out if there are questions.