Ah, the password. Probably the only thing we have to protect our accounts and yet we put so little into creating one that will actually do its job.
In this article, we’ll give you 10 password best practices that will help keep your email (and other online accounts) secure, so let’s dig in straight away.
Before we start, remember that the password is not the only email security best practice you should employ to keep it safe.
Take password reuse: according to Finance Online, 44% of workers reuse their passwords across personal and work accounts.
Would you use the same key for your house, your car and every other lock? Of course you wouldn’t, even though carrying a bunch of keys in your pocket is a hassle, just like remembering a bunch of passwords is.
So stop reusing your passwords as well.
According to the United States of P@ssw0rd$ report published by Google and Harris Poll in October 2019, 59% of US adults use a piece of personal information like a name or birthday in their passwords.
This, of course, is another bad habit people have when it comes to passwords and one you should ditch immediately if you’re doing it.
Your children’s name(s), your partner’s or spouse’s name, or your pet’s name are things people naturally love to share. The caveat to sharing such information on social media is that someone with less honest intentions might see it.
For instance, if someone wants to guess your email password and they see that you post a lot of photos of your children, they might come to the conclusion that your children mean so much to you that you might even use their name in a password.
Stop using common passwords like “12345678”, “qwertyuiop”, or “password”!
According to NordPass’s Top 200 Most Common Passwords list, each of these passwords can be cracked in less than a second.
That’s even easier than just telling the attacker the password!
And those are not the only common types of passwords people love to use.
Are you a fan of a sports team like Liverpool and thinking of using their name as a password? Around 500 million had the same idea, according to Cybernews.
Or, is your name Alex and you think that it would be a perfect password? So do 7+ billion other password users.
Look, the only way passwords like these can protect your account is if the hacker is absolutely sure there is no way in hell you would be dumb enough to use them, so don’t be.
So why are you using just one of these character types (capital letters, small letters, numbers or special characters) in your passwords? Because it’s more convenient? So is using only one type when writing, and still you wouldn’t think of doing that.
Your passwords should ideally use all of these (capital letters, small letters, numbers and special characters).
For example, if you’re so keen on using the word “password” as an actual password (we still don’t recommend this), you might mix it up a bit and use something like “P4$$w0rd” instead, which would be at least a little harder to crack.
Another habit to avoid is making only a token change when you update a password. So, for instance, people end up with something like “password1”, “password2”, “password3” and so on.
Hey, technically they haven’t reused the password, but they might as well have.
But let’s say they followed the advice to use every type of character in their password. That’s great. Except that in most cases it will look something like this: “Password#1”.
I mean, look, everything is there. There’s the capital letter “P”, some small letters, a special character “#” and a number “1”. So what’s the problem?
Well, the problem is that most people write this way and it’s highly predictable. That’s not something you want when it comes to passwords at all.
Instead, you want to mix it up a little and make the password look more like this: “p4$$W0rδ”.
The minimum password length most websites accept is 8 characters, but even that is often not enough to protect your account from a determined password cracker.
According to LMG Security penetration testers, any 8-character password can be cracked in less than 8 hours. And that goes for passwords that properly use uppercase, lowercase, symbols and numbers as well.
Now, add just two characters and it takes 8 years to crack such a password. Two more and it’s 77,000 years, and so on.
So, what’s the logical conclusion here?
That the longer the password, the more time it takes to crack it, right?
But there’s a disadvantage to this that you need to consider.
Long passwords are more difficult for hackers to crack, but they’re also more difficult for the user to remember.
So, while a 30-character password, for example, might take I don’t know how many quadrillion years to crack, it will be useless to you if you forget it, so keep your passwords at an optimal 12-16 characters.
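To make the length argument concrete, here is an added example (not from the article or from LMG Security) that computes the brute-force search space for a password from the character classes it uses, following the same uppercase/lowercase/digit/symbol accounting the article describes. The guess rate used in the demo is an assumption for illustration only; the article's 8-hour and 8-year figures come from the testers' own hardware.

```python
import math
import string

# Character classes a verifier can recognise, with the alphabet size an
# attacker must search for each (94 printable ASCII symbols in total).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def charset_size(password: str) -> int:
    """Smallest alphabet an attacker must assume, given the classes used."""
    size = 0
    for alphabet in CLASSES.values():
        if any(c in alphabet for c in password):
            size += len(alphabet)
    # Characters outside those classes (such as the Greek δ above) each
    # widen the alphabet by one; a crude but conservative accounting.
    extras = {c for c in password if not any(c in a for a in CLASSES.values())}
    return size + len(extras)


def search_space(password: str) -> int:
    """Upper bound on the guesses a brute-force attack needs: alphabet ** length."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits, the usual way to compare strengths."""
    return math.log2(search_space(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given (assumed) guess rate."""
    return search_space(password) / guesses_per_second


def growth_factor(password: str, extra_chars: int) -> int:
    """How much larger the search space gets if `extra_chars` are appended."""
    return charset_size(password) ** extra_chars


if __name__ == "__main__":
    # Assumed rate for illustration only, not a figure from the article.
    RATE = 1e10
    for pw in ["P4$$w0rd", "abcdefghijkl", "p4$$W0rδ", "tW7#qL9pZ!vK2mN"]:
        years = seconds_to_exhaust(pw, RATE) / (3600 * 24 * 365)
        print(f"{pw!r:20} len={len(pw):2} alphabet={charset_size(pw):3} "
              f"bits={entropy_bits(pw):5.1f} worst-case years={years:.3g}")
    print("adding 2 chars to an 8-char full-alphabet password multiplies the "
          f"search space by {growth_factor('P4$$w0rd', 2):,}")
```

Two things fall out of the arithmetic. Appending two characters to a password drawn from all 94 printable symbols multiplies the search space by 94² = 8,836, which is the same order as the article's jump from 8 hours to 8 years (a factor of about 8,766). And a 12-character all-lowercase password (26¹² ≈ 9.5 × 10¹⁶) has a larger search space than an 8-character password using all four classes (94⁸ ≈ 6.1 × 10¹⁵), which is why length matters more than forced complexity. The caveat is that these are worst-case brute-force numbers: a predictable password such as “Password#1” falls to a dictionary-plus-rules attack long before its search space is exhausted, which is the point of the previous section.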
One thing you should never share, though, is your password.
And still, that’s something 43% of Americans do, according to the Google/Harris Poll report.
“But I’ve only shared my password with my significant other”, I hear you say. Yes, but would you remember to change the password if you two break up? Because only 11% of those who shared a password with a significant other remembered to do that.
Share a bottle of wine, a nice chocolate cake, or just your time with them, but maybe not your email password, or at least remember to change it if things don’t work out between you two.
Of course, this isn’t the only reason to update your passwords periodically.
Give a hacker enough time and resources and they will eventually crack that password you made 5 years ago.
So, how often should this be?
Well, for a long time, the common advice you’d get would be to change the password every 1-3 months. However, that’s actually counterproductive for your account security.
Why? Well, if you frequently change passwords, there’s also less chance for you to remember them and that might mean that you’ll use weaker passwords.
The NIST (National Institute of Standards and Technology) discourages frequently changing passwords in its recommendations.
Instead, they recommend doing it only if the password might be compromised, saying:
“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
One way to know whether your email or other accounts have been in a data breach is to check Have I Been Pwned. Simply enter your email address and it will tell you whether it has appeared in any known breaches. If it has, change the password.
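The NIST requirement quoted above (from its Digital Identity Guidelines, SP 800-63B) is something a site's verifier has to implement, and Have I Been Pwned exposes a companion service for exactly that, the Pwned Passwords range API, which takes only the first five hex characters of the password's SHA-1 hash so the password itself never leaves the client. The following is an added example, not code from the article, NIST or Have I Been Pwned. It also covers the earlier sections on common passwords and on predictable “P4$$w0rd” / “Password#1” substitutions: the verifier undoes those substitutions before consulting its denylist. The denylist, the sample password “Summer2019!”, the hit count and the two filler suffixes in the range response are all constructed for the demo; the API URL and response format are the real ones.

```python
import hashlib
import re
import urllib.request

# Constructed local denylist built from the common passwords named in this
# article. A production verifier would load a large breach-derived list.
DENYLIST = {"12345678", "qwertyuiop", "password", "liverpool", "alex"}

# The single-character substitutions that make "P4$$w0rd" look different from
# "password" to a human but not to a rule-based cracker.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo predictable tricks: case, a short trailing run of digits/symbols
    ("Password#1", "password2"), then leet substitutions ("p4$$w0rd")."""
    p = password.lower()
    p = re.sub(r"[^a-z]{1,4}$", "", p)
    return p.translate(LEET)


def is_denied(password: str) -> bool:
    """Local check a verifier can run with no network access."""
    return password.lower() in DENYLIST or normalize(password) in DENYLIST


def hibp_parts(password: str) -> tuple:
    """Split SHA-1(password) into the 5-hex-char prefix sent to the Pwned
    Passwords range API and the 35-char suffix kept locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response body ('SUFFIX:COUNT' per line) for our suffix."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0


def hibp_lookup(prefix: str) -> str:
    """Real network lookup (not used by the offline demo below)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response body. The suffix of the sample
# password "Summer2019!" is computed here so it is genuine; the hit count and
# the two filler suffixes are made up.
_, _SAMPLE_SUFFIX = hibp_parts("Summer2019!")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_SAMPLE_SUFFIX}:4242",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])


def offline_lookup(prefix: str) -> str:
    """Offline replacement for hibp_lookup so the example runs without network."""
    return SAMPLE_RANGE_RESPONSE


def check_password(password: str, range_lookup=offline_lookup) -> tuple:
    """The NIST-style verifier check: local denylist first, then breach data.
    Returns (accepted, reason)."""
    if is_denied(password):
        return False, "on the local denylist (after undoing common substitutions)"
    prefix, suffix = hibp_parts(password)
    seen = count_in_range(suffix, range_lookup(prefix))
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "P4$$w0rd", "Password#1",
                      "Summer2019!", "tW7#qL9pZ!vK2mN"]:
        print(f"{candidate!r:20} -> {check_password(candidate)}")
```

The order of the two checks is deliberate: the local denylist costs nothing and catches the obvious cases, and only candidates that survive it are looked up by hash prefix. Because the server only ever sees five hex characters, which match hundreds of unrelated hashes, it learns nothing useful about the password being set, which is what makes this check acceptable inside an account-creation flow.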
Simply put, relying solely on passwords won’t do the job.
Instead, you should add another layer of protection in the form of a verification method known as “two-factor authentication” or 2FA.
This can be a PIN, token, SMS message, biometric scan or something else that only you would either possess or know. By adding this on top of your username/password, you will greatly increase your account security even in situations where the password is compromised.
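The “token” kind of second factor most people use today is an authenticator app generating time-based one-time codes. As an added example (not code from the article or from any particular authenticator), here is the standard TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) in plain Python, with both the code the phone computes and the check the server performs. The secret is the reference value from RFC 6238's test vectors; in a real enrolment each user gets a fresh random secret, shared once via a QR code, and that shared secret is the “something you possess”.

```python
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP with counter = unix_time // step.
    This is what the authenticator app on the user's phone computes."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either
    side to tolerate clock drift, and compares in constant time so timing
    does not leak how many digits matched. A production verifier would also
    remember the last accepted step per user so a code cannot be replayed."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


# Reference secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(RFC_SECRET, code, now))
    print("same code 5 minutes later verifies:",
          verify_totp(RFC_SECRET, code, now + 300))
```

The point of the demo's last line is the property that makes a stolen password alone insufficient: a code is only good for about a minute and a half, so an attacker who captured the password in a breach months ago has nothing to present at login time.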
Too many passwords to remember? That’s okay, you can just write them all in a notepad file labeled “Passwords” and keep everything nicely organized.
Or you can allow your browser to remember the passwords for you.
Wrong on both counts.
Look, I have trouble remembering 5 passwords, let alone 50 or 100, and I keep forgetting passwords all the time, just like you. But the last thing you should be doing is keeping your passwords in an unsecured notepad file, writing them on a piece of paper, or letting your browser remember them.
One study conducted by OnePoll revealed that 65% of people will forget a password unless they write it down somewhere.
Another interesting study, led by Rutgers University and Aalto University and published in August 2018, went into the psychological reasons why people forget their passwords.
The study proposes that:
“Human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten.”
If this sounds like you (and I bet it does), there’s a better way to store your passwords, and it’s called a password manager.
The idea of a word or a phrase that you would use to access something is as old as human history itself.
Back in the days of ancient Rome, different units had their own “watchwords” that proved you were one of them.
In the 1920s, during Prohibition, the only way to enter a “speakeasy” and get a glass of “The Bees’ Knees” was to know a particular password, or you’d get the “don’t know what you’re talking about, see” from the pinstripe-suit-wearing guy at the door.
The first digital password was created in 1961 by Fernando Corbató, then a computer science professor at MIT, as a way to give students access to a private terminal on the time-sharing computer he had built.
Of course, it was a lot easier for the Roman legionarius, the 1920s guy who wanted to show his “gal” a good time, or the 1961 MIT student. They only had that one password to remember, while we today have dozens.
But it’s much more important for us today to keep our passwords safe as they are often tied to accounts that contain our sensitive information, like our email.
For this reason, I hope these 10 password best practices will help keep your email and other online accounts secure.