Let’s set the scene. You’re logging in to your company’s website, when you get an ominous message –
“ATTENTION! IT HAS BEEN MORE THAN 90 DAYS SINCE YOU HAVE RESET YOUR PASSWORD. PLEASE RESET PASSWORD NOW TO CONTINUE THE LOG-IN PROCESS.”
Annoyed, you dutifully change your password from “password” to “password1”, after the system informs you that you can’t enter a previously used password.
What’s going on here? No one really thinks that “password1” is a safe password, so why all the fuss over changing it? Let’s take a look at what makes a password safe, and if changing your password frequently is really the right answer.
Well, until we get retina scanners on every computer, passwords are here to stay. Think of passwords as the key to a house, and each of your online accounts as its own house. For most of us, that means we’ve got a bunch of houses, so lucky us! The problem is that your key can easily be found. If the people looking for your key can’t find it, well, they can replicate it. If they see that the key fits one of your houses, you can bet they’ll try the same key in all your other houses too. So why not find another, more secure way to lock your accounts? Because more intense security measures (like retina scanners) are impractical and expensive. Simple passwords aren’t the best way to protect your computer activity, but they sure are convenient. Unfortunately, this convenience comes with a price.
Why Do I Have To Change My Password?
There are two main issues with using a password to protect an account. The first is that passwords are stored by the company that requires them. If that company’s data were to be breached, anyone could find the password to your account. The logic behind changing your password is that if someone got hold of your password, they can’t use it to get into your account, because you’ve changed it by now. Changing your password doesn’t actually make your account secure; it’s just insurance for the worst-case scenario.
The second problem with using a password is that simple passwords are easy to guess. All too often, people choose things that are easy to remember, like “password” or “123456”. Back in the day, if someone wanted to break into your computer, they would have had to type in each guessed password by hand. These days, sophisticated programs will generate thousands of passwords a second in order to guess the right combination.
Clearly, anyone who uses one of these common passwords is putting themselves at risk. Make sure you pick a password that isn’t common!
If you do use a password with a certain service (like your bank) and they report that their data has been breached and customer information exposed, you should immediately change your password. The people who exposed the data will likely try your password on other sites as well. It’s better to
How Does My Password Get Hacked?
Let’s say a computer wanted to guess your password, and it does this by randomly combining letters and numbers. First, it will try all single letters and numbers, a-z and 1-9. If none of these work, it then knows your password is at least two characters, so it tries all possible two-character combinations. This goes on and on until the right password is entered. So why does making a complex password help defeat these malicious programs? The reason is simple – time. You see, even though a computer can enter thousands of passwords in a short amount of time, it still takes time to do so. If you have a very long password, then the computer is going to take a very long time to guess the right one. How long does it take? Let’s take a look:
As you can see, a longer password is harder to crack. In fact, since the number of possible passwords grows exponentially with length, adding just one more character multiplies the work a guesser has to do by the size of the character set. Bottom line – when making a password, longer is best.
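The post’s missing table can be reproduced with a short calculation. The example below is added here and is not the original post’s code; the character-set sizes and the one-billion-guesses-per-second rate are assumptions (real rates depend on how the site stores passwords), and it follows the post’s guesser, which tries every one-character password, then every two-character password, and so on.

```python
# Estimate how long a brute-force guesser needs to try every password
# up to a given length, for several character sets.

# Character-set sizes (constructed assumptions, not figures from the post).
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 94,  # printable ASCII minus space
}


def total_guesses(charset_size: int, length: int) -> int:
    """Guesses needed to try every password of 1..length characters.

    The guesser in the post exhausts all 1-character strings, then all
    2-character strings, and so on, so the cost is a sum of powers.
    """
    return sum(charset_size ** n for n in range(1, length + 1))


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a guesser running at the given rate."""
    return total_guesses(charset_size, length) / guesses_per_second


def growth_factor(charset_size: int, length: int) -> float:
    """Extra work one more character adds; this is roughly charset_size."""
    return total_guesses(charset_size, length + 1) / total_guesses(charset_size, length)


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    RATE = 1e9  # assumed guess rate: one billion guesses per second
    for name, size in CHARSETS.items():
        for length in (6, 8, 10, 12, 16):
            when = human_time(seconds_to_exhaust(size, length, RATE))
            print(f"{name:34s} length {length:2d}: {when}")
```

Running it prints one row per character set and length; compare the rows for lengths 8 and 16 in the same set to see the exponential jump.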
But just how long should it be? You could argue that a 30-character password, with a mix of upper- and lower-case letters, numbers, and special characters, is best, but there’s no way you’re going to memorize it.
What’s the solution? A password manager.
Why Password Managers Offer The Best Protection
First, what is a password manager? A password manager is a service that creates a unique password for each of your various accounts. The password that the manager generates can be something like “2gH%trHV@ee8Bd”, but you don’t have to remember that. Instead, you memorize just one thing, something like “bestpasswordever!”, and use that as the master password that unlocks all of your account passwords.
How does this work? Let’s say you are signing in to your email. Your password manager generated a complex password for your email that you didn’t memorize, but you enter your easy-to-remember master password into the browser extension. Assuming you remember the “simple” master password, the password manager will automatically populate the “password” box on the page with the correct, complex password.
“Wait a minute”, you might be thinking. “This sounds really similar to using a regular password, but it’s just got a step in the middle – what’s the point of that?”
The point is that if hackers got a copy of all the passwords used by your email provider, they would only have a copy of your email password, not the passwords to the other sites you use. A good password manager will use unique passwords for all your accounts, so even if one is compromised, the effect doesn’t snowball. The other great thing about a password manager is that you don’t end up using the same easy-to-remember password for all your accounts (easy to hack), but instead have a long (secure) password for each of your accounts - and you don’t have to memorize it!
If you’re a small business owner, having a password manager can be a lifesaver. The average person might only have to memorize a few passwords for their online account, but business owners often subscribe to so many services that remembering all those passwords can get out of hand. In this day and age, when so many services are being taken to the cloud (we’re looking at you, Office 365!), having a strong password manager is more critical than ever.
Sure, there are some downsides to using a password manager. Just like a computer can guess your password by using brute force, it could do the same to guess your master password. The upside to this is that a hacker would have to know what password manager you use before they tried this tactic. Also, password managers have built-in security methods to discourage this sort of attack.
Another potential downside to using a password manager is that someone could theoretically hack into the manager’s database and steal your passwords. Fortunately, password managers thoroughly encrypt their data, and are constantly on the defensive to protect your passwords. Using a password manager might not be perfect, but it’s the best we’ve got!
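To make the two ideas above concrete (unique random passwords per account, and a master password that is stretched so that guessing it is slow), here is an added example using only the Python standard library. It is not any real password manager’s code: the alphabet, the iteration count, the salt, and the verifier scheme are assumptions, and the vault encryption step that a real manager performs with the derived key is left out.

```python
import hashlib
import hmac
import math
import secrets
import string

# Alphabet for generated passwords (assumption; the post's example
# "2gH%trHV@ee8Bd" mixes letters, digits and symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 14) -> str:
    """A random password like the ones a manager fills in, one per account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits: a guesser faces a search space of 2**bits."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Only the salt and iteration count are stored; the master password never
    is. Every guess at the master password now costs `iterations` hashes,
    which is the kind of built-in slowdown the post refers to. A real
    manager would use this key to encrypt the vault (omitted here).
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def make_verifier(vault_key: bytes) -> bytes:
    """A check value that can be stored without revealing the key itself."""
    return hmac.new(vault_key, b"vault-unlock-check", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, iterations: int, verifier: bytes) -> bool:
    """Re-derive the key and compare in constant time."""
    candidate = make_verifier(derive_vault_key(master_password, salt, iterations))
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)            # stored beside the vault
    verifier = make_verifier(derive_vault_key("bestpasswordever!", salt))
    print("email password:", generate_password(), f"({password_bits(14):.0f} bits)")
    print("unlock with right master password:", unlock("bestpasswordever!", salt, 600_000, verifier))
    print("unlock with wrong master password:", unlock("password1", salt, 600_000, verifier))
```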
Another great way to protect yourself (and your business!) is to use two-factor authentication. What’s two-factor authentication? You’re probably already familiar with it if you’ve used a debit card at the checkout counter recently. We all know the drill – first, you stick your card into the slot (first step), then you enter your PIN (second step). This method is more secure because even if someone can fake their way past one step, they might get stymied on the second. If you’re a business owner, speak to your IT team about setting up two-factor authentication on your most sensitive data.
Alright, I’m Convinced. What Password Manager Should I Use?
That really depends on your needs. If you’re using a manager for your personal needs, many companies offer free versions of their software, though the features are somewhat limited. If you’re a business owner and want to use the password manager with multiple users on multiple devices, as well as dedicated customer support and priority tech support, you might have to spring for the premium plans. Don’t worry, the cost is negligible in terms of how much peace of mind you’ll get from using it. We recommend going with well-established companies for password management, so take a look at LastPass, Dashlane, and 1Password.