Welcome to Bits & Bytes! My name is Steve Shannon, and I’m the IT Director and Lead Developer here at PromoCorner. This new monthly blog will explore a range of tech topics that are applicable to both the promotional products industry and the world at large. The first topic I want to start with is one I’ve had quite a lot of professional experience with and is pretty universal to everyone. Specifically, let’s talk a bit about passwords.
We all use them. We all forget them from time to time. And many of us (myself included) have likely committed at least one of the cardinal sins of online security:
Never write down your password in a publicly accessible area
Never use passwords that are easily guessable through social engineering
Never, under any circumstances, reuse the same password over and over
But with so many accounts and logins to keep track of these days, remembering and maintaining our passwords can feel like quite a burden without resorting to bad habits like the ones listed above. As such, it’s easy to forget that we use passwords for a reason: they are our first (and sometimes only) line of defense in protecting our digital well-being.
The repercussions of having your account hacked or your personal information stolen should be obvious, so I won’t rehash them here. Instead, I want to go over some easy solutions for lessening the burden of password management.
What is a “good” password?
First off, it’s important to understand what distinguishes a good password from a bad one. The key to a good password isn’t complexity; it’s size. Simply put, the longer the password, the better it is. Not long ago passwords with 8 characters were considered good enough, but things have changed. Computers are faster and more powerful, which means hackers and other bad actors are better equipped than ever to crack passwords through simple trial-and-error. Every extra character you include in your password decreases the likelihood of it being cracked exponentially, so the point is to make it long enough that there are so many possibilities that even multiple computers working in tandem wouldn’t be able to guess them all. Most online services with login requirements now permit passwords with 32 characters or more.
Now, 32 characters sounds like a lot to remember, but who said they have to be random characters? A computer trying to guess your password through brute force can’t by itself distinguish between any of the following potential 8-character passwords:
As far as a computer is concerned, each one of those passwords (even the word “password”) has the same statistical chance of being the correct one. Seriously! Mathematically speaking, each of those passwords is equally secure. But the problem is that not all of those passwords are as easy for a human user to remember. And, of course, we wouldn’t actually use “password” because it’s on a list of the most commonly used passwords and thus is way too easy to guess.
With that in mind though, let’s now generate some potential 32-character passwords:
dragon horse manatee whale zebra
You probably see where I’m going with this. Each of these 32-character passwords holds up well against a brute force attack, but the last two examples are much easier to remember for a human user, to the point that you may not even need to write them down.
It’s a common misconception that a good password must be a complex mix of uppercase and lowercase letters, numbers and special characters like exclamation points. Certainly, good passwords can include those things, but in truth a good password should be one that best exemplifies the adage of “security through obscurity” for everyone except its creator. Arguably, the best way to get there is by increasing your password’s length, not just its complexity.
But even if we know what makes a good, secure password, how do we then apply that knowledge to a thousand different login accounts without reusing the same password?
A Possible Solution: Password Managers
A common solution to help avoid password reuse is to employ a password manager service like Dashlane, BitWarden, or even Google. These services store all your login information and secure it behind a single, super-secure “master” password; you can then use the various plugins or apps these services offer to automatically pull up and/or prefill your login info for any account you need access to.
There are many benefits to using a password manager: they limit the number of passwords you need to remember to just one; they’re computer and browser independent so you can access your passwords from anywhere; and they often include backups of your data, and usually allow easy exports if you also want to maintain a localized hard copy.
However, there are some downsides. Not every service offers a free solution, and installing browser plugins or phone apps may be a hassle for some users. Additionally, using a password manager means storing a copy of all your passwords in one single place. This of course requires a certain degree of trust for the service you choose, not just that they’re reputable but that they’re adequately equipped to protect your data against hackers. Unfortunately, recent events prove that even the most trusted and popular password managers aren’t immune to security threats.
One such password manager called LastPass has been around since 2008. If you’ve seen their name in the news lately, it’s likely because LastPass announced that they had been hacked and had their users’ personal data stolen by someone who tricked one of their employees into giving up their password. It’s just one of a growing list of large corporate data breaches in recent years; it’s also an unfortunate example of how even having a good password as a first line of defense isn’t always enough to protect yourself.
That aside, if you, like me, sour at the idea of outsourcing your password management, then I have another (arguably better) solution for you.
A Better Solution
To quickly reiterate, the following passwords are all equally secure, mathematically speaking:
The only thing that we changed is the number at the end, but as far as a computer trying to crack passwords is concerned, those passwords are all different.
So, let’s say you have two email accounts, one for personal use and one for business. You’re anxious to start using good passwords, and you’re resisting the temptation to make the passwords for these accounts the same, but you’re worried about constantly forgetting them. How about this?:
They’re both 32-characters long, easy to remember, and yet different from each other. Better still, the passwords themselves tell you which email account they’re for, so there’s no confusion as to which is which. Conveniently for this example, the words “personal” and “business” have the same number of letters, but it’s not about having passwords that are all the same length; it’s about having passwords that are all different but still secure. By applying this concept, you can create any number of secure passwords that are easy for you to remember by using your own personal mnemonics or phrases.
Personally, when I’m creating a new password, I like to construct them from two parts. The first part is a random-looking string of 12 characters that is actually very easy for me to remember, and the second part is a word or phrase relevant to the account it’s being created for, typically a pun or something that I’m reminded of when thinking about whatever it is I’m logging into. It essentially looks like this (but not exactly this):
Twitter account: 3j9ErLp12nW elon sucks
Instagram account: 3j9ErLp12nW instamash potatoes
Bank account: 3j9ErLp12nW money is a double-edged sword
And so forth. That’s just my system, but the idea is to come up with a system that works best for you. If you use a consistent method to construct your passwords, you won’t have to commit any more of those cardinal sins of online security, and you’ll never have to worry about forgetting a password ever again.