World Password Day

Every year the first Thursday in May is World Password Day, which is intended to raise awareness of poor password habits and encourage more thoughtfulness in maintaining identity safety online. Below are myths, facts, and tips for dealing with passwords.

Myth – You need to change your password frequently. Yes, some places will require you to change your password at regular intervals, but the truth here is that if you create a complex password and protect it, then you are not going to need to change it that often. But be sure to change it if you feel it may have been compromised, especially if…

Fact – Companies that get hacked are required to disclose security breaches that expose personal information, including passwords. If you see a news story or receive communication from a company you do business with and are informed that your password has possibly been stolen, you must change the password at the site, and any other that you used the same password at, to protect it. Also, be aware that archived data can be included in these breaches, so even if you used to have an account and have since deleted or inactivated it, your data may still have been on a back-up server.

Tips – Keep a list of places that you have had to create an account for; that way you will know if you may have had a password exposed on the site. Another best practice here is, just before deleting or deactivating an account, change the password to something you would never use, so that if it gets stolen you are not using it on an active account somewhere.

Myth – Passwords need to be a combination of random symbols, letters, and numbers that have no meaning to you. Not really true; they just need to be complex and match the requirements of the company asking for a password.

Fact – Complex can indeed mean a mixture of different types of characters, because that more than doubles the available number of options from the standard 26 letters. I once used a license key I had memorized for a piece of software I had to install hundreds of times here at the library – no way anyone would guess that. But it can also mean a passphrase as opposed to a password. If there is no character limit, a favorite phrase such as “waitforitlegendary” can serve when setting up your security.

Tips – Think of a favorite poem stanza, song lyric, or quote from a movie, TV show, or book. You want to stay away from the yadayadayada obvious here, but longer is one way to be complex, since a rosesareredvioletsareblue password is a tad harder to guess than redrose12. Once you add in some numbers and symbols, it becomes even more complex. One really neat website to check out for help here is Password Monster. The site lets you enter combinations and tells you how strong the password is and how long it will take to hack it. Take my How I Met Your Mother phrase above – that can be hacked in 2 hours. If I change the o to a zero and the last e to a 3, it bumps up to 14 hours. If I add an exclamation point, it will take someone 7 days. And the best option here – drop part of the phrase. If I use waitf0ritleg3ndar – it will take about 14 days. Making one of those letters a capital means it is strong and at 21 days for a hack. The point here – it can be something you relate to, just be creative about it and realize length, altered letters, and incomplete thoughts can go a long way. If someone is really determined, they will still hack it. If it takes 21 days, most nefarious types will get bored and give up if you aren’t Jeff Bezos, the U.S. Treasury, or the local lottery machine. Another good idea here is to create a list of possible passwords for future use. If you are on a roll, keep going and have some spares so you can grab one in a hurry if need be.
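As an added illustration (not from the original post, and not how Password Monster works), the Python below computes a naive brute-force estimate for the password variants above: length times the character classes present, at an assumed guess rate. It only credits length and character classes, so unlike Password Monster it does not reward truncating a word, and “Waitf0ritleg3ndar” is my reading of the capital-letter step; the guess rate and word-list size are assumptions.

```python
import math
import string

# Added example, not from the original post: a naive brute-force strength estimate
# for the password variants the post walks through. It only counts length and
# character classes, so it will not reproduce Password Monster's figures.
SYMBOLS = string.punctuation   # the 32 printable ASCII symbols
GUESSES_PER_SECOND = 1e10      # assumed offline guessing rate, for illustration only
PHRASE_WORDS = 20_000          # assumed attacker word-list size, for the passphrase caveat

def alphabet_size(pw: str) -> int:
    """Alphabet an attacker must cover, from the character classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size

def brute_force_bits(pw: str) -> float:
    """Search-space entropy in bits: length * log2(alphabet size); 0 for an empty string."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0

def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the keyspace at the given guess rate."""
    return 2 ** bits / 2 / rate

def passphrase_bits(words: int, dictionary: int = PHRASE_WORDS) -> float:
    """Entropy when the attacker guesses whole dictionary words instead of characters."""
    return words * math.log2(dictionary)

def report(pw: str) -> str:
    bits = brute_force_bits(pw)
    days = expected_crack_seconds(bits) / 86_400
    return f"{pw:<20} len={len(pw):2d} alphabet={alphabet_size(pw):2d} {bits:6.1f} bits ~{days:,.1f} days"

if __name__ == "__main__":
    # The post's own variants; "Waitf0ritleg3ndar" is my reading of "make one letter a capital".
    for pw in ["redrose12", "waitforitlegendary", "waitf0ritleg3ndary",
               "waitf0ritleg3ndary!", "waitf0ritleg3ndar", "Waitf0ritleg3ndar"]:
        print(report(pw))
    # Caveat: a phrase of common words is weaker than its character count suggests.
    print(f"rosesareredvioletsareblue: {brute_force_bits('rosesareredvioletsareblue'):.1f} bits"
          f" by characters, {passphrase_bits(6):.1f} bits as six dictionary words")
```

The last line is the caveat a strength meter can hide: a phrase built from common words should be judged by the number of words an attacker would guess, not by its character count.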

Myth – Password saving software and apps are the safest security.

Fact – The safest way to protect your passwords, other than committing them to memory, is to use paper. If you insist on saving to the device, do not create a document that is called passwords.

Tips – The key here is the reputation of the company and what you plan to save in a password program or app. If the software or app has strong encryption, it is relatively safe. Keep in mind you get what you pay for, and a free or low-cost solution may not be as secure as you think. The device is also online and therefore always prone to viruses, malware, or theft. If you just need something to save passwords for “harmless” sites, those that don’t have financial or identity information, then these apps are fine to use. I would still advise you to look for a paper solution. Many places sell password keepers; they look like old address books that have alphabet tabs and a place to put in the website address, username, and password. Your tip here – use pencil so you can erase it if any of that information changes.

Myth – You can create one really super password and use it everywhere.

Fact – While you do want to avoid using something like password123, you have to live with the fact that the same password cannot, and should not, be used everywhere. For one thing, not all password requirements are the same. You may have a lovely ten-character password with a letter, a capital, a number, and a symbol that works really well, until you come up against a requirement for a twelve-character password.

Tips – One thing you want to be mindful of is if you use the same or a similar password all the time and it gets stolen or hacked from a company’s security breach, then you have to change it everywhere. One idea to consider here is having category passwords/phrases. For example, maybe your bank, credit cards, insurance companies, and loans all get a financial password. If that gets hacked or stolen, then you just have to change it at the financial institutions. Have another for social media, one for streaming services, one for shopping sites, and another for utilities. Passive items should have their own password as well. The WiFi router, TV, and washing machine all like to email you. My car reminds me when it needs an oil change. I literally drive around all day in a device that is logged on to an account. With its own unique password. It may seem like a pain to have so many passwords, but it is worth it to keep these passive items walled off from your normal activities.

Myth – Aside from changing your password, there is nothing you can do to prevent password theft.

Fact – Many password hacks are actually outside of your control because they are stolen in data breaches and not from you. But, the majority of the time they are stolen from an individual it is because of carelessness on the part of the end user.

Tips – Follow the tips above for dealing with the passwords themselves, but do not shirk device management or slip into carelessness. It goes without saying that if you share a password with someone, then they have the password. Think about that person who uses the same password for everything and then lets a friend use their Spotify or Netflix account – now the friend can probably get into their Facebook, Visa, and Amazon accounts. Don’t leave passwords on pieces of paper in obvious places or in files on the device, and don’t say them out loud to someone else where they can be overheard. On the device, keep your security up to date. This means making sure you have a reputable, updated antivirus solution as well as applying all updates to the device and any apps or software as soon as possible, so you have the latest security patches. Clean your browser cache frequently and do not let the browser save passwords in the first place. You can look into cleaning software that will automatically run periodically to accomplish this task. You also want to avoid the “remember this device” option for certain types of sites you always want to be secure, such as banking sites, so the information isn’t even stored on the device.

Parting thoughts – Password security is important but not impossible or even inconvenient. Establishing good password practices from the start will ensure you have fewer headaches in the long run. Exercising care in storing and sharing passwords is key to preventing them from getting into the wrong hands. In the inevitable case that a company you do business with gets hacked, having an organized password plan in place means an easy transition to a new password and fewer possible points of further breaches of other accounts. Another thing to make sure to use, if offered, is two-factor authentication, since it should at least delay anyone getting into your account with a stolen password. Unless your device is stolen or your email is also hacked, you at least prevent unauthorized use, and the text or email with a code tells you that someone tried to get into the account.

- by Laura N., Information Technology Department
