When your password doesn’t work just as you’re about to get something done - now that’s a special frustration. So many sites and services and apps - each with a different set of rules for password expiration, complexity and additional authentication methods. Should you fail at guessing your password you must grit your teeth and reset it, which can involve remembering obtuse security questions you picked a year ago like your high school mascot’s best friend’s name in the town your parents met and which email did you use when you registered and GAH!
Passwords keep getting more complicated to counter faster computers, better password-cracking techniques and a steady stream of data breaches. Take a look at https://haveibeenpwned.com to get a sense of this and see if your email has been in any known data breaches. For example, Duolingo just this month had 2.6M account records scraped and published on a hacking forum. Now don’t freak out on this - passwords aren’t typically included in leaks like this, but they are a common source of phishing emails (don’t click those links! Read my last post) and they give the bad guys other info on you they can use to get into your accounts.
Don’t despair, there is a simple solution:
Lololol … there actually is a simple solution in sight that I’ll talk about if you make it to the end of the article! For now, here are three things you need to do to keep your stuff safe online:
1. Use Complex Passwords
First thing is to use complex passwords - not ones as simple as ‘Kenny!’ but ones that are impossible to guess and hard to crack. If you like Kenny, head over to https://www.kennylog-in.com and you can generate complex passwords based on his lyrics🎶
Any site that gives a hoot about securing your account asks for increasingly complex passwords - longer, mixed case and with numbers and special characters. Here’s why:
Take a close look at this chart. Brute force means using a computer program to try all possible password combinations. Purple combos take zero time to crack, red under a year. So even a 10-character password that includes all the different character variants can be cracked in 2 weeks! That’s the last red entry in the far-right column. Let’s shoot for the orange box in the middle of the 12-character row - 6 years is pretty ok, right? Getting to 6 years means your password needs to be at least 12 characters and it needs to have at least upper and lowercase letters.
How do you come up with complex passwords that you can remember or find? You may have come up with a pattern of names/places/numbers that works in your brain and if so that’s great. Here are some other options. Your browser or phone will offer a strong password and save it for you. That’s good, but if you’re using a different device than the one you created the password on you can get stuck. You can switch to using a technique called passphrases (password phrases), which use multiple words and spaces in a sentence structure that makes complex passwords easier to remember. Much like a dedicated password manager, Google and Edge browsers will save your passwords for you and sync them across devices if you have a Google or Microsoft account. Apple has its iCloud Keychain to store passwords across your Apple devices, which works great if you use all Apple products. Finally, there are password managers that generate complex passwords and save them all for you under one master password. Maybe I’ll cover those in a future article.
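To make the chart’s logic concrete, here’s a small Python calculator I’ve added (it is not from the post or from the chart’s authors) that sizes the brute-force search for a password from the character classes it uses, and for a passphrase from the word list it came from. The 10-billion-guesses-per-second rate is my assumption, since the chart doesn’t state the rate it used, and the sample passwords are made up.

```python
import math
import string

# Assumed guess rate (the post's chart does not state the rate it used):
# 10 billion guesses per second, a round figure for a GPU rig attacking a fast hash.
GUESSES_PER_SECOND = 1e10

# Character classes; once an attacker knows a password uses a class, the whole class is in play.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),        # 26
    ("upper", set(string.ascii_uppercase)),        # 26
    ("digits", set(string.digits)),                # 10
    ("symbols", set(string.punctuation) | {" "}),  # 33 -> 95 printable ASCII in total
]

def charset_size(password: str) -> int:
    """Size of the smallest class mix that covers every character in the password."""
    chars = set(password)
    return sum(len(members) for _, members in CLASSES if chars & members)

def keyspace(charset: int, length: int) -> int:
    """Number of candidates a brute-force run must be prepared to try."""
    return charset ** length

def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """If the attacker knows the word list, a passphrase is searched word by word, not letter by letter."""
    return wordlist_size ** words

def entropy_bits(combinations: int) -> float:
    return math.log2(combinations)

def years_to_crack(combinations: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Average case: half the space is searched before the password turns up."""
    return combinations / 2 / rate / (365 * 24 * 3600)

def meets_post_minimum(password: str) -> bool:
    """The post's floor: at least 12 characters, with both upper- and lowercase letters."""
    return (len(password) >= 12
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password))

if __name__ == "__main__":
    for pw in ["Kenny!", "MyMyMy&@7", "Correct Horse Battery Staple"]:  # constructed samples
        space = keyspace(charset_size(pw), len(pw))
        print(f"{pw!r:32} {entropy_bits(space):6.1f} bits "
              f"{years_to_crack(space):12.3g} years  ok={meets_post_minimum(pw)}")
    space = passphrase_keyspace(7776, 4)  # same idea if the 4 words came from a 7776-word list
    print(f"{'4 words from a 7776-word list':32} {entropy_bits(space):6.1f} bits "
          f"{years_to_crack(space):12.3g} years")
```

The last line is the honest figure for a word-list passphrase: it is the number an attacker who knows your method has to beat, and it is still far beyond the chart’s red zone.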
2. Multi-Factor Authentication
Second thing is setting up multi-factor authentication or MFA. This is an additional security layer and doesn’t require changing your password so in most cases it’s easier than #1 - do it! What are these factors you speak of? Cybersecurity defines 3 factors for authenticating a person or making sure you’re really you:
Something you know - like a password
Something you have - like your cellphone
Something you are - like your fingerprint
Passwords fall under the first factor - something you know. Multi-factor authentication adds either something you have or something you are to the mix. Often sites/services will refer to this as two-factor authentication or 2FA. The most common examples use something you have, and usually that’s your phone. The simplest method here is sending a text or SMS message to your phone with a code you enter after your password. That’s an excellent first step, but SMS has known weaknesses, so better alternatives are installing an authenticator app, which generates a 6-digit code for you on demand, or a companion app on the phone that confirms a login is legit. Something you are falls under the category of biometrics - so facial recognition or a fingerprint. Biometrics are less common when authenticating to a service (versus a device) but more effective.
Adding either something you have or something you are as a second factor with a complex password will give you a HUGE boost in security and you should do that right away to any accounts where $$ are involved or are critical to your business. Social media platforms also offer 2FA. They don’t broadcast it as they’re all about easy access to your feed - but it’s worth digging a bit to find and set up 2FA if you have business accounts. Do it today - if your social account gets hacked, chances of getting it back are slim.
3. Don’t Reuse Passwords
Last thing, and tbh I’m bad at this myself, and really, it’s hard nay impossible to have every password unique unless you embrace a password manager to create and save a unique password for every service. Understand what’s going on here though; this is a weakest common denominator scenario. Say your favorite password is MyMyMy&@7 (thanks Kenny-login.com password generator!). You use it everywhere, since forever, including that chat board you signed up for years ago that you don’t even use anymore. Say that chat board gets hacked and the leak includes passwords stored with an older, easy-to-crack scheme like MD5 hashing. So now your password is out on the internets, and if it’s the same one you use for your bank that’s trouble. If you want to understand more on hashes and cryptography read the backstory behind the password complexity chart here. Moral of this story - be particularly careful with sites that may not care a lot about your security or don’t have the resources to properly protect your information - like message boards or smaller sites. Don’t reuse any passwords from those sites!
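The MD5-versus-salted-hash difference in this story, as an added Python example that isn’t from the post: the chat board’s unsalted MD5 next to salted PBKDF2 storage, and why the former can be matched from a table built before the breach ever happens. The “likely passwords” list and both stored records are constructed for the demo.

```python
import hashlib
import hmac
import os

def store_md5(password: str) -> str:
    """The chat board's scheme from the post: unsalted MD5. Every site that does this
    stores the very same 32 hex chars for the same password, so hashes of likely
    passwords can be precomputed and matched instantly once a record leaks."""
    return hashlib.md5(password.encode()).hexdigest()

PBKDF2_ROUNDS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256

def store_pbkdf2(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Hardened storage: a random per-user salt plus a deliberately slow derivation.
    The same password yields a different record at every site (and for every user),
    and each guess costs the attacker `rounds` HMAC computations."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and rounds, compare in constant time."""
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def md5_lookup_table(candidates) -> dict:
    """What makes unsalted MD5 'easy to crack': a hash -> password table computed
    once, ahead of any breach, for a list of likely passwords."""
    return {store_md5(p): p for p in candidates}

def recover_from_leak(record: str, table: dict):
    """Plaintext if the leaked record is in the table, else None. A salted PBKDF2
    record never matches: the table would have to be rebuilt per salt, at full cost."""
    return table.get(record)

# Constructed sample: a tiny 'likely passwords' list that happens to contain the
# story's reused password.
LIKELY = ["password", "123456", "Kenny!", "MyMyMy&@7"]

if __name__ == "__main__":
    table = md5_lookup_table(LIKELY)
    chat_board_record = store_md5("MyMyMy&@7")      # the weak site
    bank_record = store_pbkdf2("MyMyMy&@7")         # the hardened site
    print("chat board leak ->", recover_from_leak(chat_board_record, table))  # 'MyMyMy&@7'
    print("bank leak ->", recover_from_leak(bank_record, table))             # None
    print("bank login ->", verify_pbkdf2("MyMyMy&@7", bank_record))          # True
```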
So. For all your important accounts - use complex passwords, enable 2FA and limit reuse!
4. A New Hope - Passkeys
The tech industry will solve the password problem, but it can’t come soon enough. Passwords today introduce too much friction to using online services, along with a ton of reputational risk for each data breach and hack. The trick is getting everyone onboard. There is a nascent standard that’s already out for certain devices and much of the industry is behind it. Hopefully it’ll catch on. Basically, it allows sites/services to leverage the credentials you use to log in to a device. So, for example, if you use Face ID on your iPhone, that same authentication can unlock passkeys for all your other services. More here: https://fidoalliance.org/passkeys/