“Your passwords aren’t strong enough!”
“You have to change your password every 90 days!”
“The best passwords are a combination of letters, numbers, punctuation, a hieroglyphic symbol, your great-grandmother’s neighbor’s maiden name, your dad’s favorite color and the sum of pi plus google.”
Have you ever felt that you’re constantly being bombarded with the news that your passwords aren’t good enough, and that you aren’t managing them right or doing enough to protect your sensitive data? You keep hearing that you need to make sure your passwords are complex, but you aren’t supposed to re-use them — or write them down.
Considering that the average person has about 25 different accounts that require a password and logs in to about eight of them each day, it has become impossible for most people not only to create that many adequate passwords but also to remember them, and then to start over every time they are prompted to change one.
So we don’t. Very few people actually follow “best practice” when it comes to passwords. We reuse the same passwords over and over, pick “weak” ones and write them down to remember them. We don’t change them unless absolutely necessary.
And according to a new report from Microsoft Research, that might be okay.
Heartbleed and the Password Problem
Back in April 2014, the disclosure of the Heartbleed bug had everyone scrambling to change their vital credentials. Heartbleed was a flaw in OpenSSL, the library many websites use to encrypt traffic, that let an attacker read chunks of a server’s memory. That memory could contain login credentials and even the server’s private keys, so millions of credentials for major websites were potentially exposed to attackers who could use them to steal personal information, including financial data. As a result, everyone was encouraged to change their passwords on many sites, following the usual best practices for creating them. (One caveat that got lost in the frenzy: changing a password on a site that had not yet patched its OpenSSL simply handed the new password to the same bug.)
However, Microsoft’s report suggests that the frenzy over creating secure, uncrackable passwords has done more to compromise accounts than to protect them. It argues this for several reasons:
- Difficult passwords are hard to remember, meaning people may write them down — making them less secure.
- Difficult passwords make it more likely that one will remain logged in to an account or save the password, leaving it vulnerable to hacking.
- Attackers aren’t generally interested in low-value accounts, such as a news-site login that holds no personal or payment information, so the effort spent on a strong password there buys very little.
- Forgotten passwords mean resets, and a reset usually means handing over more personal information (security-question answers, a recovery email or phone number) that can itself be abused.
The solution, they say, isn’t more difficult passwords but better password management.
The More Important the Account, the Harder the Password
It’s important to note that Microsoft’s new password guidelines aren’t suggesting that everyone set their passwords to “abc123” or “password” and hope for the best. Attackers still run brute-force and dictionary attacks against stolen login databases, and they still try credentials taken from one site on every other site they can think of.
However, what this research suggests is that we should prioritize our passwords and save the unique, complex ones for the highest-value accounts, e.g., bank accounts, credit cards and anything that holds a great deal of personal information, above all your email, since an email account can reset most of the others. Lower-value accounts, such as a newsletter subscription or a site where you don’t store payment details, are fine with easier passwords, and it’s okay to reuse passwords among them, with one rule: a password shared by throwaway accounts must never also guard a high-value one, because a breach of any site in the group exposes every site that shares its password.
Password managers are also a viable option for handling the dozens of passwords that most of us deal with daily. Not only does a manager store all of your credentials so that you only have to remember one master password instead of 25, it can also generate random passwords for you or gauge the strength of the ones you create yourself. If you go the password manager route, make the master password the strongest you can come up with, and something you can remember: it is the one password whose compromise exposes all the others.
If you have to write it down, do so in a way that doesn’t immediately look like a password. One common trick is to take the first letter of each word in a sentence, such as “My cat Whiskers is 9 years old.” The password would then be McWi9yo. That beats a dictionary word, but at seven characters it is on the short side for anything an attacker can crack offline, so choose a longer sentence when the password guards something valuable. If you need a reminder, write down the sentence somewhere; if it falls into the wrong hands it isn’t obviously a password, although anyone who knows the trick can recover it, so the reminder still belongs somewhere reasonably private.
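As an added example (not code from the article or from Microsoft’s report), the following Python script implements the sentence-initialism trick described above and sets it beside the kind of random password a manager generates, using a rough search-space estimate to show the gap between the two. The guess rate of ten billion per second is an assumption standing in for a GPU attacking a fast, unsalted hash; the sample sentence is the one from the text, and every number printed is an estimate for illustration only.

```python
import math
import secrets
import string

# Character classes used to size the search space a brute-force cracker
# would have to cover. An attacker who knows which classes a password
# uses has no reason to try any others.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed attacker speed (guesses per second). Roughly what commodity GPUs
# manage against a fast, unsalted hash; a slow, salted hash (bcrypt,
# scrypt, Argon2) cuts this by several orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e10


def initialism(sentence: str) -> str:
    """The memory trick from the article: keep the first letter or digit of
    every word, preserving case ("My cat Whiskers is 9 years old." -> "McWi9yo")."""
    chars = []
    for word in sentence.split():
        for ch in word:
            if ch.isalnum():          # skip leading quotes, dashes, etc.
                chars.append(ch)
                break
    return "".join(chars)


def search_space_bits(password: str) -> float:
    """Bits of work for an exhaustive search over every character class the
    password actually uses. This is an upper bound on strength: a real
    cracker guesses common words, phrases and their initialisms first."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(ch in cls for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def expected_crack_years(bits: float,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password, i.e. to search half the space."""
    guesses = 2 ** bits / 2
    return guesses / guesses_per_second / (365 * 24 * 3600)


def random_password(length: int = 20,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What a password manager generates: uniformly random characters drawn
    from a cryptographic RNG. random.choice() is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(sentence: str, generated_length: int = 20) -> dict:
    """Side-by-side estimate for a sentence initialism versus a generated password."""
    human = initialism(sentence)
    machine = random_password(generated_length)
    return {
        "initialism": human,
        "initialism_bits": search_space_bits(human),
        "initialism_years": expected_crack_years(search_space_bits(human)),
        "generated": machine,
        "generated_bits": search_space_bits(machine),
        "generated_years": expected_crack_years(search_space_bits(machine)),
    }


if __name__ == "__main__":
    # Constructed sample input: the sentence used in the article.
    result = compare("My cat Whiskers is 9 years old.")
    for key, value in result.items():
        print(f"{key:>18}: {value}")
```

Run stand-alone, it shows McWi9yo at roughly 42 bits of search space, which at the assumed rate is a matter of minutes, while a 20-character generated password lands well above 100 bits. That is the article’s point in numbers: a short initialism is fine for a low-value account, and not what you want in front of a password manager.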
As long as attackers are trying to steal login credentials and wreak havoc on our lives, there will be a need to secure our passwords. But for the time being, it’s okay to relax and focus on protecting your most valuable, and most vulnerable, information, and you don’t need to learn hieroglyphics to do it.