We all should know that decent passwords are all that stand between us and a potential security incident. Yet many people end up infected with a virus or with a massive credit card bill because they failed to follow the basics of password security. Here are the 10 things that people keep getting wrong, and ways to make sure you get them right.
#10. Using an obvious password
Security firms regularly generate lists of the most obvious passwords, and the same suspects always pop up. ‘Password’ is perennially popular, as is ‘123456’ and ‘iloveyou’. Your own name is also a common choice. Anyone trying to hack your account will check for these ‘easy win’ options.
#9. Writing your password down
No matter how clever your password is, it provides essentially no protection if it is written out for all to see on a Post-It note stuck to your monitor. And don’t presume that anywhere else in your cubicle is a better choice: IT workers and potential felons know all the obvious places to look. Remember: your password is basically useless once you write it down. You need to remember it.
#8. Using the same password everywhere
Using exactly the same password on every site or service that needs one means you’ve only got one password to remember. But that minor benefit is entirely offset by the unpleasant corollary: if someone cracks your password for one service, they’ll have access to everything. It’s a dumb move, and you simply shouldn’t do it.
Many people adopt a multi-tiered password strategy: keeping unique passwords for crucial services, but using a basic disposable password for sites which force you to sign up but which you don’t expect to use continually. This is better than just having one password, but still not as secure as having a different password for every service.
#7. Not using additional security features
Many services offer two-factor authentication: as well as your fixed password, you also need a second, one-time password, which can be sent via text message or generated by a hardware security token. Google offers this option when signing into your account; many banks also offer this feature. If it’s available, you should take advantage of it. That way, even if someone discovers your main password, they still won’t be able to access the service.
#6. Making passwords too short
The longer your password, the more secure it is. Many sites now enforce a minimum password length, and often add additional requirements (such as including a mixture of lower-case and upper-case letters, numbers and punctuation). But remember: just because it’s the minimum doesn’t mean you have to stick with it. Every extra character makes the password harder to crack. A 20-character password might be hard to memorise, but 12 characters is definitely achievable.
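The checks from #10 and #6 (reject the obvious "easy win" passwords, enforce a minimum length, and show how each extra character widens the search space), plus the reuse check from #8, written up as an added example; this is not code from the original article. The common-password list and the guess rate are constructed placeholders.

```python
import math

# Constructed stand-in for the "most obvious passwords" lists security firms publish;
# a real deployment would load a full breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "iloveyou", "qwerty", "letmein"}
MIN_LENGTH = 12  # the article's "definitely achievable" length


def charset_size(pw: str) -> int:
    """Size of the smallest character class mix that could have produced pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force search space in bits: every extra character adds log2(charset)."""
    return 0.0 if not pw else len(pw) * math.log2(charset_size(pw))


def crack_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the search space at an assumed (constructed) guess rate."""
    return 2 ** entropy_bits(pw) / guesses_per_second / (365 * 24 * 3600)


def check_password(pw: str, username: str = "") -> list:
    """Return the article's rule violations for pw; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if username and username.lower() in pw.lower():
        problems.append("contains your own name")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def find_reused(vault: dict) -> list:
    """Given {service: password}, return groups of services sharing one password (#8)."""
    by_password = {}
    for service, pw in vault.items():
        by_password.setdefault(pw, []).append(service)
    return sorted(group for group in by_password.values() if len(group) > 1)
```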
#5. Sharing passwords with others
When we asked readers last year if they shared passwords with their partners, more than half of you said you did. It’s lovely that you trust your partners, but we feel sorry for those of you who suddenly discover that love doesn’t always last forever. We’ll say it again: a password someone else knows is much less effective.
If you feel you need to know a family member’s password, there are other tactics you can adopt. If you want to keep track of your kids’ passwords in case of an emergency, a piggy bank can be handy. If you want to make sure family members can sort your online affairs by accessing your accounts after you die, there are services to handle that.
#4. Not using secure browsing sessions
Especially on public networks, it’s dangerously easy for those with evil intent to steal your passwords if you don’t use HTTPS. Make it your default choice and you won’t have to stress whenever you’re using an unfamiliar network. Also check out the HTTPS Everywhere extension to maximise your security.
#3. Not securing your machine when others use it
So someone asks if they can quickly use your machine to go online, and you say “sure”. We applaud your sociability, but we implore you to make sure you protect your privacy. Otherwise, your “friend” might discover something you’d rather they didn’t.
#2. Not changing passwords regularly
Everyone knows they should change their passwords regularly. Very few people do. Even if you’re using every other strategy in this list, regularly changing passwords ensures that you’re less vulnerable. Set yourself a calendar appointment to update your passwords and stick to it.
#1. Not using a password manager
Using a password management system ensures that you can achieve most of the other goals on this list easily. We’ve detailed how to set up an any-browser solution, how to audit the system and how to use a USB drive for even more security. There are many password management systems out there; find one you’re comfortable with and use it.
Lifehacker 101 is a weekly feature covering fundamental techniques that Lifehacker constantly refers to, explaining them step-by-step. Hey, we were all newbies once, right?