Your Passwords Are Worse Than You Think (and the Easiest Ways to Fix Them)


Rejoice, for today is World Password Day! You don’t get a day off work, but you do get a reminder that your security is likely at great risk. If you recycle the same password for multiple accounts (don’t lie, I know you do), or you use simple passwords because they’re “easy to remember,” you need World Password Day.

Google ran a survey of 4,000 American adults in an effort to understand the steps they take to keep their digital lives secure. In short, they don’t. The survey found that while almost 40% of Americans have dealt with a personal data breach, 20% admit they use basic passwords anyone could guess. Want to be a hacker? Pick five people: One of them uses something like “password” for their login.

Worse yet, more than half of respondents have used personal information for their password, such as their name, birthday, the name of their partner, child, friend, family member, or pet, while 65% say they reuse passwords for various accounts. This is bad news.

What makes a great password?

Let’s start with the passwords themselves, which should be two things: strong and unique. A strong password is one that is hard for both a human and a computer to guess. It’s much more obvious how to make a tricky password to keep your roommate out than it is to keep out a hacker via brute force (simply, throwing guess after guess at the login, or, far faster, at a stolen database of password hashes, until one matches).

A computer is going to guess your password if it’s made up of common dictionary words, even if you’ve ever-so-cleverly swapped some of those letters for numbers or special characters. A hacker will crack “t3l3v!s!0n” about as quickly as “television”, because cracking tools apply exactly those substitution rules to every word in their lists; a word with a few letters swapped is only a few hundred guesses away from the word itself.
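To make that concrete, here is a small added Python example (not from the original article) that does what a cracker’s “mangling rules” do: it takes a dictionary word and spits out every leet-speak variant. The substitution table and the three-word list are constructed for the demo, not taken from any real cracking tool.

```python
"""Enumerate the 'leet' variants of a dictionary word, the way a password
cracker's mangling rules do.  Added example; the substitution table and
word list below are small constructed stand-ins, not from a real tool."""
from itertools import product

# Constructed substitution table: each letter maps to the characters it is
# commonly swapped for (the plain letter is always kept as an option).
LEET = {
    "a": "a@4", "e": "e3", "i": "i!1", "o": "o0", "s": "s$5", "t": "t7", "l": "l1",
}


def mangle(word: str) -> set[str]:
    """Return every variant of `word` produced by the substitution table,
    plus the same variants with the first character capitalised."""
    choices = [LEET.get(ch, ch) for ch in word.lower()]
    variants = {"".join(combo) for combo in product(*choices)}
    capitalised = {v[:1].upper() + v[1:] for v in variants}
    return variants | capitalised


def is_mangled_dictionary_word(candidate: str, words: list[str]) -> bool:
    """True if `candidate` is just a dictionary word with tricks applied."""
    return any(candidate in mangle(w) for w in words)


if __name__ == "__main__":
    # Constructed mini-wordlist standing in for a cracker's dictionary.
    wordlist = ["television", "password", "sunshine"]
    tricky = "t3l3v!s!0n"
    # 'television' yields 1,296 variants: a cracker tries them all in
    # well under a second.  A 10-character random password has 94**10
    # (about 5e19) possibilities by comparison.
    print(len(mangle("television")), "variants of 'television'")
    print(tricky, "is a mangled dictionary word:",
          is_mangled_dictionary_word(tricky, wordlist))
```

Run it and you’ll see “t3l3v!s!0n” is just one of about 1,300 variants of a single word, which is why the substitutions buy you almost nothing.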

Traditionally, a long, randomised password has been recommended as the best approach. No one’s guessing a password like “Sj12#8)23&$k51*as.x*[email protected]*23,” and a computer would take far too long to crack it by brute force.

But you actually don’t need a password that’s miserable to remember. A short string of randomly chosen words can be just as hard to crack. XKCD has a famous webcomic about this topic: “correcthorsebatterystaple” is a strong password that isn’t too hard to memorise. A human certainly wouldn’t guess it, and a computer can’t simply run through a dictionary, because it has to hit every word in the right order: four words picked at random from a 2,048-word list give about 44 bits of entropy, roughly 17 trillion combinations. The catch is that the words really must be chosen at random (dice, or a generator), not a phrase you thought up, a song lyric or a title, because those come from a far smaller and more predictable pool.
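Here is an added Python example (not from the original article or XKCD) that generates both kinds of password with the operating system’s cryptographic random source and works out how many bits of guessing each one forces on an attacker. The eight-word list is a constructed stand-in; a real diceware list has 7,776 words, and XKCD’s figure assumes 2,048.

```python
"""Generate random passwords and random passphrases and measure how much
guessing work each forces on an attacker.  Added example, not from the
original article; DEMO_WORDS is a constructed stand-in for a real list."""
import math
import secrets
import string

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 chars

# Constructed and far too short for real use; a real list has thousands.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "kettle", "orbit", "violin", "glacier"]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from a pool
    of `pool_size`.  An attacker needs about 2 ** (bits - 1) guesses."""
    return picks * math.log2(pool_size)


def random_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    """Uniformly random characters via the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list[str], count: int = 4, sep: str = "-") -> str:
    """Words must be picked at random: a phrase you think up yourself comes
    from a much smaller, more predictable space."""
    return sep.join(secrets.choice(words) for _ in range(count))


def words_for_target(pool_size: int, target_bits: float) -> int:
    """Smallest number of words from a `pool_size` list reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print(random_password(), f"{entropy_bits(len(SYMBOLS), 16):.0f} bits")
    print(random_passphrase(DEMO_WORDS), f"{entropy_bits(len(DEMO_WORDS), 4):.0f} bits")
    # XKCD's figure: four words drawn from a 2,048-word list.
    print(f"{entropy_bits(2048, 4):.0f} bits")
    # How many diceware words (7,776-word list) match a 12-char random password?
    print(words_for_target(7776, entropy_bits(len(SYMBOLS), 12)), "words")
```

The passphrase from the eight-word demo list only reaches 12 bits, which is the point: the strength comes from the size of the list and the randomness of the draw, not from the words being unusual.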

I’m a big fan of Computerphile’s video expanding on these ideas:

A password manager can do all the hard work for you

A strong password is just one part of the equation, though. You need to use a unique, strong password for each of your accounts. While your new password is certainly hard to crack, you should never use it more than once. Cracking your password isn’t the only way to get hold of it. If a careless company gets hacked, your password could be leaked, usually alongside the email address you signed up with. Attackers then try that same email-and-password pair against every other service they can think of (the industry calls this credential stuffing), and, if you’ve reused it, there goes your security.

Using a unique password for every account, therefore, is the best approach. You don’t need to go through the steps above for all of your logins, though. If you use a password manager, you only need to worry about this password procedure once. A password manager, like Bitwarden or LastPass, can create strong, unique passwords for each of your accounts automatically and store them in an encrypted vault that only your master password unlocks. That makes the master password the one credential you truly have to get right: make it long and unique, never use it anywhere else, and you’ll have access to your entire library of passwords at any time.

If you’re looking for recommendations to get started, check out our list here.

A password is only good until someone figures it out

OK, so we know to keep our strong, unique passwords in a password manager, protected by one strong and unique master password. However, those passwords shouldn’t just sit there unexamined forever. As we’ve mentioned, your password could eventually be cracked or leaked in a company hack. That certainly highlights the importance of not reusing passwords (seriously, please do not reuse your passwords), but it also means you need to change a password as soon as you learn it may have been exposed: a breach notification from the service, a breach alert from your password manager (many now include one), or a hit on a breach-checking service.

It’s not a fun process, but changing a leaked password is the only way to make it useless to whoever has it. If a bad actor somehow gets hold of your banking password, it won’t do them any good if you’ve already replaced it. Changing passwords on a fixed schedule matters far less than this: current guidance, including NIST’s, no longer recommends forced periodic changes, because people respond by making weak, predictable variations of the old one. Change a password when there is a reason to, and make the new one genuinely new. Many password managers will have a link to the website in question so you can quickly change your password, but some, like Dashlane, are even better, and will change your password on the website for you whenever you want.
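One way to find out whether a password has already turned up in a breach without handing the password to anyone is the k-anonymity lookup offered by the Have I Been Pwned “Pwned Passwords” API. Here is an added Python example (not from the original article and not an official client) of how it works: only the first five characters of the password’s SHA-1 hash are sent, the service returns every hash suffix it holds with that prefix, and the match is made on your own machine. The API shape (GET https://api.pwnedpasswords.com/range/<first five hex digits> returning lines of <remaining 35 hex digits>:<count>) is the real, documented one; the response body below is constructed so the example runs offline, and its counts are made up.

```python
"""Check whether a password appears in a breach corpus without sending the
password anywhere, via the Pwned Passwords k-anonymity range query.
Added example, not from the original article.  DEMO_BODY is a constructed
response so this runs offline; the counts in it are invented."""
import hashlib
from typing import Callable
from urllib.request import urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves you."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table; blank lines skipped."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network).  Only the 5-char prefix is transmitted."""
    with urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password was seen in breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed response for prefix 5BAA6, the real prefix for 'password'.
# The first suffix really is the rest of SHA-1('password'); the count and
# the second line are made up for the demo.
DEMO_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "1EA6F0F1A8A34D6F2F8FBA7F6A93FDE9AEB:2\r\n"
)


def demo_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range, serving the constructed body."""
    return DEMO_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct-horse-battery-staple-kettle"]:
        n = breach_count(pw, fetch=demo_fetch)
        verdict = f"seen {n} times, change it" if n else "not in the demo corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `demo_fetch` for the default `fetch_range` to query the live service; nothing but the five-character prefix goes over the wire, and a hit means that exact password is already in attackers’ wordlists, so change it wherever you used it.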

Always use 2FA when available

In addition to good password practice, you should also be using 2FA (two-factor authentication) whenever it is offered. More and more accounts and services are using 2FA as a second line of defence in your security, and for good reason.

We’ve covered 2FA in great detail before, but here’s a refresher: after you correctly enter your password for an account protected by 2FA, you will need to present a code from a trusted device in order to fully authenticate yourself. The code is usually either sent to you via SMS or generated by an authenticator app on your phone. In the app’s case, the app and the service share a secret key set up when you scanned the QR code, and both compute the same six-digit code from that key and the current time, so the code changes every 30 seconds and is never transmitted to you. An authenticator app is the better of the two, since SMS codes can be intercepted by someone who hijacks your phone number. Some password managers even have this code generator built in, allowing you to keep your security practices in one convenient location. Enter the code and you’re in; without the code, you’re out.

Using 2FA helps ensure a password leak doesn’t fully compromise your account: A hacker can enter your correct password all they want, but if they don’t have access to the 2FA code, they’re sunk. That’s why 2FA scams are on the rise, and why you should never share your 2FA code with anyone. The companies and services you use 2FA with will never ask you for these codes unprompted. If you receive a phone call or an email from these “organisations” out of the blue asking you to confirm your 2FA code to prove your identity, ignore it.

We could go on all day about the various steps you can take to keep your digital life secure. Following these password and 2FA tips, however, goes a long way, and puts you at a great advantage. Use strong, unique passwords, set up 2FA, and share none of those credentials with anyone, and you’ll be celebrating World Password Day every day.
