Password Recommendations

Creating and remembering strong passwords is difficult without a password manager. This guide explains how to create strong passwords and describes the benefits and peace of mind that come with using a password manager.

What makes a strong password?

Password strength is a combination of factors. Put simply, a strong password is unique (used with only one site or account), long enough to be hard for a computer to guess (four words chosen at random is a good approach), and easy enough for you to remember if you are not using a password manager. An example of a good password is altoids mirror sharks whiteboard. Note that the words need to be picked at random, not chosen by you, or they will be far more predictable than they look. Many people use their own formula with a common pattern, such as one4ebay!, one4facebook!, and so on. With a formula like that, once one password is exposed it is easy to guess the same person's Twitter password. At the other extreme, a completely random, complex password such as .2HJg%,]L]mu is hard for a computer to guess but extremely difficult for a human to remember. Your best option is to use a password manager and let it do the hard work, so that you need to remember only a few strong passwords rather than dozens or hundreds.
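The arithmetic behind this advice, as an added Python example that is not part of the original guide: a random passphrase is strong because each word chosen uniformly from a word list contributes log2(list size) bits of guessing entropy, and the words must be drawn by a cryptographic random generator rather than picked by a person. The 16-word SAMPLE_WORDLIST below is constructed for the example; a real diceware-style list has 7,776 words, which is the size used in the entropy figures.

```python
import math
import secrets

# Constructed sample word list. A real diceware-style list has 7776 words;
# this short list only lets the example run stand-alone.
SAMPLE_WORDLIST = [
    "altoids", "mirror", "sharks", "whiteboard", "copper", "lantern",
    "velvet", "orbit", "cactus", "pepper", "saddle", "quartz",
    "tundra", "walrus", "harbor", "meadow",
]

DICEWARE_LIST_SIZE = 7776      # size of a standard diceware word list
PRINTABLE_ASCII_SIZE = 94      # symbols available to a random-character password


def passphrase_entropy_bits(num_words, wordlist_size=DICEWARE_LIST_SIZE):
    """Guessing entropy of num_words picked uniformly and independently
    from wordlist_size words: each word adds log2(wordlist_size) bits."""
    return num_words * math.log2(wordlist_size)


def random_chars_entropy_bits(length, charset_size=PRINTABLE_ASCII_SIZE):
    """Guessing entropy of length characters picked uniformly from a
    charset of charset_size symbols (e.g. .2HJg%,]L]mu is 12 chars)."""
    return length * math.log2(charset_size)


def generate_passphrase(num_words=4, wordlist=SAMPLE_WORDLIST):
    """Draw num_words uniformly using the OS CSPRNG via `secrets`.
    random.choice must not be used here: it is not a CSPRNG and a guesser
    who learns its seed can reproduce every 'random' passphrase."""
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    return " ".join(words)


if __name__ == "__main__":
    print("4 diceware words: %.1f bits" % passphrase_entropy_bits(4))
    print("12 random printable chars: %.1f bits" % random_chars_entropy_bits(12))
    print("sample passphrase:", generate_passphrase())
```

Four words from a 7,776-word list come to about 51.7 bits; the twelve-character random string in the text is about 78.7 bits but is not memorable, which is the trade-off the paragraph describes. The entropy figure only holds when the words are drawn by the generator; a passphrase you compose yourself is not four random words.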

A very important point that cannot be over-emphasized: use a unique password for every website and account you have. If one website where you used a password is breached, the bad guys will try that same email address and password combination on every other website on the internet (a technique known as credential stuffing) until they find an active, valid account. This happens all the time; according to security reports, as of April 2019 almost 8 billion compromised accounts were for sale on the black market.

Using a password manager

Password managers are applications that generate strong, unique passwords and store them securely so that you only need to remember one master password. The password manager most often recommended by security professionals is 1Password. 1Password has the best user experience and the most comprehensive features; however, it costs $36/year. If paying for a password manager is not an option for you, LastPass and KeePass2 are suitable solutions with free options.

Password managers are not just for tech-savvy users; they are for everyone. Novice users who struggle with computers but have adopted a password manager consistently report that it is invaluable and that they could not imagine going back.

Subscribe to data breach alerts

An industry-respected security researcher named Troy Hunt runs a service that monitors data breaches and notifies people when their email addresses appear in one. The service is free and easy to sign up for at https://haveibeenpwned.com/. As a quick note, the word “pwned” is internet slang for “owned”, meaning someone has taken control of your account.

By providing your email addresses to this site, you will receive an email alert any time one of them shows up in a data breach. This could mean that your username and password were stolen from a website you’ve done business with, or it could just mean your email address was included in a marketing list that was sold on the black market. Each report includes details of what types of information were included in the breach. Whenever you are alerted, go to the service that was compromised and change your password. If you used the same password on any other site, update those too, making sure each site now gets its own unique password.

Here is an example from reports on two major service providers that were compromised (Dropbox and LinkedIn):

As you can see in these examples, both email addresses and passwords were stolen. Anyone who reused the same password on either of these sites and on any other site is at very high risk of having those other accounts compromised as well.

Preventing use of passwords previously exposed

To increase the security of accounts, our corporate identity systems no longer allow a password that has been exposed in a data breach. When you change your corporate identity password, a secure process checks whether the password you provided already appears in the bad guys’ databases and, if so, rejects it. Rest assured that the password you enter is never sent to or shared with anyone. The process is quite complex, but if you would like the details, read this article.
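A worked example of the kind of check described above, added here and not the corporate identity system's own code. It assumes the process is the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API (https://api.pwnedpasswords.com/range/<prefix>): the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service returns every hash suffix that shares that prefix together with a breach count, and the match is made locally, so neither the password nor its full hash ever leaves the machine. The MOCK_RANGE_5BAA6 response and its counts are constructed so the example runs offline; live_fetch_range shows the real request.

```python
import hashlib
import urllib.request

# Constructed mock of a range response for hash prefix 5BAA6 (the prefix of
# SHA-1("password")). The real API returns one "SUFFIX:COUNT" line for every
# known hash sharing the prefix; these three lines and counts are made up.
MOCK_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "4D99F3A3C4B5E1F7A4C0F6D2E1B8A9C7D1F:1\r\n"
)


def sha1_hex(password):
    """SHA-1 is the API's lookup key only; it is not a storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash):
    """First 5 hex chars go over the wire; the remaining 35 stay local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blanks."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def mock_fetch_range(prefix):
    """Offline stand-in for the API; only prefix 5BAA6 is populated."""
    return MOCK_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch_range(prefix):
    """Real request: only the 5-character prefix is sent to the service."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=mock_fetch_range):
    """Number of times the password appears in the corpus, matched locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_acceptable(password, fetch_range=mock_fetch_range):
    """Policy from the text: any previously exposed password is rejected."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "altoids mirror sharks whiteboard"):
        n = breach_count(candidate)
        print("%-35r seen %d times -> %s" % (candidate, n,
              "rejected" if n else "accepted"))
```

Two caveats a practitioner would want: a count of zero only means the password is not in the published corpus, not that it is strong, so this check complements rather than replaces a length or entropy requirement; and the prefix alone identifies roughly one in a million hashes, which is what keeps the lookup from revealing which password was checked.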

If, while changing your corporate password, you receive a message that the password you entered has previously been compromised in a breach, do not use that password anywhere. You should also visit https://haveibeenpwned.com and enter your email addresses to determine whether that password was exposed in a breach involving one of your own accounts, or whether someone else simply happened to use the same password. This tells you how urgently you need to change your password on other websites.