The internet is big. Really, really big.
The latest estimate of the “size” of the internet is overwhelming. Each day, over 6 billion people access enough information to circle the world a few times – literally: the amount of data transmitted, if put onto DVDs, would stack high enough to circle the world 220 times!
With all of that data moving, needing to be stored, retrieved, altered, updated, added and deleted, security is an issue as well.
Passwords are the gatekeeper of information.
But not every gate is strong enough for what it protects. And not every person securing those gates knows what they are doing.
In fact, 30% of global internet users have experienced a data breach due to poor password health. Among United States internet users, 2 out of every 3 use the same password for multiple logins. And, 13% of Americans use the same password for EVERY account.
But, passwords, while possibly problematic, are also the kryptonite of most hackers.
In fact, they can turn hackers away if you follow a few simple rules for choosing and using passwords online.
What Makes a Password Strong?
Passwords are the lock, key and the gate in protecting your information.
There are three characteristics of “good” passwords that we should cover: size, quality and uniqueness.
Password Size
Think of a number from 1 to 5.
Was it 3? 4? 1? 2? 5?
Within 5 guesses I can find your number. That might not seem like a true measure of password strength. But what if, instead of 1 to 5, I ask you to choose a number from 1 to 1,000,000,000,000,000,000? Is it harder now?
A password that reads like “hW43kTb” is far easier to guess than “hW43kTb2AvI84Fm”.
In passwords, size matters.
Many people use a password of about 8 characters on average. That is short enough to remember, and it feels long enough not to be guessed. Instead, creating a password of at least 14 characters increases your password strength by a magnitude of 15000X.
Password Quality Matters, Too
Passwords shouldn’t only be longer; they should also use numbers, letters and special characters. And the letters should not spell out readable words.
For instance, “mypasswordis123” is not a good password – it’s not even an “ok” password, let’s be honest.
But if your password is “coral245horses”, moving it to something like “CuRhL2WoR4SeE5a” can and will save you.
By what magnitude?
The first password, “coral245horses” will take a basic cracker about 4 days to infiltrate. If using cloud technology and other tools (scripting, dictionaries, etc), this number could be as little as 6 hours.
The second password, “CuRhL2WoR4SeE5a”, will take a basic cracker nearly 1000 years to crack. With the advanced tools mentioned above, this number could be as little as 4 years.
The quality of your password matters just like the size. And when you mix the two, you get a fairly decent result that makes cracking your password difficult, improbable, and possibly even impossible.
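To make the size and quality points concrete, here is a small strength estimator (added here as an example; it is not code from this site). It compares the blind brute-force view (alphabet size to the power of length) with what a cracker actually does: try ranked dictionary words and digit runs first. The wordlist, its ranks and the guessing rate are constructed assumptions for the demo, so the times differ from the figures quoted above; the ordering of the three example passwords is the point.

```python
import math
import re

# Constructed stand-in for an attacker's ranked wordlist (rank 1 = most common);
# a real cracking dictionary has millions of entries, these ranks are assumptions.
WORDLIST = {"password": 1, "my": 3, "is": 5, "horses": 12000, "coral": 40000}
# Regex for each character class and the alphabet size it contributes.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))

def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, pw))

def brute_force_bits(pw: str) -> float:
    """Work for a blind search over the implied alphabet: the 'size' view."""
    return len(pw) * math.log2(charset_size(pw))

def segment(letters: str):
    """Split a lowercase letter run into wordlist words (longest match first)."""
    if letters == "":
        return []
    for i in range(len(letters), 0, -1):
        if letters[:i] in WORDLIST:
            rest = segment(letters[i:])
            if rest is not None:
                return [letters[:i]] + rest
    return None

def pattern_bits(pw: str):
    """Work for an attacker trying ranked words and digit runs instead of a blind
    search. Case is folded because toggling case is a cheap cracker rule.
    Returns None when the password does not decompose into words and digits."""
    bits = 0.0
    for token in re.findall(r"[a-z]+|[0-9]+|[^a-z0-9]+", pw.lower()):
        if token.isdigit():
            bits += len(token) * math.log2(10)
        elif token.isalpha():
            words = segment(token)
            if words is None:
                return None
            bits += sum(math.log2(WORDLIST[w] + 1) for w in words)
        else:
            return None   # symbol runs: no rule modelled, fall back to brute force
    return bits

def effective_bits(pw: str) -> float:
    p = pattern_bits(pw)   # the attacker takes whichever strategy is cheaper
    return brute_force_bits(pw) if p is None else min(p, brute_force_bits(pw))

def crack_time_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Average-case time at an assumed offline guessing rate (1e10/s is a guess)."""
    return 2 ** effective_bits(pw) / 2 / guesses_per_second / (365 * 86400)
```

Notice that “coral245horses” has 72 bits by the blind count but under 40 once the cracker treats it as word + digits + word, while “CuRhL2WoR4SeE5a” does not decompose at all and keeps its full 89 bits.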
Unique Passwords, And Their Value
Ok, so you’ve created this TERRIFIC password. It would take someone years, centuries, even millennia to crack… but it does no good, because you used it everywhere.
You used the same password for your Netflix account as you did for your bank login, all of your credit card logins and your login to the IRS. Now, if some cracker, hacker or fraudster gets one login, they have them all.
Sounds crappy, right?
But it happens all of the time.
Nearly 13% of Americans use the same password, for every single login they have. This means when someone guesses or receives one of your passwords, they have access to everything!
Instead, it is better to have unique passwords for each login.
This means that your login to First Choice is different from your login to GMail. And those logins are different from your login to the IRS website. And those logins are different from your login to Amazon.
If you do this, and someone infiltrates your Facebook password, as an example, they cannot go into your credit card or banking accounts and drain you blind.
A Final Tip: RANDOM is the best way!
The fourth, and often unspoken, attribute of a good password is its randomness.
A random password has no significance for sequence, no readable characters, no association to the user… nothing.
Many Americans build their passwords from personal associations.
For instance, almost 60% of US adults use birthdays and/or names in their passwords.
This means that, in some cases, I simply need to visit your Facebook, Instagram or TikTok profile to start formulating some possible passwords for you.
Not good.
Instead, using a random password generator makes the most sense.
Not only will you have a strong password based on the settings you choose, but you will have a random password. Now, any attacker won’t be able to simply guess the password based on you.
Try out our random password generator below. You will see how a random password can far outweigh the security you think you can have in creating your own.
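As an added example (not the site's own generator), this is how a random password generator should be built: every character drawn from the operating system's cryptographic random source via Python's secrets module, never the predictable random module, with the strength of the chosen settings stated in bits. The length default and the "one of each class" rule are assumptions for the demo.

```python
import math
import secrets
import string

# Character classes the generator guarantees; the alphabet is their union (94 chars).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)

def has_all_classes(pw: str) -> bool:
    """True when every class contributes at least one character."""
    return all(any(c in cls for c in pw) for cls in CLASSES)

def generate_password(length: int = 14) -> str:
    """Draw every character uniformly from the full alphabet using the OS
    CSPRNG (secrets). Rejection sampling keeps the characters independent and
    uniform; forcing one character per class into fixed positions would shrink
    the keyspace and give an attacker structure to exploit."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw

def generator_bits(length: int = 14) -> float:
    """Entropy the generator delivers: log2(94 ** length). At length 14 the
    rejected fraction is negligible, so this is the strength to quote."""
    return length * math.log2(len(ALPHABET))
```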
Tools to Help You Manage Passwords
With all of these changes to your passwords, you likely need some help. After all, we have talked about not only changing your passwords to make them more secure, but also making them longer, giving them more characters and special characters, and keeping them unique AND random.
WOW!
How do you do all of this?
Many people turn to a password list in an Excel file. Or they may use a more low-tech option like the dreaded “password on a sticky note” - ouch!
Instead, there is a tool that will help you never have to track nor remember a password, while keeping them impossible to guess, unique and random - a password manager.
A password manager literally does what it says; it manages your passwords for you.
A password manager will allow you to securely store all of your passwords and logins. You will not have to remember them, at all. You simply remember your ‘master password’ to log into the application, and from there, it does all of the heavy lifting.
In many cases, your password manager will come with additional tools. These can include browser extensions, password generators, dark web scans (to see if your current login details are publicly traded and available) and more.
The most popular password managers, and our choices, are:
- Dashlane
- Nordpass
- 1Password
- Keeper
- Bitwarden
These all have various pricing plans and features. However, in the end, they do one thing very effectively: protect your data with real password management.
As noted, your password manager doesn’t need to exist only on your PC. Instead, it needs to interact with your web browsers, your phone and your tablet. Many password managers do just that, securing your logins and passwords wherever you are.
The Real Myths About Passwords
Passwords carry with them an overwhelming sense of rules and standards and issues… and myths.
Over the years, password health has meant different things to different organizations and private individuals. Where once a recommendation might be to only use a random password, the rules changed to a password over 8 characters. Now the suggestion is over 14 characters where possible.
What are some of the biggest myths about passwords and security right now?
"I only need one password"
As we’ve stated before, having one grand and awesome password might seem like the way to go - after all, you can remember it, and it is difficult for anyone to guess.
But, having one password means that if anyone, whether you know they have it or not, gets that password, then they get everything that is you - email, banking information, private data and more.
"I don’t need to change passwords."
Changing your passwords is a controversial topic at this time. However, changing your passwords, especially when they are weaker, makes sense. Due to some compliance and regulatory standards, changing your passwords every 30 days, 90 days or yearly is a reality.
“Passwords don’t matter if the website is secure.”
Password security and website security are two completely different things. Website security involves protecting the data the site handles: its storage, its transmission, and the metadata about visits.
Password security allows your key to enter the gate to be secured. A website could have NSA-level security features on it, but if your password is ‘pass123’, you are likely as good as hacked from day one!
“I am not that important and don’t have a lot of money, so my passwords don’t need to be as secure.”
You might not think that you would be a target of a hacker or a scammer. You might think this because you don’t have a lot of money. Or because you don’t have an important job. Or because your credit isn’t great.
But data is priceless. The more data someone can collect on you, specifically private and sensitive data, the more valuable you become.
Plus, there are vertical attacks that can be performed. Meaning that after an attacker gets your sensitive details, they could target your friends, family, co-workers, parents, children - ANYONE. And they could do it as you, which is really painful for those impacted.
“Password strength is irrelevant if you reset your passwords often.”
Some people believe that if they change their passwords constantly, they don’t need to follow any rules for password health and password strength.
But, remember what we said above. A password like “coral245horses” might be guessed in a few hours or a few days. Imagine trying to beat out a hacker who is running automated software to beat you to the next reset.
It's not a sustainable practice.
“You can share passwords with people you trust.”
You trust your kids, or your spouse, or your brother, or your sister, right?
So, you give them your password to log into something. A few weeks later, you discover that you were hacked. How? Did they do it? Why did they do this???
Nope. It wasn’t them stealing your identity, your bank records or your health information.
Instead, their account being hacked exposed your password and led to you being hacked.
Or, what’s worse, that little sticky-note that had your login details was seen or picked up by someone who knows someone who knows someone and THEY took your data!
One more thing to help protect your passwords
As a deeper note on password security, we should talk about two additions to your password health and password strength activities - 2FA and TOTP.
2FA, or two-factor authentication, is usually done when you enter a password and are sent a code. This code comes to your phone as a text or to your email. You then enter the code to verify this user is indeed you, and then you are allowed to login fully.
OTP, or one-time passwords (most commonly the time-based variant, TOTP), are usually a security action that makes use of an authenticator. Popular authenticator tools are Google Authenticator and Microsoft Authenticator. These tools use codes that reset on a timer to verify the true identity of the person logging into a system.
These are two additional methods of securing your logins. When you team up these methods with solid password strength and password health, your accounts become incredibly difficult to penetrate. Even with your login, 2FA or TOTP means there is another layer of verification that anyone logging into your accounts must get through first.
Security is about layers. And these two additional measures help to complete your security health online.