Proper password habits feel like data security’s equivalent of flossing. Yes, we all need to do better with both. But if we’re pressed on how it’s going, most of us admit that we don’t even know where the floss is and that we keep most of our passwords on three sticky notes hidden under our keyboard.
We get it. Most days feel like a constant obstacle course of passwords and PINs, whether we’re trying to withdraw cash at the ATM, check a retirement account balance, use a retailer’s reward card or just stream a movie. The average American has 50+ passwords—many of which you use once or twice a year. (“Yes, specialty spice retailer, it looks like I DID forget the password that I created for Christmas of 2018!”)
Even the password’s inventor, the late MIT professor Fernando Corbato, turned antagonistic to the monster he created. He told the Wall Street Journal in 2014 that passwords have “become kind of a nightmare on the World Wide Web.”
Isn’t There A Better Option?
Password alternatives keep turning up, but no one has quite mastered the alchemy of an easily remembered, hackproof password. The “knock codes” LG added to its phones excited a lot of people, for example. Users simply tap out a chosen sequence on a blank screen to unlock the phone. But it turns out that 20% of participants forget their new codes within 10 minutes. So most people use very predictable patterns for their codes.
Biometrics are an easy-to-use option, but only if a company wants to pay to install fingerprint or retinal scanners on every device.
So the password abides. If we’re following the IT department’s advice, each password contains a different scramble of uppercase letters, lowercase letters, numbers and symbols. No wonder most of us give up and take the easy routes; 59% of us use one password everywhere, according to the password management company LastPass. Most people are willing to gamble convenience against the chance that a hacker will get the keys to their digital life.
As for writing every password down in one place…well, even Professor Corbato, Father of the Password, admitted that he kept a written cheat sheet of 150 passwords he was trying to manage. But the risk of that move isn’t going away. In June 2020, the “hacktivist” group Anonymous broke into the Minnesota Senate’s servers and hacked a file that Senate officials literally called “The Passwords File.”
And one more thing just to make the challenge even bigger: Experts advise against using the “Remember Me” function to log into web pages automatically. If someone gains access to your computer, they will have an open door into any password-protected website you use.
Real-World Password Solutions
But enough venting about password headaches. What are the current best practices for managing passwords in a way that’s secure and actually practical? Here are guidelines recommended by Pratum’s experts:
- Use multifactor authentication whenever possible. This is the increasingly familiar approach that adds another layer of protection through steps such as texting you a verification code along with requiring a password. MFA involves two of the following three elements: something you know (password or PIN), something you have (a badge or a device) and something you are (fingerprint or voice recognition).
- Use more complex passwords. Most of us use obvious phrases to make memorization easier. But when hackers’ software runs through thousands of password combinations per minute, they’ll eventually figure out “ILovePizza!”. Use more random combinations such as “1lovePws!”.
- Keep rotating passwords. Yes, it’s a hassle when the IT team makes you change passwords every 90 days, and you may have seen news that this standard is falling from favor. But permanent passwords are actually recommended only for organizations that have extra protections in place such as multifactor authentication.
- Use a browser plug-in such as LastPass. It stores all your passwords in one spot and lets you easily log into websites by choosing the appropriate password from your list. The plug-in requires its own master password, so no one can access your sites just by getting access to your computer. You also can use a password app to generate random, virtually uncrackable passwords for yourself. Do note that if you’re planning to use your workplace computer for this, you may not be permitted to install the plug-in. And be sure to use a password manager that is encrypted and protected with MFA.
- Log in to sites via a big, trusted company. You typically see this option as “Log in with Google.” This makes things simpler, and you’re using the expertise of a major company. But your password to that service obviously should be bulletproof.
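The texted verification code from the multifactor bullet above, seen from the server’s side, as an added example (not Pratum’s code or part of the original article): the service issues a random code, accepts it only once, and refuses it after a five-minute window or five wrong guesses. The five-minute lifetime, five-attempt limit and the `OneTimeCodeStore` class are assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a texted code is good for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses invalidates the code


class OneTimeCodeStore:
    """Server-side record of texted verification codes, keyed by user id (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised in tests
        self._codes = {}     # user_id -> [code, issued_at, attempts_left]

    def issue(self, user_id):
        # secrets (a CSPRNG), not random, so codes cannot be predicted; zero-padded to fixed width
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[user_id] = [code, self._now(), MAX_ATTEMPTS]
        return code          # what the SMS gateway would send; never write it to logs

    def verify(self, user_id, submitted):
        entry = self._codes.get(user_id)
        if entry is None:
            return False     # nothing outstanding for this user
        code, issued_at, attempts_left = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts_left <= 0:
            self._codes.pop(user_id, None)   # expired or locked: user must request a new code
            return False
        entry[2] -= 1        # every guess, right or wrong, spends an attempt
        # constant-time comparison so response timing does not reveal matching digits
        if hmac.compare_digest(code, str(submitted)):
            self._codes.pop(user_id, None)   # single use: consumed on success
            return True
        return False
```

Pair this with the password check, not instead of it: the code proves "something you have" (the phone), while the password still proves "something you know."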
If you’re wondering whether your password game is in the sweet spot of security and usability, a Pratum expert can help. To discuss a review of your policies, reach out to our cybersecurity team.