Good password hygiene is the most effective way for anyone to protect their identity – online AND offline. We come across far too many people who have a rather laissez-faire approach to their online accounts. In most cases, we find that it’s a simple matter of being unaware, or assuming that they’re a small fish in a big digital sea: “Who’d wanna steal my identity?”, or “I don’t have anything worth stealing, anyway.” Many people assume there isn’t a high likelihood that they’re being targeted. But here’s the thing:
Nameless, faceless hackers aren’t necessarily trying to steal your money. They’re trying to steal your information – any of it, and Big Bad is looking for the easiest target it can find.
They’re often looking for things like log-in credentials for literally any online account you’ve ever created, even accounts that don’t have any credit card information attached to them. Why? Because there exists an entire underground market for that seemingly innocuous information: nefarious dark-web baddies who purchase bulk lists of usernames and passwords for their evil internet dealings.
Digital Hygiene: Password Edition
What follows are 3 ways your passwords suck, as well as a solution to most of your password issues. For the love of puppies and Christmas, break these nasty habits ASAP.
1. Your passwords are weak
We’ll start with the simplest piece of advice: use stronger passwords. Big Bad Hackers have gotten incredibly sophisticated in their ability to crack passwords. A few minutes of targeted research on your social media profiles, or those of your friends, can provide Big Bad with the name of your dog, kid, or spouse, as well as your anniversary, birthday, place of employment, favorite soda…heck, even your favorite swear word probably isn’t too difficult to guess. Failing the personal research angle, Big Bad has access to a wealth of tools that programmatically generate passwords based on dictionary words, keyboard patterns, or commonly used password combinations.
Jack uses the password 1Dakota2. Jack’s Instagram feed shows, amongst other things, pictures of a hunting trip in the Black Hills (of South Dakota) with his dog, Dakota. From here, Big Bad has a handful of words (Black, Hills, South, Dakota, Hunting) that they can use with a password cracking tool to create a variety of combinations to try. It would probably take all of 5 minutes to guess Jack’s password.
So, what is a strong password?
To make a password strong:
- Try to break away from patterns of numbers or keystrokes, as these are easily guessable by a dictionary-based password cracking tool.
- Using letters, numbers, and symbols, and arranging them randomly in a string will make for a much less predictable password combination.
- Obviously, the more characters that exist in your password, the more character combinations Big Bad will have to go through. Longer is stronger. And if an online account limits you to fewer than 20 characters for a password, take it as a sign that the service doesn’t take user security very seriously. Then take your business elsewhere.
Spend a few minutes playing with the various tools offered by Random.org to get a feel for what a strong password will look like.
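The three rules above, as a small self-check you can run on your own machine (an added example, not part of the original post): it flags a password built from personal words or common patterns, the way Jack's 1Dakota2 is, and generates a long random one from the operating system's secure random source. The function names, the 20-character minimum and the short pattern list are assumptions made for this illustration.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LENGTH = 20  # assumption for this example, not a figure the post prescribes
# Constructed short list of keyboard and number runs that dictionary tools try first.
PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "abcd", "password")
# Undo common letter-for-symbol swaps before comparing against words.
LEET = str.maketrans("013457@$!", "oieastasi")


def audit_password(password, personal_words=()):
    """Return the reasons a password is guessable; an empty list means none found."""
    issues = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    for word in personal_words:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w in normalized):
            issues.append(f"contains personal word '{word}'")
    for pat in PATTERNS:
        if pat in lowered or pat in normalized:
            issues.append(f"contains common pattern '{pat}'")
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    return issues


def generate_password(length=24):
    """Random letters, digits and symbols drawn from the OS secure random source."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Keep only draws that use every character class and pass the audit.
        if all(any(c in cls for c in pw) for cls in classes) and not audit_password(pw):
            return pw


if __name__ == "__main__":
    # Jack's password and the words visible on his feed, taken from the example above.
    words = ["Black", "Hills", "South", "Dakota", "Hunting"]
    print(audit_password("1Dakota2", words))
    print(generate_password())
```

Swapping letters for look-alike symbols does not help: the audit treats D4k0t4 the same as Dakota, which is also how cracking tools treat it.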
2. Your passwords aren’t unique
When you use the same password for every online account, you’re putting yourself at risk – even if that password is a 30 character, completely randomized string with letters and numbers and symbols.
Timmy’s email address is [email protected] (see what I did there? gMALE? Like gmail?, but masculine? Ha!)
Let’s pretend there’s an online book club called Library Stuff. Library Stuff is just an online community of book readers. They don’t sell anything and there is no membership fee.
Timmy has an account on Library Stuff. Timmy logs into this account using his email address and his super good password Rxigmm23*.
Now, let’s pretend Library Stuff’s website was hacked into by an Internet Baddie. This hacker gained access to Library Stuff’s entire user database.
Okay, that stinks, but since Library Stuff is a free service, the hacker didn’t get anyone’s credit card information or anything. No big deal, right?
Wrong. Big deal.
Library Stuff’s user database included Timmy’s email address, password, city and state. Remember, Timmy’s quite proud of his super good password. That’s why he uses it on most of his accounts.
He uses his super good password on his online banking account.
Timmy also uses his email address to log into his online banking account.
Okay, but the hacker doesn’t know where Timmy does his banking. He’s safe, right?
The hacker has Timmy’s address and his IP address. Using this, the hacker can find all of the banks local to Timmy, and just start trying username and password combinations.
And what if Timmy uses his super good password for his EMAIL ACCOUNT? Think about the variety of security items that exist in your email account. Not only would the hacker have access to all of that, but the hacker could also use that access to reset Timmy’s account passwords anywhere that he uses his email address to log in.
Imagine that you have one key to unlock your home, your car, and your safety deposit box at the bank. If someone stole that key out of your pocket, it’d put your home, your car, and your safety deposit box at risk, right?
Use a different password for each of your online accounts.
3. You share your passwords.
When you share your passwords, you open yourself up to the vulnerabilities of whoever you’re sharing it with. What if they use an insecure Wi-Fi connection or have a computer virus or spyware installed on their phone? Your password now exists on these compromised devices.
How are you sending your friend that password? Text, email, Facebook Messenger? Snapchat? IM? None of these (even if you use disappearing messages) are secure channels. When you send a password in plain text (over email, text, Snapchat, IM, whatever) you’re opening up a giant vulnerability. At any point on your password’s journey from your device to your friend’s device, Big Bad could snatch it out of the internet tunnel.
How does your friend store your password? Did they just save the text message you sent? Write it on a sticky note? Save it in their browser? None of these are good ways to store a password.
Get A Password Manager!
The most straightforward way to make your passwords less sucky is to BUY a password manager. Purchase it. You don’t blink at buying that latte in the morning, or renting a movie on Google Play. A good password manager is 100% worth the investment.
Native (Free) Password Managers Fall Short
There are plenty of password managers that come installed on devices: Apple’s iCloud Keychain, Samsung Pass, Google Smart Lock. These are all perfectly secure, from a technical standpoint, but as mentioned earlier, even the most secure password will fail you if it’s not used correctly. All of these native, free password managers have the same glaring hole: they don’t work across all devices.
For instance, I work on an iMac and a MacBook Pro. I carry a Samsung Galaxy S9, and I share a Samsung Galaxy Tablet with my husband. I also have an older iPad that I use for testing. I need to be able to securely log into a variety of accounts on all of these devices. I could use iCloud Keychain on my computers and the iPad, and either Samsung Pass or Google Smart Lock on my phone. Google Smart Lock will also work when I’m using Chrome on any device…but I don’t use Chrome exclusively. And I couldn’t use iCloud Keychain on my beloved Samsungs.
So how do I transfer my long, randomly generated, ultra-secure passwords around? Do I text them from one device to the other? IM? Email? Try to focus my old eyes long enough to type in each 20+ character password by hand? No, no, nope.
One Password Manager for Every Device
My official advice is to use a device-agnostic password manager. Something that works across any device, and in any operating system. There are a handful out there and I’ve tried tons of them. In my professional opinion, the best available is 1Password.
1Password is user-friendly, ultra-secure, and incredibly convenient. It exists simply and beautifully on all of my devices and syncs in real time. It boasts a password generator, the ability to keep encrypted notes, credit cards, ID cards, membership information, bank account numbers…all of it. It also supports sharing logins and passwords – securely. No more sticky notes or insecure text messages.
1Password offers a couple of different types of accounts, depending on how you operate. Options for individuals, families, or businesses keep it extremely flexible. Pricing is far more flexible than any other paid password manager I’ve ever seen, as well. The monthly cost per user falls around the price of a very small fancy coffee. Maybe less.
In the spirit of full disclosure, you should be aware of a couple of things:
- I haven’t been to a coffee house in years. I drink a lot of coffee, but it’s all brewed on-site.
- Goatshark Enterprises has applied to partner with 1Password in an affiliate capacity; our application is still being processed. Frankly, even if the kind Canadians behind the company choose to deny us that application, I’d be singing their praises. This is the single most useful tool I’ve found in a very long time. Possibly ever.
We never give advice we don’t believe in. Moreover, we NEVER make a product recommendation for something we haven’t used ourselves. This guide will provide you with a solid roadmap to less sucky passwords, even if you don’t take our Password Manager recommendations.
If nothing else, these tips will make you look like the most tech savvy person in your office. 😉