Passwords are still essential in our digital lives. Strong and secure passwords should be used. Follow these rules and you will be fine.
A strong password is essential to your online security, and you need a unique one for each of your accounts. With so many accounts, though, it is tempting to fall into the bad habit of using the same password (and the same username) everywhere. If your data is compromised, a weak password exposes you to identity theft, among other things. Until passwords are a thing of the past, it is time to take the right steps.
Use a password manager
Strong passwords are long, hard to guess, with lots of special characters and numbers. This is where password managers come in handy. A good password manager like 1Password or Bitwarden can create strong passwords for you and these solutions work on desktop and mobile.
The one drawback is that you still have to remember a single password, the master password, which unlocks all the others. It must be very strong. Remember, too, that even password managers can be hacked.
Yes, you can write your credentials down
This recommendation goes against everything you have been told about online protection. But password managers aren’t for everyone. Some security experts and organizations, like the Electronic Frontier Foundation, consider keeping your credentials on a piece of paper or in a notebook a viable method.
Of course, someone could break into your home and walk away with all your passwords, but that is highly unlikely. At the office or at home, keep this sheet in a safe or a well-hidden place, and tell as few people as possible where it is.
If you are often on the move, however, carrying your passwords with you increases the risk of losing them.
Get notified if your passwords are compromised
It is not always possible to prevent your passwords from being compromised, but you can find out when it happens. Mozilla Firefox Monitor or Google Password Checkup can tell you whether an email address or password of yours appears in a known breach. Have I Been Pwned offers the same service.
Avoid overly common words and character combinations in your passwords
The goal is to create a password that a third party could not easily guess. Avoid common words and other predictable character sequences. Also avoid your first and last name, your pet’s name, your date of birth, your street number or anything else directly associated with you, all the more so if that information is public.
Long passwords are better: 8 characters, no less
Eight characters is the minimum at which a password can start to be called strong. But longer is better. The Electronic Frontier Foundation and security expert Brian Krebs, among many others, recommend using a passphrase made of three or four random “words”. It is harder to remember, though, hence the need for a password manager.
Do not recycle your passwords
Reusing passwords on different sites is a very bad idea. If someone gets hold of one password, they gain access to your other accounts as well. The same goes for trivial variations of a password: PasswordOne and PasswordTwo, for example, do not count as different passwords! With a unique password for each account, an attacker who obtains one password only gets into that single account.
Avoid using already compromised passwords
Attackers use dictionaries when trying to log into accounts, and these dictionaries are built largely from passwords that have already leaked. To check whether your password has been compromised, go to the Have I Been Pwned site and enter your password.
No need to change your password regularly
For years, changing your password every 60 or 90 days was accepted practice, because that was thought to be roughly the time needed to crack a password. Microsoft now recommends against it, unless of course you suspect a compromise. Why? When forced to change frequently, many of us fall into the bad habit of choosing easy-to-remember passwords or writing them on a post-it note stuck to the screen.
Use two-factor authentication… but avoid SMS codes
If thieves get hold of your password, you can still block access to your account if you have enabled two-factor authentication (2FA). The service then asks for a second proof, a short-lived one-time code, before granting access. So even with your password, an attacker who does not have your trusted device (usually your smartphone) cannot log into your account.
Most often, the one-time code is sent by SMS or delivered by a phone call. Unfortunately, attackers today can take over your phone number (via a SIM swap) and intercept the code.
The safer option is an authenticator app such as Authy, Google Authenticator or Microsoft Authenticator. Once set up, you can register your device or browser so that you do not have to go through the second factor every time you sign in somewhere.