In this article, you can find advice about how to work comfortably and safe with your passwords.
Forget about the principles ordering you how many symbols your password should have and how often you should change your password.
Those principles are outdated and contra productive.
- Use a password manager
- Use a unique password for service
- Do not devise your passwords, generate them
- If you are sharing your password with anyone, verify their identity first
- If you have a suspicion your password has leaked, change it!
- Activate a multi-step verification
Use a password manager
Learn to use a password manager. You don’t have to remember your passwords anymore. It is a very comfortable way of preserving your passwords and you will get used to it fast. It is also sticking to the important principles while creating passwords.
The password manager has to be trustworthy, that is why you should be interested in reputation of the author or the operator. From our experience we can recommend f.e.: 1password.com, lastpass.com or keepass.info.
You then need to remember only one quality password, with which you are protecting the password manager and on other www websites (or mobile apps) is the password going to fill in automatically. If you want to, you can manage those synchronized on all devices which you are using (phone, pc, tablet).
It is understandable, that not everyone is putting their trust into saving all of their passwords at one place, but you should consider the following arguments.
The password managers listed above are protecting access to your thoroughly encrypted purse with the main password but also with being saved only on those devices, which you choose (1password.com or keepass.info). You can also protect your access with multi-step verification (lastpass.com)
The password manager is monitoring the URL addresses, where you are entering your password, thereby protecting you effectively against so called phishing.
Already today you have one place and one password, with which someone can get to most of your accounts. It is your mailbox and the password to it as you can reset your password using your mailbox by most services. Thats why you should protect your mailbox access twice as much, even if you would not be using password manager.
Even though the password manager has its shortcomings as every other app, it does not matter that much, if a verified organization is operating that app. They are correcting the errors by return. The manager is not and does not have to be perfect. Using the password manager on your accounts is much safer and more comfortable to use, than without it. It is fundamentally safer and more comfortable to use generated unique passwords, which are at hand and do not need to be copied than inserting memorized passwords. Memorized passwords are the same or similar on more website services. Generated passwords usage is also much better than saving your passwords as a text anywhere (even offline).
Use a unique password for every service
The most common way of misusing passwords in practice is based on the customer using same or similar passwords on several services.
As the password is commonly saved jointly with your email address, it is the worst to use the same password on other web services as you are using on your email. Using your email your password can be reset for almost every account you are using.
You never know, how your password is being dealt with. Whether the operator is saving it correctly or readable. You do not know who has access to the password (f.e. a hired summer worker working for the operator,..)
Moreover even while keeping up with the security principles leaks occur from public services, which are facing robotic attacks every day.
As the incidents listed above occur ordinarily, it is fundamentally important to limit the eventual leak of a password only to one service, so only that password could be misused and other accounts would not be in danger.
If you set a same password for ACTIVE 24 and f.e. for some eshop, the leak of the eshop password can severely endanger your domain or email services at our company.
Understandably it is not in human powers to remember dozens of unique passwords, we recommend to use a trustworthy password manager.
TIP: When you insert your email address at haveibeenpwned.com, you can verify, if there is a leaked password to your mailbox floating around the internet. You can also register at the service to receive a notification if that would happen in the future.
Do not devise your passwords, generate them
Avoid using simple passwords, those which contain well-known words, names, numeric or symbol sequences, birth dates or those which can be estimated in the context with the visited website.
If you are using a password manager, use it to generate passwords and do not be afraid to use long passwords (commonly longer than 20 symbols), as you do not need to know the password and in most cases you do not need to copy it manually.
You can select the length and complexity of the password, with regard to the requirements of the service.
If you still choose not to use a password manager despite the reasons listed above, you should know, that the length of the password is far more important than the symbols it is containing.
So you should use passwords consisting of multiple long unrelated words, ideally including diacritic and creative SpeLlinG.
There are some common situations, where it makes sense to share your access data with someone, f.e. with a webmaster, which you are trusting. On the other hand, elicitation of a password from the user is a very common way to succesfully steal someones account.
Elicitation of the password is easier than overcoming technical obstacles of a secured system.
A usual way to elicit a password is pretending to be technical support, commonly combined with invoking the feeling of urgency.
Nowadays it is favorite to elicit data on social networks, where a person is writing you, you think you know them at the first sight (same name, photos,etc.) but it is a fake profile.
If you trust the applicant, choose a suitable handover way of the password. At best use a different communicating channel, than the one, where the password was asked to be provided. For example send the password using SMS, when the request came by email etc.
Do not hand over a password, which you are using for more services! Bear in mind, that customer support should never ask for your access data – they do not need them.
An assumption for safe handovers of passwords is using unique passwords. After handover erase the password from your email/SMS history.
If you have used your password on some untrustworthy computer, send it via some untrusworthy channel, inserted it in a suspicious form (even a pro can fall for phishing) or the reason for sharing your password it with somebody has passed, change your password without any unnecessary delay!
When using a password manager generating and saving a new password is a matter of seconds and you do not need to remember anything.
Activate a multi-step verification
If a service is providing multi-step verification, you should activate it while signing in (so called 2SV or 2FA). Mostly it is about one-time numeric passwords generated by an app in a phone or verifying notification via an app in a phone.
Verifying via SMS is not considered trustworthy enough anymore and it is recommended to resign from it.
In each case protect your password manager in this way, it is saving passwords online (lastpass.com) or use a service for synchronizing files, which you are using for saving files with encrypted passwords (f.e. dropbox.com).