In this article you will find advice on how to work with your passwords comfortably and safely.
Forget the rules that dictate how many characters your password must have and how often you must change it.
Those rules are outdated and counterproductive.
- Use a password manager
- Use a unique password for every service
- Do not devise your passwords, generate them
- If you are sharing your password with anyone, verify their identity first
- If you have a suspicion your password has leaked, change it!
- Activate multi-step verification
- How we protect your passwords in ACTIVE 24
Use a password manager
Learn to use a password manager. You no longer have to remember your passwords. It is a very convenient way of keeping your passwords and you will get used to it quickly. It also keeps you to the important principles when creating passwords.
The password manager has to be trustworthy, so take an interest in the reputation of its author or operator. From our experience we can recommend, for example, 1password.com, lastpass.com or keepass.info.
You then need to remember only one strong password, the one that protects the password manager; on other websites (or in mobile apps) the password is filled in automatically. If you wish, you can keep the stored passwords synchronized across all the devices you use (phone, PC, tablet).
It is understandable that not everyone trusts keeping all their passwords in one place, but consider the following arguments.
The password managers listed above protect access to your thoroughly encrypted vault with the master password, and also by keeping the vault only on the devices you choose (1password.com or keepass.info). You can also protect access with multi-step verification (lastpass.com).
The password manager checks the URL where you are entering your password, which protects you effectively against so-called phishing.
You already have one place and one password through which someone can get to most of your accounts: your mailbox and its password, because most services let you reset your password via your mailbox. That is why you should protect access to your mailbox twice as carefully, even if you do not use a password manager.
Every app has shortcomings, the password manager included, but that matters little if a reputable organization operates it: they fix errors promptly. The manager is not and does not have to be perfect. Using a password manager for your accounts is much safer and more convenient than doing without it. Generated, unique passwords that are at hand and do not need to be copied are fundamentally safer and more convenient than memorized passwords, which tend to be the same or similar across several services. Generated passwords are also far better than keeping your passwords in plain text anywhere (even offline).
Use a unique password for every service
The most common way passwords are misused in practice relies on the customer using the same or similar passwords on several services.
Since a password is usually stored together with your email address, the worst choice is to use the same password on other web services as for your email. With access to your email, the password of almost every account you use can be reset.
You never know how your password is handled: whether the operator stores it correctly or in readable form, or who has access to it (for example a temporary summer worker employed by the operator).
Moreover, even when the security principles are followed, leaks from public services occur, since they face automated attacks every day.
Because the incidents listed above happen routinely, it is fundamentally important to confine a possible password leak to a single service, so that only that one password can be misused and your other accounts are not endangered.
If you set the same password for ACTIVE 24 and, for example, for some e-shop, a leak of the e-shop password can seriously endanger your domain or email services with us.
Understandably, it is beyond human ability to remember dozens of unique passwords, so we recommend using a trustworthy password manager.
TIP: By entering your email address at haveibeenpwned.com you can check whether a leaked password for your mailbox is circulating on the internet. You can also register with the service to be notified if that happens in the future.
Do not devise your passwords, generate them
Avoid simple passwords: those containing well-known words, names, numeric or symbol sequences, dates of birth, or anything that can be guessed from the context of the site you are visiting.
If you use a password manager, let it generate your passwords and do not be afraid of long ones (commonly over 20 characters), since you do not need to know the password and in most cases do not need to type it manually.
You can choose the length and complexity of the password according to the requirements of the service.
If you still decide not to use a password manager despite the reasons above, you should know that the length of a password matters far more than the characters it contains.
So use passwords made up of several long, unrelated words, ideally including diacritics and creative SpeLlinG.
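The two kinds of password recommended above (a long random string for the password manager, a multi-word passphrase for the one password you must remember) can both be produced from the operating system's cryptographic random source. The following Python is an added example, not code from the article or from ACTIVE 24; the short word list is a constructed stand-in for a real diceware-style list of several thousand words, and the entropy comparison makes the point that length beats character variety.

```python
import math
import secrets
import string

# Constructed mini word list. A real generator would load a list of several
# thousand words (diceware style); this one only illustrates the mechanism.
WORDS = ["brambor", "lavice", "mlha", "okno", "strom", "zelva", "kolo", "vitr",
         "pero", "hora", "reka", "mesto", "kniha", "pole", "ryba", "louka"]

# Printable ASCII minus space: the usual alphabet of a manager's generator.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24, alphabet=FULL_ALPHABET):
    """Random password for a password manager: each character is an independent
    draw from a CSPRNG (secrets), never from random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count=5, words=WORDS, separator="-"):
    """Passphrase of unrelated words for the one password you have to remember."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` symbols."""
    return picks * math.log2(choices)


def length_vs_complexity():
    """Why the article says length matters more than the character set:
    16 lowercase letters carry more entropy than 8 fully mixed characters,
    and 5 words from a 7776-word diceware list beat both short forms."""
    return {
        "8 chars, full ASCII (94 symbols)": round(entropy_bits(94, 8), 1),
        "16 chars, lowercase only (26 symbols)": round(entropy_bits(26, 16), 1),
        "24 chars, full ASCII (manager default)": round(entropy_bits(94, 24), 1),
        "5 words, 7776-word list": round(entropy_bits(7776, 5), 1),
    }


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
    for label, bits in length_vs_complexity().items():
        print(f"{label}: {bits} bits")
```

The generator relies only on the standard library; the word list is the one part a real deployment must replace, since entropy grows with the size of the list, not with the length of the individual words.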
If you are sharing your password with anyone, verify their identity first
There are common situations where it makes sense to share your credentials with someone, for example with a webmaster you trust. On the other hand, talking a password out of the user is a very common way of successfully stealing someone's account.
Eliciting a password is easier than overcoming the technical defenses of a secured system.
A usual way to elicit a password is to pose as technical support, commonly combined with creating a sense of urgency.
Nowadays eliciting data on social networks is popular: someone writes to you who at first sight appears to be a person you know (same name, photos, etc.), but the profile is fake.
If you trust the requester, choose a suitable way to hand over the password. Preferably use a different communication channel than the one through which the password was requested: for example, send the password by SMS when the request came by email.
Never hand over a password that you use for more than one service! Bear in mind that customer support should never ask for your credentials; they do not need them.
A prerequisite for safe handover of passwords is using unique passwords. After the handover, delete the password from your email/SMS history.
If you have a suspicion your password has leaked, change it!
If you have entered your password on an untrustworthy computer, sent it over an untrustworthy channel, typed it into a suspicious form (even a professional can fall for phishing), or the reason for sharing it with someone has passed, change your password without delay!
With a password manager, generating and saving a new password takes seconds and you do not need to remember anything.
Activate multi-step verification
If a service offers multi-step verification (so-called 2SV or 2FA), activate it for signing in. Mostly it consists of one-time numeric codes generated by an app on your phone, or of a confirmation notification sent to an app on your phone.
Verification by SMS is no longer considered trustworthy enough and it is recommended to move away from it.
In any case, protect your password manager this way if it stores passwords online (lastpass.com), or protect the file synchronization service you use for storing the encrypted password file (e.g. dropbox.com).
How we protect your passwords in ACTIVE 24
Passwords are your personal data. To protect them, we do not store them in readable form anywhere, so nobody unauthorised can access them, including our employees (they do not need to know them). If you forget your login credentials, follow the instructions to set up new ones. The links for setting up a new password that you receive at your email address are time-limited, to reduce the possibility of their abuse.
We use a one-way hashing algorithm to store your passwords. For the main customer account it is the bcrypt algorithm with cost set to 12, which offers strong protection against brute-force attacks. All passwords previously stored in a different format have also been re-hashed with bcrypt. So even if an attacker managed to access our database, they would not be able to obtain passwords in readable form, unless the passwords are very trivial (like "123456", "password", etc.). But validation in our systems does not let you set up a trivial password, as we check it against a huge public database of leaked passwords. We do not share your password with this service, because the check uses the K-anonymity protocol. In general we ask you to set a password at least 12 characters long, and its strength is indicated visually.
We will never ask you to change your password regularly, because we know it is annoying and paradoxically decreases security. If anybody tries to guess your password, they will run into our rate limit, which stops them after several unsuccessful attempts. If this happens, you will be alerted by email with the information we have about the attack and advice on how to follow up. Other types of passwords we store (for FTP accounts, mailboxes, databases, etc.) use different hashing functions according to the capabilities of the given backend system. Where it is possible and useful, we move to slow hashing functions, which are resistant to offline brute-force attacks.
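The K-anonymity check described above works by hashing the candidate password with SHA-1 and sending only the first five hex characters of the digest to the leaked-password service, which returns every known hash suffix with that prefix; the comparison then happens locally, so the full hash never leaves the system. The following Python is an added example and not ACTIVE 24's code: the range responses are a constructed offline stand-in for the real range endpoint (the entry for "password" uses its genuine SHA-1, the other suffixes and counts are made up), and the 12-character minimum is the one the article states. The bcrypt hashing of the stored password is a separate step done by a dedicated library and is not shown here.

```python
import hashlib

MIN_LENGTH = 12  # minimum length stated in the article

# Constructed stand-in for the leaked-password range endpoint:
# prefix -> body of "SUFFIX:COUNT" lines. A real client would fetch
# https://api.pwnedpasswords.com/range/<prefix> and get the same shape back.
# Only the first suffix is genuine (SHA-1 of "password"); the rest are made up.
OFFLINE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0123456789ABCDEF0123456789ABCDEF012:12\n"
        "FEDCBA9876543210FEDCBA9876543210FED:3\n"
    ),
}


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP range query. The signature enforces the privacy
    property: only a 5-character prefix can ever be passed across."""
    if len(prefix) != 5:
        raise ValueError("only the 5-character hash prefix may be sent")
    return OFFLINE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """How many times the password appears in the leaked-password database,
    matched locally against the returned suffixes; 0 if unseen."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if hashlib.sha1 and candidate == suffix:
            return int(count)
    return 0


def validate_new_password(password: str, fetch_range=offline_fetch_range):
    """Policy check at password set-up time. Returns a list of problems;
    an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"appears {seen} times in the leaked-password database")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "correct-horse-battery-staple-2024"]:
        print(candidate, "->", validate_new_password(candidate) or "OK")
```

Swapping `offline_fetch_range` for a function that performs the HTTPS GET turns this into a live client; nothing else changes, and the service still only ever learns the five-character prefix shared by hundreds of unrelated hashes.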
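The rate limit and the follow-up alert described in the last paragraph can be modelled as a per-account counter of failed sign-ins inside a sliding window: once the count reaches the threshold the account is locked for a while and one alert is produced with what the system knows about the attempts (timestamps and source addresses, never the guessed passwords). The following Python is an added illustration, not ACTIVE 24's implementation; the thresholds, the account name and the attempt log are constructed assumptions.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Track failed sign-in attempts per account and lock the account once
    `max_failures` fail within `window` seconds. Thresholds are assumptions."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.sources = defaultdict(set)     # account -> source IPs seen failing
        self.locked_until = {}              # account -> unix time the lock expires

    def _prune(self, account, now):
        """Drop failures older than the window so the count is a sliding one."""
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account, now):
        """True while the account is locked; clears state once the lock expires."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[account]
            self.failures[account].clear()
            self.sources[account].clear()
            return False
        return True

    def record_failure(self, account, source_ip, now):
        """Register a failed attempt. Returns an alert dict at the moment the
        lock engages, otherwise None. The attempted password is never stored."""
        self._prune(account, now)
        self.failures[account].append(now)
        self.sources[account].add(source_ip)
        if (len(self.failures[account]) >= self.max_failures
                and account not in self.locked_until):
            self.locked_until[account] = now + self.lockout
            return {
                "account": account,
                "failed_attempts": len(self.failures[account]),
                "source_ips": sorted(self.sources[account]),
                "locked_until": now + self.lockout,
            }
        return None

    def record_success(self, account):
        """A successful sign-in resets the failure history."""
        self.failures[account].clear()
        self.sources[account].clear()


def run_attempts(limiter, attempts):
    """Feed (time, account, source_ip, password_correct) events through the
    limiter. Returns (alerts, rejected): alerts emitted, and timestamps of
    attempts refused because the account was already locked."""
    alerts, rejected = [], []
    for now, account, ip, ok in attempts:
        if limiter.is_locked(account, now):
            rejected.append(now)
            continue
        if ok:
            limiter.record_success(account)
        else:
            alert = limiter.record_failure(account, ip, now)
            if alert:
                alerts.append(alert)
    return alerts, rejected


# Constructed attempt log (documentation-range IPs): five failures from two
# addresses, then a correct password during the lock, then a sign-in after it.
SAMPLE_ATTEMPTS = [
    (0, "alice", "203.0.113.7", False), (1, "alice", "203.0.113.7", False),
    (2, "alice", "203.0.113.9", False), (3, "alice", "203.0.113.9", False),
    (4, "alice", "203.0.113.9", False),    # fifth failure: lock + alert
    (5, "alice", "203.0.113.9", True),     # right password, but account locked
    (905, "alice", "198.51.100.2", True),  # lock expired, success clears state
]

if __name__ == "__main__":
    alerts, rejected = run_attempts(LoginRateLimiter(), SAMPLE_ATTEMPTS)
    print("alerts:", alerts)
    print("rejected attempts at:", rejected)
```

Note that the sixth attempt is refused even though the password is correct: while the lock holds, the limiter does not reveal whether a guess was right, which is what denies the guesser any feedback. The alert dict is the material an operator would put into the notification email to the account owner.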