Password Management – Best Practices
It seems like everywhere you turn online these days, you are being asked to create an account and a password to go with it. Want to buy textbooks for your college student or look up your doctor's advice from your last visit? Well, set up an account and create a password! Passwords are now needed for everything from retail websites, social media, and e-mail accounts to medical providers and financial institutions. According to the latest research by NordPass, the average person has 100 passwords to remember!
Obviously, some of these passwords are more important and safeguard more sensitive information than others. With the increasing frequency and risk of data breaches, it is so important to practice good password management. So, what exactly is “good” password management? Password management is defined as the security practice of creating, storing, managing, and organizing your passwords to safeguard against unauthorized access and breach of information. According to experts, “good” password management will include the following practices:
- Choose strong, random, and unique passwords for every website or application. This means they should be at least 15 characters long and contain at least one uppercase letter, one lowercase letter, a number, and a special character. They should not be guessable and should not contain personal information about you or your family members.
- Never use the same password on multiple applications. This matters because many people keep the same password across different applications to simplify their life or to help them remember. Hackers know this. If a hacker figures out the password to your e-mail account, he or she is going to try that password, along with commonly used variations of it, to get into your bank account too.
- Use MFA/2FA (Multi-Factor Authentication) on any application that allows it. This is an authentication method that requires you to provide two or more verification factors to gain access. These factors are something you know (a password), something you have (a phone), and/or something you are (facial recognition). This step alone will rule out the vast majority of potential hacks. One of the most common MFA factors is a one-time password that is sent to you by e-mail or text.
What is the best way to continually create, remember, and store all these passwords and know that my information is safe?
Often people create spreadsheets, store their passwords on their personal computer in some fashion, or even keep a printout in a presumably "safe" spot in their home. Of course, hackers and thieves know this too. Most cybersecurity experts these days recommend the use of a dedicated password manager. A password manager is a software application designed to store and manage your online credentials. It stores your passwords in encrypted form, helps you generate secure random passwords, keeps track of changes, and lets you easily access your passwords across all the devices you use. The password manager itself is locked by a separate master password of your choosing. That is the only password you have to remember.
How exactly does a password manager work?
When you need to log in to a website, instead of typing your password into that website, you type your master password into your password manager, which then automatically fills in the appropriate login information on the website. If you are already logged in to your password manager, it fills in the data automatically. It will fill in all your pertinent information, including your e-mail address, username, and password.
Password managers come in free and paid versions, depending on the features you want. Even if you pay for one, the investment is a small price for safety and peace of mind. Some of the more reputable ones are Bitwarden, LastPass, and 1Password.
What if information in my password vault is compromised? Is it safe to have all my eggs in one basket?
Of course, anything on the internet is susceptible to hacking. Security is never absolute. What if your master password is compromised, or you write it on a piece of paper that you accidentally lose? One idea is to use a double-blind password, sometimes cleverly referred to as a "horcrux." The term horcrux is a Harry Potter reference: you store pieces of your soul in different objects, placing the proverbial eggs of your soul into different baskets, to gain quasi-immortality. In this case, you split your password into two parts: the first part is stored in the password manager and the second part is stored in your head. Your horcrux can be as short or as long as you want. It can be a simple word or number sequence, as long as you will remember it. You can use the same horcrux for all your passwords. This simply adds an additional layer of security that only you can unlock. Here is an example:
As stored in the password manager:
Stored in your head:
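To show how the split works in practice, here is an added illustration (not part of the original article, and not code from any password manager) that simulates a site checking a login. The vault entry, the memorised horcrux, and the site name are constructed sample values; the site stores only a salted hash of the full password, so the portion sitting in the vault is useless on its own.

```python
import hashlib
import hmac
import os

# Constructed sample values for illustration only; not real credentials.
VAULT_ENTRY = {"site": "example.com", "username": "alice", "secret": "Tq7!vR9#pLm2"}  # kept in the manager
HORCRUX = "-bluefox"  # memorised part; never written down, reused for every site


def assemble_password(vault_secret: str, horcrux: str) -> str:
    """The password the site actually knows is vault part + memorised part."""
    return vault_secret + horcrux


def meets_policy(password: str) -> bool:
    """The article's rule: 15+ chars with upper, lower, digit and special character."""
    return (
        len(password) >= 15
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of record a site keeps instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(password: str) -> dict:
    """Site side: store a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Site side: constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def demo() -> dict:
    """Register with the full password, then try logging in with and without the horcrux."""
    full = assemble_password(VAULT_ENTRY["secret"], HORCRUX)
    record = register(full)
    return {
        "full_password_meets_policy": meets_policy(full),
        "full_password_accepted": verify(record, full),
        "vault_part_alone_accepted": verify(record, VAULT_ENTRY["secret"]),
    }
```

Someone who steals the vault gets `Tq7!vR9#pLm2`, which the site rejects; only the combination with the memorised suffix verifies.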
If you are still uncomfortable with a dedicated password manager app, you can at a bare minimum use your browser's built-in password manager (Chrome, Firefox, Edge). Many cybersecurity experts feel that these are not ideal, but any password manager is better than nothing. Each additional security measure you take makes it that much more difficult for malicious hackers to steal your information. Just remember that whatever is easy and predictable for you is probably just as easy and predictable for a cybercriminal. Always exercise caution, particularly with your social security number and financial information.