Good Passwords: How to Protect Yourself from Hackers


Maybe Google has just warned you that one of your passwords was discovered in a data breach.  Or you’ve already experienced a compromise of one of your email, financial, or social media accounts.  Or maybe your network password has expired, and your company is requiring you to change it to continue accessing company resources. 

Regardless of the scenario, it’s essential to know how to create a good, strong password to ward off potential breaches of your personal or business-related accounts. 


To make a good password and protect yourself from hackers, the current recommendation is to create a unique, lengthy yet memorable passphrase instead of following the former long-standing guideline of making a complex password of at least 8 characters that mixes upper- and lower-case letters, numbers, and special characters. 


Then, by combining a strong passphrase with a password manager and two-factor authentication, you make it far more likely that cracking your accounts would take a hacker hundreds of years or extraordinary computing power. 

What Is a Good Password?

Photo by Andrea Piacquadio

Lengthy

A good password is now considered to be a passphrase, which is far harder to crack. According to the world-renowned National Institute of Standards and Technology (NIST), a password’s length is one of the biggest factors in its strength, and the longer it is, the more difficult it is to guess. 

Passphrases fit the bill for greater length as they are a combination of 4 or more random words that mean something to you but are too random for a hacker or their password guessing software to figure out in this century or the next. 

Easy to remember but hard to guess

And that phrase “words that mean something to you” is important.  One downside of passwords is that they are often easy to forget, especially when you’ve got to keep track of several of them across different accounts. Forgetting them leads to unsafe behaviors like writing them down or re-using them for multiple accounts. 

When an account signup requires you to create a password between 8 to 20 characters in length using a combination of upper- and lower-case letters, numbers, and special characters, people commonly end up with passwords like Rain$t0rm!23.   

And when trying to remember passwords like this one, confusing thoughts like “Did it have an ‘S’ or a ‘$’?” or “Was it a ‘!’ or a ‘1’?” can often lead to account lockouts or frustrating ‘Forgot My Password’ resets. 

A passphrase allows you to choose random words that you can easily see in your mind and have a relationship to each other that makes sense to you but no one else.  If you created the passphrase MicMonitorLampFan because that’s what you see every time you sit down at your desk and that image is ingrained in your mind, you could easily recall this passphrase.  Yet it would take centuries for this passphrase to be cracked compared to only a few hours or even minutes for Rain$t0rm!23 because the length of MicMonitorLampFan exponentially increases its strength. 
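The claim above, that length is the main driver of strength, can be put in numbers. The following is an added example, not code from the article: it models the secrets a password manager generates, where every character or word is chosen uniformly at random, and estimates how long an attacker would need to guess them at two assumed rates (a throttled login portal versus an offline attack on leaked hashes). The guess rates and pool sizes are assumptions for illustration. Note that a human-chosen password such as Rain$t0rm!23, a dictionary word with predictable substitutions, is guessed far faster than its raw character count suggests, which is why the model below only applies to randomly generated secrets.

```python
import math

# Assumed attacker guess rates (illustration values, not figures from the article).
ONLINE_GUESSES_PER_SEC = 100          # a login portal that rate-limits attempts
OFFLINE_GUESSES_PER_SEC = 10**10      # GPUs against a leaked database of fast hashes

# Assumed pool sizes: 26 upper + 26 lower + 10 digits + 32 keyboard symbols,
# and a 7776-entry word list (the size of the classic Diceware list).
CHAR_POOL = 94
WORD_POOL = 7776


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy when `length` items are drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def seconds_to_crack(bits: float, guesses_per_sec: float) -> float:
    """Expected time to find the secret: on average half the space must be searched."""
    return (2 ** bits) / 2 / guesses_per_sec


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '1.5 minutes'."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "under a second"


def compare(char_len: int, word_count: int) -> dict:
    """Compare a random character password with a random word passphrase."""
    result = {}
    for label, bits in (("random characters", entropy_bits(CHAR_POOL, char_len)),
                        ("random words", entropy_bits(WORD_POOL, word_count))):
        result[label] = {
            "bits": round(bits, 1),
            "online": human_duration(seconds_to_crack(bits, ONLINE_GUESSES_PER_SEC)),
            "offline": human_duration(seconds_to_crack(bits, OFFLINE_GUESSES_PER_SEC)),
        }
    return result


if __name__ == "__main__":
    for words in (4, 6, 8):
        print(f"12 random characters vs {words} random words:")
        for label, row in compare(12, words).items():
            print(f"  {label:18s} {row['bits']:6.1f} bits  "
                  f"online: {row['online']:>22s}  offline: {row['offline']}")
```

Each word from a 7776-entry list adds about 12.9 bits, roughly what two random characters add, so the table shows why a password manager's generator offers 20 words: the passphrase stays pronounceable while its strength grows with every word. It also shows why the article pairs passphrases with 2FA and a manager: against a throttled portal even four random words hold for centuries, while the same secret attacked offline from a leaked hash database falls in days, so length alone is not the whole story.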

Unique

Photo by Karolina Grabowska

Again, because of so many passwords to keep track of across various login portals – many of them having different sets of password requirement rules – any human that values their sanity is likely to resort to re-using the same passwords for different logins. 

However, a good password (now passphrase) is unique – meaning that after you’ve created the passphrase, you only use it for that one account and never re-use it for any others.  It also means that after the passphrase expires, you don’t re-use any variation of it for the same account. 

And lastly regarding uniqueness, a good passphrase is one that hasn’t been found in any data breaches and isn’t included in any password blacklists or lists of commonly used passwords. 
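A breach-list check does not require sending your passphrase anywhere. The following is an added example, not code from the article: it shows the k-anonymity style of lookup in which only the first five hex characters of the passphrase's SHA-1 hash are sent, the server returns every suffix under that prefix, and the comparison happens on your own device. The breached passwords and their counts are constructed for illustration, and the lookup is simulated locally; the real Pwned Passwords range endpoint (api.pwnedpasswords.com/range/<prefix>) returns the same "SUFFIX:COUNT" line format.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# The counts are made-up illustration values, not real breach statistics.
BREACHED = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty": 3_900_000,
    "rainstorm123": 1_200,
}


def sha1_hex(secret: str) -> str:
    """Uppercase hex SHA-1, the hash the range lookup is keyed on."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_index() -> dict:
    """Group breached hashes by their 5-hex-character prefix, as a range service does."""
    index = defaultdict(list)
    for password, count in BREACHED.items():
        digest = sha1_hex(password)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index()


def fetch_range(prefix: str) -> str:
    """Simulated range query: returns 'SUFFIX:COUNT' lines for every hash under `prefix`.
    Only the 5-character prefix crosses the wire; the full hash never leaves the client."""
    assert len(prefix) == 5, "the range lookup is keyed on a 5-hex-char prefix"
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(candidate: str) -> int:
    """Return how many times `candidate` appears in the breach corpus (0 = not found)."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def is_acceptable(candidate: str, min_words_length: int = 15) -> bool:
    """A passphrase is acceptable if it is unseen in breaches and reasonably long."""
    return breach_count(candidate) == 0 and len(candidate) >= min_words_length


if __name__ == "__main__":
    for pw in ("password", "rainstorm123", "MicMonitorLampFan"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={is_acceptable(pw)}")
```

Password managers perform this same kind of check against your stored logins; the point of the prefix design is that a breached-password service learns nothing about which password you asked about, only which of roughly a million hash buckets it falls in.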

Not written down anywhere

Risky password management is a common issue due again to…you guessed it, having to keep track of several passwords for lots of different accounts (notice a pattern here?).  A 2019 study conducted by The Harris Poll and Google found that the average person in the U.S. has 27 different accounts requiring passwords. 

What seems like the logical thing to do when juggling that many passwords?  For most people, it’s to write them down on a piece of paper or in a notebook or to type them up in a document on your computer or phone.   

But this DIY method of password management is extremely susceptible to password exposure if the paper or digital document is not hidden and well-guarded.  A good passphrase is not handwritten anywhere, nor is it stored in a digital document, especially one that is not passphrase-protected and is accessible to anyone logged onto your device.  

Not changed often

A strong passphrase is one that is changed infrequently. That sounds highly counterintuitive, given that many companies implement password expiration policies that require their employees to change their passwords every 90 days or so.  

However, Federal Trade Commission (FTC) researchers discovered way back in 2016 that “there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.” 

So don’t be so hard on yourself if the last time you changed your bank password was a year ago. NIST even advises government agencies against requiring passwords to be changed regularly.  

What’s most important is that when you last changed it, it was changed to a unique, lengthy passphrase that’s not written down anywhere and has not since been exposed in a breach, phishing attack, or other social engineering attack. 

Doesn’t contain any PII or publicly available info

A good passphrase does not have any of your personally identifiable information (PII) – such as your name, birthday, phone number, address, or any part of your social security number or financial account numbers (just to name a few examples). 

You’ll also want to steer clear of creating a passphrase that contains the names of your partner, children, parents, pets, favorite sports team, employer, or any other information about you that can be deduced from plugging your name into Google’s search bar. 

Password Best Practices

Photo by ANTONI SHKRABA

For almost two decades, the best advice to create a good, strong password has been to make it complex using: 

  • A minimum length of 8 characters 
  • Upper- and lower-case letters 
  • Numbers 
  • Special characters 

These password complexity guidelines originated from NIST’s 2004 Special Publication 800-63 Version 1.0, which was co-authored by Bill Burr (not the comedian) who has since apologized for having come up with these rules in the first place! To be fair, the document does briefly reference ‘pass-phrases’ even back then. 

Now that research has shown that the length of passphrases outperforms the complexity of passwords in holding off cracking attempts, best practice is now to: 

  • Use a password manager 
  • Create a unique yet memorable master passphrase for this password manager 
  • Use Two-Factor Authentication (2FA) with this master passphrase 
  • Use the password manager to randomly generate and store unique passphrases for all your accounts 
  • Make sure all your accounts have 2FA turned on 
  • Make sure your passphrases aren’t written down anywhere 

If you’re able to not fall prey to phishing attacks, keylogging, shoulder surfing, or otherwise sharing your passphrases with anyone – these updated passphrase best practices should keep you in good stead for the rest of your life, even if you end up living another 200 years. 

Several login portals still abide by the outdated password complexity rules mentioned above. So, to fulfill their requirements while taking advantage of the power of passphrases, you can use your password manager’s passphrase generator and add in any missing requirements until the portal accepts the passphrase.  
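The steps above (generate random words, then add only what a legacy portal still demands) look like this in code. This is an added example, not Bitwarden's or the article's own code: it draws words with Python's `secrets` module from a small constructed word list (a real generator uses thousands of words), checks a passphrase against the old 8-to-20-character complexity rules, and patches in a capital letter, digit or symbol only when the policy is missing one, rather than mangling the words themselves. The word list, symbol set and the `max_len` limits used are assumptions for illustration.

```python
import secrets
import string

# Constructed mini word list; a password manager draws from a list of thousands.
WORDS = ["mic", "monitor", "lamp", "fan", "desk", "chair", "mug", "plant",
         "window", "clock", "pen", "book", "cable", "mouse", "shelf", "photo",
         "candle", "radio", "phone", "cactus", "vase", "bottle", "ruler", "stapler"]

SYMBOLS = "!@#$%^&*"   # assumed set of symbols most portals accept


def generate_passphrase(words: int = 4, separator: str = "-", wordlist=WORDS, rng=secrets) -> str:
    """Join `words` words chosen uniformly at random. `rng` only needs a .choice() method,
    so the cryptographic `secrets` module is the default and a seeded RNG can be used in tests."""
    return separator.join(rng.choice(wordlist) for _ in range(words))


def meets_legacy_policy(password: str, min_len: int = 8, max_len: int = 20) -> bool:
    """The old complexity rules: length window plus upper, lower, digit and special character."""
    return (min_len <= len(password) <= max_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def adapt_to_legacy_policy(passphrase: str, max_len: int = 20, rng=secrets) -> str:
    """Add only the missing character classes so the words stay readable and memorable."""
    out = passphrase
    if not any(c.islower() for c in out):
        out = out.lower()
    if not any(c.isupper() for c in out):
        # Capitalise the first letter, like the article's MicMonitorLampFan style.
        out = out[0].upper() + out[1:]
    if not any(c.isdigit() for c in out):
        out += rng.choice(string.digits)
    if not any(c in string.punctuation for c in out):
        out += rng.choice(SYMBOLS)
    if len(out) > max_len:
        raise ValueError("too long for this portal: use fewer or shorter words")
    return out


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print("generated :", phrase, "-> legacy policy ok?", meets_legacy_policy(phrase, 8, 40))
    adapted = adapt_to_legacy_policy(phrase, max_len=40)
    print("adapted   :", adapted, "-> legacy policy ok?", meets_legacy_policy(adapted, 8, 40))
```

Because the hyphen separators already count as special characters, usually only a capital letter and a digit need to be appended; the `ValueError` is the honest outcome when a portal's 20-character cap simply cannot fit four words, in which case a shorter random-character password from the manager is the better choice for that one site.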

Best Free Password Manager

Photo by Austin Chan on Unsplash

Hands down: Bitwarden. Don’t let the price tag of zero dollars make you doubt its quality. On top of being an open-source platform that submits to audits by third-party penetration testers, Bitwarden also features: 

  • Compatibility across every major operating system and web browser 
  • Two-factor Authentication 
  • End-to-end encryption 
  • A passphrase generator of up to 20 words! 
  • Use across unlimited number of devices 
  • Autofill 
  • Storage of unlimited number of passphrases 

You can use either their cloud version or the ‘self-host’ option if you prefer not to store your encrypted passphrases on Bitwarden’s servers. If you choose to go the more common cloud route, they use zero-knowledge encryption, which means that even Bitwarden won’t have any clue what your passphrases are, let alone any hackers if they ever got a hold of them. 

Hopefully, we will get to the point where we’ll no longer need passwords at all. Until then, a good 2FA password manager and generator with a handy autofill feature makes it so that you don’t have to think of and remember every single passphrase for all your accounts – while still keeping them as protected as possible.    
