Password Safety Tips: So Fresh and So Clean Password Hygiene

The coronavirus outbreak and all efforts to slow the spread have transplanted the world into a totally new normal. Best case scenario, you may find that your to-do list is looking a bit different these days. You may even be looking at a blank page, either because you’re overwhelmed by your current demands, or because you just have no idea where to start.

There’s nothing more satisfying than crossing items off your to-do list, so we’re going to give you a task that’s totally manageable now: Clean up your flimsy passwords.

Guardian Protection is still fully operational right now, and we are seeing so many people doing their best to help those around them. But the Cybersecurity and Infrastructure Security Agency (CISA) warns that there are people out there who may try to take advantage of public concern to commit cyber crimes. One element that makes their work easier? Previously mentioned flimsy passwords.

And as many 3rd to 8th graders wisely told researchers during a study, people need good passwords to help “keep people out of their stuff.”

Why are we having this conversation?

First, a confession, and we invite you to confess along with us if you’re feeling it: At some point in our personal lives, we’ve all practiced really, really bad password hygiene. Maybe we’ve been using the same password on all of our accounts since our college days. Maybe we’re in the habit of taping our passwords to our computer monitors.

Second, as a security company, this topic is near and dear to us. We’re dedicated to helping keep our customers stay safe, and part of safety is the security of your personal info.

So let’s acknowledge together that it’s a problem, but don’t stress — we wouldn’t drop this on you without offering a solution.

We’re laying out some healthy password guidance that’s not only safer but surprisingly simple. Take these best practices to heart and wash those dirty password habits out of your hair for good.

1. Password length is more important than password complexity.

According to the National Institute of Standards and Technology (NIST)  password length is much more important than password complexity.

We all know it’s dangerous to use a simple password, and many sites require combos of caps, numbers, special characters, etc. So, we try to manufacture tricky-yet-sticky passwords using random capitalization, symbols, and substitutions.

This is how “password” becomes “p@s$woRd”.

These changes are an improvement over the text only, but experts are realizing that these tactics result in passwords that aren’t as strong as they appear. Many people use the same techniques to concoct and update these Franken-passwords. The results? Predictable patterns that are frighteningly easy for a criminal with a computer to crack.

So instead of using a short, uber-complex password, consider one that’s long and strong. What constitutes long and strong? Keep reading!

2. Ditch passwords altogether in favor of passphrases.

Number two on this list is not a brand-new concept, but it’s an underutilized idea: Stop using passwords.

Probably not what you were expecting, but hang in there because this fully ties into the length-versus-complexity point. Stop using passwords and start using passphrases, a combination of words into a long string of at least 15 characters.

The FBI concurs. 

“If you use a simple password or pattern of characters, it’s considerably easier for an adversary to crack,” reads the FBI’s guidance on the topic. “The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.”

Here’s the logic: the more details you need to remember, the more likely you are to forget something. Also, anything we can visualize will be easier to remember. Can you visualize a p@s$woRd?

Instead, put some words together in a passphrase that’s longer and way easier to visualize and recall, like HappyGoatsTurning5. For us, this conjures up an image of an adorable little goat in a party hat in front of a birthday cake with five burning candles. Your mental image may be different, but it’s probably memorable.

Check out the classic “Correct Horse Battery Staple” cartoon and see for yourself.

3. Are password managers safe?

If you’re not familiar with password managers, they help you generate and store strong passwords all in one encrypted place. To access them, you only need to remember one master password. A few of the more popular password managers include LastPass, Keeper, Dashlane, and 1Password. Some options are free, and some are paid.

So are they secure? The answer is complicated because expert opinions vary. Some consider it a tradeoff between security and convenience, comparing using a password manager to “putting all of your eggs in one basket.” In other words, if someone gets their hands on one of your passwords, they have them all.

On the other hand, password managers may encourage users to practice better password hygiene and serve as an amazing organizational tool:

We recommend taking a balanced view. Password managers aren’t foolproof. Not much in the cyber world is (short of retiring from the internet forever). Weigh the benefits and the risks to determine if a password manager is the right choice for you. And when it comes to your personal info, always tip the scales toward security over convenience.

4. What about saving passwords in my internet browser?

Does your favorite web browser prompt you to save your password?

The most popular web browsers, including Chrome, Safari, and Firefox, have built-in functionality to store and auto-populate your usernames and passwords. Enter them once, and the work is done. It’s so tempting and so convenient. Who could blame you?

But is it safe to let web browsers remember your passwords?

In short, not entirely. The full story requires a deeper dive into each individual browser and how it actually stores your info. But overall, it’s risky, particularly if you’re using an older browser version. Just a few reasons why:

1. If your device is lost or stolen, whoever finds it will have instant access to your accounts.

2. If you have roommates or frequent guests, they can easily invade your privacy.

3. Data stored in your browser may become accessible to hackers, whether they physically have your computer or take over remotely.

So the next time your browser asks if you want to “Remember Password,” we won’t judge you for clicking “yes.” But proceed with caution and know thy browser.

Want to make some changes to your browser password management? Here’s where to find instructions for some of the more popular browsers:

Chrome

Internet Explorer

Safari

5. You’ve got 99 passwords, but our app needs one.

It’s probably evident by now that the fewer passwords you need to remember in your life, the better. That’s one more benefit of Guardian Protection’s all-in-one mobile app. Instead of having numerous apps on your phone to control different parts of your home — one for your alarm system, one for the thermostat, one for the garage door, etc. — you can integrate everything into one centralized place with just one login.

One caveat: Don’t reuse this password or passphrase across multiple accounts. It can be really tempting to use the same password across all accounts, but it’s risky business. Don’t do it!

We recommend creating strong and unique passwords for each account. At the very least, do this for your high-value accounts, like your Guardian account, your credit cards, your bank account, etc.

More account security tips to remember

It never hurts to brush up on the basics, so here’s a few more tips for the road:

• Set lock screens on all your devices.
• Always use a passcode, fingerprint, or facial recognition for your mobile device.
• Change your wireless router/modem password and username from the default to something secure. Remember that this is not the same as the WiFi password you use to connect your devices to the internet. This is the password that protects your router settings.
• Companies are introducing two-factor authentication (2FA) as an additional security measure. This is a good practice, but it is not a substitute for strong passwords.
• Only use computers and WiFi networks you trust.

The Top 25 Worst Passwords of 2019

We’ll leave you with one more parting thought: the worst thing a password can be is common. Every year, password management and digital security company SplashData evaluates millions of leaked passwords to pick out the most commonly-used ones.

Here’s SplashData’s Top 25 Worst Passwords of 2019. If you find your password — or a close relative — on this list, it’s time for a deep cleaning.