Alongside 2FA, a difficult-to-guess password can stop a staggering number of cyberattacks, both brute-force and socially engineered. But how exactly do you make one? The latest recommendation for password length has jumped from 8 characters to 10, or 12 if you really want to play it safe, and a scrambled set of characters that meets all of a decent administrator’s password requirements is going to be difficult to remember almost no matter what! If you do make a good, memorable one, you shouldn’t be using it anywhere else. It’s also infeasible to just reset your password every time you need access to a site. What can you do?
Get a Password Manager
Password managers bridge the gap between the passwords you want to make, the ones you can remember, and the ones that meet all of a site’s requirements. This is such a common problem that it’s even built into some browsers! Firefox will save your passwords securely for you, although you can always download the third-party extensions of your choice from the Mozilla add-ons page (https://addons.mozilla.org/en-US/firefox/extensions/). Chrome also has a built-in password manager, but if your Google account gets hacked, all of your passwords go with it, so in Chrome’s case it’s better to go third-party.
You can download reputable password managers such as LastPass or 1Password just as easily and perhaps more securely – in all of LastPass’s existence, it’s never had its password database breached (although their dev environment had a security incident a little while ago).
DO NOT “Just Write It Down”
If you think just writing the password down on a Post-It is good enough, don’t be so sure! Social engineering is probably the easiest way to get into someone’s computer. If someone wanders into your office when you’re not there, and they spy your password written on a Post-It stuck to your desk, then boom – they’re in.
Similarly, this isn’t a great way to keep track of your passwords even if nobody else has access to it. For example, if you keep a Word doc with a bunch of passwords in it, even assuming nobody is going to be able to A) find it or B) identify which passwords you used where (assuming you didn’t write down your username with them), you can also assume you’re not going to remember them either!
If you don’t use them frequently, you’re far more likely to forget what goes where. Oh, good, a random bunch of numbers and letters just titled ‘game account’ on the front of a Post-It that’s lost all its sticky powers. Where does it go? What is the username? Does it need a username, or just your email? Good luck figuring that out!
But the Manager is Always On!
Yes, these password managers are always prepared to fill in a blank on a web form. If you leave your office without putting your computer to sleep, then hypothetically someone could access an account of yours using one. However, this is easy to fix. If you’re not putting your computer to sleep or locking the screen when you leave for extended periods of time, you should! If you’re not doing that because your password is too long to type in every time you get up, consider setting up a login PIN instead to remove that barrier – a regular person isn’t going to be able to try every combination of four to six digits (and sometimes letters, depending on your admin’s settings!) in a reasonable amount of time. By locking the desktop, the manager’s convenience can’t be used against you. It’s more secure, anyhow. It’s actually a requirement for companies that follow HIPAA standards!