Let’s talk passwords. You should have a different password for every site and service, over 16 character long, without any words, or common misspellings, using capital, lowercase, number and special characters throughout. MyPassword1! is terrible. Q#$bnks)lPoVzz7e? is better. Good luck remembering them all, also change them all every 30 days, so here are my secrets.
1: write your password down somewhere, and obfuscate it. If an attacker has physical access to your desk, your password probably isn’t going to help much.
2: We honestly don’t expect you to follow those passwords rules. I suggest breaking your passwords down into 3 security zones. First zone, bullshit accounts. Go ahead and share this one. Use it for everything that does not have access to your money or PII (Personally Identifiable Information). Second zone, secure accounts, use this password for your money and PII accounts, only use it on trusted sites.Third, reset accounts. Any account that can reset and unlock your other accounts should have a very strong and unique password, and 2FA.
Big industry secret, your passwords can get scraped pretty easily today, 2FA is the barest level of actual security you can get. Set it up. I know it’s a pain, but it’s really all we’ve got right now.
Good luck remembering them all, also change them all every 30 days, so here are my secrets.
Password expiry hasn’t been considered best practice for a long time (must be at least a decade now?) largely because of the other points you mentioned; it leads to weak easily memorable passwords written somewhere easily accessible. Even when it was considered good 30 days would have been an unusually short time.
Current advice is to change passwords whenever there’s a chance it’s been compromised, not on a schedule.
well, the only solution for that is to use a password generator based on length and complexity. I have used it once and am considering using it for all my accounts with each its own password. I live in a safe place so having them written down is not really an issue.
For absolutely best security, you would change your password to a new, extremely long, randomly generated character string every time you logged in. What the best security options are, and what users are willing/able to put up with has a very small, if any overlap.
As for writing them down, my advice is to obfuscate them. Apply your own secret code to the password, hide it in a poem, get creative. Once an attacker is at your desk, they pretty much own your shit. At that level, the only thing your password is providing is privacy, not security.
Your security is only as good as the weakest link, which is usually people. If your password policy encourages users to stick a note to their screen then your weakest link is anyone in the office deciding to take a selfie or joining a call with their camera on. Best practices balance security with what users are actually willing to do.
Or, just use a password manager and simplify your life. Reusing any password is bad practice, even if the account doesn’t seem important. Every account really should have a randomly generated unique password. A password manager solves all of these problems.
I’ve been using a password manager for years, and.I’d be lost without it, but honestly I think this is a temporary solution. What I want to see is a no password future, and just use the code given by your MFA app. Forget having a password at all. Interestingly Microsoft has been pushing for this and you can already drop passwords for personal 365 stuff I think.
Until the password manager gets compromised, or you lose access to your PW manager. In that case, you’ll really wish you had implemented “Zone 3” of my plan.
This is full of terrible advice. Password rotation is an outdated practice.
Don’t ever reuse passwords with “zones”, just use a password manager to generate long and secure passwords for every account. Then enable MFA wherever possible, and Passkeys where they have been implemented.
Then have a recovery method for the password manager stored in a secure place.
As long as your phone is secure, and the manager only stores data locally, I’d say yes. I would still encourage you to have any “reset capable” accounts secured with a strong password and 2FA that is not in your PW manager.
As with all things IT, there is a tradeoff between comfort/usability and security.
I can’t really endorse any one over the others. We use LastPass at my workplace, but they were compromised recently. I didn’t use the service though, still reset my passwords just in case.
I would look for a manager that has a policy of transparency. Breaches happen, they are a fact of life. Both the systems being used, and the people using them are not infallible. I would be more comfortable with a service that notified me immediately when they were breached, and provided easy resolution. When LastPass was breached, they were extremely open about it, and notified their users. Plus, if you use a PW manager, it’s pretty easy to go back in all your services and update the passwords, since you have a list of them and a random PW generator easily accessible. It probably took most people less than an hour to recover.
Yeah, no. Computers don’t care if a password is complex or not. It can’t read “words”. That complexity stuff was introduced because humans think like humans, and wanted to force people to use words not easily found in a dictionary. Security is about password length, so +@#£h&1g/?!:h&£( is equally as vulnerable to a brute force attack as abcdefgh1234567 because of how modern encryption works, it I length that counts.
It is good advice to use a formula to build memorable passwords. I like a simple sentence you can type them without thinking about, as this also won’t appear in a dictionary (avoid famous movie quotes, use something meaningful to you).
Fact is complex passwords created a new security risk; the written down password. Also, frequent forced password changes made it worse. Most businesses only ask staff to change passwords every 3 to 6 months these days. And web sites.never asks you to change your password.
The dirty (not so secret) secret is that, the biggest risk to security is not how complex your password is, but how easy it is to trick people into just giving away access to their accounts.
These days MFA is what makes logon credentials safer and passkeys are slowly proving that passwords themselves are not worth it for most systems.
tl;dr - complex passwords are a throwback and not better than long memorable ones like 1Verycrappycode!
Shitty sites that store PWs in plain text, or they get compromised and the password is figured out from the hash. Probably the most common way right now is phishing, and with AI/LLM it’s pretty easy to do spearphishing attacks on a large scale. The target enters their password on a seemingly legit site, but it’s actually an attacker’s site that logs the PW. There are lots of ways to get a password, and password-only authentication is considered pretty weak, even with a “strong” password.
Have . and ; and / in the middle of your passwords. If a site is compromised and email + passwords are taken, these are usually stored in a csv file. If someone attempts to delimit the csv data, these characters can split you password into multiple cells.
IT, more specifically user support.
Let’s talk passwords. You should have a different password for every site and service, over 16 character long, without any words, or common misspellings, using capital, lowercase, number and special characters throughout. MyPassword1! is terrible. Q#$bnks)lPoVzz7e? is better. Good luck remembering them all, also change them all every 30 days, so here are my secrets.
1: write your password down somewhere, and obfuscate it. If an attacker has physical access to your desk, your password probably isn’t going to help much. 2: We honestly don’t expect you to follow those passwords rules. I suggest breaking your passwords down into 3 security zones. First zone, bullshit accounts. Go ahead and share this one. Use it for everything that does not have access to your money or PII (Personally Identifiable Information). Second zone, secure accounts, use this password for your money and PII accounts, only use it on trusted sites.Third, reset accounts. Any account that can reset and unlock your other accounts should have a very strong and unique password, and 2FA.
Big industry secret, your passwords can get scraped pretty easily today, 2FA is the barest level of actual security you can get. Set it up. I know it’s a pain, but it’s really all we’ve got right now.
Password expiry hasn’t been considered best practice for a long time (must be at least a decade now?) largely because of the other points you mentioned; it leads to weak easily memorable passwords written somewhere easily accessible. Even when it was considered good 30 days would have been an unusually short time.
Current advice is to change passwords whenever there’s a chance it’s been compromised, not on a schedule.
well, the only solution for that is to use a password generator based on length and complexity. I have used it once and am considering using it for all my accounts with each its own password. I live in a safe place so having them written down is not really an issue.
For absolutely best security, you would change your password to a new, extremely long, randomly generated character string every time you logged in. What the best security options are, and what users are willing/able to put up with has a very small, if any overlap.
As for writing them down, my advice is to obfuscate them. Apply your own secret code to the password, hide it in a poem, get creative. Once an attacker is at your desk, they pretty much own your shit. At that level, the only thing your password is providing is privacy, not security.
Your security is only as good as the weakest link, which is usually people. If your password policy encourages users to stick a note to their screen then your weakest link is anyone in the office deciding to take a selfie or joining a call with their camera on. Best practices balance security with what users are actually willing to do.
Or, just use a password manager and simplify your life. Reusing any password is bad practice, even if the account doesn’t seem important. Every account really should have a randomly generated unique password. A password manager solves all of these problems.
I’ve been using a password manager for years, and.I’d be lost without it, but honestly I think this is a temporary solution. What I want to see is a no password future, and just use the code given by your MFA app. Forget having a password at all. Interestingly Microsoft has been pushing for this and you can already drop passwords for personal 365 stuff I think.
That’s what Passkeys are aiming to do.
REMEMBER TO USE A LOCALLY HOSTED ONE, THE CLOUD IS SOMEONE ELSES’ COMPUTER!
Until the password manager gets compromised, or you lose access to your PW manager. In that case, you’ll really wish you had implemented “Zone 3” of my plan.
This is full of terrible advice. Password rotation is an outdated practice.
Don’t ever reuse passwords with “zones”, just use a password manager to generate long and secure passwords for every account. Then enable MFA wherever possible, and Passkeys where they have been implemented.
Then have a recovery method for the password manager stored in a secure place.
Is using a password manager for your phone recommended or no?
As long as your phone is secure, and the manager only stores data locally, I’d say yes. I would still encourage you to have any “reset capable” accounts secured with a strong password and 2FA that is not in your PW manager.
As with all things IT, there is a tradeoff between comfort/usability and security.
Is there one password manager that is better than another? Thanks for answering.
Bitwarden is free and easy to use. They also encrypt more metadata to prevent the kind of breach that lastpass recently had (see https://community.bitwarden.com/t/lastpass-breach-and-implications-for-bitwarden/47214).
“Oops! That page doesn’t exist or is private.”
Yeah I had LastPass but obviously want to change
I can’t really endorse any one over the others. We use LastPass at my workplace, but they were compromised recently. I didn’t use the service though, still reset my passwords just in case.
I would look for a manager that has a policy of transparency. Breaches happen, they are a fact of life. Both the systems being used, and the people using them are not infallible. I would be more comfortable with a service that notified me immediately when they were breached, and provided easy resolution. When LastPass was breached, they were extremely open about it, and notified their users. Plus, if you use a PW manager, it’s pretty easy to go back in all your services and update the passwords, since you have a list of them and a random PW generator easily accessible. It probably took most people less than an hour to recover.
Yeah, no. Computers don’t care if a password is complex or not. It can’t read “words”. That complexity stuff was introduced because humans think like humans, and wanted to force people to use words not easily found in a dictionary. Security is about password length, so +@#£h&1g/?!:h&£( is equally as vulnerable to a brute force attack as abcdefgh1234567 because of how modern encryption works, it I length that counts.
It is good advice to use a formula to build memorable passwords. I like a simple sentence you can type them without thinking about, as this also won’t appear in a dictionary (avoid famous movie quotes, use something meaningful to you).
Fact is complex passwords created a new security risk; the written down password. Also, frequent forced password changes made it worse. Most businesses only ask staff to change passwords every 3 to 6 months these days. And web sites.never asks you to change your password.
The dirty (not so secret) secret is that, the biggest risk to security is not how complex your password is, but how easy it is to trick people into just giving away access to their accounts.
These days MFA is what makes logon credentials safer and passkeys are slowly proving that passwords themselves are not worth it for most systems.
tl;dr - complex passwords are a throwback and not better than long memorable ones like 1Verycrappycode!
How do passwords get scraped?
Shitty sites that store PWs in plain text, or they get compromised and the password is figured out from the hash. Probably the most common way right now is phishing, and with AI/LLM it’s pretty easy to do spearphishing attacks on a large scale. The target enters their password on a seemingly legit site, but it’s actually an attacker’s site that logs the PW. There are lots of ways to get a password, and password-only authentication is considered pretty weak, even with a “strong” password.
Have . and ; and / in the middle of your passwords. If a site is compromised and email + passwords are taken, these are usually stored in a csv file. If someone attempts to delimit the csv data, these characters can split you password into multiple cells.
Anyone with the barest of skills will have escaped any of these characters.
True. But it will eliminate a percentage of the script kiddies.