Common Tips and Tricks to Making a Password

A commentary on password guidelines

Avoid using commonly used passwords or easily guessable information

I Like: It is true that a password containing common information is easily guessed, even if you add a FEW characters before or after it. The problem isn’t the information, it is the length and complexity.

I Don’t Like: Bouncing off of what I like – if you wanted to make a password composed of the five most common passwords of 2022 (Security Staff, 2023), it would be a GREAT password. 123456789guestqwertyguest123456password12345a1b2c3 – throw a capital letter and a symbol in there and BOOM, you just made a password far more secure than any I have made recently.

Use a passphrase instead of a password. A passphrase is a sentence that includes a mix of uppercase and lowercase letters, numbers, and symbols. For example, "Ilove2Eat#PIZZA" is a strong passphrase.

I Like: Everything about this. Passphrases can be easily remembered and are very hard for computers to guess. I have no complaints.

I Don’t Like: No complaints at all actually – carry on.

Use a mix of characters including uppercase and lowercase letters, numbers, and symbols. The more characters your password has, the harder it is to crack.

I Like: While this is true, it should not be forced in such a way that it is unnatural. Use characters where they make the most sense to you.

I Don’t Like: Many IT teams take this to the extreme and force the use of most or all of these classes. I cannot stand that practice, as it puts the security policy and the user at odds with each other. What needs to happen is that overall password length increases and periodic password resets become a thing of the past (more on that later).

Avoid using your personal information such as your name, birthdate, or address.

I Like: Not a thing about this! Use your personal information in your password and check the next line to understand how.

I Don’t Like: Complexity, complexity, complexity! That is what matters here. If you want to make a password out of your birthday, your mom’s birthday, and your high school mascot, go ahead! The problem you get into is when you use only ONE of those and the password overall is short.
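The point made in the last three sections (a passphrase is strong, length matters more than a forced character mix, and personal facts are fine once they are combined into something long) can be put into numbers. The following Python is an added example, not code from the original post: it estimates the exhaustive-search work an attacker faces from a candidate's length and character classes, and separately screens candidates for common passwords, the kind of list check NIST SP 800-63B asks verifiers to perform instead of scheduling resets. The common-password list and every sample candidate other than the page's own Ilove2Eat#PIZZA are constructed for illustration.

```python
import math
import string

# Constructed, illustrative list of commonly used passwords. A real deployment
# would screen against a much larger list, such as a published breach corpus.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "guest", "qwerty", "12345", "a1b2c3",
}

# Each character class and the number of symbols it adds to the alphabet an
# exhaustive-search attacker has to cover.
CHARACTER_CLASSES = [
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation), len(string.punctuation)),  # 32 symbols
]


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses.

    Characters outside the four standard classes (space, non-ASCII letters)
    each add one distinct symbol.
    """
    chars = set(password)
    size = 0
    covered = set()
    for members, weight in CHARACTER_CLASSES:
        if chars & members:
            size += weight
            covered |= members
    size += len(chars - covered)
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for an attacker who must try every string of this length
    over the implied alphabet. This is an upper bound: it assumes no smarter
    strategy (dictionary words, reused fragments) is available to them."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n > 1 else 0.0


def contains_common_fragment(password: str, min_len: int = 5) -> bool:
    """True if a known common password of at least min_len characters appears
    inside the candidate, case-insensitively."""
    lowered = password.lower()
    return any(c in lowered for c in COMMON_PASSWORDS if len(c) >= min_len)


def assess(password: str) -> dict:
    """Run the checks a verifier-side policy would apply to one candidate."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(brute_force_bits(password), 1),
        "is_common": password.lower() in COMMON_PASSWORDS,
        "has_common_fragment": contains_common_fragment(password),
    }


def compare(candidates: list) -> list:
    """Rank candidates by brute-force bits, strongest first, dropping any that
    appear on the common list outright."""
    kept = [(p, brute_force_bits(p))
            for p in candidates if p.lower() not in COMMON_PASSWORDS]
    return sorted(kept, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    samples = [
        "P@ssw0rd",                                  # forced-complexity, 8 chars (constructed)
        "Ilove2Eat#PIZZA",                           # the post's passphrase example
        "mymomsbirthdayisinjulyandwewerethetigers",  # long, lowercase only, personal facts (constructed)
        "password",                                  # on the common list
    ]
    for p in samples:
        print(f"{p!r:45} {assess(p)}")
    print("ranked:", compare(samples))
```

Run as-is, the 8-character forced-complexity candidate comes out near 52 bits, the 15-character passphrase near 98 bits, and the 40-character lowercase string of personal facts near 188 bits, which is the length-over-mandated-classes argument in numbers. The bit figure assumes the attacker has nothing better than exhaustive search, so a candidate assembled from dictionary words or known fragments should be judged by the fragment check as well, not by its bit count alone.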

Don't use the same password for multiple accounts. If one account gets hacked, all your other accounts become vulnerable.

I Like: I cannot tell you how important this is. Period.

I Don’t Like: People are forced to come up with completely new passwords for each site. Yes, the passwords should be significantly different, but that doesn’t mean they can’t have some things in common. Check out this Blog Post on what I mean by that and how you can write down your passwords securely too!

Consider using a password manager, which can help you generate strong, unique passwords and store them securely.

I Like: This is great for people who have other things on their minds and cannot take the time to learn password theory (even though it is really easy and fun). I understand that frustration and the need for a simpler “out of the box” solution. So check out Data Privacy Vendors to see what password manager I recommend and other useful data privacy vendors as well! Did you know that there is a service out there that can help remove your data from the internet? Check it out.

I Don’t Like: As with everything else, a single point of failure is always scary. What happens if the password manager gets hacked (it happens)? Or worse yet, you forget the password to your password manager?

Change your passwords regularly, at least every three to six months.

I Like: Not a thing about this.

I Don’t Like: Everything about this. As I mentioned in the Use a mix of characters section, this pits IT and the end user against each other. Making passwords overly complicated is counter to the point of passwords. So is changing them regularly. NIST published guidelines (NIST, 2020) that would do away with arbitrary password changes forever. Let’s just hope it catches on!

Citation Needed:

Works Cited

NIST. (2020, 03 02). Digital Identity Guidelines. Retrieved from NIST Special Publication 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html

Security Staff. (2023, 02 02). The most used password in 2022 was ‘password’. Retrieved from Security Magazine: https://www.securitymagazine.com/articles/98871-the-most-used-password-in-2022-was-password
