Many of us have numerous online accounts that need a unique username and password. While you may already know the significance of a strong password, everyone has their own interpretation of what makes a password secure. Let's ensure that you have not unknowingly adopted some common unsafe password practices.
This article on Cybersecurity Awareness Week is presented in partnership with Incogni.
Putting Personal Information in Passwords
Using a password frequently necessitates it being memorable, which is why individuals often employ birthdays and personal details. Nevertheless, this practice is highly inadvisable.
The reality is that much of the so-called "personal" information is not truly private. It would not be difficult for a determined hacker to discover your birthday, middle name, child's name, or home address. This is true even for the names of famous individuals. Any password that consists of a real word, name, or any other existing entity in the world is inherently more susceptible to being cracked by software.
Using a "Keyboard Walking" Password
WPEngine
Keyboard Walking, the practice of using adjacent letters, numbers, and symbols on a keyboard, is a common and easily decipherable method of creating passwords. Even seemingly random combinations can be cracked if caution is not exercised.
The idea behind creating a strong yet memorable password is to use a series of adjacent keyboard keys. However, since many people adopt this approach, it becomes effortless for cracking software to systematically explore all possible combinations generated by keyboard walking.
Reusing the Same Passwords Everywhere
Using the same insecure passwords in multiple places exacerbates the negative consequences of previous habits. It is understandable to desire a single password for convenience, considering one typically needs passwords for numerous accounts. However, this approach is highly ill-advised.
If an individual manages to crack your password in one location, the next logical course of action would be to attempt that very same password on other platforms. By employing this method, you are essentially facilitating access to all your accounts with minimal effort for potential intruders.
Insecure Password Storage
Perhaps the habits you had before are outdated, and you may already be generating robust passwords for every single website. However, this introduces a new dilemma: how can you effectively manage passwords that are intentionally difficult to recall?
What you should avoid is storing them in a spreadsheet, sending them to your own email, or saving them in a text document. This resembles the issue of using the same password for all your accounts. If by any chance someone gains access to these supposedly "secure" storage locations, they would essentially possess the means to unlock your entire domain.
Not Using a Password Generator or Manager
Justin Duino
To enhance the security of your passwords, consider utilizing two easily accessible resources. Firstly, employ the assistance of a password generator, a tool specifically designed to generate highly secure passwords. These generated passwords surpass any creative combinations you may conceive.
Generated passwords are difficult to remember, and storing passwords in a spreadsheet or text file is not recommended. To address this issue, a password manager can securely store your passwords for you. In fact, certain password managers can even generate passwords for you.
You might be under the impression that a password manager is similar to a spreadsheet. However, if someone gains access to your password manager, they would have access to all your passwords. Password managers require just one "Master Password" to access your passwords. This means you only need to remember one password, which should be stored safely offline.
Skipping Multi-Factor Authentication
The adoption of multi-factor authentication, often referred to as "two-factor authentication," is growing rapidly across different services. While the traditional username and password combination acts as the initial line of defense, implementing additional layers of authentication is crucial. It is important to realize the significance of multi-factor authentication and not disregard its importance.
Multi-factor authentication often requires the use of a phone number for verification purposes when accessing a website. Once you have entered your username and password, a text message containing a PIN is sent to your phone. To complete the sign-in process, you must enter this PIN. The concept behind this is that even if someone manages to obtain your password, they would still require access to your phone number, which poses a greater challenge.
However, it is worth noting that phone numbers are not the most secure method of implementing two-factor authentication. Applications such as Google Authenticator and Authy provide significantly higher security as compared to phone numbers.
Never Updating Old Passwords
It is highly unwise to use weak passwords, and the situation becomes far more precarious when these passwords are retained over extended periods of time. Regrettably, incidents of data breaches have now become increasingly frequent. In the event that a website you are registered with experiences such a breach, your username and password are vulnerable to unauthorized access by potential wrongdoers.
Using Passwords Instead of Passkeys
Regularly updating your passwords renders any leaked information obsolete. In the event that a website notifies you of a data breach, it is imperative to promptly change your password. Another useful tool to check if your personal data has been compromised is "Have I Been Pwned?"
Most of the issues with passwords stem from the individuals who generate them. Utilizing a password in the first instance could be the most significant error you are committing. Passkeys represent the future of password security and should be employed whenever possible.
Rather than inputting a username and password, a passkey functions more akin to unlocking a phone. For instance, your Facebook password can be used to access the Facebook website or app from any location. Conversely, a passkey is exclusively linked to the device on which it was generated.
Imagine using a passkey to access your Facebook account on your computer. Instead of typing in your username and password, you can simply scan a QR code from your phone and unlock it to sign into Facebook. Your phone acts as the "password", ensuring only you can gain access.
The encouraging news is that there are solutions available for every poor password habit. The downside is that it is your responsibility to utilize them. Fortunately, tools like password managers and passkeys greatly simplify and enhance security compared to attempting to manage everything on your own.