The first Thursday of May is special not because it’s a tempting day to go out and ruin your Friday schedule. In a sense, May 4, 2019 is the opposite of that: it’s World Password Day 2019 – raising password security awareness and making Fridays at work less stressful.
Before you complain – yes, everything has a “Day” now, but this one’s important. Bad password management is responsible for a whole lot of data theft and consequently identity theft, fraud, and financial crimes around the world. Luckily, you can spare yourself all of that with a password manager. But we’re getting ahead of ourselves…
How bad passwords and bad password usage can ruin your day
If someone knows your account username, all they need to do to get inside is launch a “brute force” attack on the front-end of the website. This refers to trying all possible combinations of letters and symbols until one sticks. If you have a password like “123456” – the most common password in the world, by the way – a brute force attack will get through in no time.
Even if your identity is unknown outside the digital world, your username and password can still be compromised. Often this will happen due to database breaches on some online service – no doubt you will have seen news stories about Facebook, Google+, Quora, and others leaking data to hackers. Although these leaks don’t necessarily have to contain usernames and passwords, often they do. And often the credentials are not adequately encrypted.
Let’s take this a step further: the database containing Spotify usernames and passwords was breached. It turns out they were hashed (often loosely called “encrypted”) using the notoriously unsafe SHA-1 algorithm. The hackers now have access to the username-password combination you used on Spotify. If that’s the only service where you used that combination, perhaps you’re fine (although, of course, the world may learn of your obsession with the OST of My Little Pony). What’s that – you’ve been using the same password everywhere?
Well, then you’re a potential victim of “credential stuffing.” For those wondering, this means the hackers will take your credentials from Spotify and try them on other popular platforms, potentially uncovering a lot more than just your embarrassing music preferences.
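To see why a fast, unsalted hash such as SHA-1 is inadequate password storage, here is an added example (not code from the original article or from any service mentioned in it) that contrasts it with salted PBKDF2 storage; the user accounts are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users who picked the same weak password.
USERS = {"alice": "123456", "bob": "123456"}


def store_sha1(password: str) -> str:
    """Storage the way the breached service in the article did it: one fast,
    unsalted SHA-1 per password. Every user with the same password gets the
    same digest, and an attacker can precompute digests of common passwords
    long before the breach happens."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: bytes = b"", rounds: int = 600_000) -> str:
    """Salted, deliberately slow storage (PBKDF2-HMAC-SHA256). A random
    per-user salt makes identical passwords produce different records and
    defeats precomputed tables; the iteration count makes each guess costly."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def identical_records(storer) -> bool:
    """True if storing alice's and bob's (identical) passwords gives equal records."""
    return storer(USERS["alice"]) == storer(USERS["bob"])


if __name__ == "__main__":
    print("SHA-1 records identical:", identical_records(store_sha1))     # True
    print("PBKDF2 records identical:", identical_records(store_pbkdf2))  # False
```

With SHA-1 the stolen record for "123456" is the same digest for every site and every user, so the leak is readable the moment it is downloaded; with a salted, slow hash each record has to be attacked separately and expensively.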
How do I create a strong password?
There are many misconceptions when it comes to creating a good password. Most of them are related to the fact that we can’t step outside the mindset of a human being. Unfortunately, tasks that are difficult for us may be quite easy for a computer – and vice versa. In fact, it wouldn’t be wrong to say that we’ve been taught to choose passwords that are hard for humans to memorize but easy for computers to guess. This now-legendary comic from xkcd illustrates the problem perfectly.
So, what are the most important things to be aware of when coming up with a password?
- By far the most important factor for determining password strength is its length
- A password doesn’t necessarily need capitals, numbers, and punctuation to be strong
- Humans tend to use non-letter symbols in predictable ways: using numbers as in “13375p34k” or adding them at the end of the password; capitalizing the first letter in the password; etc. These switch-ups don’t do much to make the computer’s job more difficult
- Long combinations of random words and some punctuation make better, more memorable passwords
To illustrate the point, “bloodstained-donkeykong-bedsheets” makes a better password than “D0nk3yk0ng1”.
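The length-beats-complexity argument above, as an added example that is not part of the original article: it estimates the search space an attacker faces for the article’s own passwords, both when the attacker knows nothing about them and when the attacker already knows the scheme used. The guessing rate and the dictionary size (7776, the Diceware list) are assumptions.

```python
import math
import string

# Assumed offline guessing rate against a fast, unsalted hash (order of magnitude
# for a GPU rig; a constructed figure, not a measurement).
GUESSES_PER_SECOND = 1e10

# Character classes a brute-force attacker must include once any member appears.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def brute_force_bits(password: str) -> float:
    """Search-space size, in bits, for an attacker who knows nothing about the
    password except which character classes it uses: charset ** length."""
    charset = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(charset)


def passphrase_bits(password: str, sep: str = "-", dictionary_size: int = 7776) -> float:
    """Search space when the attacker already knows the scheme: words drawn from a
    dictionary of dictionary_size entries (assumed Diceware size) joined by sep."""
    return len(password.split(sep)) * math.log2(dictionary_size)


def mangled_word_bits(dictionary_size: int = 7776, leet_variants: int = 16,
                      suffix_digits: int = 1) -> float:
    """Search space when the attacker knows the scheme is one dictionary word with
    a few leetspeak swaps and digits on the end: the 'switch-ups' from the list."""
    return math.log2(dictionary_size * leet_variants * 10 ** suffix_digits)


def years_to_exhaust(bits: float) -> float:
    """Time to try the whole space at GUESSES_PER_SECOND."""
    return 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600)


def report(password: str) -> dict:
    bits = brute_force_bits(password)
    return {"password": password, "bits": round(bits, 1), "years": years_to_exhaust(bits)}


if __name__ == "__main__":
    for pw in ("123456", "D0nk3yk0ng1", "bloodstained-donkeykong-bedsheets"):
        print(report(pw))
    # Even when the attacker knows the scheme, three random words beat one mangled word:
    print(passphrase_bits("bloodstained-donkeykong-bedsheets"), mangled_word_bits())
```

The blind brute-force figure for the passphrase is dominated by its 33 characters, and even the much smaller scheme-aware figure (three words from a known list) still exceeds what a leetspeak-mangled word with a trailing digit offers.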
The solution: password managers
If the whole password-creation business hurts your head, there’s another way – get a password manager. These tools integrate with your browser and store all your passwords in an encrypted “vault,” so that even someone who gets hold of the vault file cannot read it without your master password. This removes the need to create strong yet memorable passwords: you can make them as labyrinthine as you like or, better still, let the password manager generate them for you.
For World Password Day 2019, we chose a few password managers to recommend to our readers.
Avast Passwords
- Pros: sync across devices, remember credit card numbers
- Cons: few advanced features
- Price: free or $19.99/year
The Czech cybersecurity firm has successfully branched out into a number of areas: they have an anti-virus, a VPN, and a password manager too. Avast Passwords is a lightweight password manager with a powerful free version and protection not just for your login credentials, but credit card details as well. Those who want the full experience can get the Premium version for $19.99/year – well below the industry average. Avast Passwords is available for Windows, macOS, iOS, and Android.
LastPass
- Pros: feature-rich and dependable
- Cons: the paid version is somewhat expensive
- Price: free or $36.00/year
LastPass is a very feature-rich password manager. It has rightfully carved out a place for itself at the top of the industry and is also available in both free and paid versions. LastPass offers two-factor authentication and other protection features (such as fingerprint login), password sharing between users, and a long list of other goodies. Although the paid version of LastPass (at $36.00/year) is more expensive than most password managers, in this case you get what you pay for.
KeePass
- Pros: open source – completely free, nice features
- Cons: looks dated, no official apps outside Windows
- Price: Free
KeePass is an open source – and thus completely free – password manager. Among its strengths is its portability – you can carry it on a USB stick and there’s no need to install it. The tool has all the features you would expect of a solid password manager, but it has some weaknesses as well. For example, while it works on non-Windows operating systems, those versions of KeePass are unofficial ports. Also, the interface looks super old. Regardless, as a free tool, it really is great.