I was doing some research on best practices for passwords, and was amazed at what experts are now saying about it. According to a 2019 Verizon Investigations Report, the use of stolen credentials (passwords) is one of the top techniques used by hackers. Other reports from sources such as the Department of Homeland Security, the National Institute of Standards and Technology, and Microsoft agree, and have come up with their own password policy advice.
Many best practices are directed to system administrators, and some may surprise you. Below are a few of the guidelines I was shocked to learn might not be a best practice anymore:
- Maintain an 8-character minimum length requirement (longer isn’t necessarily better)
- Don’t require periodic password resets for user accounts
- Don’t require special characters such as *&(^%$
- Don’t use knowledge-based authentication (e.g. what is your mother’s maiden name?)
If you’re like me, I thought the current recommendation was to create really long complex passwords to help keep it from getting hacked. It seems that practice is changing now and who knows what it will be in the coming years. So regardless of what a site administrator forces on you from a password creation standpoint, you can take a more active role in protecting your password. Here are some ideas.
Change Your Password – Oddly enough, these reports only suggest you change your password if you feel it has been compromised. One reason they give is that people tend to change passwords in a simple, predictable fashion, so if the original is compromised an attacker can easily guess the new one. For instance, if your password was j@berWacky1 and you change it to j@berWacky2, it doesn’t do much good.
Use Multi-factor Authentication – This requires the site to send an email or text to you to reset your password. Sometimes this is forced by the site you are accessing, other times they offer the option to enable it in your account preferences. If a site doesn’t offer multi-factor authentication, email them and ask them to provide it.
Password Length – The best practice is to have a minimum of 8 characters and a maximum of 64. If a site you are accessing allows fewer than 8 characters, you should still use more when you set your password.
Use Special Characters (including spaces) – This is where you can get creative. Replace an “a” with an “@.” Use an “!” instead of an “i.” Something that you will remember, but would be hard for the bad guy to anticipate.
Use Mixed Case and Numbers – You can enhance your password by mixing these in. For instance, mYspec1alp@Ssword would be hard to crack.
Get creative – Use phonetic replacements, such as “PH” instead of “F”. Or make deliberate, but obvious misspellings, such as “enjin” instead of “engine”.
Use a Passphrase – The best strategy to create a strong password is to create a random passphrase that you do not share with anyone. For example, think of a random sentence, such as “My Favorite Movie Is Starwars Return Of The Jedi”, and create your password from the first letter of each word: mfmisROTJ.
Don’t make passwords easy to guess – Do not include personal information in your password such as your name, pets’ names, or dates of birth. This information is often easy to find on social media, making it easier for cybercriminals to hack your accounts.
Use a Password Manager – This way you only have to remember one really strong password. Then, use the password generator provided by your password manager to create a unique password for all of your sites.
And lastly, Never Share Your Password – Don’t tell anyone your passwords. Don’t write them down or put them on a sticky note on your monitor. Watch for attackers trying to trick you into revealing your passwords through email or calls.
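As an added illustration (my own code, not part of the original post), here is how a site administrator could encode the guidelines above in a password-acceptance check: a length of 8 to 64 characters with spaces allowed and no forced special characters or scheduled resets, rejection of a new password that differs from the old one only by a trailing counter (the j@berWacky1 / j@berWacky2 case), and rejection of passwords containing personal details such as a name, a pet’s name or a birth year. The function name, the `personal` argument and the sample inputs are my own assumptions.

```python
import re
from typing import List, Optional, Tuple

MIN_LEN, MAX_LEN = 8, 64  # the 8-to-64 character range the post cites


def _stem(pw: str) -> str:
    """Strip a trailing run of digits and fold case, so that
    j@berWacky1 and j@berWacky2 compare as the same base password."""
    return re.sub(r"\d+$", "", pw).lower()


def check_new_password(new_pw: str, old_pw: Optional[str] = None,
                       personal: Tuple[str, ...] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means accepted.

    Deliberately absent, in line with the post: composition rules
    (no required *&(^%$) and periodic expiry. Spaces are allowed, so a
    full passphrase passes as long as it fits the length range.
    """
    problems: List[str] = []
    if len(new_pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(new_pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if old_pw is not None:
        if new_pw == old_pw:
            problems.append("identical to previous password")
        elif _stem(new_pw) and _stem(new_pw) == _stem(old_pw):
            problems.append("only a trailing number differs from previous password")
    lowered = new_pw.lower()
    for item in personal:
        item = item.strip().lower()
        # Ignore very short fragments to avoid matching single letters.
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal detail {item!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs mirroring the post's examples.
    print(check_new_password("j@berWacky2", old_pw="j@berWacky1"))
    print(check_new_password("mfmisROTJ"))
    print(check_new_password("Rex2001secret", personal=("Rex", "2001")))
    print(check_new_password("My Favorite Movie Is Star Wars", old_pw="mfmisROTJ"))
```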
The most important thing you can do to protect your data is to make the hacker’s job more difficult. Hopefully, some of these ideas will help.
Senior Technical Solutions, Training, and Product Manager
American Academy of Estate Planning Attorneys, Inc.
9444 Balboa Avenue, Suite 300
San Diego, California 92123
Phone: (858) 453-2128