Password Security Practice Tips

1234, Password1, 25june1980, ABCD (+E for a stronger one). And the list goes on and on.

Although these types of passwords have become very common, they are actually very weak in the 21st century. And while many people are starting to become aware of this, many continue to create weaknesses in other places and practices, such as writing their passwords on scraps of paper, reusing the same password on every account they have on the internet, or the modern version of the scrap of paper: writing them in a notepad file and saving it on the desktop.

In this helpticle, we are going to share some password security best practices that we strongly advise you to apply when you create an account on our website, or literally anywhere on the internet.

    1. Back to basics.

    DO NOT use short, obvious, or personally identifiable strings as passwords, such as password1, 1234, ABCDE, andy2, your date of birth, your first love's birthday, your kitty's name, or your favorite color. Also avoid combining them. A favorite color + kitty name combo (Blue Mimi) sounds cute, but don't do it.

    2. Try not to l̶a̶u̶g̶h re-use them!

    And we mean across the entire internet.

    When one password has been dedicated to one service, try to avoid re-using it on another one. Why?

    The domino effect. If your password on one service gets breached/leaked, all other accounts across all services using that same password are at risk as well because you are using the same key to unlock your gate, your house door, and your vault.

    PS: We see you, adding a counter at the end of your root password to make it look and feel like a new one:

    Facebook password: thisisapassword

    Instagram password: thisisapassword1

    Twitter password: thisisapassword5

    or worse, adding the name of the service to it:

    Facebook password: passwordfb

    Instagram password: passwordInstagram

    Twitter password: twitterpassword

    Do not do that! When we say a new one for each service, we mean a unique one per service, with no similarities.

    We know it is really hard to keep track of all the passwords, especially if we have to create one per service. But we can assure you, it is worth the dedication.

    3. Rock, Paper, Scissors.

    "The Shortest Pencil Is Longer Than The Longest Memory." — Mark Batterson

    It is very true most of the time. But not when it comes to passwords.

    Same thing for pencil + paper v2.0, a.k.a. computer/phone notepads.

    Avoid writing your passwords down in plain text, whether by hand, on your devices or in your agenda, let alone on email platforms.

    4. Password Sonata - 3rd Movement.

    Play a symphony on your keyboard if you like, but do not use consecutive, follow-on combinations: AZERTY, QWERTY, ABCD, 1234, ...

    5. Quality over complexity.

    This one sounds a bit controversial, as we've just talked about how strong your password should be. But there's a trick to it: extreme complexity doesn't always equal effectiveness.

    What we really mean is: avoid using a short but complex password with all the special symbols in the world, like 4E&~>@, saying "yeah, it's short but complex enough".

    Instead, start using what are called "passphrases"; like grapepatchworkclassdoorframe.

    Why?

    The first one is hard for humans to remember, but easy for machines to brute-force because it is so short.

    The second one satisfies the length factor AND is easy for humans to remember.

    In fact, the length of your password takes precedence over its complexity. You may have a short password with complex characters and think you are safe, but short passwords do not really make you secure, no matter how complex they are.

    With a passphrase, you vastly increase the number of candidates an attacker has to try during a brute-force session, whereas a short, complex password can be exhausted far more easily by simply enumerating every combination in sequence.

    TIP: While using the passphrase technique, keep in mind all the previous bits of advice we gave you.

    And then, if you want to enable god mode, you can combine complexity + length. For example D$@HQjmgMJ9bQFAeP3QE35Qz.

    But with these types of passwords, you had better have a password manager; otherwise, good luck remembering them.
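    To put numbers on tips 1, 2, 4 and 5, here is a small added example (not code from the original helpticle) that computes the brute-force search space of the two passwords above and audits a constructed sample vault for the rules just discussed. The 12-character minimum, the 8-character shared-root threshold and the 7776-word dictionary size are assumptions.

```python
import math
import re

# Keyboard walks and counting runs the article warns against (tip 4).
SEQUENCES = ("azerty", "qwerty", "abcd", "1234")

# Constructed sample vault (service -> password) built from the article's own examples.
SAMPLE_VAULT = {
    "Facebook": "thisisapassword",
    "Instagram": "thisisapassword1",
    "Twitter": "twitterpassword",
    "Bank": "qwerty2024",
}
# Character classes an attacker assumes once they know the password's style.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))

def keyspace_bits(password: str) -> float:
    """Bits of brute-force search space: length * log2(alphabet size)."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Lower bound if the attacker guesses whole words from a known list
    (7776 is the size of a standard Diceware word list, an assumption here)."""
    return words * math.log2(dictionary_size)

def shared_root(a: str, b: str) -> int:
    """Length of the common prefix, e.g. 15 for the Facebook/Instagram pair."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def audit(vault: dict) -> dict:
    """Report which of the article's rules each stored password breaks.
    The 12-char minimum and the 8-char shared-root threshold are assumptions."""
    findings = {service: [] for service in vault}
    for service, pw in vault.items():
        low = pw.lower()
        if len(pw) < 12:
            findings[service].append("too short")
        if any(seq in low for seq in SEQUENCES):
            findings[service].append("keyboard/number sequence")
        if service.lower() in low:
            findings[service].append("contains service name")
        for other, other_pw in vault.items():
            if other != service and shared_root(low, other_pw.lower()) >= 8:
                findings[service].append(f"shares a root with {other}")
    return findings
```

    Even under the pessimistic word-list model, the five-word passphrase beats the six-character symbol salad by a wide margin.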

    6. Make your password famous...

    ...so that they can have a Manager.

    Ok, that pun was too much. NO! Do NOT make your passwords famous.

    More seriously, you may ask yourself: "how can I remember all my passwords if I do not write them down somewhere?"

    Well, whether you use passphrases or more complex password techniques, it is always a great idea (at least at the time this helpticle is being written) to use a Password Manager.

    Why?

    They can be your best friend, keeping all your passwords in one safe and encrypted place. You will be able to set and save new long and complex passwords per service, as advised throughout this article, without worrying that much about whether you will remember them or not.

    To date, the vast majority of cyber-security experts agree that Password Managers are one of the safest and most secure ways to protect your passwords.

    They all have their own ways of securing your passwords, though. Some are stronger (or weaker) than others, using industry-standard encryption methods and protocols (e.g. AES 256-bit encryption, as used by militaries), zero-knowledge architectures, ...

    However (yes, there is a "but" everywhere), it is practically impossible to protect and secure your data and digital life 100%. Any security method you follow and apply will always have its pros and cons.

    Regarding P.Ms (password managers), here is a quick and non-exhaustive list of their cons:

    • Having all your sensitive information in one single place is generally not a great thing, even if you have the best encryption method in the world. It is enough for someone to get your master password to open your Ali Baba password cave. (But at least it is way safer than writing your passwords down in plain text in your notepad or on paper.)

    • Your P.M might undoubtedly be really secure, but the devices on which you host it are not. All it takes is a mistake or a moment of inattention on your part, an update bug from the manufacturer, or anything else you can't control happening on your device for malware to spoil the party.

    • Wrong Password Manager choice. Like an artist, your career may succeed or break because of your manager. If you have made the wrong P.M choice, instead of granting you a safe place for your passwords, it may actually expose them, due to the weak encryption practices some bad P.Ms have.

    • P.M not providing cloud-based backups. Some P.Ms do not offer cloud-based backups. While this is not mandatory, having an encrypted backup always helps. Imagine your device lost or damaged: all the passwords you have stored locally go with it. And working around that by building your own password backups to store on your Google Drive is the worst thing you can do.

    • ...

    So yeah, you got it. The choice of your password manager should not be taken lightly. Take your time, evaluate their practices, and balance the pros and cons of each service.

    It is exactly like choosing wisely THE friend you would share all your secrets with.

    “If you want to keep a secret, you must also hide it from yourself.” ― George Orwell

    Here is a non-exhaustive list of P.Ms in the market:

    Cloud-based solutions, such as:

    Local Storage solutions, such as:

    Physical (hardware) solutions, such as:

    DISCLAIMERS:

    • The list above is not a ranking of the best or worst PMs. It is an extract from the list of PMs on the market according to their category. We do not influence you to choose this or that PM. The choice is yours alone, and the responsibility to investigate the service you intend to use is entirely yours.

    • This helpticle is not affiliated with any of the above-mentioned products. No affiliate links were involved in the hyperlinks above; each link is the original, plain URL.

    7. 2FA when possible.

    If you use "2FA" as your password, it means you did not understand any of the security practices we've discussed until here.

    2FA stands for "Two-Factor Authentication"; the form you will most often meet is TOTP, the "Time-Based One-Time Passcode" generated by authenticator apps.

    It adds an extra layer of security to your digital life. If the service you use gives you the option to enable two-factor authentication on your account, please, do so as soon as possible, especially if your account gives you access or control over your sensitive information.

    Why would you do this?

    The explanation is simple: your account is the ultimate target for hackers. If your password is breached, all they have to do is log in to your account with the information they have collected (email + password) and BASTA!

    With 2FA enabled, they will have one more boss to fight. 2FA will flag any new login from a device you've never used or authorized and ask you to type in a temporary, dynamic code that is sent to you via email, SMS or call, or generated automatically by your registered authenticator app.

    This is basically your second authentication door, in case someone manages to get through your first castle door.

    That's the raw explanation, but the science behind it is much more complex and very useful to understand.

    Take a look at this article that explains in detail what 2FA is.

    8. VIP your email.

    Your email address is one of the holy grails that allow you to have an online presence and accounts across various services.

    Most services nowadays ask for your email address to let you register and log in.

    This same email address will also serve as their primary channel for sending you highly sensitive information, such as password reset links, two-factor authentication codes/links, invoices, account activity reports, etc.

    This speaks for itself, so it should be obvious why you need to prioritize the security of your email address.

    Here are some quick tips to help you secure your email:

    • Change your email password regularly.

    • Always double and triple-check the domain name and email address of the email sender. Make sure it is the authentic sender.

    • Avoid clicking on links you receive in email without checking first that the links are secure and safe.

    • Learn more about phishing and other common email scams.

    • Make sure you trust the companies you are providing your email address to.

    • Check whether your email address has been pwned (exposed in a known data breach).

    • Use different email addresses for personal and business activities, and avoid mixing them up.

    • If possible, use a different email address for account creation, a new one that is different from the one(s) you share publicly.

    Now...

    With all this being said, we repeat: it is impossible to secure your digital life and data 100%, including your passwords.

    The rules will always change, and it is only a matter of time before a technology that works and is well established today becomes obsolete in a few hours/days/years/decades. Cybercriminals keep multiplying their efforts on their side to make sure they get past the established limits.

    This is why it is very important to follow the latest security practices and to keep up with and be aware of the latest security breaches, even if you are not that interested, because your online security and that of your data are at stake, whether you like it or not.

    Now go and change all the passwords, across all your services, that you think are weak.
