I wrote up some rules for passwords for a client a little while ago and thought it was worth sharing. Lots of other people have written up these kinds of rules, but I think it's always worth reiterating because so many still don't follow these practices.
Before listing the rules, an important reminder that almost all hacking is done with automated tools. Unless you are a VIP, you are very unlikely to be targeted specifically -- but rather one in a list of thousands or millions being scanned. You're protecting yourself from hacking software, not mythical black hoodie-wearing super-hackers. We have to think from a software perspective to understand how best to protect ourselves.
- Never use the same password across multiple sites. You've heard this one a million times. Probably some site you've used has had its data stolen (check haveibeenpwned.com to see, and remember that's just listing the breaches that were made public), so if you use the same password everywhere it takes only one of those sites being hacked to put every account at risk. This is the most basic of all password advice, but many, many people still reuse passwords.
- Use a password manager like 1Password or LastPass. Apple Keychain is ok too. So you've been following rule #1, and now you have dozens (or more) of different passwords. You need some way to remember them! Password managers are also great for sharing passwords between family members or for setting up the ability to grant access to your entire password vault if you get hit by a bus.
- Really, get a password manager. And let your password manager create your passwords for you. As humans we are terrible at creating and remembering passwords, and we're up against computer software which is incredibly good at doing that very same thing! Security experts call this "password entropy", which is a way of saying how hard the password is for a computer to guess. Your choice is to read up on this and understand how the algorithms work, or just let your password manager do it for you. You may think you've been very clever with your password creation, but computers deal in math, not cleverness.
- Password length is more important than "trickiness". "s3cret!" is a terrible password, whereas "my special secret password" is much better (though still not great). But see #3, don't create your own passwords.
- Always use multi-factor authentication if you can; it's an important second line of defense. I know it's annoying, but it will absolutely save you! App-based one-time passwords or push notifications (like Authy, Google Authenticator, etc.) are preferable to SMS or email, but I wouldn't worry about it too much as long as you have some second factor.
- Usernames / email addresses are also part of your login credentials and so are effectively part of your password. Using different usernames for important things like banking is a good idea. For example, if you use "bobjones" as your username everywhere, the hacking scripts just need to get your password to log in. But if you use "bobjones-linkedin" on LinkedIn and "bobjones-facebook" on Facebook then even if someone had your password that wouldn't be enough. "But LinkedIn uses emails for username logins" you might be (correctly) saying. This method is easily adapted by using email aliases; for example, [email protected] will automatically forward to [email protected] without you having to set up anything in Gmail. Many other email platforms support "+" aliases as well. This has the added bonus that if a site sells or leaks your info, you know what the source was. If I start getting spam to [email protected] then I know who to blame.
- Think twice before you enter your password when you see a login screen! Phishing is everywhere and there are a lot of tricky ways to make a login screen look like the real thing. Again, a password manager can save you here because it only fills the password for the exact domain it was saved on: it won't enter it into a look-alike domain built from Unicode characters that resemble the real letters (Unicode obfuscation) or into 1inkedin . com (a one instead of an ell), etc. Fight bad software with good software.
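Rules 3 and 4 talk about "password entropy" and why a longer password beats a "tricky" one. The script below is an added example, not part of the original post, that puts numbers on the two sample passwords above and on a manager-generated one. The 10 billion guesses per second rate and the 7,776-word list size (the Diceware list) are assumptions used for illustration.

```python
import math
import secrets
import string

# Character classes a guessing tool has to cover once it assumes which kinds
# of characters appear in the password (space is counted with punctuation).
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def brute_force_bits(password: str) -> float:
    """Upper bound on the work to guess `password` by trying every string of the
    same length over the character classes it uses: length * log2(alphabet)."""
    alphabet = sum(size for chars, size in CHARACTER_CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Work to guess a passphrase once the tool assumes it is `word_count` words
    drawn from a `dictionary_size`-word list. Human-chosen phrases have this kind
    of structure, which is why the brute-force bound overstates their strength."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every possibility at a given guess rate (assumed figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# 94 printable ASCII symbols: what a typical manager-generated password draws from.
GENERATED_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """What a password manager does: pick every character uniformly at random with
    a cryptographic RNG, so there is no structure for a guessing tool to exploit."""
    return "".join(secrets.choice(GENERATED_ALPHABET) for _ in range(length))


def generated_bits(length: int = 20) -> float:
    """Entropy of a uniformly random password of `length` over the 94 symbols."""
    return length * math.log2(len(GENERATED_ALPHABET))


if __name__ == "__main__":
    for pw in ("s3cret!", "my special secret password"):
        print(f"{pw!r}: brute-force bound {brute_force_bits(pw):.1f} bits")
    # The longer phrase is four common English words, so a tool that tries word
    # combinations from a 7,776-word list needs far fewer guesses than the
    # character-level bound suggests.
    bits = passphrase_bits(4, 7776)
    print(f"4 words from a 7776-word list: {bits:.1f} bits, "
          f"exhausted in {years_to_exhaust(bits):.3f} years at 1e10 guesses/s")
    bits = generated_bits(20)
    print(f"generated {generate_password(20)!r}: {bits:.1f} bits, "
          f"{years_to_exhaust(bits):.1e} years at 1e10 guesses/s")
```

"s3cret!" comes out around 43 bits; the phrase looks like 153 bits by character count but only about 52 bits once it is modelled as four dictionary words, while a 20-character generated password is about 131 bits and really is that hard, because nothing about it is predictable.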
This is a very deep subject which we are only scratching the surface of here. It feels like a ton of rules to follow and it turns something that seems like it should be very quick and easy (logging in) into something more complicated, but once you've got a password manager set up and working it is pretty easy. It can also help to work with a smaller set of accounts by using third-party logins when possible, like using your Google or Apple account on other sites that allow that, and then making doubly sure that those accounts are locked down as much as possible.
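Rule 7 says a password manager protects you from look-alike login pages because it only fills a password on the site it was saved for. The example below is added here and is not code from any real password manager; it shows the domain check such a tool performs, using a small constructed vault. Converting the host to its IDNA (punycode) form is what makes a domain spelled with Unicode look-alike letters compare as a different string instead of matching by appearance.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault: the registrable domain each login was saved for,
# mapped to the per-site username from rule 6 (not a real vault format).
VAULT = {
    "linkedin.com": "bobjones-linkedin",
    "facebook.com": "bobjones-facebook",
}


def canonical_host(url: str) -> str:
    """Lower-cased host in IDNA ASCII form. A host with non-ASCII letters, such as a
    Cyrillic 'е' standing in for 'e', becomes an 'xn--...' label here, so it can
    never be equal to the plain ASCII domain the login was saved under."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")


def matching_entry(url: str) -> Optional[str]:
    """Return the saved domain whose login may be filled on this page, or None.
    Only an exact match or a subdomain of the saved domain qualifies;
    'linkedin.com.evil.example' ends in '.example', not '.linkedin.com'."""
    host = canonical_host(url)
    for saved in VAULT:
        if host == saved or host.endswith("." + saved):
            return saved
    return None


def should_autofill(url: str, saved_domain: str) -> bool:
    """The fill decision: True only when the page belongs to `saved_domain`."""
    return matching_entry(url) == saved_domain


def explain(url: str) -> str:
    """Human-readable verdict, flagging punycode labels so a user can see why a
    convincing-looking address was refused."""
    host = canonical_host(url)
    saved = matching_entry(url)
    if saved:
        return f"fill {VAULT[saved]!r}: {host} belongs to saved site {saved}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"refuse: {host} uses non-ASCII look-alike characters and matches no saved site"
    return f"refuse: {host} matches no saved site"


if __name__ == "__main__":
    # Constructed URLs: the real login page, a digit-for-letter look-alike,
    # a Unicode look-alike (U+0435 is Cyrillic small letter ie), and a
    # subdomain trick on an unrelated domain.
    for url in (
        "https://www.linkedin.com/login",
        "https://1inkedin.com/login",
        "https://link\u0435din.com/login",
        "https://linkedin.com.evil.example/login",
    ):
        print(f"{url}\n  -> {explain(url)}")
```

Only the first URL gets a fill; the Unicode look-alike is reported as an `xn--` host, which is exactly the mismatch a human eye misses and a program does not.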