Passwords are a perpetual point of confusion, frustration and worry for most internet users. We know we need strong passwords to keep our information safe, but the harder a password is for an attacker to guess, the harder it tends to be for us to remember. Worse yet, keeping track of many different passwords at once is complicated.
We have written many times about the importance of using strong and unique passwords, particularly on sites which have any connection to your financial information (such as banking or retail sites). You could use a password manager such as LastPass or 1Password to generate and store long random strings, which is the most secure option, but many people are not comfortable with these apps and want something that is both strong and simple instead.
One very useful trick to master is using a passphrase instead of a password. You will often hear that passwords need to be long, and remembering long random strings is always difficult. Combining the way human memory works best (whole words and phrases) with the way password guessing actually works (length and unpredictability) is an important step forward in securing your online access.
So how does that work? Well, remember that a password is simply a string of characters that you repeat each time you want to access a specific account. The website does not care whether that string is “1234ABCD” or “He5wis*&”; a properly built site never even stores it, only a scrambled (hashed) version of it. What matters is how many guesses an attacker needs to land on it. The number of possible strings is the size of the character set raised to the power of the length, so every extra character multiplies the attacker’s work by the whole character set, while adding a symbol or two only makes the base a little bigger. Length therefore does more for you than complexity, as long as you avoid the stereotyped passwords like “1234ABCD” that sit at the top of every guessing list. Rather than thinking of a passWORD, think of a passPHRASE.
To start with, create a passphrase like “ILoveMarmaladeHamSandwiches.” This already has lower and upper case letters, which is good because you’ve widened the possible characters from 26 to 52. Next, take your all-letter passphrase and make a few substitutions. Change “Love” to the heart symbol <3 and replace all the letter ‘a’s with ‘4’s. Now you have “I<3M4rm4l4deH4mS4ndwiches,” which is a strong password: it is 25 characters long and contains capital letters, lowercase letters, numbers and symbols. Better yet, it is unique (not a password anyone else will think of) and still easily remembered. One caveat worth knowing: password-cracking tools apply exactly these kinds of substitutions automatically (‘a’ to ‘4’, ‘e’ to ‘3’, and so on), so the symbols and digits add less than they appear to. Most of the strength here comes from the length and from the phrase itself being unusual, not from the substitutions.
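To make the two estimates in the paragraphs above concrete, here is a small strength estimator added to this article (it is not code from the original post or from any password manager). It computes the naive brute-force figure (character set to the power of length) and, alongside it, what a cracker that undoes common substitutions and guesses whole words would face. The leet-substitution table, the tiny vocabulary and the list of common passwords are constructed stand-ins for the much larger lists a real tool carries; the 20,000-word vocabulary size is an assumption.

```python
import math
import re
import string

# Alphabet an attacker must enumerate in a blind brute-force search, based on
# the character classes present (the "widen from 26 to 52" reasoning above).
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
)

# Constructed sample of passwords that every cracking wordlist contains;
# a real checker would consult a large breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "1234abcd", "letmein"}

# Substitutions that cracking rule sets apply automatically; the attacker
# reverses them so the phrase can be guessed as ordinary words.
_LEET = {"<3": "Love", "@": "a", "$": "s", "4": "a", "3": "e", "0": "o", "1": "i", "5": "s", "7": "t"}

# Constructed stand-in for the attacker's ~20,000-word dictionary.
VOCAB = {"i", "love", "marmalade", "ham", "sandwiches", "my", "first", "pets",
         "name", "is", "sooty", "son", "jim"}


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes the password uses."""
    return sum(size for chars, size in _CLASSES if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the blind search space, charset ** length (the naive estimate)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def unleet(password: str) -> str:
    """Undo common substitutions, longest pattern first, as a cracking rule would."""
    out = password
    for pattern, plain in sorted(_LEET.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(pattern, plain)
    return out


def split_words(text: str) -> list:
    """Split a CamelCase passphrase into words; any other character is its own token."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+|.", text)


def phrase_bits(password: str, vocab_size: int = 20000) -> float:
    """Bits if the attacker guesses N dictionary words; inf when the model does not fit."""
    tokens = split_words(unleet(password))
    if not all(token.lower() in VOCAB for token in tokens):
        return math.inf
    return len(tokens) * math.log2(vocab_size)


def effective_bits(password: str) -> float:
    """Strength against the cheapest attack modelled: wordlist, then words, then brute force."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return min(brute_force_bits(password), phrase_bits(password))


if __name__ == "__main__":
    for pw in ("1234ABCD", "He5wis*&", "ILoveMarmaladeHamSandwiches", "I<3M4rm4l4deH4mS4ndwiches"):
        print(f"{pw:30} brute={brute_force_bits(pw):6.1f}  effective={effective_bits(pw):6.1f}")
```

Run it and the point of the paragraph shows up in the numbers: the 25-character passphrase looks like roughly 164 bits to a blind brute force, but once the substitutions are undone it is five dictionary words, around 71 bits, which is the same figure the plain “ILoveMarmaladeHamSandwiches” gets. Still far better than an 8-character password, but the gain came from the length and the phrase, not from the ‘4’s and the heart.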
Of course, that final point is vital. You need a phrase, and simple rules to scramble it, that YOU will remember always, and that nobody else could guess about you from collecting up bits of personal information online. Forget MyFirstPetsNameIsSooty or ILoveMySonJim. Memorable but un-guessable is the essential combination that will protect you.
Most websites that handle financial information have fairly strong login controls. They detect suspicious log-ins and inform you if they think someone has tried to impersonate you, they block further attempts on an account after a certain number of failures, and many add a second step such as a security question or a code sent to your phone. These websites are unlikely to be breached by “brute force hacking” of your password, which is when a computer tries every combination of allowed characters until it finds one that works: the lockout stops the guessing after a handful of tries. Instead, the most common way an attacker gets into these accounts is by using the same password you used for your email, on a forum or on another website. The attacker already has the right password, so one attempt is all it takes and the lockout never triggers.
Similarly to the financial sites, most email services provide a back-up check for unexpected log-in attempts. This might be as simple as asking you to re-enter the password or complete a ‘captcha’, or as involved as texting a code to your phone number that you then type into the computer (a form of two-factor authentication). For convenience’s sake, email providers try to keep these checks as unobtrusive as possible, which makes them weaker than most financial websites’ options, and so email accounts are broken into more often than financial ones. That matters because your email is where every other site sends its password reset links.
The third layer is what you’d expect on a hobby forum, library catalogue or other non-secure website. These sites have usernames and passwords for your convenience: you can store previous searches, easily look up information or comment as yourself by logging in. They are not designed with security in mind, and you as the user probably don’t want to confirm your password twice each time you check out a library book. Such sites are the ones most likely to store your password badly (unscrambled, or with a fast, unsalted hash that is cracked in seconds), so when they are breached the attacker gets the password itself. If your library password differs from your email password, a breach there cannot be turned into a break-in at your email. Likewise, with separate email and financial passwords, a breach at the email level does not immediately hand over your financial accounts.
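The three tiers above, and the argument that a reused password beats a lockout, as a worked example added to this article (it is not code from the original post, and the forum, bank, user name, password and wordlist are all constructed stand-ins). The hobby site stores an unsalted MD5, as many old forums did, so its leaked hash falls to an offline dictionary attack with no lockout in the way. The bank stores a salted PBKDF2 hash and locks an account after five failures; the lockout length, failure limit and iteration count are assumed values. Blind online guessing against the bank is cut off after six requests, while the password recovered from the forum logs in on the first try once the lockout window has passed.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional

# ---- The badly secured hobby site ------------------------------------------
# Unsalted, fast MD5: after a breach the attacker checks one hash per guess,
# offline, as fast as the hardware allows, with nothing to stop them.

def forum_store(password: str) -> str:
    """How the (hypothetical) forum stores a password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(digest: str, wordlist) -> Optional[str]:
    """Offline dictionary attack against a leaked forum hash."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


# ---- The bank ----------------------------------------------------------------
class BankLogin:
    """Salted slow hash plus per-account lockout after repeated failures."""

    MAX_FAILURES = 5        # failures before the account locks (assumed)
    LOCKOUT_SECONDS = 900   # how long the lock lasts (assumed)
    ITERATIONS = 100_000    # PBKDF2 work factor (assumed; tune to ~100 ms per check)

    def __init__(self) -> None:
        self._creds = {}      # user -> (salt, derived key)
        self._failures = {}   # user -> (failure count, locked_until)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad' or 'locked'. `now` is passed in so the lockout is testable."""
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"
        if locked_until:              # an earlier lock has expired: count afresh
            count = 0
        salt, expected = self._creds.get(user, (b"\0" * 16, b""))
        # Hash even for unknown users so response time does not reveal valid names.
        if hmac.compare_digest(self._hash(password, salt), expected):
            self._failures.pop(user, None)
            return "ok"
        count += 1
        locked_until = now + self.LOCKOUT_SECONDS if count >= self.MAX_FAILURES else 0.0
        self._failures[user] = (count, locked_until)
        return "bad"


def brute_force_online(bank: BankLogin, user: str, candidates, now: float = 0.0):
    """Blind online guessing; report how it ended and how many requests were sent."""
    tried = 0
    for tried, guess in enumerate(candidates, start=1):
        result = bank.login(user, guess, now)
        if result != "bad":
            return result, tried
    return "exhausted", tried


def run_scenario() -> dict:
    # Constructed data: alice reused one password on the forum and at the bank.
    reused = "Sooty2009"
    bank = BankLogin()
    bank.register("alice", reused)

    # 1. The forum is breached; its unsalted MD5 falls to a tiny wordlist offline.
    leaked_digest = forum_store(reused)
    cracked = crack_unsalted_md5(leaked_digest, ["password", "Sooty", "Sooty2009", "letmein"])

    # 2. Blind online brute force at the bank: every 8-digit string, in order.
    every_8_digit = ("".join(p) for p in itertools.product(string.digits, repeat=8))
    brute = brute_force_online(bank, "alice", every_8_digit, now=0.0)

    # 3. Credential stuffing once the lock expires: one request, no lockout.
    stuffing = bank.login("alice", cracked, now=BankLogin.LOCKOUT_SECONDS + 1)
    return {"cracked": cracked, "brute_force": brute, "stuffing": stuffing}


if __name__ == "__main__":
    print(run_scenario())
```

The lockout is per account and time-windowed, which is the usual shape of the control the article describes; it does nothing against an attacker who arrives with the right password, and it is the forum’s storage choice, not the bank’s, that handed it over.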
Creating and maintaining secure passwords is viewed as being a confusing, frustrating task with very low pay off. In reality, we can all drastically improve our passwords with a few easy adjustments and still remember all the important ones along the way.
Remember the three golden rules:
- Financial sites, or any sites connected to finances, deserve your best passphrases: long, unique, and not guessable from anything that can be found out about you.
- Never reuse the password of a financial site, or of the email account those sites are linked to (where password reset instructions would be sent), anywhere else.
- Never reuse a password from a relatively insecure site like a forum on something important like a finance portal. There is no point in your bank running a well-defended login system when your email and password combination can easily be gleaned by someone idly breaching a badly-secured hobby site. Your security is only ever as strong as its weakest link, after all.