
We have all received them…the dreaded password notifications. “It is time to change your password”, “you cannot change to a password that you have used in the past 12 months”, “your password must contain a letter, number, and special character”…uggghhhh. If you are anything like me (and I would imagine most other people), you have a lot of passwords to keep up with, and it seems like once you have used a password enough to remember it, it is time to change it again. Is this all really necessary?

The short answer is yes. In today’s digital world, security is incredibly important. Every day, more of your information/data is being stored online, and it is increasingly important to use effective security practices in order to protect that information. Are passwords the only method of securing the information? No…but until biometrics (e.g., fingerprint readers, retina scans, facial recognition) become more readily available, they are our best option. So, you might want to step up your password game with some of the following tips.

  1. Subscribe to a password manager. This is the best strategy for securing your data…and if you take my advice on this one, there is really no reason to read the rest of the tips! Password managers (e.g., 1Password, Dashlane, LastPass) are designed to:

    • Keep track of your passwords and automatically insert them when needed,
    • Minimize the number of passwords you need to remember (once set up, you will only need to remember your “master password”, which is different from all of your other passwords and therefore stays safe), and
    • Help you recognize/correct problems with your passwords (e.g., notify you when you have a password that has been compromised or used more than once).

The catch is that these services are not free…or at least should not be (don’t trust a free password service, as they are earning money somehow…probably from your passwords!). However, you should be able to find a program for ~$5/month.

If you are not interested in a password manager yet, take the following steps to protect yourself:

  2. Check to see if your passwords have been compromised. A few months ago, I began receiving some spam email to one of my accounts. That in itself was not unusual…but the fact that one of my passwords (which is a unique/random string of numbers, letters and characters) was included in the subject line of the emails certainly caught my attention! Although it was pretty obvious that this particular password had been compromised…it motivated me to begin examining all of my passwords. So, how do you determine if your password has been compromised? Check out the site “Have I Been Pwned?” (www.haveIbeenpwned.com). This is a free service (yes, I actually trust this free service…) that allows you to check whether your password has been exposed in data breaches. The service also allows you to check your email address(es) to determine if they have been involved in a breach as well. Although this service does not fix your problem (it is informational only), it can provide you with the motivation to make a change…and provide you with some guidance on how to do so.
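For readers who want to see why it is safe to type a password into a breach-checking service, here is an added example (not code from the article or from Have I Been Pwned) of how its Pwned Passwords “range” API works: the password is hashed locally with SHA-1, only the first five hex characters of the hash are sent, and the service answers with every known-breached hash suffix that starts with those five characters, so the full password (or its hash) never leaves your machine. The API URL and the `SUFFIX:COUNT` response format are the public ones; the sample response used in the parser is constructed here for illustration.

```python
"""
Check a password against a "range" style breach API without sending the
password itself (k-anonymity): hash locally, send only a 5-character hash
prefix, and compare the returned suffixes on your own machine.

Added example, not part of the original article. Network access is only
needed by fetch_range(); the parsing logic is exercised offline.
"""
import hashlib
import urllib.request

# Public endpoint of the Have I Been Pwned "Pwned Passwords" range API.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix is ever sent over the network; the remaining
    35 characters stay local and are used to match the response.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one "SUFFIX:COUNT" per line) and return how
    many times the full hash appears in known breaches, 0 if it is absent.

    Lines that are padding (count 0), blank or malformed are ignored, so a
    damaged response can never produce a false "not breached" with a count.
    """
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Download the range for a 5-character prefix.

    Add-Padding asks the service to pad the response with dummy entries so
    the response size does not leak which range was requested.
    """
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str) -> int:
    """Full check: how many times has this exact password shown up in breaches?"""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    import getpass

    pw = getpass.getpass("Password to check (hashed locally, never sent): ")
    n = pwned_count(pw)
    if n:
        print(f"Seen {n} times in known breaches: change it everywhere it is used.")
    else:
        print("Not found in the breach corpus (no guarantee it is strong).")
```

A count of zero only means the password is not in the published breach corpus; it says nothing about how guessable the password is, which is why the next tip still matters.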

  3. Choose a strong password. Although ‘Password_123’ may have seemed like a good option (easy to remember and follows most of the guidelines, right?), it is not going to keep you secure. Of course, the dilemma that we all face is that the stronger the password, the harder it is to remember…and the passwords that are easier to remember are easier to hack. So, how do you create a strong password that you can remember? Try coming up with a system (that only you know!) for your passwords, such as (a combination of):

    • Use the first letters of each word of a poem, quote, or lyric that you can easily remember. For example, “I pledge allegiance, to the flag, of the United States of America” could be represented by “Ipa_ttf_otUSoA”. The key is that you can remember the quote…but have to think about the password, making it much harder to hack.
    • Change some of the characters of your quote to create your unique password (e.g., to → 2, 22 → twentytwo, S → $, 2020 → MMXX, commas → _).

Let’s give it a shot. Using these tips, can you guess what the following password is supposed to represent? It’s a tough one…but that is the point! Check your answer in next month’s Technology Tips & Taboos article!

B$2dyO_LOA_XII-XXIV

Here’s a hint: The password represents a combination of a movie quote, the ‘author’ of the quote, and day of the year you would probably see the movie.  Oh, and a decoder ring might help!

  4. Change your password often. Wait…you went through all of that effort in creating a fantastic password, and now you are supposed to change it? Unfortunately, yes. Most online sites will force you to change your password every 6-12 months, and for good reason. The longer a password is in circulation, the more likely it will be hacked. So, rather than waiting for the company to force you to change your password (which we know will always come at the wrong time!), create a reminder in your calendar to change all of your passwords on schedule. At least you are in control…right?

“Treat your password like your toothbrush. Don’t let anyone else use it, and get a new one every 6 months.”

Clifford Stoll

  5. Use Multi-Factor Authentication (MFA). I know, I know…having to enter your password is annoying enough, and now you are being asked to do more? Although it is another step in the process (hence the name)…multi-factor authentication is truly a good thing. For sites that support it, MFA will require that you not only enter your password when logging in, but also confirm that it is actually you by a second means (e.g., often a code sent by text, call, or email). This way, even if someone stole your password, they would not be able to log in to your account unless they also had your phone, access to your email, etc. Possible…but much less likely. Are you an employer whose employees have access to sensitive information? You might want to look into some of the MFA platforms (e.g., Duo). This way, when your employees log in to their accounts, they will be asked to verify that it is them. My employer recently began requiring MFA, and although it was met with some initial resistance, the process is pretty simple (i.e., click “Approve” on your phone, tablet, or smartwatch when you are logging in). And, for those who do not regularly carry one of those items, there are USB keys that can be inserted as your verification.

  6. Finally, although this may seem counter-intuitive based on my previous advice…you may want to develop a system of recording and sharing (at least some of) your passwords with your significant other. If something were to happen to you, would they have access to the information that you want them to have (e.g., finances, contacts, photos)? Although I love technology, I am also a fan of the old-fashioned way…write them down! Keep them in a locked safe, or even on the last page of your favorite book…but make sure to update them at the same time as you change your passwords.

Although having to use passwords is not fun…it is better than having to deal with a security breach! So, step up your password game and make sure that you and only you (and maybe your significant other) have access to your information!

-Brian Jackson, PhD
Professor and Technology Enthusiast