The story of the very first computer password is also the story of the very first password hack.
In 1960, Fernando Corbató was working at the Massachusetts Institute of Technology (MIT) on a computer network known as the CTSS (Compatible Time-Sharing System). The CTSS was used by many different researchers, all of whom had their own personal files on it. In order to keep the private files secure, Corbató set up a password for each user.
The problem was, each researcher was limited to using CTSS for a certain number of hours per week. One of them, Allan Scherr, wanted more time. So he did a run-around of the system and printed out the file that contained all of the passwords. Now, he could log into multiple accounts and avoid being limited to four hours of use per week. He distributed the passwords to other researchers so they could use them too.
While Scherr’s intentions weren’t malicious, they demonstrate one of the ways that password security can be breached. Ever since that first hack, an entire industry has developed around helping people keep their passwords secure — and another industry, made up of hackers and identity thieves, has been trying to break through their defenses.
In this article, we’ll look at some of the most common data breaches, why you need to keep your passwords secure, as well as some password managers to help you store them.
First, Some Quick Password Statistics that May Terrify You
With all the tools out there to create strong passwords — and with all of the security breaches that have been in the news — you might think that young Americans would be more security conscious than older generations. That’s not necessarily true.
According to the Americans and Cybersecurity study by Pew Research Center, 40% of U.S. adults who use the Internet have shared passwords with their friends and family. But when broken down by age group, only 25% of users over the age of 65 had shared their passwords, and 56% of users between ages 18-29 said they had.
Americans aren’t necessarily using the latest technology either. According to the same study, only 12% said they used a password manager. Eighty-six percent relied purely on memory, while nearly half said they wrote their passwords down, and a quarter kept them saved on their computers.
Here’s another alarming statistic: according to YouGov, twenty-six percent said they used the same password for most or all of their accounts.
Most people aren’t creating very strong passwords either. In a leaked dataset of 320 million passwords, only 2% used the strongest combination (upper and lower-case letters, numbers, and symbols), while nearly half used just numbers and lower-case letters.
If statistics like these are an accurate representation of Internet users, then it won’t be hard for you create stronger passwords than the vast majority of them. In the rest of this article, we’ll look at some ways to create, test, and store passwords for all your online accounts.
What Not To Do
We’re going to run through how to create ultra-secure passwords in just a bit. But before we get started, it’s worth discussion the most common mistakes people make when creating passwords so you can minimize or eliminate any vulnerabilities that might already exist in your password ecosystem.
Here’s a quick list of the most common mistakes people make when creating passwords:
- Don’t use the same password for multiple accounts. Using the same password for multiple accounts drastically amplifies your vulnerability. If one password is compromised, hackers can use software to try the same email (or username) and password combination on thousands of different platforms.
- Don’t use personally identifying information to create passwords. Names. Birthdays. Kids’ names. Pets’ names. Avoid it all if you can. These are likely the first things malicious actors will try.
- Don’t use common passwords. It’s more or less common knowledge that one of the most common passwords is “password.” Other common passwords include: “qwerty,” “monkey,” “football,” “trustno1,” “letmein,” and “iloveyou.” Here’s a big list of common passwords to avoid.
- Don’t store passwords in plain text. Plain text documents are vulnerable to ransomware, which makes having a spreadsheet or notepad file containing all your passwords more risky that using another method.
- Don’t create passwords with adjacent keys. Passwords created with adjacent keys tend to be more common than those created from different parts of the keyboard (this is one of the reasons “qwerty” is so common).
- Avoid short passwords. Shorter passwords require fewer permutations to “guess” or crack with software, making them considerably weaker than longer passwords. This is also. There’s an interesting discussion on this topic on Stack Exchange.
- Don’t substitute letters for numbers or symbols. It might feel tricky, but it likely won’t get the job done against a skilled and determined hacker. In particular, avoid using substitutions with common passwords (e.g. “[email protected]$$word” generally isn’t much safter than “password.”)
- Avoid typing passwords in directly. Keyloggers are a type of malicious software that records keystrokes as you type them and is one way for hackers to gain access to otherwise secure passwords. It’s generally better to use something like a password manager to minimize the number of times you type a password directly (more on this below).
Wondering how exactly passwords get hacked, and if you’ve ever been the victim of a security breach? You may be in for a bit of bad news. Chances good that you’ve probably been compromised to some degree at some point in your online existence.
A useful site called Have I Been Pwned? lets you type in your email address and see if any accounts associated with it have compromised.
You’ve probably heard of some of the biggest data breaches. In 2013, 3 billion Yahoo! users had their account data stolen, including their passwords, birthdays, and phone numbers. Dropbox, LinkedIn, Evernote, and Tumblr have all been affected by data breaches as well.
If you received an email from one of these companies advising your to change your password, then do so. If you’ve used the same password for other accounts, then be sure to change them too. In some cases, the leaked passwords were encrypted and unlikely to be compromised, but it’s still a good idea to change them out of caution.
How Serious Are Data Breaches?
Sometimes, it can be hard to tell how serious a data breach is. Hackers don’t immediately log into the affected accounts and post “gotcha” notices your profile. They’re more likely to sell the stolen data on the Dark Web, and it may not be used to break into anyone’s account for years. Only rarely do hackers access passwords in plain text; usually, they’re hashed or salted.
What are “hashed” passwords? Security experts apply various levels of encryption to user data. According to Wired, hashes are “random-looking strings of characters into which the passwords have been mathematically transformed to prevent them from being misused.” In other words, a security-conscious website will store passwords in an indecipherable form.
However, these hashes can vary in strength and complexity. Some hashed passwords can be cracked relatively easily, while others would require immense computing power to break. They may also be “salted,” or sprinkled with random bits of data to further mix things up. Since it can be hard to know how well any site maintains its user data, your best protection is to use strong passwords of your own and update them regularly.
Another way that hackers acquire passwords is through phishing, or sending an email that appears to be from a legitimate site and asks you to enter or reset your password.
This is how hackers gained access to the personal emails of John Podesta, one of Hillary Clinton’s campaign managers, during the 2016 election. A spoofed email that appeared to be from Google warned him that someone had tried to access his account and that he needed to update his password immediately. But instead of going directly to Google, one of his aides clicked the URL in the email, which led to a site maintained by Russian hackers instead.
If you receive an email like this and you’re unsure if it’s legitimate, don’t click the link; log into your account as you normally would and change the password from there.
How to Create A Strong Password
There are several tricks for coming up with a strong password, and not every expert will give you the same advice — but there are some standards that nearly all experts agree on. Let’s look at passwords that use letters, numbers, and symbols first.
First, make sure your password is at least 12 characters; anything less is too easy to break. There’s no harm in going longer, depending on how often you’ll be typing it. Keep in mind that some characters are easier to type on a keyboard than on a mobile device.
Second, use a variety of numbers, symbols, and capital and lower-case letters. Avoid using obvious replacements (such as $ for an S) or putting all the numbers and symbols at the end. Try to mix it up, and use a pneumonic device or sentence to help you remember it.
If you like, you can use a site like Password Meter to test the strength of your password. (Just don’t type your actual password into a password meter like this – they aren’t all secure!)
Try out various combinations of letters and symbols to see which ones make your password stronger. Some sites require you to use a minimum amount of numbers or symbols, and will refuse to let you use a password that they consider too weak for their standards. You can use a Secure Password Generator and tell the program exactly how many letters, numerals, and other symbols you want to include.
The Random Word Method
There are, however, some security experts who recommend a different system altogether. A popular comic by xkcd shows how a string of four randomly-generated words can be as strong as, or even stronger than, a traditional alphanumeric password. To be effective, the four words have to be truly random and no make no grammatical sense.
You can generate a phrase directly at xkcx, or use a list like this one to create a multi-word passphrase using dice. A phrase like “correct horse battery staple” may not make any logical sense, but it’s easier to remember than a string of randomly generated characters.
Have a system for coming up with passwords in advance — and maybe even have a few unused ones ready to go — so you don’t have to come up with them on the spot every time you sign up for a new account. That’s when you’re most likely to be lazy and use the first thing that comes into your mind. If you have to cheat and use a simple one — because you’re in a hurry, or on your mobile device — change it to a more secure one as soon as you get home.
If all of the above sounds daunting, or you just can’t be bothered to create and remember dozens of passwords, don’t worry – there is a solution. More and more people are switching to password managers, which not only do all the work for you, but also include lots of extra security features to help button up other loose ends.
Password managers generate strong passwords, store them securely, and let you access them on multiple devices. In fact, you’ll never even have to look at most of your passwords, since your password manager can automatically fill in log-in forms for you.
The Three Best Password Managers
LastPass is one of the largest passwords managers in the market. It operates in the cloud and can be deployed by users via a browser extension or a mobile app.
Standout features include:
- Robust free plan
- Auto-generated passwords
- Ability to set the default length of auto-generated passwords
- Alterns for weak or old passwords
- Can change passwords automatically on popular sites
- Two-factor authentication
Of the three password managers discussed here, LastPass is the cheapest ($2/mo), and most of its features are available for free, including its mobile app, so you can access your passwords anywhere you go.
One important thing to note, here, though, is that LastPass has been the target of minor hacks and/or vulnerabilities in the past. They have good security, and no passwords have ever been compromised (as far as I know), but because they are so large, it would stand to reason that they get attacked more often than most.
1Password is another popular password manager that runs on all operating systems except Linux. Unlike LastPass, it doesn’t operate completely on the cloud; it saves passwords locally but allows for syncing through the cloud.
Standout features include:
- Stand-alone software for desktops in addition to a browser extension and an app
- 24/7 support with paid plans
- Ability to restore deleted passwords within a year
- Two-factor authentication
- Travel mode to keep passwords secure when crossing boarders
There aren’t any free plans available with 1Password. You can only get paid plans, and they start around $3/mo.
Dashlane is the last of the big three. Aside from being a password manager, it also functions as a secure digital wallet. Like 1Password, it relies on local storage to save sensitive information but allows for cloud sync.
Standout features include:
- Digital wallet functionality
- Can also encrypt sensitive documents
- “Identity dashboard” gives you an overview of your online security
- Dark web monitoring and alerts
- Can encrypt your activity on unsecure wifi networks
Dashlane does offer a free plan, although it’s likely not quite as robust as LastPass’s. It’s paid plans start at $3/mo and go up to $10/mo.
Are Password Managers Secure?
Are there any security risks to storing all of your passwords in the same place? Yes and no. In order to protect your passwords, you’ll rely on a master password, which gives you access to your password vault. If your master password were stolen, then theoretically a hacker would have access to all of the rest of your passwords.
However, password managers have several layers of protection built-in. Since their business model depends on security, password managers have incredibly strong encryption and never store your master password in plain text. They may also require you to receive a code via an SMS message when you log in from a new device or location.
The other risk is that you’ll forget your master password — and for security reasons, password managers don’t make it easy to reset your account. Dashlane warns its users that if they lose they master password, they won’t be able to unencrypt their data. And 1Password says that, if you’ve tried all of their recovery options and “you’re sure you’ll never remember your Master Password, delete your 1Password data and start over.”
It isn’t the end of the world, but it means that you’ll have to reset the passwords on all of your accounts manually. And if you lose access to the recovery email address linked to those accounts, it could be a major headache. In short, don’t lose your master password!
Dual-Factor Authentication & Biometrics
Another strategy that more and more sites are incorporating is dual-factor authentication, which requires an additional step beyond typing in your username and password. You might be familiar with this process if you’ve ever had to receive a log-in code via text message, or click on a link via email to verify that yes, it is actually you trying to access your account.
Why Use Dual-Factor Authentication?
This extra step can be annoying if you don’t have your phone handy, but it’s a surefire way to reduce the likelihood of hackers accessing your account. Even if they managed to obtain your password from a data breach, it’s unlikely that they would also have access to your phone or your email address. Dual-factor authentication is optional on sites like Facebook, Google, and Twitter — but if you haven’t already, it’s a good idea to turn it on.
Dual-factor authentication is especially important if you use a password manager. If you try to log into your LastPass account from a new laptop, for example, you’ll immediately receive a push notification on your phone asking you to “Approve” your log in attempt.
There are also stand-alone apps like Authy and LastPass Authenticator you can use to generate one-time log-in codes for a variety of sites. This is a good alternative to receiving a code via text message if you’re traveling abroad and won’t be able to receive an SMS. Both the Authy app and LastPass Authenticator allow you to verify your identity with a fingerprint, if you have a smartphone that allows fingerprint recognition.
Fingerprints and Other Biometrics
In fact, some experts predict that biometrics, such as fingerprints and facial recognition, will replace passwords in the near future. After all, it’s harder to fake a person’s voice or facial characteristics than it is to guess their password. Microsoft enabled this option with Windows Hello, which lets you sign into your Windows device using a face, iris, or fingerprint scan.
If that all sounds a bit overwhelming, don’t stress out. There’s a site called Turn On 2FA that will walk you through the steps to enable 2-factor authentication on dozens of websites.
Remember, the goal isn’t to make logging into your accounts so complicated that you dread using your computer. You just need to set up a system that work for you. If you use them right, then these tools will make accessing your data harder for hackers but easier for you.