
Password Best Practices — Why Your Password Isn’t Good Enough


Author: Nick Bambulas Date: 04/16/2019

Co-authored by: Nick Bambulas and David Eichkorn

How many passwords do you use? Are you recycling the same password over and over with slight variations? Is there a word or phrase in your password to help you remember it? Do you use the name of a family member or pet in your password?

Despite repeated warnings and embarrassing data breaches at firms such as Facebook, Quora and Marriott, many of us continue to use weak passwords. When you choose a password, you are also choosing how easy or hard it is for an attacker to get into your account. Attack techniques keep getting more sophisticated, but the age-old practice of cracking weak passwords remains one of the top ways cybercriminals steal data.

We consider a password insufficient when it is:

1. Easy for humans or computers to guess

2. Hard for you to remember 

The passwords that protect your most vital information, such as bank accounts and personal email, matter most. Yet an eight-character password, even one mixing numbers, upper and lower case letters and symbols, is within easy reach of offline cracking: once a site's password database leaks, attackers run billions of guesses per second against the stolen hashes, and eight characters fall in hours or minutes depending on how the site hashed them. Online strength checkers will show you how quickly a candidate password falls, but don't test your actual password in one; it is never good practice to share it with anyone.

You May Already Be Compromised

Many of your password and email combinations may have been compromised. For example, if you use Facebook, JP Morgan Chase, Marriott, Home Depot, Yahoo Mail or shop at Target, there is a good chance your user names, passwords and/or banking information were compromised at some point.

Your password can be compromised in several ways. One is the dictionary attack. Cracking software feeds common words, and systematic variations of them (capitalized, reversed, with digits or a year appended, with letters swapped for look-alike symbols), into a login form or, far faster, against a stolen database of password hashes. With a large wordlist, a set of mangling rules and modern GPU hardware, lazy passwords fall in seconds.

To thwart these kinds of attacks, avoid using common words or even consecutive keyboard combinations — such as qwerty or asdfg. Avoid using dictionary words, slang terms, common misspellings or words spelled backward. 
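To show why "clever" variations of a dictionary word do not help, here is a miniature rule-based dictionary cracker. It is an added example, not code from the original article or from Gordon Flesch Company; the wordlist, keyboard walks, suffix list and leet substitutions are constructed stand-ins for the much larger rule sets real tools such as hashcat or John the Ripper ship with, and the target hashes are unsalted MD5 to stand in for a leaked database.

```python
import hashlib
import itertools

# Constructed wordlist standing in for a real dictionary such as rockyou.txt.
WORDLIST = ["password", "princess", "summer", "dragon", "welcome", "football"]

# The keyboard walks the article warns about; a real cracker carries thousands.
KEYBOARD_WALKS = ["qwerty", "asdfg", "asdfgh", "zxcvbn", "1qaz2wsx", "qwertyuiop"]

# Look-alike substitutions and suffixes people believe make a word "complex".
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2019", "2019!"]


def hash_of(text: str, algo: str = "md5") -> str:
    """Unsalted hex digest, standing in for an entry in a leaked password database."""
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def candidates(word: str):
    """Yield the variants a rule-based cracker derives from one base word:
    case changes, reversal, leet-speak, and every common suffix on each."""
    bases = {
        word, word.lower(), word.capitalize(), word.upper(),
        word[::-1],                                 # "drowssap"
        word.translate(LEET),                       # "p455w0rd"
        word.capitalize().translate(LEET),          # "P455w0rd"
    }
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def dictionary_attack(target_hash: str, wordlist=WORDLIST, walks=KEYBOARD_WALKS,
                      algo: str = "md5"):
    """Try every derived candidate; return (password, guesses) on a hit,
    or (None, guesses) if the whole rule set is exhausted."""
    guesses = 0
    for word in itertools.chain(wordlist, walks):
        for cand in candidates(word):
            guesses += 1
            if hashlib.new(algo, cand.encode("utf-8")).hexdigest() == target_hash:
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ["Dragon2019!", "P455w0rd1", "drowssap", "Xq7#vL9pK2!mR4"]:
        found, tried = dictionary_attack(hash_of(pw))
        print(f"{pw!r}: {'cracked' if found else 'survived'} after {tried} guesses")
```

Every one of the "clever" passwords is found in well under a thousand guesses; the random 14-character string survives because no rule derives it from a word. A real attacker applies tens of thousands of rules to millions of words, so the lesson scales up, not down.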

Other common attacks take advantage of security questions. When you click the “forgot password” link on many sites, you’ll often be asked to answer personal questions such as the names of spouses, kids, relatives or pets. However, a hacker can find most of these answers from a quick look at most people’s social media profiles. This is how Sarah Palin’s Yahoo account was hacked.

When selecting security questions, choose answers that cannot be found on your social media profile, in public records or by asking your friends. Better still, treat each answer as a second password: make up a random answer, store it in your password manager, and never use the true answer at all. Even a question like "the make and model of your first car" is often guessable or already shared online.

But I Use Numbers AND Letters!

Because passwords and credentials have been stolen from major corporations, reusing passwords across email, banking and social media accounts makes you exceptionally vulnerable. One report found a password reuse rate of 59% among respondents, even though 91% of them said they understood the risks. Reusing passwords is a huge mistake because attackers know we reuse them: they take the credentials from one breached site and automatically try them on many others, a technique known as credential stuffing. If your password was exposed in the Yahoo breach a few years ago, an attacker may already have tried the same email and password combination on banking sites.

Here are a few basic strategies for managing passwords:

  • Make sure you use different passwords for each of your accounts

  • Lock your screen or log off whenever you step away from your device and anyone is around — it only takes a moment for someone to steal or change your password

  • Use security software and keep it up to date to detect and remove keystroke loggers and other malware that can steal passwords

  • Avoid entering passwords on a computer you don't own or over unsecured Wi-Fi (like at the airport or coffee shop). On an open network, anything sent to a site that does not use HTTPS can be read or altered by others on the same network, and a rogue hotspot can impersonate the legitimate one

  • Change a password immediately if the account or the site that holds it may have been breached. Periodic changes on a fixed schedule matter far less than uniqueness and length (NIST's current guidance in SP 800-63B no longer recommends forced periodic rotation), so if you do rotate passwords for sensitive accounts, never rotate back to one you have used before

So What is a Good Password Practice?

Whenever possible, use multi-factor authentication (MFA). Many services will challenge a login from an unrecognized device with a second factor: a code from an authenticator app, a push notification, a hardware security key or, as a weaker fallback, a text message. MFA is the single most impactful step you can take for anything protected by a password. It would not have stopped the corporate breaches above, which were thefts of the companies' own databases, but it does stop the credentials stolen in those breaches from being reused against your accounts. Prefer an authenticator app or hardware key over SMS codes, which can be intercepted through SIM-swap fraud.

The best tool for password security is to use a password manager. Password manager programs keep all your log-in details in a secure, digital vault. Using a program to keep track of all your unique passwords may take some adjustment, but once you get the hang of it, a password manager can make logging into websites not only more secure but faster as well. Password managers are not perfect, but if used along with good security practices, malware scanning, and regularly updating your software and security services, you can make sure you are not an easy target for cybercriminals.

Length is always your friend. Every extra character multiplies the number of guesses an attacker must make, so a password of at least 14 characters drawn from upper and lower case letters, numbers and special characters is far harder to crack than an eight-character one, however "complex" the short one looks. A random 14-character string from your password manager is ideal, since you never have to remember or type it.
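The arithmetic behind "length is your friend", as an added example rather than anything from the original article: a generator that draws uniformly random passwords (the way a password manager does) and a calculator that turns length into entropy and into worst-case cracking time. The 100 billion guesses per second figure is an assumption standing in for a GPU rig attacking a fast, unsalted hash such as NTLM or MD5; against a slow hash such as bcrypt it would be many orders of magnitude lower.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: the alphabet most password managers default to.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed attacker speed against a fast unsalted hash (GPU rig); not from the article.
GPU_GUESSES_PER_SECOND = 1e11


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GPU_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every password with that many bits of entropy."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 14) -> str:
    """Uniformly random password that contains all four character classes.
    Uses the `secrets` module (CSPRNG), never `random`."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:  # rejection sampling keeps the distribution uniform over valid passwords
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def compare_lengths(lengths=(8, 10, 12, 14, 20)) -> dict:
    """Map each length to (entropy bits, worst-case years to exhaust)."""
    return {n: (round(entropy_bits(n), 1), years_to_exhaust(entropy_bits(n))) for n in lengths}


if __name__ == "__main__":
    for n, (bits, years) in compare_lengths().items():
        print(f"{n:2d} chars: {bits:5.1f} bits, exhaustive search {years:.3g} years")
    print("example 14-char password:", generate_password(14))
```

Eight random characters from this alphabet carry about 52 bits and are exhausted in under a day at the assumed speed; fourteen carry about 92 bits and take more than a billion years. The catch is the word "random": the calculation only holds for passwords a machine picked, not for a word with a year and an exclamation mark appended.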

Avoid public open Wi-Fi whenever you can. If you must use it, run a Virtual Private Network (VPN) so that everything you transmit is encrypted before it touches the network. It is always preferable to use the hotspot feature on your smartphone instead, but be sure to change the default name of the hotspot (e.g., "Nick's iPhone") to something less obvious. These are simple things that have a huge impact on the security of your data.

Watch for dark web sales of passwords. Gordon Flesch Company offers enterprise tools to monitor the sale of our clients' passwords on the Dark Web, but there are also free, single-use tools that help the average home user discover whether their passwords or credentials are circulating. For example, you can search for your email address on www.haveibeenpwned.com, and its Pwned Passwords check lets you test a password without revealing it: only the first five characters of the password's SHA-1 hash are sent to the service. Be aware that the data on these free sites lags behind the newest breaches.
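How that privacy-preserving check works, as an added example that is not code from the original article or from Have I Been Pwned: the client hashes the password with SHA-1, sends only the first five hex characters to the `range` endpoint, receives every suffix in that bucket with its breach count, and does the final match locally. The sample response below is constructed (the counts are made up and the real bucket holds several hundred lines) so the example runs offline; `live_lookup` shows the real request but is not called.

```python
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def pwned_count(password: str, range_lookup) -> int:
    """How many times `password` appears in the corpus, or 0 if never.
    `range_lookup(prefix)` must return the body of GET /range/{prefix}:
    one 'SUFFIX:COUNT' per line. Only the prefix ever leaves this machine."""
    prefix, suffix = split_hash(password)
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)          # padded entries have count 0 and never match
    return 0


# Constructed stand-in for the API's response to prefix 5BAA6 (the prefix of
# sha1("password")). Suffixes other than the second are random; counts are made up.
SAMPLE_RANGE = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",   # suffix of sha1("password")
        "1C0D5D4B5A1E3F2A9B8C7D6E5F4A3B2C1D0:1",
    ])
}


def offline_lookup(prefix: str) -> str:
    """Serve the constructed bucket so the example runs without network access."""
    return SAMPLE_RANGE.get(prefix, "")


def live_lookup(prefix: str) -> str:
    """Real query. The API requires a User-Agent; Add-Padding asks the server to
    pad the bucket with dummy zero-count rows so response size leaks nothing."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "Xq7#vL9pK2!mR4"]:
        n = pwned_count(pw, offline_lookup)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the sample corpus")
```

Because the server sees only a five-character prefix shared by hundreds of other hashes, it cannot learn which password was checked; a password manager's built-in breach check does the same thing. A hit of any count means the password is on every cracker's wordlist and must be retired.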

Don’t use personal information in your passwords. This includes your name, age, date of birth, children’s or pet’s names, or your favorite song or color. In the 2009 RockYou breach, 32 million passwords were exposed in plain text, and approximately 1% of the victims used “123456” as their password. The next most popular password was “12345.” Other common choices included “111111,” “princess,” “qwerty” and “abc123.” Lists exactly like this one are the first thing every cracker tries.

Even if a message appears to come from a legitimate website, be very careful before clicking a link that asks you to log in, change your password or provide any other personal information. When in doubt, type the site's address yourself instead of following the link. This is how John Podesta, chairman of Hillary Clinton's campaign, was hacked in the run-up to the 2016 presidential election: a phishing email posing as a Google security alert led him to a fake password-reset page.


Gordon Flesch Company is one of the fastest growing Managed IT and cybersecurity firms in the Midwest. We’d love to show you how our Managed IT experts and experienced vCIOs can help optimize your security systems. Contact us today for a no-cost, no-obligation assessment of your security and Managed IT needs.



Written by Nick Bambulas

With nearly 15 years in the IT industry, Nick has experience with both small businesses and major corporations. He combines his knowledge of infrastructures, data centers and other IT solutions to create a technology roadmap that brings results.
