Choosing a strong password
A few years back, companies started enforcing passwords of eight characters or more, with the advice to avoid dictionary words, favourite colours, pets, family member names and so on. Twelve-character passwords came next, and today many, including NIST in the U.S.A., recommend sixteen characters. The issue with a 16-character password is remembering it – “SG;LFfhw!8cMTx4z” is great but hard to remember, so the steps below can help you build one.
1. First pick a group of words
2. Take each first character and make a word
3. Add a random word at the end
4. Further strengthen
Use a passphrase
A passphrase is similar to a password, but it is made up of several words separated by spaces. It is easier to remember and still offers a massive number of permutations, e.g. “holy handle people this”. Make your own or use online tools to generate one for you.
The longer the better
A password of a few characters can be cracked using automated tools in minutes. Longer really is better. Include upper case, lower case, numbers and special characters to enhance security. Characters from other alphabets can strengthen a password greatly, since most attacks are based on core Latin characters.
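As an added example, not code from the original page, the recipe above, the passphrase idea and the length advice in working Python: it builds a password the way the four steps describe, generates a random passphrase, and estimates the bits of guessing effort each approach gives. The 12-word list and the +100 alphabet bonus for non-Latin characters are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed word list for demonstration only; a real passphrase
# generator draws from a list of several thousand words.
WORDS = ["holy", "handle", "people", "this", "river", "candle", "orbit",
         "maple", "silver", "pocket", "window", "garden"]

def acronym_password(phrase_words, extra_word, rng=secrets):
    """Steps 1-4: first letters of a memorable word group, a random
    word on the end, then a symbol and digit to strengthen it."""
    acronym = "".join(w[0] for w in phrase_words).capitalize()
    symbol = rng.choice("!@#$%^&*")
    digit = rng.choice(string.digits)
    return f"{acronym}{symbol}{extra_word}{digit}"

def passphrase(n_words, wordlist=WORDS, rng=secrets):
    """Random space-separated passphrase, e.g. 'holy handle people this'."""
    return " ".join(rng.choice(wordlist) for _ in range(n_words))

def estimate_charset(password):
    """Alphabet size a brute-force search must cover, judged from the
    character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII specials
    if any(ord(c) > 127 for c in password):
        size += 100  # constructed figure: non-Latin characters widen the space
    return size

def random_password_bits(password):
    """Entropy IF every character was chosen uniformly at random (true for
    'SG;LFfhw!8cMTx4z', NOT for an acronym built from real words)."""
    return len(password) * math.log2(estimate_charset(password))

def passphrase_bits(n_words, wordlist_size):
    """Entropy of n_words drawn uniformly from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)

def words_to_match(password, wordlist_size):
    """Random words needed to reach at least the entropy of `password`."""
    return math.ceil(random_password_bits(password) / math.log2(wordlist_size))

if __name__ == "__main__":
    print(acronym_password(["holy", "handle", "people", "this"], "river"))
    print(round(random_password_bits("SG;LFfhw!8cMTx4z"), 1), "bits")
    print(words_to_match("SG;LFfhw!8cMTx4z", 7776), "words from a 7776-word list")
```

The last figure shows that a passphrase of nine words from a 7776-word list matches the 16-character random password; the acronym password is shorter than that because its letters are not random, which is the trade-off for memorability.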
Do not reveal your password
Never share your passwords with friends, colleagues, or even family. Genuine sources will never ask for passwords over the phone or by email. Imagine giving your password to your boyfriend or girlfriend, then you split…
Do not write your password down
Never write your password down, especially next to a desktop, laptop or phone. If you need to store passwords, print them out and place the sheet in a safe. You could argue that a password notebook is better than an Excel sheet on your desktop, depending on storage/protection methods.
Change your password frequently
Every so often, change your password to enhance security, and do not use previous passwords. Most large companies implement this as part of their IT standard. 60 or 90 days is too soon and adds little benefit.
Do not use your password for everything
As the saying goes, “don’t put all your eggs in one basket”. If you use one password for everything, and it is leaked, the criminals can access everything.
Use different classes
Separate your passwords into strength classes: one for website forums or unimportant websites, one for email, and one for internet banking.
Use two-factor authentication
Many websites offer this for free now, so use it. Options include OTP via email, OTP via SMS, push authentication, rolling codes like on Google or Microsoft Authenticator, or hardware tokens (the best).
Consider a passkey
Passkeys are a fairly modern concept, like a giant password stored somewhere. Behind each one is a private key (10 times stronger than a normal password), which is unlocked by a PIN, password, or biometrics. Passkeys are stored on the device, in the browser or in a password manager.
Think of the username
A decade or two back, usernames were not based on your email address but on something like P547834777, which is hard to guess. Now they are based on initialsurname, firstname.surname, or your email address. All are guessable, so if a service does use email as the username, create a separate email address so your username is not too easy to guess.
Leak monitoring
Some password manager services will search known breach databases for your email address to see if your password or username has been leaked before. If so, log in to the affected service and change your password. Re-used passwords may be hard to deal with.
Consider a password manager
These are typically integrated natively into the browser, stored in an application locally, or cloud synced. Integrated browser storage is not great; the strongest option is a self-managed software product like KeePass. A password manager is only as good as its authentication, so it should be backed up and protected with 2FA. Cloud services can be good if you pick a trusted one; use a non-obvious login email and set it up correctly.