Checklist 277: World Password Day 2022
On this week’s Checklist, we cover:
- The state of passwords in 2022
- Some password worst practices
- Tips for good password security
Why we need World Password Day
It’s World Password Day 2022—which makes it the perfect time to talk about password security.
Bitwarden, makers of an open-source password management tool, conducted a survey in 2021 that shows there’s still a long way to go when it comes to educating the public about password best practices.
Here are a few highlights:
- The most popular password management solution by far—accounting for 59% of survey respondents—is memory.
- The next most popular methods? Pen and paper (33%) followed by storing passwords in documents on a computer (28%).
- Only 28% of respondents say that they use password management software (the method recommended by cybersecurity professionals).
Most people are not using the best possible method to manage passwords. And of the folks who memorize passwords, a full 44% say that they “rarely” have to reset a forgotten password—which either means that they have just one or two accounts or, more likely, that they’re reusing passwords.
Unfortunately, it seems that there’s a pretty big gap between how people perceive their password security, and what’s actually the case. In Bitwarden’s survey, 95% of respondents said that they were “somewhat to very familiar with password security practices,” but 85% said that they reuse passwords for multiple sites! Needless to say, if you were actually “very familiar” with password best practices, you’d know to never, ever reuse passwords.
A checklist of password Don’ts
The good news is that there are a few simple rules to ensure good password security. But before we get to those, let’s talk about what not to do!
- Don’t reuse passwords. If a bad guy gets a password from a website in a data breach, they can use it to hack more sensitive accounts. This is why we say that there’s no such thing as an “unimportant” account from a security standpoint. If you reuse passwords, a data breach at your local florist can quickly become a compromised email, social media, or financial account.
- Don’t share passwords. It’s not a trust issue—we don’t really think your cousin is going to hack you (well, she might, but we’ll give her the benefit of the doubt). It’s just that you have no way of knowing how good someone else’s security is. Do they have a keylogger installed on their computer? Is their WiFi network really secure? If you don’t know that, you can’t be sure that your password is in safe hands.
- Avoid weak passwords. This goes for things like “password” or “iloveyou”, or even the marginally more clever “pa$$word123” or “il0vey0u.” But it also applies to just about any common word that you can find in a dictionary! Here’s the thing: Computers are scary fast. It might take you all month to test out a million different password combinations, but an automated computer script can do it in no time flat. Hackers use computers to pre-compile giant lists of common passwords and all their variations. Poorly constructed passwords are low-hanging fruit for a password-cracking program.
- Don’t rely on resets. For years, security pros told people to change their passwords every 60 to 90 days. But they say that this advice is now outdated. That 60 to 90-day figure came from the length of time it used to take to crack passwords. But at this point, your password is either sufficiently long, complex, and random—or it isn’t. Changing passwords frequently no longer serves any useful purpose. But it does incentivize people to create easy-to-remember passwords: exactly the kind of passwords that are simple for a computer to crack. So at this point, don’t change passwords unless you think you’ve been exposed in a breach.
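To make the “weak password” point concrete, here is an added Python example (not code from the episode, Bitwarden, or any password manager). It shows why a length-and-character-class rule alone is misleading: “pa$$word123” scores like a strong 11-character password under the naive calculation, but once the trailing digits and the leetspeak substitutions are undone it is just “password”, one of the first guesses any cracking tool makes. The COMMON_PASSWORDS set is a constructed stand-in for the real breach-derived lists, and the 1e10 guesses-per-second rate is an assumed figure used only to make the numbers concrete.

```python
import math
import string

# Constructed sample of common passwords, standing in for the huge
# breach-derived lists the episode mentions; a real checker would load
# a file with millions of entries.
COMMON_PASSWORDS = {
    "password", "iloveyou", "123456", "qwerty", "letmein",
    "welcome", "monkey", "dragon", "football", "sunshine",
}

# Substitutions that cracking tools undo routinely, so a checker must undo
# them too: "pa$$word123" and "il0vey0u" are "password" and "iloveyou" in disguise.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "$": "s", "@": "a", "!": "i",
})


def normalize(password: str) -> str:
    """Reduce a password to its underlying word: lower-case it, strip digits and
    punctuation tacked on at either end, then undo leetspeak substitutions."""
    base = password.lower().strip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def naive_bits(password: str) -> float:
    """Entropy a length-and-character-class rule would credit, i.e. assuming every
    character was picked uniformly at random. This is the figure that overrates
    'pa$$word123'."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Combine the naive estimate with the dictionary check. guesses_per_second is
    an assumed offline cracking rate, used only to turn bits into a time."""
    reasons = []
    word = normalize(password)
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not word:
        reasons.append("only digits and punctuation")
    elif word in COMMON_PASSWORDS:
        reasons.append(f"variant of the common password '{word}'")
    bits = naive_bits(password)
    return {
        "password": password,
        "naive_bits": round(bits, 1),
        "naive_years": (2 ** bits / guesses_per_second) / (365 * 24 * 3600),
        "weak": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ["pa$$word123", "il0vey0u", "12345678",
                      "Correct-Horse-Battery-Staple-42"]:
        result = assess(candidate)
        print(f"{candidate!r}: naive {result['naive_bits']} bits "
              f"(~{result['naive_years']:.0f} years at 1e10/s), "
              f"weak={result['weak']} {result['reasons']}")
```

The naive estimate credits “pa$$word123” with about 67 bits (centuries of brute force at the assumed rate), while the dictionary check flags it immediately; that gap is exactly what “low-hanging fruit” means here. A real policy check would keep the normalization step but swap the tiny constructed set for a full breach list.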
Do this instead
Now that you know what not to do, let’s talk about password best practices:
- Use strong, unique passwords. We’ve talked about unique: Don’t reuse passwords. Ever. But there’s some debate on what “strong” actually means here. Almost everyone agrees that the bare minimum is a password made up of at least 8 characters, preferably a mix of uppercase and lowercase letters, special characters, and numbers. That said, many security experts recommend introducing an element of randomness when creating a password: including three to four words chosen at random for added security.
- Write your passwords down. Yes, we know it sounds strange. But not everyone can (or will) use a password manager app. For these folks, writing down passwords in a notebook—and then keeping that notebook in a safe place—is a reasonable alternative. In the absence of better solutions, it’s a far safer option than just reusing passwords!
- Check for compromised passwords. Many web browsers can monitor your saved login details and warn you if an account has appeared in a known data breach. Safari, Chrome, and Firefox all have this feature. You can also check to see if you’ve been in a breach at HaveIBeenPwned.com.
- Use a password manager. It’s the gold standard for a reason. Password managers allow you to create long, complex, and random passwords for each and every site you use. They store them securely, and autofill them for you when you need to log in. For most people, the main concern about password managers is unfamiliarity. But it only takes a week or two of using a password manager to feel comfortable with it — and most people who try one out, at least in our experience, say that they’ll never go back!
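Two of the tips above lend themselves to a short worked example: generating a passphrase from randomly chosen words, and checking a password against a known-breach list without sending the password anywhere. The Python below is an added example, not code from the episode, Bitwarden, or Have I Been Pwned. The wordlist is a constructed 16-word stand-in (a real generator would use a list of thousands of words, such as the 7776-word EFF diceware list). The range endpoint https://api.pwnedpasswords.com/range/<prefix> and its “SUFFIX:COUNT” response format are HIBP’s documented k-anonymity API; the sample response body is constructed, and its counts are made up, except that the third suffix is the real SHA-1 tail of the string “password”.

```python
import hashlib
import math
import secrets
import urllib.request

# Constructed mini wordlist so the example runs offline; a real generator draws
# from a list of thousands of words (the EFF diceware list has 7776).
WORDLIST = [
    "apple", "river", "copper", "window", "tiger", "planet", "lantern", "violet",
    "marble", "summit", "anchor", "cactus", "ember", "glacier", "harbor", "meadow",
]


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Join `words` entries chosen with the secrets module (a CSPRNG, unlike random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase made of `words` uniformly chosen words."""
    return words * math.log2(wordlist_size)


def hibp_range_parts(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that is
    sent to https://api.pwnedpasswords.com/range/<prefix> and the suffix that never
    leaves the machine (HIBP's k-anonymity scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """How many times the password appears in breaches according to a range
    response for its prefix (0 if the suffix is absent)."""
    _, suffix = hibp_range_parts(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not called below so the example stays offline."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6.
# The third suffix is the real SHA-1 tail of "password"; the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(f"generated: {phrase} "
          f"({passphrase_bits(4, len(WORDLIST)):.1f} bits with this tiny list, "
          f"{passphrase_bits(4, 7776):.1f} bits with a 7776-word list)")
    prefix, _ = hibp_range_parts("password")
    print(f"'password' -> prefix {prefix}, "
          f"seen {breach_count('password', SAMPLE_RANGE_RESPONSE)} times in the sample")
    print(f"passphrase seen {breach_count(phrase, SAMPLE_RANGE_RESPONSE)} times in the sample")
```

The design point is that only the five-character prefix is ever transmitted, so the service learns nothing more than which of roughly a million buckets the hash fell into; the comparison against the returned suffixes happens locally. To run it against the live service, replace SAMPLE_RANGE_RESPONSE with fetch_range(prefix).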