By Michelle Metcalf, NOPL’s Digital Services & Technology Coordinator
In the digital world we live in, passwords are a basic necessity. They’re the first line of defense to prevent unauthorized access to information. The strength of that line of defense depends on us. But we could be making common password mistakes that make it easier for bad actors to access our information. What are they, and how can we fix them?
Mistake #1: Simplicity & Familiarity
Many people use passwords that are too short, or they base their passwords on family or pet names, hobbies, or publicly searchable information like a home address or birthday. In some cases, they use simple patterns like 1234 or qwerty. Those things are waaaay too easy for someone to guess, and nobody even has to guess them by hand: attackers run tools that automatically try lists of common passwords, names, dates, and anything they can scrape from social media, far faster than any person could type.
The Fix: Strong Passwords
Strong passwords are:
- long – 12 characters or more
- complex – include numbers, symbols, and both uppercase and lowercase letters
- difficult for someone to guess – they don’t follow a pattern (no abcd, 1234, or keyboard rows like qwerty, and nothing from your social media) and may simply be several random words strung together
If you’re like me, as soon as you’re asked by a site to create a password, you forget every word in your vocabulary. The mind. Goes. Blank. Here are a couple of tools that I’d recommend that can help with this:
- A password manager: Personally, I use an app called Bitwarden, but there are a number of different ones available – 1Password, Dashlane, and Apple’s iCloud Keychain, to name a few. These managers will generate new passwords for you if you choose, and because those passwords are random rather than something you thought up, they’ll be nice and strong.
- Dinopass: Dinopass is actually a password generator for kids with the option to create simple or strong passwords. I don’t always use the passwords it generates, but it helps get the juices flowing if I need some ideas for passwords. If you do use the passwords it generates though, definitely choose the strong option!
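To make the three rules above concrete, here is an added Python example (written for this post, not code from Dinopass or from any of the password managers mentioned). It generates passwords and passphrases from the operating system's cryptographic random source, checks any password against the length, complexity and no-pattern rules, and estimates how many bits of guessing work a password or passphrase represents. The word list and the list of "familiar" terms are small constructed stand-ins; a real passphrase generator uses a list of thousands of words such as the EFF diceware list, and real cracking wordlists hold millions of familiar terms.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed word list for the passphrase generator. A real list (for example
# the EFF diceware list) has 7,776 words; this stand-in exists only so the
# example runs offline.
WORDS = ["river", "copper", "lantern", "orbit", "velvet", "maple", "tundra",
         "quartz", "saddle", "pepper", "glacier", "harbor", "kettle", "meadow",
         "nickel", "pillow", "rocket", "thunder", "walnut", "yarrow"]

# Constructed sample of the familiar terms people build passwords from
# (pet names, seasons, keyboard rows). Cracking wordlists hold millions.
FAMILIAR = ["password", "fluffy", "buddy", "smith", "football", "summer",
            "1234", "qwerty", "letmein"]


def has_simple_pattern(pw):
    """True if pw contains a repeated run, a counting run, or a familiar term."""
    low = pw.lower()
    for i in range(len(low) - 2):            # "aaa", "111"
        if low[i] == low[i + 1] == low[i + 2]:
            return True
    for i in range(len(low) - 3):            # "abcd", "4321"
        codes = [ord(c) for c in low[i:i + 4]]
        steps = {codes[j + 1] - codes[j] for j in range(3)}
        if steps == {1} or steps == {-1}:
            return True
    return any(term in low for term in FAMILIAR)


def check_strength(pw):
    """Apply the post's three rules; returns one flag per rule plus 'ok'."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw)]
    result = {
        "long": len(pw) >= 12,
        "complex": all(classes),
        "unpredictable": not has_simple_pattern(pw),
    }
    result["ok"] = all(result.values())
    return result


def generate_password(length=16):
    """Random characters from the OS CSPRNG via secrets (never random.choice)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_strength(pw)["ok"]:   # reject the rare draw missing a class
            return pw


def generate_passphrase(n_words=4, separator="-"):
    """Random words plus a two-digit suffix: long, memorable, all four classes."""
    words = [secrets.choice(WORDS).capitalize() for _ in range(n_words)]
    return separator.join(words) + separator + str(10 + secrets.randbelow(90))


def entropy_bits(choices_per_position, positions):
    """Guessing work in bits: log2 of the number of equally likely outputs."""
    return positions * math.log2(choices_per_position)


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(len(ALPHABET), 16), 1), "bits")
    print(generate_passphrase(), round(entropy_bits(7776, 4), 1),
          "bits with a 7,776-word list")
    for sample in ["Fluffy2015!", "Tr0ub4dor&3xR9q"]:
        print(sample, check_strength(sample))
```

The key design point is the `secrets` module: Python's `random` module is predictable and must not be used for passwords. The entropy figure is what matters most for a passphrase: four words from a 7,776-word list give about 52 bits, while four words from this tiny 20-word list give only about 17, which is why the real list size counts more than the number of symbols.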
Mistake #2: Reduce, Reuse, Recycle
Reduce, reuse, recycle works great for sustainability and reducing waste. It doesn’t work well for protecting your accounts! Let’s say you create a password for online banking. To reduce the number of passwords you have and make things easier to remember, you reuse the same password on several other sites. If one of those other sites gets hacked, its list of email addresses and passwords ends up posted or sold online, and attackers feed such lists into tools that automatically try every email-and-password pair at banks, email providers, and shops (the industry calls this credential stuffing). Your online bank account could be compromised because you recycled the password, even though the bank itself was never breached.
The Fix: Don’t Reuse Passwords
Your passwords should all be unique. You can’t unlock your house by using your car key, right? So don’t unlock your bank account with your email password. Yes, this could mean having A LOT of passwords to remember. That’s when using one of the password managers I mentioned above would come in handy. With a password manager you set a master password to open and unlock your vault of securely saved passwords. That master password is the one you still have to remember, so make it a long passphrase, use it nowhere else, and never share it.
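The "one breach unlocks everything" problem can be checked mechanically, which is roughly what the reused-password reports in password managers do. The added Python example below (written for this post, not code from Bitwarden, 1Password or any other manager) runs that audit over a small constructed vault: it finds passwords used on more than one site, also catches near-reuse such as Summer2020! versus summer2021# (attackers try those year-and-symbol variations automatically), and lists which other accounts a breach at one site would expose. The sites, usernames and passwords are all made up.

```python
import re
from collections import defaultdict

# Constructed vault: made-up sites, users and passwords for the example only.
VAULT = [
    {"site": "bank.example",    "user": "patron", "password": "Summer2020!"},
    {"site": "mail.example",    "user": "patron", "password": "Summer2020!"},
    {"site": "forum.example",   "user": "reader", "password": "Summer2020!"},
    {"site": "shop.example",    "user": "patron", "password": "summer2021#"},
    {"site": "library.example", "user": "patron",
     "password": "Yarrow-Copper-Tundra-Pillow-31"},
]


def base_form(password):
    """Collapse the usual 'same word, new year or symbol' tweak: lowercase and
    drop trailing digits/symbols, so Summer2020! and summer2021# match."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def find_reused(vault, exact=True):
    """Map each password (or its base form) to the sites that share it;
    only groups with more than one site are returned."""
    groups = defaultdict(list)
    for entry in vault:
        key = entry["password"] if exact else base_form(entry["password"])
        groups[key].append(entry["site"])
    return {key: sites for key, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Other accounts an attacker can log straight into once breached_site's
    password list leaks: every entry that reuses one of its passwords."""
    leaked = {e["password"] for e in vault if e["site"] == breached_site}
    return sorted(e["site"] for e in vault
                  if e["password"] in leaked and e["site"] != breached_site)


if __name__ == "__main__":
    print("exact reuse:", find_reused(VAULT))
    print("near reuse: ", find_reused(VAULT, exact=False))
    print("a breach of forum.example exposes:",
          blast_radius(VAULT, "forum.example"))
```

In this constructed vault a breach of the forum, the least important account, hands over the bank and email logins, and the shop login differs only by a year and a symbol, which is the first variation an attacker's tool will try. A password manager performs this comparison inside the encrypted vault; if you ever run a script like this yourself, run it only on your own machine and delete any exported password file afterwards.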
Mistake #3: Sharing Passwords Insecurely
You might have the strongest password in the world, but if you share it with someone who stores it in an email account protected by a poor password, it won’t make a bit of difference.
The Fix: Secure Your Passwords
If you must share a password with someone, make sure it’s someone you trust and who will protect it like you will, and share it in a secure way: most password managers, including the ones mentioned above, have a built-in way to share an entry with another user. Never send someone a password in an email, text, or messaging app, where it sits readable in both people’s message history and is easy for anyone who gets into either account to find and use.
Mistake #4: Taking the Bait
Sadly, most bad actors don’t have to work very hard to get access to passwords. They use strategies to trick people into giving them up; these are collectively referred to as phishing (the phone version is sometimes called vishing). One method they use is to call and pretend to be a representative from a business you use and try to convince you to give them private information. Another way is by sending an email pretending to be from a website, service, friend, or colleague, and giving you a link to follow. When you click on it, you’re either directed to a fake website that asks for your private information, or the link downloads malware onto your computer.
The Fix: Don’t Take the Bait!
Never give out your password in response to a call, email, text, or pop-up you did not initiate. A credible institution will never ask you for your password, and it won’t ask you to “verify” your account details through a link it sent you out of the blue. Emails and web pages created by phishers may look exactly like the real thing, and the padlock icon in the address bar doesn’t prove otherwise: it only means the connection is encrypted, and phishing sites routinely have one too. If you did not initiate the communication, don’t provide any information. If you think the message might be genuine, go to the site by typing its address yourself or using a saved bookmark, or call the number printed on your card or statement, rather than using the link or number in the message.
I have much more to say about these types of scams (aka “phishing”) in an upcoming blog, but in my next post, I’ll be talking about MFA or multi-factor authentication – so be sure to check back!