Karl Voit has an useful post on good password security practices. There’s not really anything new in the post but it brings together most of the best practices in a single place.
The main problem is that you no longer have to be a nation state to build a machine capable of trying millions of passwords a second. Throw a few GPUs into a pretty much standard PC and you’ve got an excellent password cracking machine. Given that fact you absolutely can’t afford a weak password. Even worse are the common 123456 and password type passwords. Voit points out that the top 10,000 passwords are used by 98.8% of users. Don’t be one of those users. It probably takes less than a second to recover your password if you are. Brute force isn’t the only way to discover your password, of course, and Voit discusses some of the others.
Passwords are never going to be absolutely secure but you can do better than almost everyone else (remember that 98.8 percent?) by following a few simple precepts. That mainly means:
- Getting and using a password manager that will generate long, random, unique passwords for you.
- Never, ever, reusing a password. That way even if one of your passwords is recovered it effects only a single site instead of many.
- Using secure software that won’t leak your passwords. This is harder than it seems. Voit suggests using only open source software to help with this.
- Staying alert and aware. That means don’t click on any email links. Always use your bookmarks to open a site. The next time you get an email from big company XYZ thanking you for your order and, by the way, if you want to cancel click here, hover over the link; there’s a good chance it won’t point to XYZ’s domain.
All of this is a bit of trouble but necessary to stay safe. As Voit says, security is pretty much the opposite of usability. Read Voit’s post. If you do and follow his advice you’ll be safer than almost everyone else.