My clients frequently have to share passwords with me, which gives me a glimpse of three common yet solvable password problems:
- Many organizations allow weak passwords
- Staff at organizations reuse “convenient” passwords
- People readily email passwords or share them via other insecure means
Password breaches are a headache for everyone except for hackers and the robots that cruise the Internet doing their bidding. Good password security is not that hard, and it is especially important for social justice groups that don’t have time to deal with security headaches. Here are four tips to better security:
1- Don’t try to remember all your passwords. Let a computer do it for you.
I use LastPass to create and store hundreds of unique passwords. There are other services out there that do this — How-To Geek has a great article to explain password management.
2- Pick strong passwords.
Strong password = mixed case letters, numbers, and special characters (whenever they are allowed). Use a password generator, or your own unique mnemonic, every time. Use passwords that are at least 14 characters long. If you’re using a password manager (as I suggest in tip #1), the extra characters cost you nothing, because you never have to type or remember them.
When it comes to security questions, don’t go easy there either. Any fact that is discoverable about you on the web (like your pet’s name or your mother’s maiden name) is not a good security question answer. You can use any answer to those questions — it doesn’t have to be a factual answer, as long as you store the answer so you can produce it on request.
3- Don’t reuse passwords.
Yes, really. Even for your social accounts or accounts you don’t expect to use much.
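As an added example (not from the original post, and not LastPass or privnote code), here is a Python script that applies tips 2 and 3: it generates passwords meeting the post's rule (at least 14 characters with mixed case, digits and specials) using the CSPRNG-backed `secrets` module, checks an existing password against that rule, and lists passwords reused across accounts in a constructed sample vault. The special-character set and the sample vault are assumptions.

```python
import secrets
import string

# Post's rule: >=14 chars with upper/lower-case letters, digits, specials (special set assumed).
MIN_LENGTH = 14
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}

# Constructed sample vault (not real credentials) with one reused password.
SAMPLE_VAULT = {
    "mail": "Summer2019!",
    "bank": "Summer2019!",
    "forum": "xK9#mQ2vL!pR4wZe",
}


def policy_failures(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            failures.append(f"no {name} character")
    return failures


def generate_password(length: int = 20) -> str:
    """Generate a policy-compliant password with the CSPRNG-backed secrets module."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    full_alphabet = "".join(CLASSES.values())
    # One character from each class is guaranteed; the rest come from the full set.
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    chars += [secrets.choice(full_alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow (random.shuffle is not CSPRNG-based),
    # so the guaranteed characters do not sit in predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password shared by more than one account to those accounts."""
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}
```

Run `reused_passwords(SAMPLE_VAULT)` to see the mail and bank accounts flagged for sharing a password, and `policy_failures("Summer2019!")` to see why that password fails the length rule.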
4- Don’t send passwords via email.
I like the service privnote. Once the message has been opened, it’s destroyed. So if anyone else opened your message first, you will at least know that it was compromised, because it will have been destroyed before your intended recipient could view it. Also, once you have given someone access to your passwords and they no longer need it, change the password. Passwords are not meant to be permanent.
Change passwords like you change your batteries — because sometimes they need to be changed.
Even if you take reasonable measures, password hacks can still happen. But with limited time and money for your organization’s web resources, you can’t afford to spend them cleaning up a problem that was preventable.