Cyber Security

Luke Hally

Password management

July 25, 2021

Considering what I have learnt this week (in this post), I’ve decided it’s time to cast a critical eye over my own password management practices. I’ve broken a handful of rules:

  • I’ve used the same password on multiple platforms and systems
  • I’ve kept the same password for close to 10 years
  • I’ve got a 1 at the end
  • My email has been leaked in published attacks
  • I’m lucky not to have been hacked – that I know of.

So I’m going to outline how to use a password manager, so that you can have strong, unique passwords for each service you use (think: banking, streaming services, superannuation, anything you need to log in to). To do this I’ll share my experience.

Why you need a strong password

Your password is your secret key into your accounts: it lets you in and keeps attackers out. In cyber security parlance, we call this breaking access symmetry: you can enter, bad guys can’t. Attackers have a swathe of sophisticated tools at their disposal. They have lists of billions of passwords from leaks; they have lists of common passwords; they know that 27% of passwords with numbers just have a ‘1’ at the end; they can automate login attempts. This is why you need a strong, randomly generated password – you don’t want it on one of these lists, because if you are targeted you’ll be toast in less than a second.

But Luke, I know a bit about security and I know that my password is hashed, so it can’t be used. Well, you are correct, except that attackers have thought of a few ways around hashes, including rainbow tables. A strong password will make a rainbow table next to useless.

Check your password

It’s always good to know where you began, so first check your current password strength and whether or not it has been leaked.

My old password was strong – it would take a hacker up to 15 billion years to crack – but the email address I use had appeared in several leaks. Fortunately these did not include passwords.

Updating your password

I’ve decided to start using a password manager. I use LastPass, but there are a number of quality options out there. I understand that it is a single point of failure, but I will be vigilant and update its strong password regularly. This is less of a risk than keeping the one password for every account. It will also make updating passwords easier.

I have updated my passwords for a variety of emails, financial institutions, super, hardware and apps that contain information I definitely don’t want shared. Where possible I’ve gone with 20 characters: uppercase, lowercase, symbols and numbers. My settings may well be overkill with a brute-force estimate of 3 sextillion years, but for the sake of four extra bytes and a nice round number at 20, why not?

TIP: It’s difficult to remember every account I have passwords for, so knowing I have probably missed more than a few, I’ve taken the following step: I’ve disabled default password storing on my device and switched to my password manager. This means every time I try to log into a site and the password isn’t one I’ve added to the manager, I can: a) consider if I really need this account, and b) reset it and add it to the password manager.

This took me a few hours to do, but I’m glad it’s done and I actually feel like a weight has been lifted. I’ve set a calendar event to remind me to update my passwords every 6 months. The password manager will make this easier.

How to secure your passwords

  • Sign up to a reputable password manager such as LastPass. This will be protecting all of your passwords, so create a good password for it – 16-20 characters, uppercase, lowercase, numbers and symbols. Do not put a 1 at the end (27% of passwords with numbers have this). You need to be able to remember this one, so try using a passphrase like sky^2Ride_3Ice-Cream (don’t use this exact one, or a variation; use your own words and symbols/numbers).
  • Add details for the service accounts that you use (Facebook, banks, super, email, Apple/Google etc.)
  • Ask the password manager to create random passwords for you (a different one for each service), using the maximum that your service will allow (i.e. some banks limit the length and characters you can use). If you can do whatever you want, I recommend 20 characters long, including uppercase, lowercase, numbers, punctuation and symbols.
  • Set a calendar reminder for every six months to update your passwords. This includes the password for your password manager and the services it remembers (don’t worry, the password manager will make this easier to do).
  • Whenever you hear about a password breach of a service you use, update its password, and use it as a prompt to update all of them.
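To put numbers behind the advice above (and the earlier point that a random password keeps you off the leaked-password lists and out of a rainbow table’s coverage), here is a small Python script I’ve added for this post. It is not LastPass’s code or any password manager’s algorithm; it generates a password of the recommended shape with the standard library’s `secrets` module, checks a password against the rules in the list (length, all four character classes, no trailing ‘1’), and estimates how long exhausting the full keyspace would take at an assumed guess rate. The 16-character minimum and the 10 billion guesses per second figure are my own assumptions, chosen for illustration only.

```python
import math
import secrets
import string
from typing import List

# The four character classes the post recommends for a generated password.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 printable ASCII characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 20) -> str:
    """Draw a password uniformly from ALPHABET with a CSPRNG, redrawing until
    every character class appears (so a service's composition rule is met)."""
    if length < len(CLASSES):
        raise ValueError("length must be at least the number of character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def check_policy(password: str, min_length: int = 16) -> List[str]:
    """Return the rules from the post that the password breaks (empty list = passes).
    min_length of 16 is an assumption matching the post's 16-20 character advice."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    if password.endswith("1"):
        problems.append("ends with 1")
    return problems


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brute_force_years(length: int, guesses_per_second: float = 1e10,
                      alphabet_size: int = len(ALPHABET)) -> float:
    """Years to exhaust the whole keyspace at the given guess rate.
    The 1e10 guesses/second default is an assumed, illustrative attacker speed."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, "problems:", check_policy(pw) or "none")
    # "Password1" is a constructed weak example of the pattern the post warns about.
    print("Password1 problems:", check_policy("Password1"))
    for n in (8, 12, 16, 20):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"{brute_force_years(n):.3g} years at 1e10 guesses/s")
```

Running it shows why a leaked 8-character password is hopeless against an automated attacker while the 20-character setting pushes the exhaustive search into the sextillions of years; the exact years depend entirely on the assumed guess rate, so treat the figure as a relative comparison rather than a promise.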

Join me in secure password land

Passwords are something so common that it’s easy to forget their importance. Every security feature in the world won’t protect you if you have a weak password; it really is important. So I hope you’ll join me in taking a proactive stance in managing your passwords and improving your cyber security.