(Disclaimer: I’m going to try to write this for a generally non-techie audience, but some techie stuff is inevitable. It’s an important topic anyway. Your mileage may vary. Etc.)
Identity theft. Banking fraud. Social media hacking. These are just a few of the worries we deal with nowadays. There’s no such thing as a perfectly secure system, and odds are good that any system or site that you use will experience some kind of security breach in its lifespan. Your best defense hinges on two actions: Controlling your level of risk exposure, and making it as difficult as reasonably possible for the bad guys to make your life miserable.
You don’t have many options for the first action. If you’re going to use Dropbox because that’s what your collaborators all use, you’re kind of stuck with the level of risk involved with being on Dropbox at all. Whatever service you use, be aware of how much of your stuff you’re sharing with that service. If you’re on social media, be aware of what you’re sharing and with whom. Consider what happens if the bad guys get access to that stuff. Doesn’t matter if they hack your password or the whole service, it’s still Your Stuff in Their Hands now.
This is particularly true for anything involving your money. Online banking. PayPal. Patreon. If you choose to use these services, make sure you become familiar with their security measures and get signed up for any alerts. (Unless you have unlimited money, of course, and love to share it with random people. In which case… hi! Be my friend?)
The second action is what brings me here today. Most normal, regular, decent people are terrible at dealing with passwords. Let’s be clear: I’m not saying people are somehow “stupid” on account of this fact. Passwords are a gigantic pain in the posterior! What a terrible way to have to interact with everything on the Internet that we need a login for! I do not blame anyone for being bad at passwording.
It gets worse when you try to learn how to be better. Over the course of the Internet’s lifespan, password policies went from “policy? what policy?” through a series of increasingly arcane rules, some of which should be obsolete but folks hang onto them because dogma is everywhere. What do you do? Here are my guidelines:
The days of “letter replacement” passwords should be over and done. A password like “p@$$w0rd” is basically useless now. (Especially that example. Please, never use that.) Special characters are fine, but sprinkling in one or two does not, all on its own, make a good password.
I admit I’m speaking more to my fellow IT techs with that one than to regular folks. It’s still good to keep in mind!
Longer is better. (Yes, I’ll wait while you get the jokes out of the way. Done now? Good.) Look at the requirements for the service. When you create or change your password, does it give you a list of requirements? (If not… consider signing up for a different service.) Note the length requirement. It’s probably something like “8 to 15 characters.” You don’t need to use all 15, but get within a few characters of it. Why? Because if the bad guys try to get into your account through the front door (as it were), the more characters you used, the longer (much, much longer) it’ll take them to go through every combination of letters and numbers and such. Odds are they’ll get bored before they get in.
Let’s put it this way: If a password 8 characters long takes them a day to crack by trying every possible 8 character string, a 12 character password will take them months using the same computing power. (I’m simplifying this a whole lot. The principle is what’s important, not the actual math.) Past a certain point they will give up and move on to the next potential victim. You’ve become Not Worth Their Time, and that’s the best you can hope for.
To be frank, of course, if they’ve decided they really want your stuff? They’ll probably get your stuff, if they have the resources and time and a bit of luck. But still, make them work for it. The rat bastards don’t deserve your having made it easier for them.
The bad guys start with a list. Don’t be on that list. They use the list first, then they go through the “every combination of letters and numbers” I just mentioned. The list? It has stuff like “password” and “1234” and “4321” and “drowssap” and “rover” and “fluffy” and you get the idea. They’ve collaborated and built this list over the course of years of successfully getting into stuff belonging to people like you. The bad guys are smart, organized, and know that most people will pick the simplest password they can when given the choice (and no incentive/training otherwise).
Your password should never be just a string of numbers, should never be a variant on the word “password,” and should never be just a name. Especially not your own name.
“Okay,” I hear you ask, which should probably concern you about my mental state, “What should my password look like?” One of two options, here.
- Something utterly garbled and un-guessable, such as that created by a password manager (see below).
- Something long enough and just complicated enough to meet the requirements. Remember, length is more important than complexity as long as you don’t use easily guessed information. So, something like “Careful!4Focus” is valid because it’s 14 characters, has no identifying words that are specific to you as a person, and it meets the “you must use letters, numbers, and a special character” thing that the website probably insists upon. Play with this idea a bit! To a password system, an upper-case and a lower-case letter are completely different things. “careFul!4focuS” is, technically speaking, nothing at all like the previous example.
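To show what the guidelines above look like when a site actually enforces them, here is a small policy checker I added for this post (it is my own illustration, not code from any product). It rejects the things the post warns about: letter-replacement variants of a dictionary word (so “p@$$w0rd” collapses back to “password”), reversed words like “drowssap”, pure digit strings, and passwords containing your own name, while requiring a minimum length and a mix of character classes. The word list and the name list are constructed for the example; a real “bad guys’ list” runs to millions of entries.

```python
import string

# Constructed stand-in for the attackers' common-password list (a real one is far larger).
COMMON_PASSWORDS = {"password", "1234", "4321", "drowssap", "rover", "fluffy", "qwerty", "letmein"}

# Undo the usual letter replacements so a "p@$$w0rd" variant is judged as the base word.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def check_password(password: str, min_len: int = 12, names=()) -> list:
    """Return a list of guideline violations; an empty list means the password passes.

    `min_len` is the site's length requirement (assumed 12 here) and `names` is a
    tuple of words tied to the person (their own name, pet's name) that must not appear.
    """
    problems = []

    # Length beats cleverness: enforce the site's minimum.
    if len(password) < min_len:
        problems.append(f"too short: {len(password)} < {min_len}")

    # Never just a string of numbers.
    if password.isdigit():
        problems.append("only digits")

    # The usual "letters, a number and a special character" requirement.
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs letters, a digit and a special character")

    # Collapse case, leading/trailing digits or punctuation, and leet substitutions,
    # then compare the result (and its reverse) against the list.
    lowered = password.lower()
    core = lowered.strip(string.digits + string.punctuation).translate(LEET_MAP)
    candidates = {lowered, lowered[::-1], core, core[::-1]}
    if candidates & COMMON_PASSWORDS:
        problems.append("on the common-password list (or a reversed/letter-swapped variant)")

    # No names, especially not your own (checked as a substring, which is stricter than "just a name").
    for name in names:
        if name and name.lower() in lowered:
            problems.append(f"contains a name: {name}")

    return problems


if __name__ == "__main__":
    for candidate in ("p@$$w0rd", "1234", "drowssap2024!", "Careful!4Focus"):
        verdict = check_password(candidate, names=("alice",)) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Run it and “Careful!4Focus” comes back clean, while “p@$$w0rd” is flagged both as too short and as a dressed-up dictionary word; the point is that the checks are cheap, so there is no excuse for a site to accept “password123!”.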
Passwords should be unique. Note the “should be” in there. If the bad guys get your Spotify password, that should absolutely not allow them to log into your online banking account. No account hack should let the bad guys into any other account with money attached! You can fudge this guideline a bit for truly unimportant stuff, but it’s up to you to decide what’s important and what isn’t. Be aware of the potential consequences.
As a side note: Consider carefully whether you want to have websites “remember” your debit/credit card info. It makes purchases easier for you, absolutely true. It also makes purchases easier for them if they get into your Amazon or Domino’s Pizza or other online shopping account.
So, now you have to maintain a bunch of passwords. Now what?
Consider a password manager. I’m a fan of KeePass but that’s not the only option available. What you’re looking for is a program which will keep your growing mess of passwords organized and available at your fingertips, but will keep them hidden from casual prying eyes. KeePass, like most of its competitors, will let you set a master password (you do have to remember that one) which unlocks access to all the other passwords. Then it will let you generate new super-complicated passwords or just let you hand-enter and store the ones you created yourself. Either way you prefer. A lot of password managers will even auto-type your username & password into websites for you.
This is a big complicated step! I’m fully aware of this. You don’t need to go this route… but you need to do something. If you’re going to write them down, fine, but now you need to secure that piece of paper somehow, and in a way that lets you get at it when you need it. It’s up to you. Maybe you’ve got a system! Systems aren’t inherently bad, just be aware that the bad guys will be trying to figure out your system as well, so make it as non-obvious as you can.
(And there’s the even more complicated issue of having access to all these passwords across multiple devices & locations. Personally I use a secured KeePass file on a Dropbox share, though I’m considering ways to add more layers of security to the arrangement. The challenges never end, folks.)
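Two things from earlier in the post are worth seeing in actual numbers: how a password manager generates those “utterly garbled” passwords, and why length matters so much more than cleverness. The snippet below is an illustration I added (not KeePass’s code or anyone else’s): it draws each character from a cryptographically secure random source, and it computes the size of the search space an attacker would have to exhaust. The guess rate of one billion tries per second is an assumed figure for the example. Note that the post’s “a day versus months” comparison was deliberately simplified; over letters and digits alone, going from 8 to 12 characters multiplies the search space by 62 to the fourth power, about 14.8 million, so “a day” becomes many thousands of years at the same guess rate.

```python
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Letters and digits only, the alphabet used for the comparisons below.
ALNUM_SIZE = len(string.ascii_letters + string.digits)  # 62


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a password the way a manager does: every character chosen independently
    with the OS's cryptographic random source, so it is on nobody's word list."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength in bits of a uniformly random password: one bit doubles the search."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Days an attacker needs to try every password of this length at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 86400


def length_ratio(short: int, long_: int, alphabet_size: int) -> int:
    """How many times longer an exhaustive search takes for the longer password."""
    return alphabet_size ** (long_ - short)


if __name__ == "__main__":
    rate = 1e9  # assumed attacker guess rate for the illustration: one billion per second
    for n in (8, 12, 16):
        print(f"{n} chars over {ALNUM_SIZE} symbols: "
              f"{entropy_bits(n, ALNUM_SIZE):.0f} bits, "
              f"{days_to_exhaust(n, ALNUM_SIZE, rate):.3g} days to exhaust")
    print("8 -> 12 characters multiplies the search by", length_ratio(8, 12, ALNUM_SIZE))
    print("manager-style password:", generate_password())
```

The takeaway matches the post: at a billion guesses a second an 8-character letters-and-digits password falls in a couple of days, while 12 characters of the same alphabet pushes the exhaustive search past a hundred thousand years. A manager-generated 16-character password over all 94 printable characters is stronger still, and you never have to remember it.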
Consider Two-Factor Authentication. Also known as “2FA” or “MFA”, the long-and-short of it is that instead of just an account name & password, now you have the account name & password & also some code, probably delivered via an app on your smartphone. The “factors” refer to the idea that your account is now protected by something you know (password, factor 1) and something you have (smartphone, factor 2). Sure, if the bad guys manage to get at your password and your smartphone, you’re out of luck… but that’s sure a lot of work, isn’t it? “2FA” is a bit of a hassle for you, yes. It’s a phenomenal hassle for the bad guys, though, so it’s generally a good idea for stuff you really need to have secured. Like, for instance, your bank account.
Last, and absolutely not least:
Ask your friendly neighborhood tech wiz. I guaran-damn-tee you, any techie worth anything at all will be delighted to hear something like, “Hey, I’ve been bad at passwords and I want to learn to do better, can you help?” The biggest hurdle we face in this battle is getting people to even care. Showing that the concern is real for you is going to go a long way toward making them happy to assist you.
In conclusion: Use the Internet carefully and wisely, and use the best password scheme you feel capable of handling. The identity and money you save may be your own.