In a previous post I showed that strong passwords are easy to make. But there is more to good password hygiene than having a strong password. If you re-use the password, or even use the same password on many sites, then it’s no good (no matter how strong it is).
Having a good password policy also means that you do not re-use passwords, do not have the same password at different sites, and do not have passwords that are close to identical to each other.
In this post I will show you 5 + 2 ways to protect your strong passwords.
1. Protect your email account above all
No matter what service you sign up for, it requires you to give them your email address. The reason is not malicious – it is so you can reset your password if you lose it. If someone comes into possession of your email account, they have a good chance of resetting several of your other accounts and locking you out of them.
If you lose your email account, you can get locked out of Netflix, Facebook, Twitter and a bunch of other accounts at the same time. Have you ever thought about how you would reset your Facebook login if someone hijacks your email account?
2. Use unique passwords for every account
Many people use the same password (which may, or may not, be a strong password) for many online accounts.
Whether the password is strong is beside the point if you use the same password for more than a single account. Having the same password on many sites increases the risk of losing access to more accounts, since a leak at one site exposes all of them – perhaps putting your email account at risk.
Let’s hope no one who reads this has the same password for his or her Facebook account and email account! (If you do, take a quick break and fix it right now in another browser tab – I will be here when you come back.)
3. Use a password manager
Use a strong password to get into the password manager; once logged in, neither length nor complexity of the stored passwords will be a problem, because you no longer need to remember them.
Most password managers have plug-ins for your browser that fill in the credentials when you visit a site. Almost every password manager lets you synchronise your passwords between devices, which makes them even easier to use.
Many password managers also let you synchronise between your computer and your smartphone. And most importantly, most password managers create long random passwords for you.
You only need to craft a strong password for your password manager.
Passman and Bitwarden are two examples of open source password managers for those of you who prefer open source software over proprietary code.
4. Don’t let the browser store your passwords
Storing your passwords in the browser is wrong in so many ways from a security perspective. It is extra insecure because it gives access to the passwords to whoever sits in front of the screen.
When browsers let you synchronise passwords between computers, they do it in a less secure way than password managers do. And when they don’t, they make you use weaker passwords so you can keep them in memory.
Just trust me on this one – you want a secure vault holding your long and complex passwords, and you want it to store them so you won’t lose them even if your computer crashes or gets stolen.
5. Use two-factor authentication whenever possible
Two-factor authentication adds an extra layer of security on top of the username and password used to access an account. It does so by requesting one more credential when you try to log in.
It can be a matter of entering numbers that the service texts you during the login process. Another way is that the service asks you to confirm that you want to log in via an authenticator app on your smartphone or tablet.
Both Google and Microsoft provide authenticator apps on Android and iOS.
A third way is using physical keys like a YubiKey or a Nitrokey to authenticate when logging in.
5+1. The padlock symbol in the browser is key
Make sure that your browser shows the padlock icon in the address field, and make sure the address is not misspelled. It is easy to miss a fake Internet address like https://faceboook.com (by tricking you into going to a misspelled address, the attacker can make sure you see the padlock symbol and still steal your password).
The variant http://facebook.com is no less suspicious: the name is spelled properly, but it lacks the padlock icon because it does not use an SSL connection. If the site does not provide SSL, meaning the address doesn’t start with https, then I recommend that you do not give away any personal information on that site, as it does not comply with standards for online security.
5+2. Always log out
If you leave your computer without logging out, you are not protecting yourself enough. Someone can infect your computer if they get access to it for only a minute or two.
And if the vault of your password manager is open, there is even more danger of exposing sensitive information. Not logging out can make all your efforts to stay safe futile.
Haveibeenpwned.com is a site that lets you check whether the passwords you use appear on lists of passwords exposed in data breaches. You only have to provide the password to see if it’s compromised.
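Sending a password to a website in order to find out whether it has leaked sounds risky, so it is worth seeing how the Pwned Passwords lookup avoids it: the client hashes the password with SHA-1 locally, sends only the first five hex characters of the hash, and receives every known hash suffix under that prefix to compare against on its own machine. The following is an added example, not code from the original post or from haveibeenpwned.com; the server response is constructed locally so it runs offline, and the counts in it are made up.

```python
# Added example (not from the original post): the k-anonymity password lookup.
# A live client would GET https://api.pwnedpasswords.com/range/<5-char prefix>;
# here the response body is constructed locally so nothing leaves the machine.
import hashlib


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Response format: one 'SUFFIX:COUNT' pair per line (CRLF-separated)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in the breach corpus; 0 means not seen.
    Only the local suffix is compared, so the password itself is never sent."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def build_fake_range_response(leaked: dict) -> str:
    """Constructed stand-in for the server. `leaked` maps password -> made-up count.
    Filler suffixes are derived from unrelated strings so the match is not the only line."""
    lines = ["%s:%d" % (sha1_prefix_suffix(pw)[1], n) for pw, n in leaked.items()]
    lines += ["%s:1" % sha1_prefix_suffix("filler-%d" % i)[1] for i in range(3)]
    return "\r\n".join(lines)


# Constructed corpus: the count is invented, not a real figure from the service.
FAKE_RESPONSE = build_fake_range_response({"password": 12345})

if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple 7!"]:
        prefix, _ = sha1_prefix_suffix(candidate)
        print("%-35s sends prefix %s, seen %d times"
              % (candidate, prefix, breach_count(candidate, FAKE_RESPONSE)))
```

Any password that comes back with a count above zero is on the lists and should be replaced, even if it has never been used on the site that was breached.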