I’m not the originator of comparing passwords to underwear, but it’s such an accurate depiction of how to handle passwords! For your own and your organization’s sake, please treat your passwords like underwear. Passwords are sensitive and need to be treated as such. Here are 6 philosophical maxims for how to treat your passwords.
1. Keep them out of sight.
(You wouldn’t reveal them to others)
It’s embarrassing and exposing when someone sees your password lying around or inadvertently gets hold of it. Don’t get caught with your pants down: a notebook, a sticky note, or the underside of a mouse pad or keyboard is the first place people look for passwords. Keeping a Clean Desk Policy, the habit of decluttering your desk at the end of the day, is a recurring way to make sure sensitive information is unavailable to prying eyes.
2. Keep them to yourself
(A shared password is a dirty password)
Keeping your passwords to yourself cuts down on who can access your accounts. On the back end, many services let administrators see audit logs showing which account did what and when. If you let others use your accounts by sharing passwords, everything they do is logged as your action, and you lose the ability to prove otherwise. If someone else genuinely needs access, give them their own account or role rather than your password.
3. Eliminate Reuse
(One time use per account)
Reusing the same password across different accounts creates a single point of failure. In a common technique called credential stuffing, an attacker takes username and password pairs leaked from one service and replays them, usually automatically and at scale, against other services. Using a different password for every account means a leak at one service cannot be replayed against any other.
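Credential stuffing also has a recognizable shape from the defender's side: one source touches many different accounts with about one attempt each and almost all of them fail. The following is an added example, not code from the original post; the log format and the thresholds are assumptions made for the demo, and the log lines are constructed (RFC 5737 documentation addresses, made-up usernames).

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original post); the
# "key=value" format is an assumption made for this example.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=frank result=OK
2024-05-01T10:05:10Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:05:20Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T10:05:31Z src=198.51.100.9 user=alice result=OK
2024-05-01T10:07:00Z src=192.0.2.5 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_by_source(log_text):
    """Aggregate per source address: total attempts, failures, distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            s["failures"] += 1
    return dict(stats)


def flag_credential_stuffing(stats, min_distinct_users=5, min_fail_ratio=0.8):
    """Return sources whose pattern looks like credential stuffing.

    Stuffing replays leaked username/password pairs, so a single source hits
    many different accounts with roughly one attempt each and a high failure
    rate. A user mistyping their own password (one account, a few tries) or a
    classic brute force (one account, many tries) does not match this shape.
    Thresholds are illustrative, not tuned for any real environment.
    """
    flagged = []
    for src, s in stats.items():
        distinct = len(s["users"])
        fail_ratio = s["failures"] / s["attempts"]
        if distinct >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize_by_source(SAMPLE_AUTH_LOG)
    for src in flag_credential_stuffing(stats):
        s = stats[src]
        print(f"{src}: {len(s['users'])} accounts, {s['failures']}/{s['attempts']} failed")
```

Run against the sample, only 203.0.113.7 is flagged: six accounts, five failures, one success (the reused password that worked). The single user retrying their own password from 198.51.100.9 is not flagged, which is the distinction a real detection rule has to preserve.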
4. Make them exotic
(16 character minimum, numbers, letters, capital letters, MFA on everything)
There is a common conflict in cyber security: convenience and security are always in tension. If something is easy, it most likely isn’t secure, and if it’s secure, it most likely isn’t easy to use. The goal is to find an acceptable balance between the two. Longer, randomized, unique passwords make it harder for attackers to blindly guess your password, because each added character multiplies the number of possibilities by the size of the character set.
Password crackers brute-force (guess sequentially, or from lists) at rates from thousands of guesses per second against slow hashes like bcrypt to billions per second on a GPU against fast, unsalted hashes like MD5 or NTLM. Because the keyspace grows exponentially with length, length is the cheapest way to push crack time out of reach. And if you enable Multifactor Authentication (MFA), even an attacker who successfully cracks your password still needs the second factor, such as the 6-digit rotating code from an authenticator app. One caveat: a rotating code can still be phished in real time, so where a service offers security keys or passkeys, prefer them. Turn on MFA on everything and use exotic passwords.
5. Change often
(A fresh password is a clean password)
Change them about once every year or two for accounts holding important or sensitive information, and immediately whenever a service you use reports a breach. Changing your passwords keeps your active password out of a password list. Password lists are built when a company has a data breach and a malicious actor gets at its password storage; each password that was stored in plaintext, or cracked from a weak hash, is added to the list. When attackers later try to break into accounts, instead of guessing letter by letter they start with that list of known passwords, which greatly reduces the time it takes, even on different platforms or services.
You may have the strongest, most exotic, unshared password on the planet, but if the company or service mishandles it, it can still end up on a list. Rotating your passwords, especially for sensitive accounts like banking, healthcare, or business-critical applications, keeps your active password off that list: even if your old password was leaked, the newly randomized one is not. (Current NIST guidance in SP 800-63B favors rotating on evidence of compromise over a fixed calendar, so treat the schedule above as a floor and a breach notice as the trigger.) Daniel Miessler’s SecLists project collects many of the common password lists. If you see your password on any of them, change it now!
6. Keep them Tidy
(Use a password manager for your sanity)
Password managers store your passwords securely and in an organized way, in a vault protected by encryption. It is hard to do any of the above well without one. Most password managers can check whether your passwords appear on a leaked password list, rate their strength, generate randomized passwords, alert you to reuse, and, most importantly, remember them for you. Password managers are absolute life savers when it comes to maintaining your passwords and keeping your accounts secure.
If you treat your passwords like underwear, using a password manager to keep them out of sight, to yourself, used once, exotic, and regularly changed, you are much better equipped to keep your family, your company, and yourself safe on the internet.
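Two of those manager features, the leaked-list check from maxim 5 and the reuse alert from maxim 6, are easy to misdo: sending the plaintext password to a lookup service would leak the very secret you are checking. The following added example (not code from the original post or any password manager) shows the k-anonymity pattern, where only the first 5 hex characters of the SHA-1 leave the client, plus reuse detection and CSPRNG-based generation. The "breach corpus" is a constructed set of a few well-known weak passwords hashed locally, not real breach data, and `range_lookup` is a local stand-in for a remote range endpoint; nothing here contacts a real service.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed stand-in for a breach corpus: a handful of well-known weak
# passwords hashed locally. NOT real breach data and NOT a real service.
_LEAKED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _LEAKED_PLAINTEXTS}

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def range_lookup(prefix5: str):
    """Local stand-in for a k-anonymity 'range' query.

    The client sends only the first 5 hex characters of the SHA-1 and gets back
    every leaked hash suffix sharing that prefix, so the server never sees the
    full hash or the password. Real services (e.g. the HIBP Pwned Passwords
    range API) work this way; this demo answers from the local set instead.
    """
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix5)}


def is_leaked(password: str) -> bool:
    """Hash locally, query by prefix, compare the suffix on the client side."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def find_reuse(vault):
    """Group vault entries (site -> password) that share a password."""
    by_pw = defaultdict(list)
    for site, pw in vault.items():
        by_pw[pw].append(site)
    return sorted(sorted(sites) for sites in by_pw.values() if len(sites) > 1)


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Use the CSPRNG-backed secrets module, never random.choice, for passwords."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_vault(vault):
    """What a manager's 'vault health' report boils down to: leaked and reused entries."""
    return {
        "leaked": sorted(site for site, pw in vault.items() if is_leaked(pw)),
        "reused": find_reuse(vault),
    }


if __name__ == "__main__":
    # Constructed demo vault (made-up sites and passwords)
    vault = {
        "bank": "Summer2023!",
        "mail": "Summer2023!",
        "shop": "qwerty",
        "forum": generate_password(),
    }
    print(audit_vault(vault))
```

Even the 5-character prefix reveals nothing useful on its own: it narrows the candidate set to roughly one 1,048,576th of all possible hashes, which for a large corpus still means hundreds of suffixes per response, and the actual match is decided locally.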
