Psychology?
Human behavior is all about psychology, isn’t it? It is the study of our mind and behavior. And why should our use of passwords not fall into this category? The folks at LastPass recently published a report about their findings concerning password behaviors. They found that 62% are still reusing passwords. Yes, in 2022. Even when people became aware, only 25% started using a password manager/wallet. Yes, even Web Professionals Global did a recent post encouraging individuals to use a password wallet. To learn more about their findings, please visit the LastPass link above. It is easy reading and has a lot of useful information. Given that many may not be using a password wallet, what can we as professionals suggest?
Option 1 – be consistent
Each site you visit should have a unique password. Period. Of course, if you insist on not using a password wallet, what sort of methodology could you employ? Here is one simple example. Obviously, you may want to try something different but analogous to this approach.
Consider you want to have a unique password at Amazon and Facebook (perhaps you use both frequently). How could you make a unique password for each site and remember it without using a password wallet or writing them down and pasting them under your keyboard (what could be more secure – yes, we are being sardonic)?
Consider that the word Amazon has 6 letters and a com top-level domain. One could consistently count the letters in a domain and use the first and last letters – for example A6N (in the same way we end up with A11Y for AccessibilitY and I18N for InternationalizatioN). Such a password would be incredibly easy to crack. So, we begin with the top-level domain as part of a passphrase. Thus our password for Amazon becomes COM-A6N. Still pretty easy to crack, as it is less than 9 characters. We could append our favorite flower to this passphrase followed by a number, such as COM-A6N-sunflower42. Now we are getting somewhere. Facebook would become COM-F8K-sunflower42, and so forth. Of course, we could add more consistent words to our phrase. Longer passphrases are more difficult to crack with various tools. Obviously, if someone were to guess our scheme, they would be able to access our accounts easily. By itself, this may not be the best option. However, it still beats reusing the same password over and over, doesn’t it?
Option 2 – Why use your name or email?
While we are working along these lines, one often is asked for a username. Of course, many simply rely on the tried and true first initial last name or some combination of initials and surname. It doesn’t have to be that way. If you are able to specify your own username (and that can be a big if as many sites now ask for your email and simply use that as your username), do so (and be creative).
For example, instead of mdubois or markdubois as a username at a site, I could use favorite fossils as a username, say, trilobites or trilobites42. There is nothing tying me specifically to that fossil, so that should be reasonably safe for a username. No, hackers, don’t bother, as I am way ahead of you on this.
Option 3 – Always 2FA
We have mentioned this before, but if you really can’t use a password wallet for some reason, at a minimum you should always activate 2 factor authentication (2FA). Yes, we addressed this as part of our discussion on web security in 2021 and employee burnout in cybersecurity in 2022. Not only do you need to know your password, you also need to have something (such as a mobile phone with an authentication app). Simply knowing the username and password is not enough. Many sites allow for the use of 2 factor authentication these days. If they don’t, you should contact them and ask for it specifically.
Combination?
If you really can’t use a password wallet, consider combining all the above approaches. Set your username to something meaningful to you but not readily obvious to others (in my simple example trilobites42). Set your password to something you can easily figure out by looking at the site and knowing something specific. For example, COM-F8K-sunflower42. And employ 2 factor authentication as well.
But wait, didn’t you tell me to change my passwords periodically in your prior web security article in 2021? Yes, we did. So we could expand upon the passphrase theme and use a password of winter23-COM-A6N-sunflower42 for our Amazon password. Then, we could change that to spring23… when the time comes. We would change our passwords every quarter, and each would be unique for that site. I know some sites will not let you change a password which is similar to the one you presently use. Just be consistently creative on your sites.
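As an added illustration (example code, not from the original post), the following Python implements the consistent scheme from Option 1 together with the seasonal prefix described just above, and then measures how much of one site’s password is already exposed when another site’s password built with the same scheme leaks. The domains, the constant word/number and the prefix are constructed sample values.

```python
# Added example: the "consistent" passphrase scheme described in the post,
# plus a check of how much a leak at one site reveals about another site.
# Domains, the constant "sunflower42" and the prefix "winter23" are sample values.


def site_token(domain: str) -> str:
    """TLD in upper case, then first letter, letter count and last letter of the name.
    'amazon.com' -> 'COM-A6N', 'www.facebook.com' -> 'COM-F8K'."""
    labels = domain.lower().strip().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"need name.tld, got {domain!r}")
    name, tld = labels[-2], labels[-1]  # ignore any leading 'www.'
    return f"{tld.upper()}-{name[0].upper()}{len(name)}{name[-1].upper()}"


def derive_password(domain: str, constant: str, prefix: str = "") -> str:
    """Assemble the passphrase: optional rotating prefix, site token, constant part."""
    parts = [prefix] if prefix else []
    parts += [site_token(domain), constant]
    return "-".join(parts)


def shared_characters(pw_a: str, pw_b: str) -> int:
    """Count positions at which two passwords carry the same character."""
    return sum(a == b for a, b in zip(pw_a, pw_b))


def leak_exposure(domain_leaked: str, domain_other: str, constant: str, prefix: str = ""):
    """Return (shared, total): characters of domain_other's password already known
    to someone who holds domain_leaked's password and has guessed the scheme."""
    leaked = derive_password(domain_leaked, constant, prefix)
    other = derive_password(domain_other, constant, prefix)
    return shared_characters(leaked, other), len(other)


if __name__ == "__main__":
    for site in ("amazon.com", "www.facebook.com"):
        print(site, "->", derive_password(site, "sunflower42", "winter23"))
    shared, total = leak_exposure("amazon.com", "facebook.com", "sunflower42")
    print(f"a leaked Amazon password reveals {shared} of {total} characters of the Facebook one")
```

The three characters that differ between the two passwords follow directly from the domain name, which is the weakness the post already points out: consistency is what makes the scheme memorable and also what makes it guessable.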
And, you can always reset passwords if all else fails and you forget. Or, you could just use a password wallet? Really, they aren’t that tough to use. Yes, it is important to grow beyond your comfort zone and these tips are meant to serve as a starting point. If you don’t want to use a password wallet, be creative. Use the above ideas as a starting point, not the end result. We know you are creative. Apply your creativity to the creation of your unique passwords on each site.
Editorial sidebar
While we are thinking about passwords and resetting them, what about all those security phrases you are asked to update with your bank and related institutions? Consider all the social media “quizzes” which mine information such as your high school mascot (really, why on earth would anyone willingly share that information – oh, yeah – so they can see what they would look like as a dog or whatever – c’mon folks – never fall for those online quizzes – they are just stealing your information). But, wait, I already know what my spirit animal looks like. Oops. How does one deal with this if your personal information is already out there? Make it a point to lie on those security questions. For example, if one of the questions is what was the name of your high school – lie. In part. Perhaps append a noun to everything. Again, you just have to be consistent. For example, I would tell the security answer to the high school question that I went to Washington Grass high school. My father’s middle name was Fred Grass (no, it wasn’t even Fred). Now I have a little more security, as I must know the actual answer and the word I append to everything. Again, be consistent. Not a perfect solution by any means, but if your information is already out there…
What are your thoughts? As always, we look forward to your comments and insights.
Best always,
Mark DuBois, Executive Director
Web Professionals Global (aka World Organization of Webmasters)