A password policy is a set of rules that govern the way users create and manage their passwords. It could be created by the IT team in your office, it could be enforced by a website, but it could also be something you impose on yourself in an attempt to boost your online security and minimize the chances of getting hacked. Save for a few exceptions, the rules that work in an enterprise environment can also work for individual users. Here are a few good practices to bear in mind when creating your passwords.
1. Make sure you're not using a common password.
Every year, security companies examine the data that has been leaked over the last twelve months and put together a list of the worst passwords people have used. Take a look at the 100 worst passwords for 2017, and make sure that your passwords don't show up on the list. (https://13639-presscdn-0-80-pagely.netdna-ssl.com/wp-content/uploads/2017/12/Top-100-Worst-Passwords-of-2017a.pdf) If they do, change them immediately. The passwords you see on the list, along with many other entries, will be a part of virtually every password dictionary in the hackers' possession, meaning that they can be easily guessed.
In 2017, Troy Hunt, a security expert running a website called Have I Been Pwned, launched a new service (link: https://haveibeenpwned.com/Passwords) with which checks passwords and determines whether they're present in one of dozens of databases leaked by hackers. Mr. Hunt warns you not to check your current passwords in there, but if you have an old one that you consider changing, you might want to run a quick check. If it's been leaked, be sure to change it as a matter of urgency.
2. Stop using weak passwords.
A lot of the registration forms you visit almost daily come with password strength meters placed directly into the Password field. The idea is to display how strong a password is and entice the user to aim for a better result.
There are security experts who reckon that you shouldn't trust password strength meters too much. Indeed, some of the said meters would say that "P@ssword!" is a strong password, but we know that it's part of virtually every password dictionary out there. If a password strength meter tells you that your password is weak, however, you should definitely listen to it. These password strength meters are designed to calculate the entropy of your passwords. The password's entropy is a measure of how easily it can be brute-forced, and you really don't want to use passwords with low entropy, especially now, when hacking tools are sophisticated, and cybercriminals have significant hardware resources.
A strong yet memorable password should be long, and should preferably consist of several words (which makes it a passphrase). Ideally, some of the words should be intentionally misspelled, and a combination of uppercase and lowercase letters, numbers, and special characters turn a strong passphrase into a super-strong passphrase.
3. Stop reusing your passwords
Having to remember numerous passwords is one of the most unpleasant chores Internet users are faced with. That's why many of them simply walk away from it. Unfortunately, they either don't understand the risks, or they firmly believe that the worst can't happen to them.
Online services get compromised every day. A messaging board is much more likely to be hacked than the website of your bank. If a password you've used on a messaging board gets leaked, this shouldn't be too much of a problem for you. If the same password is used on your banking website, however, you're in trouble.
4. Don't use something personal (or related to the website you're signing up for) for your password.
Gone are the days when your pet's name made for a good password. If you're still doing it, hackers can guess your password simply by browsing through your Facebook photos. The same goes for birthdays, words related to your hobbies or personal details of your friends and family.
Using the name of the online service you're signing up for is also a bad idea. When researchers analyzed the data stolen from Adobe in 2013, they saw that along with the obviously horrific passwords such as "123456" and "password", "adobe123" and "photoshop" were among the most commonly used words to protect people's accounts. In some cases, when hackers do manage to breach a company, they can't get to the passwords in plain text. As you can see, however, even then, they could be able to guess your password if you haven't been careful when creating it.
5. Think about your password update policies.
Security experts have been arguing about this for a while now. In the past, common sense dictated that passwords shouldn't remain unchanged for more than a few months. Some websites even enforced mandatory password reset rules. As a result, users were forced to remember quite a few more passwords which led to some less than desirable results. "password1" would turn into "password2", and it would later be changed for "password3". This puts even more pressure on the users' brains without really doing much to improve security.
That's why, in recent years, experts have been advocating the removal of such policies. That said, leaving a password unchanged for years isn't really an ideal scenario, either. If you're going to have a password reset schedule, you need to make sure that hackers can't guess your new password by looking at the old one. If you can't do that, changing the password won't do anything to improve your account's security.
6. Don't write your passwords on sticky notes.
Again, there's a bit of an argument around this. People reckon that if burglars break into your house, the last thing they'll be after is your password, and this does indeed sound reasonable. Nevertheless, writing down your password on a piece of paper and leaving it in plain view just adds to the risk.
Hiding the said piece of paper in a physical safe is a better call, but it adds a certain amount of inconvenience, and you have to decide whether you can live with it. The better-safe-than-sorry advice is clear, though: Don't write your passwords down.
7. Use a password manager
Now, sticking to all these rules is a difficult task. Luckily, some years ago, users were presented with a one-size-fits-all solution – the password manager. First, a password manager will help you create strong, unique passwords for all your accounts. Then, it will remember them, and it will even fill them in for you. A master password which only you know is the only way to access your information, so it's much more convenient and secure than writing your passwords down as well.
Treating your passwords with respect is something many people fail to do. What they may not realize is that it's as important as locking your front door on your way out. What they also may not realize is that managing passwords don't need to be a difficult task.