Does Your Password Suck? A Good Password Manager Can Help


Let’s face it, passwords suck. There are so many sites out there, and it’s practically impossible to have a different password everywhere that we can remember without cutting some corners. Unfortunately, when it comes to online security, you are only as safe as the weakest link in the security chain…and for the most part, the weakest link is your password.

For example, here are the top 10 passwords from the massive Adobe hack:

  1. 123456
  2. 123456789
  3. password
  4. adobe123
  5. 12345678
  6. Qwerty
  7. 1234567
  8. 111111
  9. Photoshop
  10. 123123

And here are the top 10 passwords from the recent Ashley Madison hack:

  1. 123456
  2. 12345
  3. password
  4. DEFAULT
  5. 123456789
  6. qwerty
  7. 12345678
  8. abc123
  9. pussy
  10. 1234567

Notice some similarities? If you use passwords like these, you are putting yourself at extreme risk, because even the crappiest of hackers can crack one of these in a matter of moments. This has become insanely easy because of cheap access to powerful GPUs (password hashes, which are what most often gets leaked when a site is hacked, can even be cracked online with tools like md5cracker).

As daunting as it may seem to keep yourself secure online, there are a handful of simple tips you can use to make sure that your online accounts are as hacker-resistant as possible.


1 – Never use the same password on more than one site – This may sound hard, but it’s super easy. How? Use a password manager like Roboform to store your various passwords in one secure location. Roboform allows you to securely encrypt and store your passwords in a “vault”, and has plugins for major web browsers as well as mobile apps so you can easily use your passwords across all of your devices.

Why does this matter? Because if you use the same password in multiple places, and one of those places is hacked, all of your other accounts sharing a password are now compromised.


2 – Use complex passwords – The lists above are a great example of what not to do with your passwords. A good password is long (16+ characters, if you can make it that long), uses a mix of uppercase letters, lowercase letters, numbers and symbols, and avoids common substitutions (8 for B, @ for A, etc.).

This is another area where a password manager like Roboform comes in handy, as it has a tool to generate random, highly complicated passwords such as 7fH@hk#98BJ!asP2&. Because you’re using a password manager, you don’t need to even attempt to recall such a complex password, which rocks.

Why does this matter? Because the longer and more complex the password, the harder it is to guess, brute force, or otherwise crack the password.
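To make the "longer and more complex is harder to crack" point concrete, here is an added example (not code from the post or from Roboform) that generates a random password with a CSPRNG, estimates its entropy from the character classes used, flags the leaked passwords listed above even when the substitutions the post warns about are applied, and converts entropy into a rough crack time; the guess rate of 10 billion per second is an assumption, not a measured figure.

```python
import math
import secrets
import string

# Top passwords from the Adobe and Ashley Madison leaks, as listed in the post above.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "adobe123", "12345678", "qwerty",
    "1234567", "111111", "photoshop", "123123", "12345", "default", "abc123",
}
# Common "leet" substitutions the post warns against; undone before the dictionary check.
LEET = str.maketrans({"@": "a", "8": "b", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s"})
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def is_common(password: str) -> bool:
    """True if the password, case-folded and with leet substitutions undone, is a known-bad one."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or lowered.translate(LEET) in COMMON_PASSWORDS

def entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming each character was drawn uniformly from the classes used."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

def crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the keyspace at an assumed (hypothetical) GPU guess rate."""
    return 2 ** (entropy_bits(password) - 1) / guesses_per_second

def generate_password(length: int = 16) -> str:
    """Random password from a CSPRNG, guaranteed to contain every character class."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in pw) for c in CLASSES):
            return pw

if __name__ == "__main__":
    # "7fH@hk#98BJ!asP2&" is the sample the post gives; "P@ssw0rd" is a constructed leet variant.
    for pw in ["123456", "P@ssw0rd", "7fH@hk#98BJ!asP2&", generate_password()]:
        print(f"{pw:20} common={is_common(pw)!s:5} bits={entropy_bits(pw):6.1f} "
              f"crack~{crack_seconds(pw):.3g}s")
```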


3 – Don’t fall for phishing scams – It’s pretty common for hackers and scammers to send emails that look like they come from legitimate companies asking you to log in for one reason or another. When you click on links in emails like that, you’ll be taken to a site that looks, visually, just like the legitimate site…but as soon as you attempt to log in, your info is compromised.

How do you avoid scams like that? This is another element of how a good password manager can help. You see, with a password manager like Roboform, if you try to enter saved credentials on a site whose address doesn’t match the one they were saved for, it warns you. Crisis averted!

Of course, the best tip is to simply never click on a link in an email that takes you to a login page.


4 – Don’t use security questions (or at least don’t answer them literally) – Security questions, while a good idea in theory, are actually a terrible idea. Most security questions reference things you should easily be able to recall…but they also tend to reference things anyone with access to Google and your social profiles could find the answers to.

How do you avoid this, when so many sites force you to create these? Password managers FTW! Just pick a security question, and then make up some totally insane answer that has nothing to do with the question…What is your mother’s maiden name? GOBSMACKDIDDLYSHAT. Then, just go into your password manager, find the entry for that site, and in the notes section, write the question and the answer you selected. Nobody will ever guess it, and you can reference your password file if you ever need it.


5 – Change your passwords periodically – In general, you should change the passwords you use at least once per year, if not more frequently (quarterly is better). Granted, this is a huge pain in the ass, but you should still do it. Why? Because if someone gets a hash of your password (which is what usually happens when a site is hacked), they can work at cracking that password over a long period of time. The more time they have, the more likely they are to be able to crack it. By changing passwords frequently, even if a hash of your password is leaked, by the time it gets cracked, you will hopefully have already changed your password.


6 – Use two-factor authentication (2FA) wherever possible – Most major sites, like Facebook, Twitter, Google, Dropbox, and numerous others support this. It is a last line of defense, and usually ties to a physical device you would have with you, such as your phone. When you log in to a site with 2FA, you use your login and password as normal, and then have to enter a separate time-sensitive code from your device. Even if someone manages to get your password (say, a site is hacked), they still won’t be able to access your account unless they also have your device. Bam, take that script kiddies!
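The "time-sensitive code from your device" is, on most of those sites, a TOTP code (RFC 6238): an HMAC over the current 30-second time slot, truncated to six digits. The added example below (not code from the post or from any of the named sites) implements it in Python using only the standard library, verifies a submitted code with a one-step tolerance for clock drift and a constant-time comparison, and checks itself against the published RFC 4226/6238 test key; the enrolment secret it generates is a constructed sample.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Shared-secret test key published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time slot floor(t / step)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)

def verify_totp(key: bytes, code: str, at: int = None, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current slot or up to `window` slots either side (clock drift).
    The comparison is constant-time so a wrong guess leaks nothing through timing."""
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(hmac.compare_digest(hotp(key, c), code)
               for c in range(counter - window, counter + window + 1))

def new_enrolment_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as authenticator apps expect it at enrolment."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

if __name__ == "__main__":
    print("RFC 6238 test vector at t=59:", totp(RFC_TEST_KEY, at=59))  # 287082
    secret = base64.b32decode(new_enrolment_secret())
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
```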


I’ve tested a few different password managers, including Roboform, LastPass, and others, and Roboform is by far my favorite. It’s cheap, secure, and works across numerous devices (it even integrates into mobile Safari, so you can fill password forms easily on the go). And of course, they haven’t been compromised, like LastPass, which I DO NOT recommend.

You can read up on its many features here: Roboform Features.

Curious to see if one of your accounts has already been compromised? You can use an email address to check here (it’s a site that aggregates all leaked/hacked data): https://haveibeenpwned.com/ – If your email shows up here, you should immediately change that password, as well as change passwords on any other sites that share that password.