Article

It’s International Change Your Password Day—Do You Practice Good Password Hygiene?

calendar with note to change password laying on a keyboard
By Lyle Frink

4 minutes

Follow this six-point guide to better personal password management, whether you use a digital manager or keep them written down at home.

This article was adapted with permission from the Avira blog.  Read the original post here.

February 1 is International Change your Password Day. It’s time to look at yourself and your devices, and ask the question: Do I practice good password hygiene to keep my online life—both at home and at work—secure?

The odds are that you aren't, and as a credit union leader or employee, this could have serious implications for your organization, financial accounts and private life.

Size Isn't Everything

When it comes to passwords, size isn’t everything. In the SplashData 2018 ratings of the worst passwords, the biggest mover in the top 5 was “123456789”—up three places to third position—while “123456” and “password” clung on to their respective first and second positions.

2017 Rankings 2018 Rankings Rankings Change in 2018
1. 123456 123456 No change
2. password password No change
3. 12345678 123456789 Up 3 places
4. qwerty 12345678 Down 1
5. 12345 12345 No change
6. 123456789 111111  
7. Letmein 1234567     Up one
8. 1234567 sunshine  
9. Football qwerty Down 5
10. iloveyou iloveyou No change

"123456789” is a good example of size alone not making for a secure password. Additional factors include how easy it is to guess, the complexity of the password with its mix of letters and special characters, how many times the password has been reused across various accounts, and whether those passwords have been leaked somewhere else.

Here's our six-point guide to better personal password management—regardless of whether you use a password manager or keep those passwords written down at home.
 
1. Get creative.
It's tough enough to create a secure and memorable password that combines 12 upper- and lower-case letters, numbers, and special characters—that’s why you need to be creative. Take a memorable sentence, event, or tongue-twister—and use this as the basis of your password. Let's take the Oscar-winning film One Flew Over the Cuckoo's Nest as an example. This can become 1flwOvr*Cuku: It meets the requirements in terms of size, complex mix of characters, and—most importantly—you might even be able to remember it.
 
2. Recycle everything (except your passwords.)
Everyone knows the recycling drill: Separate waste into different containers for paper, glass, compost, food scraps, and trash. Empty bottles can be refilled, and food scraps eventually transformed back into food. However, there's absolutely no recycling bin for passwords.

In practice, though, password recycling is quite common. In an online poll from Avira, conducted last year in Germany with 718 respondents ranged age 20-65, 26 percent of respondents admitted to recycling passwords between various sites. While people know on an intellectual level that giving hackers a “one-password opens all” solution is bad, it's still the easiest approach to dealing with password selection. 
 
3. Don’t be a serial passworder.
Growing up with thrillers and mysteries, we're familiar with the pattern: The criminal repeats their modus operandum, uses the same weapon, and stalks the new victim in the same way. Police put the clues together, add a bit of deductive logic, and voila—they have the suspect.

With passwords, people often do the same. They have a base password, then they modify it slightly for additional accounts or mandatory password changes. This can be as simple as “1password,” “2password,” “3password” or more complex, such as “2flwOvr*Cuku.” A quarter of Avira users surveyed admitted to using the same root password—but tweaking it slightly as needed. The problem is that hackers also know this method of password generation. Don’t do it. 
 
4. Change passwords like your socks.
Passwords are just like socks: They should be changed on a regular basis—and more frequently after getting mud on them. Even secure passwords should be changed. It’s not about you—the reality is that it’s impossible for you to know how other people are handling and safeguarding your data. Then there's the mud: If you've entered your details into a suspected phishing site or if your account provider has been hacked, you'll need to change your account details ASAP. 
 
5. Take the best approach that suits your needs.
It’s important to take the best approach that suits your needs when it comes to creating and remembering passwords. If you have just one or two passwords and you do all your online shopping exclusively on your desktop computer, you can create secure passwords and remember them using a yellow sticky note or notebook management system—as long as you aren’t worried about your friends and family having access to your account information. (Hint: Don’t use the sticky note system at work!) If you're on the go and use a variety of devices and accounts for your online activities, it’s time to look into a password manager solution, like the Avira Password Manager, that can create, critique, and sync passwords between devices. 
 
6. Improve your status.
Most of us have already been online and accumulated a variety of insecure passwords and accounts before we've even thought about getting a password manager. As there is no clean slate, a good password manager helps you improve your cumulative security status—uncovering repeated passwords, looking for hacked accounts, and helping you to create passwords.cues icon

Lyle Frink is an editor at Avira, a multinational software company based in Tettnang, Germany, that offers security and antivirus solutions. As a PR consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries.

Compass Subscription