11 Best Practices for Password Security

We all know the password mantra: Make it long, strong and unique. Also, include upper-case letters, lower-case letters, numbers and special characters. And don’t forget to use different passwords everywhere — at least eight characters, but preferably more. Plus, remember to change them frequently. Phew! And as if all that weren’t enough, here’s another: Never write them down. 

Therein lies the rub. We log into hundreds of different websites these days. How is anyone supposed to remember that many strong passwords? The truth is, we can’t. 

So, what do we all do? We cheat! We use passwords like “NetflixSpring2022!” or “AmazonSummer2022!” all over the place. Sure, those follow all the guidelines. But, if I’m a hacker and I see your password, then changing it isn’t going to throw me off for very long. And I can probably guess your bank password, too. 

The problem is simple enough: What makes for a good password also makes for a hard-to-remember password. It’s a well-known “law” in the computing world that there is a tradeoff between security and convenience. Strong passwords definitely fall into this category. 

There is a solution to this problem that feels almost magical: password managers. They are one of the rare things in the IT world that increase both security and convenience. So, let’s dig into them. 

What Is a Password Manager? 

A good password manager is an encrypted database of all your usernames and passwords. It will integrate with your web browser so that it can fill in your passwords automatically (or make them easy to copy and paste). 

Allow me to sharpen this point a bit by means of repetition: These password managers are encrypted! That means you can write down your passwords and they will remain safe. That also means you don’t need to make them memorable anymore. That, in turn, means you can use T5Q4t$ZGSrtue*uCF*f! as your password, and you’ll never have to worry about mistyping it, forgetting it or having someone guess it. And you can use a different password on every website with ease! 

Best Practices for Password Managers 

Once your password manager is set up, you should only have to remember two passwords for the rest of your life: The first is your computer password; the second is the one that unlocks your password manager. 

What follows are 11 best practices to make sure you are set up right. But keep this foremost in your mind: Protect the keys to the kingdom! Since all your passwords are in one place, you’ll want to get extra protection here. Thus, the first set of best practices pertains to the password manager itself. 

#1 Use a real password manager, not your browser’s password tool. All modern web browsers will offer to save your passwords for you, usually by default. Be wary of this. Some of them are not well encrypted, and most of them don’t offer the features that dedicated password managers do. They also tend to be easy to get into from any other browser you’re signed into. 

#2 Disable/clear your web-browser password tool. If you are going to use a third-party password manager, then disable the password tool in your browser. Otherwise, you may get confused about where the password is being saved. While you’re at it, after you’ve migrated all your passwords into the manager, delete them from the browser tool entirely. 

#3 Use a great password manager password (PMP). This is sometimes called the “master password” or the “account password.” It’s the password that unlocks the password manager. Make this one good — really good. Whoever has this password has all your passwords. I suggest using a passphrase — not just a password — and including punctuation. Something like “TaylorSwiftIsAGoddess!!<3” is long, complex and memorable. Change it once a year. 

#4 Use two-factor authentication (2FA)/multi-factor authentication (MFA). Add 2FA or MFA to unlock the password manager. It’s a small bit of inconvenience you’ll have to put up with once a day, but it will increase the security of your accounts tremendously. 

#5 Don’t store the PMP or your computer password. This may sound strange, but some people want to store their PMP inside their password manager. Don’t do this. Don’t store your computer password there, either. If someone walks by your computer and sees it unlocked, they will get all your passwords by checking to see if the PMP is there. 

#6 Encrypt and lock your phone. Phones are easily lost. If you want to install your password manager’s mobile app, then protect it! Enable encryption on the phone and set up biometrics to unlock it. Face ID and fingerprints work well here. The last thing you want to do every day is type “TaylorSwiftIsAGoddess!!<3” on a tiny keypad and hope you don’t fat-finger it. Biometrics make it easy to access your passwords securely. 

Your Day-to-Day Passwords 

Now that we have the password manager set up right, we can move on to your day-to-day website passwords. 

#7 Change all your passwords. This is tedious, but it’s important. Now that you have a password manager, go through all the websites that you log into and change their passwords. You don’t need to do it all at once. However, each time the password manager doesn’t have the credentials to a site, you’ll know it’s time to update that site with a better password. 

#8 Use the password generator. Most password managers can automatically generate long, strong, unique passwords. Use that tool. Let it generate a complex, randomized, 16-character password. Then, you can simply copy and paste it into the password field on the website. 
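To show what a generator like the one in #8 actually does, here is an added example (not code from any password manager or from this article) that builds a 16-character password from the OS random source and guarantees all four character classes from the mantra above; the special-character set and the `meets_policy` checker are assumptions of this example.

```python
import secrets
import string

# The four character classes the article's mantra asks for.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"   # assumed set; managers differ
ALL = UPPER + LOWER + DIGITS + SPECIAL


def generate_password(length: int = 16) -> str:
    """Return a random password of `length` characters with at least one
    upper, one lower, one digit and one special. Uses `secrets`, which
    draws from the OS CSPRNG; never use the `random` module for this."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    # One guaranteed character per class, then fill from the full alphabet.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALL) for _ in range(length - 4)]
    # Shuffle with the CSPRNG so the guaranteed characters are not
    # always in positions 0-3, which would leak structure to a guesser.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(pw: str, min_length: int = 16) -> bool:
    """Check the article's rule set: minimum length plus all four classes."""
    return (len(pw) >= min_length
            and any(c in UPPER for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SPECIAL for c in pw))


if __name__ == "__main__":
    print(generate_password())
```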

#9 Don’t reuse passwords. You don’t need to reuse them anymore. You’re not relying on your memory, so there’s no reason to use the same password in multiple places. 

#10 Watch for password hacks. Many password managers will alert you when you’re visiting a site that is known to have been breached. In that case, change your password immediately. It’s also a good idea to check https://haveibeenpwned.com occasionally to ensure your passwords aren’t being sold on the dark web. 
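The breach lookup in #10 does not need to send your password anywhere. Have I Been Pwned's Pwned Passwords range API (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) uses k-anonymity: only a 5-character hash prefix leaves your machine, and the remaining 35 characters are matched locally. The example below is added here and is not the article's or the service's own code; the breach counts and the `_sample_range` stand-in for the HTTP call are constructed so it runs offline.

```python
import hashlib
from typing import Callable

# Constructed sample, not real breach data: passwords we pretend were
# found in breaches, and how many times each appeared.
SAMPLE_BREACHED = {"password123": 3, "NetflixSpring2022!": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API's response uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _sample_range(prefix: str) -> str:
    """Stand-in for GET .../range/<prefix>: 'SUFFIX:COUNT' lines for every
    constructed entry whose hash starts with `prefix`. Swap in a real HTTP
    request against the URL in the lead-in to query the live service."""
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    # A decoy entry (35 hex chars) so every prefix gets a non-empty body,
    # as the real service returns hundreds of suffixes per prefix.
    lines.append("0" * 34 + "A:7")
    return "\r\n".join(lines)


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = _sample_range) -> int:
    """k-anonymity check. Sends only the 5-char prefix, compares the
    35-char suffix locally. Returns the breach count, 0 if not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip() or 0)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "T5Q4t$ZGSrtue*uCF*f!"):
        print(pw, "->", pwned_count(pw))
```

A non-zero count means the password is in the breach corpus and should be changed; a zero result only means it was not seen there, not that it is strong.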

#11 Still use 2FA/MFA. Even though you have great passwords everywhere now, hackers can still steal them or trick you into giving them up. Set up 2FA/MFA everywhere that supports it. It’s one of the best things you can do to protect your account security. 

Setup Time and Practice 

Like most things in the computer world, this might take a bit of setup time and practice to get right. However, once everything has been configured and updated, password managers can make logging into websites faster and more secure than ever. And you know that nagging voice in your head that always says, “You know you should have a better password, right?” Well, you’ll never have to listen to that voice again. Have one strong password for your computer, one strong password for your password manager and leave that voice to pester your friends — the ones who are still looking up their passwords in spreadsheets and on Post-It notes. 

About the Author

Tim Singleton is president of Strive Technology Consulting (StriveIT.com), a member of The ASCII Group since 2019.