One area of online security that is often overlooked or misunderstood is password usage.
Passwords are a huge point of attack for online hackers, because so much information can
be acquired once they have one or more of your passwords.
Password Best Practices
Here are some best practices for creating and maintaining secure but usable online
• Make sure your password is at least 10 characters long, and includes numbers,
special characters (#, %, *, !, &, etc.), and both upper-case and lower-case letters
(also known as a ‘strong password’). This variety of characters makes it harder
for hackers to decipher your password;
• Better still, make your password longer and use just uppercase and lowercase
letters (also known as ‘passphrases’). Removing numbers and special characters
might seem like the password is less secure, but some experts in the field of
digital security (e.g. the National Institute of Science and Technology) have stated
that a passphrase made up of 25 letters is stronger than a 10-character password
that mixes letters, numbers, and special characters. In addition,
these longer ‘text-only’ passwords can be easier for you to remember, because
you can string several words together into a ‘passphrase’. For example:
“MyCatLikesToEatMySlippers”. Just remember to make your passphrase unique
and difficult for someone else to guess, just as you would your passwords;
• Don’t use obvious words for any of your passwords like ‘password’, ‘qwerty’, or
• Don’t use an easily-guessable word like a pet’s name, the website or company’s
name, your street name, etc. for your password;
• Change your password frequently. At least once every six months is
recommended, but once every three months is preferable;
• Use a different password for every single website and online service. While it
can be a hassle to remember them all, it means that if one of your accounts is
breached, there is far less risk of the hackers getting into any of your accounts
with other companies or organizations;
• Use an online password manager (for example Bitwarden or LastPass) to save
your web-based passwords in a central place on your computer or device. Or if
you prefer to go ‘old school’, use a physical password book to write down all your
online passwords, and then keep that book near your home computer, but still in
a discreet and less noticeable location;
• Make sure every device that can access the Internet is password-protected with
a secure and difficult-to-guess password – including your router device.
Techie Term:
A passphrase is an alternative to a password, and is gradually becoming popular with
some online services. Passphrases are longer than passwords but often contain no numbers
or special characters.
Lost Password Retrieval
If a company sends you your password in an email that’s a big red flag! If you lose your
password and follow a ‘forgot password’ link on the company’s website, they should send
you an email with a long complicated link in it. Clicking on this link will prompt you to select a
new password. This is a much more secure approach to password retrieval, because:
• It implies the company are storing your password in a very secure way – ideally
in a way where they cannot even tell you what your password is and require you
to select a new one;
• It also implies that the company take online security, and your information with
them, very seriously.
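The reset flow described above, as an added example (this code is not part of the original guide and is written in Python for illustration): the service keeps only a salted one-way hash of each password, so it could not e-mail it to you even if it wanted to, and a ‘forgot password’ request produces a random, short-lived, single-use link. The function names, the 15-minute lifetime and the example.com address are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores for illustration only; a real service would use a database.
USERS = {}          # username -> {"pw_hash": bytes, "salt": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}
TOKEN_TTL_SECONDS = 15 * 60   # reset links stop working after 15 minutes (assumed policy)
RESET_URL = "https://example.com/reset?token="   # placeholder host, not a real service


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow, one-way: the service can check a password but never read it back,
    # which is exactly why it cannot e-mail it to you.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"pw_hash": _hash_password(password, salt), "salt": salt}


def check_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Build the 'long complicated link' that would be e-mailed to the user."""
    if username not in USERS:
        return None   # a real site should answer identically either way to avoid account enumeration
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
    # Store only a hash of the token so a leaked table does not hand out working links.
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return RESET_URL + token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the link once; reject unknown, expired or already-used tokens."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"]:
        return False
    register(rec["user"], new_password)   # new hash with a fresh salt
    return True
```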
On a side note, if you receive an unsolicited and unexpected email from a company you
use prompting you to click on a link to change your password, this might be a sign that
someone is trying to gain unauthorized access to your account with that company. Or it
might be a phishing attempt (as we discussed earlier). Either way, it might be a good
idea at this point to update your password with that company.
Section Review
Action Items:
• Use a unique and difficult-to-guess password or passphrase for each website that you
log into;
• Change your passwords regularly;
• Don’t trust websites that email you your forgotten password as plain text.