According to a study by NordPass, the average user with an online presence has about 80-100 passwords. This explains to some degree why individuals tend to use easy passwords. Just take a moment to think about how many passwords you have. What’s the current state of your password hygiene? Do you use the same password to log into more than one account? Do you share passwords?
When I think about password hygiene, three things come to mind, password complexity, password recycling, and password exposure. The National Institute of Science and Technology (NIST) has said that particular attention should be given to password length over complexity since people tend to choose passwords that meet complexity requirements but are easy to guess. For example, ‘ P@ssw0rd123‘ seems secure but has predictable attributes that make it much easier to crack.
For some perspective, look at the chart below which depicts the time cost imposed on an attacker as password length and complexity change
Avoid using words with predictable substitutions and opt for phrases or generated passwords with 12 or more characters.
Research from companies like Google, Dashlane, and SecureAuth has found that roughly 50% of passwords are reused. This is assumedly done out of convenience, but the impact when a recycled password is exposed can be significant. Attackers are well aware of these human tendencies and will use compromised credentials from one account and attempt to gain unauthorized access to other websites. One notable case of password reuse was by Mark Zuckerberg, who had the same simple password for his LinkedIn, Twitter, and Pinterest accounts. This isn’t intended to be an inditement against the FaceBook CEO, but only to demonstrate that it’s an issue that afflicts us all.
Every account you create should have a unique password, even if it’s an account you never plan to use again. Do not get into the practice of reusing passwords.
There are databases on the internet and the dark web that contain several million stolen credentials. The passwords you use now or have used in the past could be on any of these lists. Several free services offer to check if your password exists on one of the lists. You should be careful before putting any credentials into any of these services without due diligence. I can offer a reputable service hosted by Troy Hunt called Pwned Passwords which is a good start for the uninitiated that also offers offline and API access.
Most of us have had to change at least one of our passwords at some predetermined interval. This was partly due to a long-standing best practice that required password expiration. There are still plenty of sites that use password expiry. However, NIST no longer recommends scheduled password changes and favors emphasizing users having reasonably complex and unique passwords across their individual accounts. You should be auditing your passwords regularly to identify exposure expecially in the case of long lived passwords with no compulsory password updates.
So given that the average user has upwards of 100 passwords that should be unique, reasonably long, and complex how can someone manage all these requirements at scale? The answer is to use a reputable password manager!
There are various opinions on the use password of managers. The highlights of the concerns are usually centered around the security of the master password and the storage of the password database. If you are diligent about using a demonstrably strong password phrase with two-factor authentication, then the risk associated with the master password being compromised can be mitigated. I generally don’t recommend the use of browser password managers. The three that I typically suggest are Bitwarden, Dashlane, and KeePass. All three of these allow you to automate checking if any of your passwords have been breached among many other features. You should definitely do your own research and use case analysis. Lastly, Forbes has an article on the best password managers of 2023 that provides more detail so you can identify one that fits your particular use case. Thanks for reading.