Best Practices for Passwords

Best Practices for Work and Personal Online Security

Everyone Should Use a Password Manager

As the number of people and businesses using online services increases, so do the opportunities for cyber criminals. Stay ahead of them by following these best practices for passwords.


Edited December 30, 2024

A password manager and two-factor authentication are essential for keeping your online data safe.

Using weak passwords like "password", your pet's name, or your birthday is risky. Reusing passwords on multiple sites is even more dangerous. If one account gets hacked, all your accounts are in jeopardy, regardless of their password strength. On top of that, creating and remembering unique, strong passwords for numerous sites can be challenging.

This is why you should start using a password manager. Along with two-factor authentication, it's the best way to stay safe online.

What Not to Do

First, let’s talk about what you should never be doing.

  • Use a simple, obvious password.

    • 123456, password, qwerty, 111111, etc.

  • Reuse a base password with a new number appended; the sequence is predictable.

    • GeauxTigers1, GeauxTigers2, GeauxTigers3, etc.

  • Use the same password for more than one account.

  • Write your password on a sticky note and place it on your computer’s monitor.

  • Share your password with your friends and colleagues.

  • Include personal details such as a birthday, telephone number, or pet’s name in your password. Anything that is publicly visible on a social networking profile is the first thing an attacker will try.

  • Open every attachment and click every link without checking where it leads.

  • Discuss sensitive matters with anyone, anywhere, at any time.

  • Leave your computer’s screen unlocked when you step away.

What to Do

Use a Password Manager

Password managers work by having you remember just one very strong password that's used to access all your accounts' unique passwords.

They make you less vulnerable by generating strong, random passwords every time. Think of them as a sticky note for all your passwords — except it is not left on your desk, visible to everyone, and the passwords are made to be very secure.

1Password combines great features, compatibility, security, and ease of use. While a good password manager doesn't have to cost anything, if you can, 1Password is worth the $36 per year.

If you want a free option, Bitwarden is all you need and costs nothing.

For those entrenched in Apple’s ecosystem of iPhones, iPads, and Macs, their free password manager — aptly called Passwords — is an excellent option. If you find yourself logging into an account on a non-Apple device, it’s easy enough to search for your credentials in the Passwords app or by using Apple’s web browser extension.

Speaking of web browsers, some, like Google Chrome, offer to save passwords for you, which is tolerable but lacks interoperability. If you want to have your passwords with you regardless of the web browser or operating system you’re using, a dedicated password manager will fill that gap.

“To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.” — XKCD

If you must create your own password, try these tips:

  • Use 1Password’s free password generator.

  • Use at least 12 characters.

  • Use a description, short phrase, or nonsensical words mixed with numbers and characters. For example:
    FiddleTouristCheerfulFootpath8578$&
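The tips above and the "What Not to Do" list can be turned into a small tool. The following is an added example written for this page, not a tool from the article or from any of the password managers it names; the 32-entry word list is constructed for the demo (a real generator would draw from a large published list such as the EFF long wordlist), and the helper names are this example's own. It builds a passphrase in the same style as FiddleTouristCheerfulFootpath8578$&, estimates how many bits of guessing entropy the construction gives, and flags the patterns the list above warns against.

```python
import math
import secrets
import string

# Constructed sample word list for this example only. A real generator draws from a
# large published list (for instance the 7,776-word EFF long list), not from 32 words.
WORDS = [
    "fiddle", "tourist", "cheerful", "footpath", "lantern", "orchard", "velvet", "quarry",
    "marble", "thistle", "harbor", "saddle", "pepper", "canyon", "glacier", "meadow",
    "copper", "anchor", "bramble", "tundra", "walnut", "falcon", "ember", "ripple",
    "summit", "cobalt", "drizzle", "hollow", "juniper", "kettle", "lagoon", "mosaic",
]
SYMBOLS = "!@#$%&*"
# A few of the passwords from the "What Not to Do" list; real checkers use breach corpora.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "12345678", "letmein"}


def generate_passphrase(words=WORDS, n_words=4, n_digits=4, n_symbols=2, rng=secrets):
    """Capitalised random words followed by random digits and symbols.
    `rng` only needs a choice() method; the secrets module (CSPRNG) is the default."""
    parts = [rng.choice(words).capitalize() for _ in range(n_words)]
    digits = "".join(rng.choice(string.digits) for _ in range(n_digits))
    symbols = "".join(rng.choice(SYMBOLS) for _ in range(n_symbols))
    return "".join(parts) + digits + symbols


def entropy_bits(n_words, wordlist_size, n_digits=0, n_symbols=0,
                 n_symbol_choices=len(SYMBOLS)):
    """Guessing entropy of a passphrase built by generate_passphrase. Only the
    independent random choices count; fixed capitalisation adds nothing."""
    return (n_words * math.log2(wordlist_size)
            + n_digits * math.log2(10)
            + n_symbols * math.log2(n_symbol_choices))


def weak_password_reasons(password):
    """Return the rules from the list above that a candidate password breaks."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    # A word with a short counter appended (GeauxTigers1, GeauxTigers2, ...) is predictable.
    stem = password.rstrip(string.digits)
    if stem.isalpha() and 0 < len(password) - len(stem) <= 3:
        reasons.append("a word with a short number appended")
    return reasons


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "->", weak_password_reasons(phrase) or "no obvious weaknesses")
    print("bits from 4 words of a 7,776-word list:", round(entropy_bits(4, 7776), 1))
    print("bits from 4 words of this 32-word list:", round(entropy_bits(4, len(WORDS)), 1))
```

The entropy figures show why the word list matters more than the capital letters: four words from a 7,776-word list give about 51.7 bits, while four words from the toy list above give only 20, which is why the demo list is for illustration and not for real use.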

 

Use Multi-Factor Authentication

When available, use multi-factor authentication. MFA adds another layer of security: after you enter your password, the site asks for a second proof of identity, typically a six-digit one-time passcode that is valid only briefly, so a stolen password alone is not enough to log in.

According to Nick Asbury writing for Sideways Dictionary:

It’s like Cinderella’s slipper. She can give her name and confirm where she was before midnight, but it’s only when the slipper fits that Prince Charming knows she’s for real. The Prince was an early adopter of MFA.

Not every website, app, or service offers MFA, but if they do it can usually be found in their settings → password/security section. To see if a certain website supports this, 2FA Directory is a good resource.

There are various forms of MFA. While they all technically refer to different implementations, the underlying idea is the same and, therefore, their names are sometimes used interchangeably:

  • Multi-factor authentication or MFA

  • 2-step verification or 2SV or TSV

  • Two-factor authentication or 2FA or TFA

  • One-time passcode or OTP

Delivery of MFA Codes

Websites, apps, and services may offer different methods of generating MFA codes. Other times, they will only offer one. Any method is better than none. That said, some are better than others if you are given a choice.

Good = text

Only choose this method if there is no other option.

While better than nothing, MFA codes sent via SMS can be intercepted: an attacker who talks your carrier into moving your number to a SIM they control (a SIM swap) receives your codes, and carriers have a poor record of resisting that kind of social engineering. Codes can also be read by anyone who can see the phone's notifications.

Better = email

An emailed code cannot be captured by a SIM swap, so there are fewer opportunities for a man-in-the-middle attack with this option. It is only as strong as the email account itself, though: give that account a unique password and its own MFA, since it can usually reset every other account you own.

Best = password manager or authenticator app

This is the gold standard and should be used when available.

Conveniently, password managers like 1Password, Bitwarden, and Apple’s Passwords can store MFA codes alongside your passwords. Alternatively, dedicated authenticator apps such as Google Authenticator manage only MFA codes. Any of them is a great choice. One caveat: keeping the code generator in the same vault as the password is convenient, but a compromised vault then gives up both factors, so if that worries you, keep the authenticator separate.
