Toronto Metropolitan University's Independent Student Newspaper Since 1967

A person types at a computer thinking "Password123. That'll stump those greasy hackers!"
All Business & Technology

Igabyte: Your password sucks, but you don’t have to

By Igor Magun

We need to talk about passwords, because there’s a good chance you’re still doing them wrong.

Many people have, at best, a select few passwords protecting all their online accounts. Odds are, they’re not very strong and one may have been compromised in a password breach.

The site Have I been pwned?, which allows you to check if any of your account details are known to be compromised, currently has over two billion accounts on record. This includes hundreds of millions of accounts from popular sites like LinkedIn, Tumblr and Dropbox.

If you reuse your passwords, one breach can leave your other accounts vulnerable. Many websites still use poor password practices, so these breaches aren’t going to stop anytime soon.

Generally speaking, a good password manager is the best way to solve this. Managers like 1Password, Dashlane and LastPass all generate strong passwords and store them in an encrypted format. So long as you have a strong master password, you’ll never have to remember anything else–the software can generate and store strong, unique passwords for all your accounts.

There are alternatives to password managers that are still better than reusing passwords, but they can be problematic.

Article continued below.

A man dresses like Gandalf the wizard. He has a grey beard, hat and robes. He is holding a big stick.

“YOU SHALL NOT password unsafely!” Photo courtesy Pixabay.

You could, for example, use a passphrase and have a different variation of it for each website you use. But since you’re reusing the base passphrase, this still comes with risk. There’s a good chance a hacker could guess how the password changes from site to site. In fact, a group of computer scientists developed an algorithm in 2014 that, given one version of such a password, could guess other versions 30 per cent of the time within 100 guesses.

There’s also the low-tech option of keeping a notebook of passwords at home. But this is just a less-convenient password manager that leaves you in charge of creating and storing the passwords, so I can’t recommend this for most people. The passwords you create would likely not be as strong as those generated by a password manager, and there is the risk that someone could steal the notebook.

In short, it’d be best if you used a password manager with a strong master password, like one created using Diceware. Diceware uses the randomness of dice to assign a number, with which you select words from a word list to make a password. A length of six or seven words should be sufficient for the next several years, though advances in computing power will eventually make longer passwords necessary.

Generating new passwords for several websites can be time-consuming, but you can start small. Begin with your most important accounts, like email and banking, then work your way through the rest of your accounts when you have more time. Both LastPass and Dashlane have free offerings too, so you won’t have to spend any money.

But whatever you end up doing, please just stop reusing your passwords.

Leave a Reply