What It Really Takes to Make Your Existing Passwords More Secure (3/31/2021)

Practical Computer Advice

from Martin Kadansky

Volume 15 Issue 3

March 2021

What It Really Takes to Make Your Existing Passwords More Secure

The problem

We’ve all seen that advice on choosing “strong” passwords:

Choose long passwords.
Each password should combine uppercase letters, lowercase letters, digits, and punctuation.
Choose a different password for every account. Don’t re-use the same password, nor any variation of it.
Don’t use personal information about you, e.g., your name, birthdate, home address, etc.
Maintain a password list, and store it in a secure place.

That sounds exhausting, right? You’ve probably already got dozens of existing passwords. Who has the time to do all of that? Why bother? Why would anyone target you?

Unfortunately, the reality is that online security matters now more than ever. Many hackers use computers to try to mechanically break into thousands of accounts, so it is unwise to assume that no one would ever go after you. You are a potential target along with everyone else. It’s rarely ever personal.

The most common goals of a hacker are to steal your money or to steal your information and sell it to other criminals. Any account they can break into could take them one step closer to doing that, no matter how inconsequential it might seem to you.

I recommend implementing this advice in a straightforward, methodical way, one step at a time.

For your existing passwords:

Have (or start) a password chart, and commit to keeping it up-to-date.
Pick an account whose password you want to improve.
Come up with a new, strong, unique password for that account.
Sign in to that account with your existing password.
Change the password.
Add that new password to your password chart.
Update any other related places.

Then, when you have to create a new account (or choose a new password for an existing account), you’ll already have a good approach to picking a strong, unique password for it and a good place to store its information (your password chart).

See below for my advice on doing each of these steps in a reasonable way, which should make improving your passwords easier to accomplish.

Step 1: Have (or start) a password chart, and commit to keeping it up-to-date

This is the backbone of any effort to get serious about your passwords. Here are the basics.

First, you’ll need to decide which approach you’re most comfortable with:

A password chart that you’ll type in and maintain on your computer (possibly also coordinated with a mobile device), which might be an encrypted password manager software program or something similar,
Or a paper password chart that you’ll maintain by hand.

A good password chart:

Should enable you to keep all of your entries in order alphabetically, making it easier to find things later, so it should be easy to insert new entries right into their appropriate place. For a paper password chart, a loose-leaf notebook or a collection of index cards will be a far better choice than a spiral or bound notebook.
Should enable you to make changes easily. For a paper chart, writing everything in pencil is probably better than using a pen.
Should be reasonably easy to back up. For a paper chart, you could photocopy or scan it periodically.
Should be stored in a secure place. A computer-based chart should be encrypted, and a paper one should be kept under lock and key.

Next, I recommend that you:

Gather together any password notes you may have accumulated, including loose pieces of paper, notebooks, emails, etc.,
And then enter all of them into your password chart.
Then, when you’re ready, shred your original notes to avoid any confusion that might be caused by having similar (but different) information in more than one place.

See “Where to go from here” below for links to more information about doing this well, especially storing your passwords securely with good encryption, which means:

Never keeping them online or “in the cloud,”
Never storing them in the Notes app on your mobile device,
Never keeping them in an unencrypted Word or Excel file on your computer,
And never sending any passwords via regular (unencrypted) email or text.

Step 2: Pick an account whose password you want to improve

This is where the process of improving your security begins.

Pick an account to start with. If you can’t decide, I suggest:

Start with your email account, then your financial accounts (online banking, credit cards, retirement, etc.), then any accounts that you use at least once a month, then the rest.
Or, start with an account that you use every day.
Or, start with the first account in your list.
Or, start with any account.

Making any progress is more important than being so worried about doing this perfectly that you never get started.

When I help clients work through this process, they often ask me why they should bother updating the password for online accounts that they consider to be unimportant. I point out that:

You might have some accounts from which you order goods to be delivered or on-site services, like a water-cooler service or paper delivery of a newspaper or a consumer product company like Amazon or a streaming service like Netflix. If a hacker broke into those, they might notice that you never take deliveries on Fridays or that you’ve suspended services for the month of April. That might imply that you’re away (or not paying as much attention) during those times, which might prompt a hacker to be more aggressive about breaking into your other accounts, or even (if they’re in your area) to break into your home or office.
If a hacker broke into an account that you haven’t used recently, and that account indicated it had been a while since you signed in, that might also prompt the hacker to be more aggressive.
Any account that a hacker can break into may enable them to collect more pieces of information about you, e.g., your home address from this account, the last 4 digits of your SSN from that one, your email address or home phone number or cell or date of birth or password habits from another, all of which contribute to their ability to commit identity theft.

This is why I tell my clients that, for these purposes, every online account matters.

Step 3: Come up with a new, strong, unique password for that account

Next you’ll pick a new, proposed password for that account. (You won’t know whether it will be accepted until later in the process.) It should be:

Long: Use at least 8 characters, 9 or more is even better.
Unique: You’ve never, ever used it before.
Distinct: It doesn’t even resemble any password you’ve used before, e.g., don’t use Sparky4!7 if you’ve used other “sparky”-related passwords before.
Strong: Include at least one uppercase letter (A-Z), one lowercase letter (a-z), a digit (0-9), and at least one punctuation character (!@#$%^&* etc.).
Unambiguous: Either avoid using similar-looking characters (5 vs. S, the letter O vs. the digit zero, etc.) or carefully note the differences, e.g., “5mileyFace! -- starts with a five, not an S.”

Consider using the following techniques:

Two or more unrelated words using mixed case and “glued together” with numbers and punctuation e.g., bluebird47LASAGNE! or mary#83PUPPY3*9acidic
The first letters of the words in a phrase or song lyric, e.g., Turn “Don’t it make my brown eyes blue?” into “Dimmbeb?” or “We the people, in order to form a more perfect union” into “Wtp,io2fampu”
Use a password generator to suggest random passwords for you to use, e.g., f4*(A7+b. If you use a password manager on your computer, it might be an existing built-in function, and you can also find them on any number of websites.
Close your eyes and hit random keys on the keyboard.
Variety is important, so you could use one technique for the password you’re changing now and then another for the next.

Step 4: Sign in to that account with your existing password

Sign into the account that you chose to work on.

If that works, you’ve confirmed that you have the correct username and current password.

If that doesn’t work, you’ll need to reset your password, typically by clicking “Forgot my password.”

Step 5: Change the password

After signing in to your account, find the place where you can change your password. Every website and app is different, so look around for “My Account,” “Settings,” “Profile,” or your initials, or an icon at the top right of the screen.

If you can’t find it:

Mobile apps often don’t include all account-related features, so you’ll probably have to use your computer to sign in to that company’s website instead.
google: XYZ change password [where XYZ is the name of the company]

Once you’ve found the right place:

You may have to enter your current password again to authorize this change.
Type the new password into the appropriate place. You’ll probably have to type it twice.
If it’s a complicated password to type, consider using Copy and Paste to make it easier, although some websites may prevent you from doing that.
If there’s a “Show password” button (or an “eye” icon), click it so you can see what you’re typing.
Click the appropriate button to finish, e.g., “Save,” “Change password,” “Submit,” etc.

If the new password you’ve entered doesn’t meet their requirements, adjust it and try again. The most common issues are:

They don’t permit some of the punctuation characters you’ve chosen.
Your password is too short.
Your password doesn’t contain the variety of characters they require.

While you’re there, consider also turning on 2-factor (or multi-factor) authentication for additional security. Some companies now require it and don’t give you the option to turn it off.

Step 6: Add that new password to your password chart

Once you’ve successfully changed your password:

Immediately add it to (or update it in) your password chart.
Be accurate, especially regarding uppercase and lowercase.
If you had to adjust your new password, be sure to add the password that was actually accepted.
If it wasn’t easy to find, note where you found the place to change your password, e.g., “On XYZ.com, click the ‘gear’ icon at the top right, then Settings, then Security, then Change Password.”
Also note today’s date so you’ll have a record of when you did this, which can be helpful later, for example if you wanted to know which passwords you had not changed in more than 3-5 years.
Keep a record of your previous password as well, just in case something goes wrong.
Note any ambiguities, especially when using 5 vs. S, the letter O vs. zero, capital I vs. lowercase L vs. the digit 1 vs. the vertical bar (|), etc.
For example, “amazon.com 3/31/2021: Changed password from abc123 to lg98W4!54 [1st character is a lowercase L]”
Keeping an accurate record of your passwords in one place will save you time in the future, not only when you need to look one up, but also by avoiding having to do a reset because you’re not sure what it is.

Step 7: Update any other related places

Depending on the account whose password you’ve just changed, you might also need to update other places where that same password may also be stored. For example:

Your email password might also be stored in your email software on your computer (Outlook, Thunderbird, Apple Mail, etc.), on your mobile devices (iPhone, iPad, Android, etc.), and also in your backup software if it sends you email notifications.
Any password might be stored in your web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, etc.).

Pick another account and keep going!

If you’ve made it this far, good job! Keep your momentum rolling by going back to Step 2 above, picking another account with a password that you’d like to update, and then going through the process again. The more you practice this method, the easier it will become, and the more you’ll accomplish!

Other related issues

Here’s my advice on a few related issues:

Your computer username and password (the one you use to sign into your computer when you power it on): You should add these to your password chart, but only change them to be more secure if they would be easy for someone else to guess.
Your mobile device passcodes (iPhone, iPad, Android): Same advice.
Your Wifi network name and password: Same advice.
Should you change your passwords periodically? Apart from the reasons above (making each of your passwords unique, strong, etc.), you should only change a password when there’s a good reason, e.g., when a specific account might have been compromised. People who are forced to change their passwords frequently often choose less-secure passwords, e.g., if they were using “sparky42,” then they’re more likely to choose “sparky43,” etc.
The fact that you have a password chart (and where to find it) should be listed in any “important information” document that you might draw up for anyone who might need to manage your affairs in case you become disabled or die, as well as to remind you if you might not remember the details.
Should you store passwords in your web browser? This is a bit complicated, See “Where to go from here,” below.

Summary

Here’s my overall advice:

Stop using the same (or very similar) passwords for everything.
This can be a somewhat messy and time-consuming process, but it’s actually a lot simpler to do than the detailed information above makes it appear.
Take it one account and password at a time.
Don’t expect to finish this in a day, or even a week.
Commit to keeping an accurate record of every password.
Consider asking someone you know and trust to help you. This sort of help can be provided remotely.
This is worth your time and trouble.
No account is insignificant.
You can do this.

Where to go from here

google: change password
google: 2021 password advice
google: password generator
google: why do hackers break into accounts
http://www.kadansky.com/files/newsletters/2019/2019_12_31.html - “Passwords: Give Them to Your Executor & Power of Attorney In Case You Die or Become Disabled”
http://www.kadansky.com/files/newsletters/2019/2019_11_30.html - “Organizing Your Passwords on Paper: A Simple Approach”
http://www.kadansky.com/files/newsletters/2019/2019_09_30.html - “Convenience vs. Security: Should You Use Your Web Browser to Remember Your Passwords and Credit Card Numbers?”
http://www.kadansky.com/files/newsletters/2017/2017_11_29.html - “Did You Change Your Email Password? Here Are 8 Other Places You May Need To Update Next”
http://www.kadansky.com/files/newsletters/2016/2016_11_30.html - “The Best and Worst Places to Store Your Passwords - Are Yours Secure?”
http://www.kadansky.com/files/newsletters/2015/2015_07_29.html - “Hackers Can Break Into Your Online Accounts *Without* Guessing Your Password! Use This Simple Tip to Protect Your Email and Other Accounts”
http://www.kadansky.com/files/newsletters/2013/2013_02_28.html - “Does typing a password you cannot see drive you crazy? Me too!”
http://www.kadansky.com/files/newsletters/2007_11_28.html - “Using the same password for everything is ok, right?”
http://www.kadansky.com/files/newsletters/2007_10_19.html - “Passwords, passwords, passwords! How can I keep track of them all?”

How to contact me:

email: martin@kadansky.com

phone: (617) 484-6657

web: http://www.kadansky.com

On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to martin@kadansky.com and I'll add you to the list, or visit http://www.kadansky.com/newsletter

Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter

Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.

I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.