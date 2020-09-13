Brett Pearce / CNET



Even though the tech industry is working on better alternatives to passwords, you are still going to have to use them for a long time to come. Some of the advice you have heard over the last few decades is out of date, so here is an update.

The basic rules about password security still apply: use a different password for each account and make your passwords difficult to guess. But cybersecurity experts advise that we should discard three old rules: never write down your passwords, don’t tell anyone your passwords, and change your passwords frequently.

That advice came from a different time, when the biggest threat was someone with physical access to your computer. Now our lives are thoroughly entangled with internet services and applications, and the attacker can be anywhere in the world. As a result, we have to think differently about how to keep our accounts protected.

Like it or not, you will still have to use passwords, so here is how to choose them well. You can use a random string of gibberish, or a long combination of unrelated words, often called a passphrase. Avoid using a single dictionary word or making well-known substitutions, such as the @ sign for the letter a. Consider using a password manager to take care of generating and storing your passwords for you.
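What separates a strong random password or passphrase from a weak one is how many equally likely choices the attacker has to try. The script below is an added example for this article, not code from CNET or from any password manager: it generates both kinds of secret with the operating system's cryptographic random source and estimates how long an offline guessing attack would take. The 16-word list and the 1e10 guesses-per-second figure are constructed assumptions for illustration; a real passphrase generator should draw from a large published list such as the EFF long wordlist.

```python
import math
import secrets
import string

# Constructed 16-word list, for illustration only.  A real passphrase
# generator should draw from a large published list such as the EFF long
# wordlist (7,776 words), which is worth about 12.9 bits per word.
SAMPLE_WORDS = [
    "anchor", "bridge", "copper", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pillar",
]

# 94 printable ASCII characters: letters, digits and punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of a secret built from `count` uniform picks out of `choices`.

    This assumes every pick is independent and uniformly random, which is
    what `secrets` delivers and what a human choosing "clever" words does not.
    """
    return count * math.log2(choices)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Gibberish-style password: `length` uniform picks from `alphabet`."""
    # secrets.choice uses the OS CSPRNG; random.choice is not suitable here.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list, count: int = 6, sep: str = "-") -> str:
    """Passphrase: `count` uniform picks from `words`, joined by `sep`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def strength_report(choices: int, count: int, guesses_per_second: float = 1e10) -> dict:
    """Average time an offline brute-force attack would need.

    1e10 guesses/s is an assumed round figure for a GPU rig attacking a fast
    hash; a slow hash such as bcrypt or Argon2 cuts it by orders of magnitude.
    """
    bits = entropy_bits(choices, count)
    average_guesses = 2 ** (bits - 1)          # attacker expects to find it halfway
    seconds = average_guesses / guesses_per_second
    return {"bits": round(bits, 1), "years_to_crack": seconds / 31_557_600}


if __name__ == "__main__":
    print(random_password(16), strength_report(len(PRINTABLE), 16))
    print(random_passphrase(SAMPLE_WORDS, 6), strength_report(len(SAMPLE_WORDS), 6))
    print("EFF long list, 6 words:", strength_report(7776, 6))
```

Running it shows the point behind the advice: six words from the tiny constructed list give only 24 bits and fall in a fraction of a second, while six words from a 7,776-word list give about 77 bits, comparable to a 12-character random password, and are far easier to remember.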

Here are some tips from cybersecurity experts:

Write your passwords somewhere

From the moment the first users started logging into computer terminals, they were told to memorize their passwords and never write them down.

It all started with MIT’s Compatible Time-Sharing System (CTSS), believed to be the first computer system to require a username and password. Beginning in 1963, MIT users accessed personal accounts by logging into shared computer terminals. For decades, the worst thing you could do was write down your password and leave it near your workstation where anyone else could find it.

That is no longer true.

“That advice is totally counterproductive today,” says Mark Risher, Google’s director of account security. “It is best to write them on paper.”



Jotting down your login credentials is the easiest way to remember a different password for each of the dozens of accounts you have. Sure, there is a risk that someone will get hold of your notes, but a far greater risk is that a remote attacker exploits a password you have reused across several sites.

How to do it safely: Password books are sold online and in office supply stores. Store one safely in your home and you’ll be fine, experts say.

Of course, if you have reason to believe that someone in your house might hack you, this might not be the right option for you.

And it is not convenient to keep your password notebook under lock and key if you use it often or need it away from home. But as a way of making sure that at least your most important accounts have strong, unique passwords, it is a start.

Share your accounts

Telling people not to share their passwords is almost as bad as it is unrealistic.

People share passwords with friends, colleagues and family for many reasons. A household needs only one Amazon Prime account, for example, and many partners combine their finances. And keep in mind that one day you or a family member could die or become incapacitated, and someone else will need to get in.

Many people are comfortable sharing social media and email passwords with their partner, according to a February SurveyMonkey survey.

Obviously, this has its risks. Sharing passwords can be dangerous if the relationship turns sour or if one partner is controlling, domestic violence experts say. More generally, sharing a password with another person doubles the number of people who can expose your information to hackers.

Do it safely: First, check if your service allows multiple users to access the same account. For example, Amazon allows you to share your Prime account with your family members and they all maintain their own password. Many banks offer similar features.

Second, don’t reuse a shared password for any other account. That way, if your partner falls for a phishing scam and hands over one of your passwords, your other accounts are not affected.

Don’t change your passwords frequently

Regularly changing your password seems like a sensible way to lock out hackers who might have gained access to your account.

However, researchers showed almost 10 years ago that this advice does more harm than good. In short, forcing people to reset their passwords makes them choose weaker, more predictable ones.

At the University of North Carolina at Chapel Hill, researchers examined the password habits of students, faculty and staff who had to change their passwords every three months. They found that users made small, highly predictable changes to their passwords, changes that a hacker who knew the old password could guess with little effort.
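To see why that matters, it helps to think like the attacker. The code below is an added illustration for this article, not the UNC researchers' tooling: given an expired password, it enumerates the cheap edits people typically make (bump a number, swap the trailing symbol, add or drop a character, change capitalisation, apply the usual letter substitutions) and checks whether a "new" password is one of them. The symbol set and the sample passwords are constructed for the example.

```python
import re
import string

# Symbols people habitually tack onto passwords; an assumed set for illustration.
SYMBOLS = "!@#$%^&*?"
NUMBER_RE = re.compile(r"\d+")


def transform_candidates(old: str) -> set:
    """Guesses an attacker would try once the expired password `old` is known."""
    cands = set()

    # 1. Bump every run of digits up or down a little: 2019 -> 2020, 07 -> 08.
    for m in NUMBER_RE.finditer(old):
        num = m.group(0)
        for delta in (-2, -1, 1, 2):
            n = int(num) + delta
            if n >= 0:
                cands.add(old[:m.start()] + str(n).zfill(len(num)) + old[m.end():])

    # 2. Append one more digit or symbol to the whole thing.
    for ch in string.digits + SYMBOLS:
        cands.add(old + ch)

    # 3. Drop the trailing digits/symbols, optionally replacing them with one char.
    core = old.rstrip(string.digits + string.punctuation)
    if core and core != old:
        cands.add(core)
        for ch in string.digits + SYMBOLS:
            cands.add(core + ch)

    # 4. Swap a trailing symbol for a different one: Summer2019! -> Summer2019#.
    if old and old[-1] in SYMBOLS:
        for s in SYMBOLS:
            cands.add(old[:-1] + s)

    # 5. Capitalisation games.
    cands.update({old.lower(), old.upper(), old.capitalize(), old.swapcase()})

    # 6. The well-known substitutions the article warns about.
    cands.add(old.replace("a", "@").replace("s", "$").replace("o", "0").replace("i", "1"))

    cands.discard(old)          # the old password itself is no longer valid
    return cands


def is_predictable(old: str, new: str) -> bool:
    """True if `new` is reachable from `old` by one of the cheap transforms above."""
    return new in transform_candidates(old)


if __name__ == "__main__":
    # Constructed sample: a typical quarterly "rotation".
    old, new = "Summer2019!", "Summer2020!"
    print(len(transform_candidates(old)), "guesses cover the usual edits")
    print(old, "->", new, "predictable:", is_predictable(old, new))
```

A few dozen guesses cover the common edits, which is nothing next to the billions an offline attacker can try. An account that enforces rotation but allows these edits gains almost nothing from the policy; the genuinely new password is the one that shares no structure with the old one, such as a fresh passphrase from a password manager.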

Do it safely: You should still change a password whenever you know it has been compromised. You can register with the Have I Been Pwned site to receive alerts about breaches that may have affected you. Browsers such as Firefox and Chrome, and an Okta browser extension, can also warn you when one of your passwords turns up in a leaked data set.
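Those checks can be done without handing your password to anyone. Have I Been Pwned's Pwned Passwords service uses a "k-anonymity" lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range along with a breach count, and does the final match locally. The script below is an added example, not Have I Been Pwned's own client code, written from the publicly documented range endpoint; the sample range response and its counts are constructed so the example runs offline, and the fetcher is injectable so the same function works against the live API.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves the
    machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix: str) -> str:
    """Live lookup (needs network).  Only the 5-character prefix is sent."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "pw-check-example"},  # the API rejects requests without one
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict:
    """Each response line is 'SUFFIX:COUNT'; return {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the /range/5BAA6 response so the example runs
# offline.  Real responses carry several hundred lines.  The middle suffix is
# genuinely the SHA-1 tail of "password"; the other suffixes and every count
# are invented.
SAMPLE_RANGE_5BAA6 = """\
0000000000000000000000000000000000A:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2
"""


def offline_fetch(prefix: str) -> str:
    """Fake fetcher returning the constructed sample for its one known prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-not-in-the-sample"):
        print(repr(pw), "seen", breach_count(pw, offline_fetch), "times")
```

The privacy argument rests on the split: 2^20 possible prefixes means each request narrows the password to one of roughly a million hash buckets, and the service never learns which suffix the client was interested in. Password managers and browsers that offer breach warnings use this same pattern.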

Finally, turn on two-factor authentication wherever your accounts offer it, so that even if hackers have your password they cannot get into your accounts without a lot of extra work. SMS-based codes, while vulnerable to some attacks, are better than nothing. Authenticator apps like Google Authenticator or Authy are stronger, and for really important accounts like Google or Facebook you can use hardware security keys.