ItsGeekToMe.co

The official home of It's Geek to Me on the web!

Issue #953: Oct 26 – Nov 1, 2025

Geek Note: Today’s column is the delayed Part Two of the two-part series on good and poor Password Practices that I started two weeks ago. If you missed Part One, be sure to visit my website and check out I.G.T.M. Issue #951, Oct 12, 2025. That issue covered the dilemma of choosing convenience over security, and the bad habit of believing yourself to be clever while crafting passwords that can be easily cracked by modern hackers using readily available software. We pick up where that edition left off.


The third dilemma is one that’s often outside of the control of end users and is foisted off on them by well-meaning IT directors, or others in the position to enforce cybersecurity for websites or other institutions. Specifically, it is the outdated practice of forced periodic password resets. Conventional wisdom used to say that making people periodically change their passwords would lead to increased security, because compromised passwords would be swept away. The advice to change passwords every few months is now considered bad practice by experts like the U.S. National Institute of Standards and Technology (NIST). Why? Because it plays right into both of the previously discussed problems of convenience over security, and choosing easily cracked passwords. Forcing people to change a password encourages the predictable progression of “Pa55w0rd” to “Pa55w0rd1” to “Pa55w0rd2” and so on. Security is not increased in the slightest. In fact, it is actually weakened, because sequential passwords make the next iteration easy for a hacker to guess. Even worse, forcing new passwords on people encourages them to write the passwords down, because it’s simply not reasonable to expect people to remember by rote the dozens of unique passwords that are required to securely run a modern digital life.
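A small policy check, added here as an illustration (not code from the column or any particular product), that catches the “Pa55w0rd” to “Pa55w0rd1” to “Pa55w0rd2” progression at reset time: it strips the trailing counter or punctuation from both the old and the new password and rejects the change when the remaining stem is identical. The function and rule names are my own.

```python
import re

# Tail of a password that a forced reset typically bumps: a counter,
# a year, or a punctuation mark tacked on so the stem can stay the same.
_TAIL = re.compile(r"^(.*?)([0-9!@#$%^&*?._-]*)$")


def split_stem(password: str) -> tuple[str, str]:
    """Split 'Pa55w0rd2!' into ('Pa55w0rd', '2!')."""
    stem, tail = _TAIL.match(password).groups()
    return stem, tail


def is_trivial_rotation(old_password: str, new_password: str) -> bool:
    """True when the new password is the old one with only its tail
    changed (Pa55w0rd -> Pa55w0rd1 -> Pa55w0rd2), the predictable
    progression that periodic resets encourage.  Only the suffix-bump
    pattern is detected; a changed stem passes this rule."""
    old_stem, _ = split_stem(old_password)
    new_stem, _ = split_stem(new_password)
    if not old_stem:
        return False  # all-digit/symbol password: no stem to compare
    return old_stem.casefold() == new_stem.casefold()


def check_reset(old_password: str, new_password: str) -> str:
    """Policy decision for a password-change request (hypothetical rule names)."""
    if new_password == old_password:
        return "rejected: unchanged"
    if is_trivial_rotation(old_password, new_password):
        return "rejected: only the counter/suffix changed"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample: the progression from the column, then a real change.
    history = ["Pa55w0rd", "Pa55w0rd1", "Pa55w0rd2", "GeekHouse77BatteryStable"]
    for old, new in zip(history, history[1:]):
        print(f"{old!r} -> {new!r}: {check_reset(old, new)}")
```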

So, now that I’ve identified the worst of the digital sins (believe me when I say there are more – these are just the top 3) let’s talk salvation. Modern password security is less about cleverness and complexity of a password and more about its length and uniqueness. Let’s start by embracing the concept of a passphrase rather than a password. It’s a simple mathematical fact that as a digital string increases in length, it becomes exponentially harder to guess or crack. Forget complex jumbles you can’t remember and opt for long passphrases – ideally 16 characters or more. A 24-character phrase like “GeekHouse77BatteryStable” is the equivalent of 192-bit encryption, and the phrase is vastly harder to brute-force than “A1b@%5fT” (8 characters), yet it is much easier for a human to remember, and so less likely to need to be written down. To craft your own, use a string of random, unrelated words and numbers, perhaps with some spaces or symbols if the site allows.
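To put numbers on the length argument, here is an added example (my own code, not the column’s) that sizes the brute-force search space for the two passwords above. It is deliberately conservative: it counts only the character classes actually present in the password (so a letters-and-digits phrase is scored against a 62-symbol alphabet rather than 8 bits per character), and the 10^12 guesses-per-second rate is a constructed round figure for an offline attack, not a measurement.

```python
import math
import string

# Character classes a guessing tool must cover once it sees them used.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every
    character in the password (62 for letters plus digits, 95 for all four)."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace_bits(password: str) -> float:
    """Bits of brute-force search space: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e12) -> float:
    """Worst-case years to try every string in the keyspace at the
    assumed guess rate (1e12/s is a constructed figure, not a benchmark)."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 86400)


if __name__ == "__main__":
    # The two passwords compared in the column.
    for pw in ("A1b@%5fT", "GeekHouse77BatteryStable"):
        print(f"{pw!r:28} {len(pw):2d} chars  {keyspace_bits(pw):6.1f} bits  "
              f"{years_to_exhaust(pw):9.2e} years to exhaust")
```

Length wins even though the short password draws on a larger alphabet: 8 characters from 95 symbols is about 53 bits, while 24 characters from 62 symbols is about 143 bits, roughly 2^90 times more work.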

The next cybersecurity enhancer is the use of Multi-Factor Authentication (MFA), sometimes called two-factor authentication (2FA). This is the single most effective way to protect your accounts, because it works even if your password is stolen. While a password is something you know, MFA requires a second form of verification – something you have, like a temporary code from an authenticator app on your phone, or a code that the site e-mails or texts to you. If an attacker steals your password, they still can’t get in without also stealing your physical phone, which is a much harder hurdle. Turn on MFA everywhere that it’s offered, especially for email and banking.

Finally, there is the ultimate tool for combating password reuse and complexity: a password manager. I’ve discussed these previously, such as in I.G.T.M. Issue #921, March 16, 2025. A reputable password manager generates long, random, unique passwords for every single one of your accounts and remembers them for you. There’s no need to write them down, or even change them, as the password manager does all these humdrum tasks for you. The only thing you need to remember is one strong master password to access the password manager itself. A password manager effectively eliminates the “convenience” excuse for poor practices. The best password managers will change the passwords periodically, and even alert you if any of your stored credentials appear in a public data breach. This is a smart use of cybersecurity, and except for the minuscule risk of the password manager itself suffering a data breach, it is a convenient and secure way to manage your credentials.


There you go, Geeks! Implement these practices and go forth safer and more secure online. And don’t forget to pay a visit to my website and submit a question for a future edition of your favorite Computers and Technology column!


To view additional content, comment on articles, or submit a question of your own, visit my website at ItsGeekToMe.co (not .com!)


Copyright Notice

All content on this site is Copyright © 2007-2025 by Jeff Werner – All rights reserved.