On an upcoming episode of Mac Geek Gab, you’ll hear a tip from Allison recommending that you not follow the common Internet security advice to change your passwords regularly, except where a site enforces it.

In 2016, while on leave from Carnegie Mellon University, Lorrie Faith Cranor was the FTC’s chief technologist. She published an article indicating that mandatory password changes are often not as effective as the organizations that mandate them suggest.

Lorrie writes: “Users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”

The article is worth a read, including the scientific studies she references.

I also mentioned Lorrie in my first post on 1Password in 2015, noting her TED Talk on password security.

How to Store Passwords

Many of my clients are overwhelmed by their passwords, have a tedious process for looking them up, and often have to reset at least one during our time together.

For starters, I strongly recommend using a password manager and entrusting it with your private information. It’s best to choose one that works consistently on all devices and in all web browsers that you regularly use. I still recommend 1Password and have been discussing it here for almost a decade.

Once all your logins are imported or entered, I invite you to set aside the notebook on your desk, or the hidden file in the drawer, that you don’t actually carry with you everywhere, and to let go of Contacts, Notes, a word processing document, a spreadsheet, or any other insecure method you’ve adopted for storing this stuff.

Then, I encourage you to welcome a little learning in your life: How do you let a password manager autofill your login when a website permits it? How do you look up a login and paste it when the website is finicky? You can even copy on your iPhone and paste on your Mac, or vice versa, if that’s easier for you. I’m happy to coach you.

How to Create Passwords

Please stop creating your own passwords. Unless your personal method is genuinely unpredictable, a password you invent in your head is unlikely to be strong, however clever it feels.

Use a generator! Permit your password manager of choice to create secure passwords, which it then stores for you. Learn how to select these passwords when on websites where you are creating or resetting a login.

(The only passwords I recommend you create with your mind are for your computer, your Apple ID, and your password manager, because those are the ones you must be able to type from memory. Make them long.)
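As an added illustration of the two points above (not code from the original post or from 1Password), here is what a generator does that your head does not: it draws every character or word uniformly at random from the operating system’s cryptographic random source, so the strength can actually be counted in bits. The word list is a constructed stand-in for a real passphrase list, and the `estimate_bits` check is deliberately optimistic, which is why a low result is a reliable "weak" signal but a high result proves nothing for a human-chosen password.

```python
import math
import secrets
import string

# Character pool a password manager's generator typically draws from.
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-in for a real passphrase word list. A real list such as the
# EFF long list has 7776 words (about 12.9 bits per word); this one is far too
# small for actual use and exists only so the example runs offline.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fable", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "willow", "yarrow",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `pool_size` choices.

    Only valid for generator output: a human-chosen password is far weaker than
    its length suggests because the choices are not uniform.
    """
    return length * math.log2(pool_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random character password from the OS CSPRNG (`secrets`, never `random`)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 6, wordlist: list[str] = WORDS, sep: str = "-") -> str:
    """Random word passphrase for the few passwords you must remember and type
    (computer login, Apple ID, the password manager itself)."""
    if n_words < 4:
        raise ValueError("use at least 4 words")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def estimate_bits(password: str) -> float:
    """Upper-bound strength estimate: smallest character-class pool that covers
    the password, times its length. Useful only to flag obviously weak passwords."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    if any(c not in ALPHABET for c in password):
        pool += 32  # rough allowance for characters outside the pool above
    return entropy_bits(pool, len(password)) if pool else 0.0


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(ALPHABET), len(pw)), 1), "bits")
    pp = generate_passphrase()
    print(pp, round(entropy_bits(len(WORDS), 6), 1), "bits with this tiny list")
```

The point of `estimate_bits` is the asymmetry: "password1" scores under 50 bits and is correctly flagged, but a memorable pattern that happens to mix character classes will score well above its real strength, which is exactly why the post says to let the generator choose.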

Why Change at All?

Besides websites that enforce password changes with some periodicity, there are two primary reasons to do so:

  1. If you believe your account has been compromised, for instance because Have I Been Pwned? lists it or your password manager flags it, change that password (and change it on any other site where you reused it).
  2. If a password manager indicates a password is weak, let it make a strong one for you and use that one on the associated website.
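The Have I Been Pwned? check mentioned in item 1 is worth seeing up close, because it is safe to run against a real password: the Pwned Passwords range API uses k-anonymity, so only the first five hex characters of the password’s SHA-1 hash ever leave your machine, and the comparison against the returned suffixes happens locally. The following is an added example (not code from the original post, from 1Password or from Have I Been Pwned?); the sample server response is constructed for the example, with made-up counts and neighbouring suffixes, though the suffix for "password" is its genuine SHA-1 tail.

```python
import hashlib
import urllib.request
from typing import Callable

# Real endpoint of the Pwned Passwords range API. Only the 5-character hash
# prefix is sent; the full hash and the password itself stay local.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the API returns for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found).

    `fetch_range` takes the 5-char prefix and returns the response body, so the
    same logic works against the live API or the offline sample below.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live lookup (not used by the offline example). The API requires a User-Agent."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server: the response for one prefix. The second
# suffix is the genuine SHA-1 tail of "password"; the other two suffixes and all
# three counts are made up for this example and are not HIBP's real figures.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1D2F6C0A9B8E7D6C5B4A392817060504030:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3",
        "2A7B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5:1",
    ]),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline replacement for fetch_range_online backed by SAMPLE_RANGES."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch_range_sample)
        print(f"{candidate!r}: seen {n} time(s) in the sample corpus")
```

To run it for real, pass `fetch_range_online` instead of `fetch_range_sample`. A non-zero count means the password is in circulation among attackers and should be replaced everywhere it is used, which is what a password manager’s breach warning is telling you.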

Moving Beyond Passwords

In truth, passwords are not the best way to authenticate to a website or application. Passkeys are starting to become more widely supported: they were introduced to Apple software platforms and some web browsers last year, and added to 1Password last week.

A passkey is a cryptographic key pair rather than a secret you type. Your device keeps the private key and unlocks it with a fingerprint, your face, or the device passcode; the website only ever stores the matching public key, so there is nothing for you to remember, nothing for a phishing page to capture, and nothing useful to steal in a breach of the site. When available, I recommend registering and using a passkey instead of a password. If you use 1Password, visit Watchtower to find out which of your logins support passkeys and accept the invitation.