Last updated: Jul 6, 2025
General management guidelines
These rules are meant for the average person, to keep things simple yet strong. You want to minimize the number of places where passwords are stored. Generally, you don’t need to change your passwords and can consider using the same one for life, unless it has been compromised.
Primary ecosystem password
You are expected to have an account with one of the following major tech companies: Google, Microsoft, and/or Apple. This should be the ecosystem you primarily use.
This is the one account you need to protect with a strong password. It should be relatively easy to type, but it must still meet a minimum length and complexity, e.g.:
- Ten or more characters
- A mix of capitalization
- Includes symbols (avoid just adding ! at the end, etc.)
- Include numbers
This should be written down and never messaged anywhere. You should never use this password for anything else. If you save the password somewhere on your computer, it needs to be in a location you know about and that is not easy for others to access. Do not save this password inside the ecosystem itself: if you ever need to log in and do not know the password, you cannot get to it.
Operating System Password
Most likely you are using Windows or macOS and need a password to log in. You should not use this password for any other purpose. It should be easy to remember and quick to type, yet strong like your ecosystem password. Windows Hello or Apple Face ID is a recommended alternative, as it is secure and convenient and provides other benefits as well.
Other passwords
These passwords are managed separately from your online accounts, so it is good to keep a record of them somewhere.
- Home/work Wi-Fi password – Not critical to protect; however, anyone with this password could access files and other resources within your network.
- Phone PIN code – Memorize it. Crucial to keep private. Explanation below.
- Password managers (optional) – A separate password manager is distinct from your browser’s built-in password manager. It is ideally used for storing and managing passwords unrelated to website logins, though it can auto-fill website credentials with a more complex setup. This is a secure place to store your ecosystem account password, as well as passwords for websites you want to access easily and safely.
Website with login account creation
Ecosystem stored logins

If a website offers a “Continue with” option (it may show as “Sign in with” or similar), you should use it. Choose your ecosystem. You will not need to create a username or password, which makes logging in convenient; the account is created automatically and linked to your ecosystem.
Other ecosystem options include Facebook, WeChat, LinkedIn, Amazon, etc. They are limited to affiliated websites. I recommend using them if you have those accounts.
Cons: Because the account has no username and password of its own, you cannot share it with another person you trust. For example, your spouse might want to log in to your XXX website but can’t unless she is logged into your Google (etc.) account in her web browser.
Site stored logins
If ecosystem options are unavailable, you’ll need to create the account with a username and password. If the username needs to be an email, use the email that you regularly use and have access to, because it is often used for 2FA (two-factor authentication).
When you are prompted to create a password, rather than typing one, click in the password field and you should be offered the option to generate a strong password. Choose that option. You do not need to keep track of these anywhere, as they are stored in the browser’s password manager.
This stores the password within the ecosystem’s password manager. You will need the browser to be signed in with the sync option enabled on your devices.
Sometimes the browser password manager does not recognize a field as a password entry box and will not offer to generate one. This may also mean it won’t autofill when you are prompted to log in. You can manually add these to the same password manager, and it may autofill anyway.
CAUTION: When you log in, you may see your browser ask “Update password?”:

If you did not intentionally change your password, you may have typed something in another field that the browser took for a password, and it is now offering to replace the stored password with that. Click the X or No thanks unless you know for sure you entered a new password, in which case click Update password. This avoids losing the correct password stored in the password manager. *If needed, you can usually use “Forgot Password” to fix it later.
Password and passphrase are the same thing; the difference is terminology. The term passphrase encourages users to create a longer “password” and implies that spaces are valid. Sites do limit the length of passwords, but those that use the term passphrase usually allow longer lengths.
It is fine to create your own passwords for the convenience of logging into websites on shared computers. However, avoid passwords that follow a pattern such as AH1979!Amazon, AH1979!Netflix, AH1979!Google, AH1979!Facebook. Hackers use AI to easily interpret patterns like this and try the matching password on other sites, e.g. AH1979!PayPal. Once a password has been cracked for one site, if you use the same or a similar password on a financially sensitive website, your money will be gone in seconds because bots run these scripts automatically.
Though passwords like the samples above are strong and cannot reasonably be brute forced, a breach such as the one in 2019, when Facebook exposed 540 million records of usernames and passwords, can easily lead to an attack: a hacker’s program could automatically filter the leaked passwords for anyone with a pattern like *facebook, then go to PayPal and try *paypal (*fb -> *pp, etc.).
A hacker with a powerful computer can test billions of passwords a second* (more than the total number of Facebook passwords leaked). A strong 10-character password would take 1.7 million years at 1 billion password checks per second.
*This applies only to offline encrypted databases. Online logins are slower, but poorly protected websites can still be tested quickly.
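As an added example (not part of the original guide), the following Python script audits a constructed sample of saved logins for the two problems described above: a password reused verbatim across sites, and a family of passwords that differ only by the site’s name, like the AH1979!… set. It also checks each password against the length and complexity rules from the “Primary ecosystem password” section. The sample vault, the export format and the hostname-to-brand helper are assumptions made for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of (site, password) pairs, shaped like a password-manager
# export. Every value here is invented for this example.
SAMPLE_VAULT: List[Tuple[str, str]] = [
    ("amazon.com",    "AH1979!Amazon"),
    ("netflix.com",   "AH1979!Netflix"),
    ("google.com",    "AH1979!Google"),
    ("facebook.com",  "AH1979!Facebook"),
    ("paypal.com",    "r8$Vq2!mZp9LwX"),  # generated, no site name inside
    ("forum.example", "Winter2024!"),     # weak: symbol is only a trailing '!'
    ("shop.example",  "Winter2024!"),     # same password reused verbatim
]

def site_token(site: str) -> str:
    """Brand part of a site entry, e.g. 'www.amazon.com' -> 'amazon' (assumed format)."""
    host = site.lower().removeprefix("https://").removeprefix("www.")
    return host.split("/")[0].split(".")[0]

def meets_guidelines(pw: str) -> bool:
    """The guide's rules: 10+ characters, mixed case, a digit, and a symbol
    that is not merely a single '!' tacked onto the end."""
    symbols = [c for c in pw if not c.isalnum()]
    symbol_ok = bool(symbols) and not (symbols == ["!"] and pw.endswith("!"))
    return (len(pw) >= 10
            and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and symbol_ok)

def find_reused(vault: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Passwords used verbatim on two or more sites -> {password: [sites]}."""
    by_pw: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault:
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) >= 2}

def find_patterned(vault: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Passwords that embed their own site's name. Removing the name leaves the
    'stem' the user repeats (e.g. 'AH1979!'); a stem seen on 2+ sites is a
    family that a leak from one site would expose everywhere -> {stem: [sites]}."""
    families: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault:
        token = re.escape(site_token(site))
        if token and re.search(token, pw, re.IGNORECASE):
            stem = re.sub(token, "", pw, flags=re.IGNORECASE)
            families[stem].append(site)
    return {stem: sites for stem, sites in families.items() if len(sites) >= 2}
```

Note that AH1979!Amazon passes the complexity rules on its own; the audit flags it only because the same stem appears on four sites, which is exactly the weakness the paragraph above describes.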
Passkeys

There may be an option to “Sign in with a passkey”. Think of this as a physical key. It uses a separate device (usually your phone) to “unlock” access. It is safer than a physical key because you must authenticate with biometrics (fingerprint or face unlock) or the PIN on your phone. It is best to use this because it is passwordless, and it inherently provides 2FA (see below). This is just an alternate means to log in: you can still choose to enter the password, but when you are already authenticated, passkeys bypass the sign-in prompt altogether.
Storing Banking Passwords
Many financial institutions’ websites will not allow storing passwords in the browser’s password manager. These can be added to the browser’s password manager manually. I am personally okay with storing it there. You can usually copy and paste the password from the password manager, and the autofill might work anyway. If you are good at keeping passwords safe when written down on paper, you may choose not to store these in the password manager if you want to be extra careful.
Updating Existing Passwords
Ideally, you would want to “upgrade” your existing weak passwords to strong ones. Go into the Google Chrome web browser’s password manager and review your important accounts. The password manager identifies passwords that have been compromised; it is important to change those. You’ll need to log into each site to change the password and have it updated in the browser password manager.
Two-factor Authentication (2FA)
It is a very good idea to use this, and certain websites may require it. You typically have the option of an SMS message or email. Use email, as it is more accessible when you may not have your phone. I recommend deleting these emails and text messages after use. Email is also more secure than text, because SMS can theoretically be intercepted and is vulnerable to SIM swapping. This adds a step to logging in, but generally, once you complete the authentication, your browser is trusted and you won’t need to do it again for a certain period of time.
The term Multifactor Authentication (MFA) is essentially the same concept.
Trust this browser
You may see a “Trust this browser” or “Trust this device” checkbox when logging in. Check it if you are on a personal or work device that only you use. This skips the 2FA step, typically for several days to several weeks, before you need to do 2FA again.
Authenticators
Some websites, programs, or even your Windows login may be set up to require an authenticator. This is done by an app on your phone that is linked to the service. When you log in, your phone receives a push notification that you must accept, and the login then continues automatically. You won’t need to delete extraneous text messages and emails, as this replaces that authentication method. However, it requires your phone to be present.
Notes
Simplicity
Following these practices will provide a strong level of security. There are more complex and more secure methods, such as hardware security USB keys, special password-management browser extensions, or third-party password databases, but these guidelines require no special installations and are simple and convenient to use.
Password leaks
FYI: In general, reputable companies cannot figure out your password because of how the information is encrypted. This is not guaranteed, as the Facebook fiasco showed. Sites using passkeys would not have this problem, but if they also use a password, change it ASAP.
Public computer best practices
If you are using a public computer or any computer that is not yours, do not sign into your ecosystem’s account in the browser to sync data. If you need your stored passwords, log into your ecosystem’s website instead; you can reach the password manager from there.
When you finish your session, make sure you log out of all the websites you used. Clearing browser data will effectively do this. Logging out of Windows is not sufficient.
Warning
Obviously, revealing passwords to other people is not a good idea. Sharing a Netflix login password has lower consequences, though it does have a financial component.
Here are three passwords you should never share, and the reasons why:
- Your Google/Apple/Microsoft account
- This goes without saying. Always enable 2FA to make it very difficult for someone else to gain access. However, if they have unlocked access to your phone, you are facing catastrophe. Even if it is locked, perpetrators can remove the SIM card to receive your SMS messages and authenticate.
- Your Windows password
- This is even worse. If a perpetrator has access to your computer, they can open your web browser and access its password manager, where every password you have saved for autofill is fully viewable. Most people do not log out of their online accounts; for example, you may notice that you don’t need to type your Google account password when you go to Gmail. Thus, 2FA protection is ineffective for your other accounts. If you share a computer with others, make sure you trust them, and create separate browser profiles so you don’t mix your credentials.
- Your phone’s PIN code
- This is the worst. With your phone PIN compromised, the perpetrator can find your Google account email address on your phone, choose “Forgot password”, and use an SMS message to the phone to log in. Your phone is also usually configured to receive your emails.
- Don’t use your birthday or other important dates.
- Don’t use the same code for other purposes, like home alarm, etc.
- Try to use more than 4 digits.
Summary
This is how to keep it easy while maintaining strong security:
- Choose “Sign in with Google/Microsoft/Apple” whenever possible.
- Otherwise, have the browser’s password manager generate the password.
- Use passkeys if available.
- Don’t use patterned or easy to guess passwords.
- Enable two-factor authentication.
- You can choose Trust this browser or device.
- It is critical not to share your phone PIN code or Windows login password, though sharing with someone you absolutely trust is acceptable.