A (Pass)word to the wise: Stronger is better

Email, bank accounts, utility providers, social media, streaming services, food delivery, shopping sites – nearly everything you do online requires a password. Today we’re talking about good and not-so-good password practices and how you can stay one step ahead of cyber bad actors.

According to the Verizon 2020 Data Breach Investigations Report, over 80% of successful information breaches involved either brute-force password cracking – guessing a password through trial and error – or using credentials that were previously stolen. Given that success rate, it’s clear that hackers are willing to put a lot of work into getting your information. But there are ways you can defend yourself, and good “password hygiene” is your best first step.

Password hygiene?

In the same way good personal hygiene keeps you healthy, good password hygiene is a set of habits you can build into your cyber life to keep your information healthy:

  • Use a different password for every account (protects against Credential Stuffing)
  • Use unusual words, or use symbols and numbers in place of letters in common words (protects against Password Spraying)
  • Use long passphrases, such as “IPutNewWindowsInTheShed,” instead of just one word (protects against Brute Force)


Credential Stuffing: Using credentials (username & password) stolen from one site, Attacker attempts to log in to as many other sites as possible

Brute Force: Attacker uses a trial-and-error method to guess the password to a single account

Password Spraying: Similar to brute force, but Attacker “sprays” the same password attempt across many sites at once before trying the next one
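For the people running a site's login system, the three patterns defined above leave different traces in the failed-login log. The Python sketch below is an added example, not part of the original article; it assumes a single site's log (where spraying shows up as one password tried against many accounts), a hypothetical `pw_tag` field holding a keyed hash of the attempted password, a threshold of 5, and constructed sample events.

```python
from collections import defaultdict

THRESHOLD = 5  # assumed: failures from one source before it is classified

def classify(events):
    """Label each source by the pattern of its failed logins.

    events: (source, username, pw_tag) tuples. pw_tag is an assumed field:
    a keyed hash of the attempted password, never the password itself.
    """
    users, tags, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, user, pw_tag in events:
        users[src].add(user)
        tags[src].add(pw_tag)
        counts[src] += 1

    verdicts = {}
    for src, total in counts.items():
        n_users, n_tags = len(users[src]), len(tags[src])
        if total < THRESHOLD:
            verdicts[src] = "below threshold"      # e.g. a user mistyping
        elif n_users == 1 and n_tags >= THRESHOLD:
            verdicts[src] = "brute force"          # many guesses, one account
        elif n_users >= THRESHOLD and n_tags == 1:
            verdicts[src] = "password spraying"    # one guess, many accounts
        elif n_users >= THRESHOLD and n_tags >= THRESHOLD:
            verdicts[src] = "credential stuffing"  # many distinct pairs
        else:
            verdicts[src] = "unclassified"
    return verdicts

# Constructed sample data (documentation-range addresses, made-up names).
SAMPLE = (
    [("192.0.2.10", "alice", f"guess{i}") for i in range(6)]
    + [("198.51.100.7", f"user{i}", "same") for i in range(6)]
    + [("203.0.113.5", f"member{i}", f"leak{i}") for i in range(6)]
    + [("192.0.2.99", "bob", "typo1"), ("192.0.2.99", "bob", "typo2")]
)

if __name__ == "__main__":
    for source, verdict in sorted(classify(SAMPLE).items()):
        print(f"{source:15} {verdict}")
```
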

Of course, most of us are terrible at remembering long strings of random characters, which is why Password Manager applications exist. There are lots of options to choose from, but all use a master password as well as a randomly generated, temporary code to provide two layers of security (read more about why this works in the Multi-Factor Authentication section above).

Easy but not safe

Our last tip is about sites that offer to let you log in using your credentials from another site (Facebook, Twitter, Google, etc.). Is it convenient? Of course! Should you do it? For the most part, no.

Let's say you’ve logged into five sites using your Facebook credentials. If Facebook suffers a data breach – as it did in 2018 when nearly 50 million users had their information exposed – then your Facebook credentials can be used to access those five other sites, making even more of your data vulnerable. Exceptions would be sites like the Canada Revenue Agency's, which lets you log in through your online banking account; that account already uses MFA and has a higher level of security than social media sites.

The bottom line? Practicing good password hygiene is something you can control, and it will help keep your information where it belongs.