In the last 24 hours, news broke that a serious Cloudflare bug has been causing sensitive data leaks since September, exposing 5.5 million users across thousands of websites. In addition to login data cached by Google and other search engines, it is possible that some iOS applications have been affected as well. With the scale of this leak, the best course of action is to update every password for every site you have an account for. If there was ever a good time to modernize your password practices, this is it.
As consumers and denizens of the Internet, we have a responsibility to be aware of the risks we face and make an attempt to mitigate that risk by taking best-effort precautions. Poor password and authentication hygiene leaves a user open to risks such as credit card fraud and identity theft, just like forgetting to brush your teeth regularly can lead to cavities and gum disease. This leaves us with the question of what good password and authentication hygiene looks like. If we stick with the (admittedly poorly chosen) dentistry analogy, then there are five easily identifiable aspects of good hygiene.
5 tips for good password hygiene
How is a password manager like a toothbrush? It sounds like a crummy joke but bear with me. Password managers provide the foundation of good password and authentication hygiene. They have several functions, and when you are using one properly, you interact with it several times a day. For those who aren't familiar, a password manager is software that acts as a storage area for all your login credentials and passwords. They're great because they free you from having to remember your username, password, and other information. They often also provide additional functionality like password generation, secure form filling, and a shared folder for credentials you want to share with trusted people—like your Wi-Fi password or shared business accounts. Many great open source password managers are available, such as KeePassX, Padlock, and Passbolt.
Choosing a password
Now, like a toothbrush, simply using a password manager isn't enough. You need toothpaste: something that cleans, fluoridates, and gives you nice breath. In this case, that means a password that has length, complexity, and individuality. Wherever possible, your passwords should be 16 characters or more to give you some protection from brute-force password cracking. Your password should also be a mix of uppercase and lowercase letters, numbers, and non-alphanumeric symbols. Lastly, each distinct login should have its own unique password. Because you're using a password manager, no memorization is required and this becomes a lot easier.
Now, while you could throw some Scrabble tiles and dice into a tumble dryer, there's a better way. KeePassX and Passbolt both have built-in password generators for your convenience. (It looks like Padlock is on the way to implementing that feature.) If you would rather your password generator not be part of your manager, PWGen and APG are standalone open source password generators.
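As an added illustration (not code from the post or from any of the managers it names), here is a small generator and checker that encodes the rules above: at least 16 characters, all four character classes, and randomness drawn from the OS CSPRNG rather than a seeded pseudo-random generator. The symbol set is an assumption; use whatever the target site accepts.

```python
import math
import secrets
import string

# Character classes the post says a password should mix.
# The symbol set is an arbitrary assumption; sites differ in what they accept.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?/",
}
ALPHABET = "".join(CLASSES.values())
MIN_LENGTH = 16  # the post's floor for resisting brute-force cracking


def generate_password(length: int = 20) -> str:
    """Build a password from the OS CSPRNG (secrets, never random).

    One character from each class is guaranteed so the result always
    satisfies check_password(); the rest is drawn from the full alphabet
    and the list is shuffled so the guaranteed characters are not at
    predictable positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(cs) for cs in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def check_password(pw: str) -> dict:
    """Report which of the post's criteria a candidate password meets."""
    report = {"length_ok": len(pw) >= MIN_LENGTH}
    for name, cs in CLASSES.items():
        report[name + "_ok"] = any(c in cs for c in pw)
    return report


def is_hygienic(pw: str) -> bool:
    return all(check_password(pw).values())


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, is_hygienic(pw), round(entropy_bits(len(pw)), 1))
```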
Changing your password
Unlike flossing your teeth, it is better not to change your passwords too often. I have a reminder in my calendar to cycle all my passwords every nine months. This prevents the inclination to use weak, memorable passwords or to follow predictable patterns—much like people who only floss the week before they visit their dentist.
Speaking of going to the dentist, enabling 2FA, or Two-Factor Authentication, on your account is a great way to ensure you will know if you start to develop any account plaque. What is 2FA? When we talk about authentication, a password is something you know. When you set up your account to require a secondary method of authentication, rather than ask for a second password, it will ask for something you are or have, such as a fingerprint, a code sent via SMS, or a code from an authenticator app or dongle. This means if someone steals your password, they only have one piece of the authentication puzzle. Unless they also obtain your finger, phone, or other 2FA method, they will be unable to access your account.
Often, account providers will also send you a notification via email when someone has attempted to access your account unsuccessfully, which gives you the opportunity to cycle that password and reinforce the security of the targeted but still secure account. Where possible, I would recommend setting up MFA (Multi-Factor Authentication), which will require three pieces to confirm your identity—something you know, something you have, and something you are. When implementing 2FA/MFA on an account, as a user you are largely dependent on which options the site supports. However, Google Authenticator is pretty widely used, and there is an open source hardware token, U2F Zero, which you can buy or make yourself.
Choosing a username
The point of mouthwash is to wash out any bacteria or guff that might build up and cause damage and infection. Alternating your username regularly has the same effect. It makes it harder for others to track your activities across websites, or for someone to find a weak link in your password management system by trying accounts with the same username across different sites. For these reasons, I would advocate changing the username of your account on different websites unless you intend for the content across certain websites to be found easily. You may want to have the same username for your GitHub, Stack Overflow, and Twitter accounts, for example, but then you may want to use unrelated names for your personal social media and dating profiles.
Password managers also store usernames, making it easier to diversify your identity across the different websites you use. There are many great open source username generators. One of my favorites is the Random User Generator, which actually creates an entire identity. I use it for use cases as well as website profiles. Then there's the Markov Namegen by @Sam_Twidale, which uses Markov chains and has a large number of settings to customize the output. Finally, Chance is fun because it can randomly produce just about anything, including words, bools, names, integers, and more. It makes an interesting change from usernames like "cooldud66."
Worth the effort
I know that having good password hygiene seems like a ton of work, just like brushing your teeth did when you were a kid, but once you start, it will be a good habit that sticks with you and protects you for the rest of your life. The sigh of relief that comes with knowing you're insulated from the effects of the next great password leak is as good as getting the thumbs up at the dental clinic.