Three old password rules that turned out to be dumb today

Be smarter about using this crummy system.

Laura Hautala Former Senior Writer

[Image: You'll still have to use passwords, for all their flaws. Credit: Brett Pearce/CNET]

Editor's note: In recognition of World Password Day, CNET is republishing a selection of our stories on improving and replacing passwords.

Even though the tech industry is working on better alternatives to passwords, you're going to be using them for an awfully long time. Some of the advice you've heard over the last couple of decades is outdated. Here's a fresh look.

The core rules about password hygiene still stand. Use a different password for every account, and make your passwords hard to guess. But cybersecurity experts say you can toss out three old rules: Never write your passwords down, don't tell anyone your passwords and change your passwords frequently.

That advice came from a different time, when the biggest threat was from a person with physical access to our computers. Now our lives are completely enmeshed with internet services and apps. Hackers can be anywhere in the world. As a result, we have to think differently about how to keep our accounts locked down.

You'll still have to use passwords, for all their flaws, so here's the best way to pick them. You can still either use a random string of gibberish as your password or a long combination of unrelated words, often called a passphrase. Avoid using a single word from the dictionary or making well-known substitutions, like the @ sign for the letter a. Consider using a password manager to handle the hassles of generating and storing your passwords.


For a broader look, check CNET's coverage this week about password problems, some fixes like hardware security keys and password managers that you can start using today, reasons why two-factor authentication isn't as secure as you might hope, and a cautionary tale about what can go wrong with a password manager.

Here's what cybersecurity and privacy experts advise:

Don't be afraid to write down your passwords

As soon as the first computer users started logging in to computer terminals, they were told to memorize passwords and avoid writing them down.

It all began with MIT's Compatible Time Sharing System, which is believed to be the first computer system to require a username and password. Starting in 1963, MIT users accessed personalized accounts by logging in at shared computer terminals. For decades, the worst thing you could do was write your password down and leave it near your workstation where anyone else could find it.

No more.

"That advice is totally counterproductive now," said Mark Risher, head of Google account security. "It's much better to write it down."


Writing your login credentials down is the simplest way to remember a different password for each of the dozens of accounts you have. Sure, there's a risk somebody will get hold of your records, but a much greater risk is an attacker from far away exploiting a password you've reused on several sites.

How to do it safely: Password books are sold online and at office supply stores. Lock one away safely in your house, and you'll be on your way, experts say.

Of course, if you have reason to believe someone in your house might actually hack you, like an abusive partner or a cousin convicted of identity theft, this might not be the right option for you.

And it isn't convenient to keep your password notebook locked away if you use it often or need it outside the house. But at least for ensuring some primary accounts have unique, strong passwords, it's a start.

Do share your accounts

Telling people not to share their passwords isn't so much wrong as completely unrealistic.

People share passwords with their friends, partners and family members for many reasons. You only need one Amazon Prime account in your household, for example, and many partners combine their finances. And realize that one day, you or your family members might die or be incapacitated.

Lots of people feel comfortable sharing social media and email passwords with their partners, according to SurveyMonkey data from February.

There are risks. Sharing passwords can be dangerous if the relationship turns sour or one partner is controlling, domestic violence experts say. More broadly, sharing passwords with one other person doubles the number of people who can expose your information to hackers.

Do it safely: First, check whether your service allows for multiple users to access the same account. For example, Amazon lets you share your Prime account with your household, and everyone keeps their own password. Many banks have similar features.

Second, don't recycle passwords from another account. That way, if your partner falls for a phishing scam and hands over one of your passwords, it won't affect your other accounts.

Don't constantly change your passwords

Regularly changing your password seems a sensible way to cut off any hackers who might have gained access to your account.

But researchers showed nearly 10 years ago that this advice does more harm than good. In short, forcing people to reset their password makes them choose weaker passwords.

At the University of North Carolina at Chapel Hill, researchers examined the password habits of students, faculty and staff who were required to change their passwords every three months. They found that the users had made minor, predictable changes to their passwords that would be easy for an attacker to figure out.
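Here is what a service could do with the two findings above: reject well-known substitutions (the @-for-a trick) and reject a "new" password that is only a minor tweak of the old one. This is an added example, not code from the article or from any of the companies it mentions; the substitution table, the five-word dictionary and the 12-character minimum are constructed stand-ins, and the idea of comparing a normalized "core" of old and new passwords is an assumption about what counts as a predictable change.

```python
import re

# Well-known character swaps that add no real strength (e.g. "@" for "a").
# Constructed table for this example, not an exhaustive list.
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                 "0": "o", "$": "s", "5": "s", "7": "t"}

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey"}


def normalize(pw: str) -> str:
    """Reduce a password to its 'core': lowercase it, drop the trailing
    digits/symbols people increment on forced resets, then undo the
    common letter substitutions. Two passwords with the same core
    differ only by a predictable tweak."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)          # "summer2019!" -> "summer"
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in core)


def is_predictable_change(old: str, new: str) -> bool:
    """True when the new password is just a minor edit of the old one."""
    return normalize(old) == normalize(new)


def is_dictionary_word(pw: str) -> bool:
    """True when the password is a single dictionary word, even if it
    has been dressed up with substitutions or a trailing number."""
    return normalize(pw) in DICTIONARY


def evaluate_new_password(old: str, new: str, min_len: int = 12) -> list:
    """Return the list of reasons to reject `new`; empty means accept."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_predictable_change(old, new):
        problems.append("predictable tweak of the old password")
    if is_dictionary_word(new):
        problems.append("single dictionary word with substitutions")
    return problems


if __name__ == "__main__":
    # Constructed samples: a forced-reset tweak, a leet-speak word, a passphrase.
    for old, new in [("Summer2019!", "Summer2020!"),
                     ("Summer2019!", "P@ssw0rd1"),
                     ("Summer2019!", "correct horse battery staple")]:
        print(f"{new!r}: {evaluate_new_password(old, new) or 'ok'}")
```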

Do it safely: You should still change your password whenever you learn it's been compromised in a data breach. You can sign up with Have I Been Pwned to get alerts about hacks that affect you. You can also use the Firefox or Chrome browsers or a browser extension from Okta that will warn you if one of your passwords has been found in a set of leaked data.

Finally, use whatever two-factor authentication is available on your accounts, so that even if hackers have your password, they won't be able to access your accounts without a lot of extra work. SMS-based authentication, though vulnerable to some hacking attacks, is better than nothing. Authenticator apps like Google Authenticator or Authy are stronger, and for really important accounts like Google or Facebook, you can use hardware security keys.

But for a start, just stop reusing the same password, OK?