Password Security: Three Things to Do Today

It’s too late for me to be up writing this, but a few posts and tweets tonight, coupled with a recent realization, left me feeling obligated.

(Every company ever breached) takes the privacy of customer data extremely seriously

Whilst reading this post by Rohan Pearce, “Kathmandu hacker may have captured customer credit card data,” and this all-too-often used line, “Kathmandu takes the privacy of customer data extremely seriously,” it struck me that our team literally reports on new data breaches every single day. It doesn’t matter who you are; it happens to everyone, as observed in my current favorite tweet, this one from Troy Hunt.

I have the privilege to consider all-hazards threats, risks and preparedness every day. It makes me a bit crazy, especially at this hour, but it is truly a privilege and I love it. I’m at an event this week that has little to do with cybersecurity, and it occurred to me that most folks don’t sit around thinking about password hygiene and best practices every day. They’ve got better things to do, to be honest. So, what can I suggest to someone who will only care so much, only do so much, and only think about this for a little while? That’s not meant in the least bit disparagingly; it’s just reality. We all only do so much at most things. Yes, some of you go all-out all the time… 🙄 no one really likes you though.

So, listen, take ten minutes, do three things, and be on your way. Floss, brush, rinse, go to bed.

Step One: Three Random Words. The UK offers good, simple guidance on making good passwords. “A good way to create a strong and memorable password is to use three random words.” Some people disagree, some prefer other methods, but honestly, this gets it done. Some like passphrases, but I think they’re limited in use.


Some say make up a phrase and then turn it into an acronym or initialism, but quite honestly, you quickly end up sounding like Michael Scott in the opening scene of “The Deposition” episode of The Office. Three random words, never the same ones twice, and swap in numbers and symbols for some letters just to mix it up.
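To make the “three random words” advice concrete, here is an added example (my code, not from the original post or from the UK guidance it cites) that picks the words with a cryptographically secure random source and shows how the strength of the result depends on the size of the wordlist. The word list is a constructed sample; a real list should contain thousands of words, and the entropy figure assumes each word is drawn independently and uniformly from that list.

```python
import math
import secrets

# Constructed sample wordlist (assumption): 16 everyday words, enough to show the
# mechanics. A real list (e.g. several thousand common words) is what you would use.
SAMPLE_WORDS = [
    "apple", "river", "candle", "mountain", "pencil", "window", "guitar", "orange",
    "rocket", "garden", "helmet", "island", "jacket", "kettle", "lantern", "mirror",
]

# Simple substitutions of the "numbers and symbols for letters" kind the post suggests.
LEET_MAP = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def three_random_words(wordlist, count=3, separator="-"):
    """Pick `count` words using the OS CSPRNG (secrets), never the `random` module."""
    if len(wordlist) < count:
        raise ValueError("wordlist too small")
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def substitute_letters(password, mapping=LEET_MAP, max_swaps=2):
    """Apply up to `max_swaps` letter-to-symbol substitutions, left to right.

    Note: predictable substitutions add little real strength; the entropy comes
    from the random word choice, so treat this purely as 'mixing it up'.
    """
    out, swaps = [], 0
    for ch in password:
        if swaps < max_swaps and ch in mapping:
            out.append(mapping[ch])
            swaps += 1
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(wordlist_size, count=3):
    """Guessing entropy of `count` independent uniform picks from N words: count * log2(N)."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = three_random_words(SAMPLE_WORDS)
    print(pw, "->", substitute_letters(pw))
    for n in (len(SAMPLE_WORDS), 1024, 7776):
        print(f"{n:>5} words: {entropy_bits(n):.1f} bits")
```

The comparison printed at the end is the point: with only 16 words the three-word result has 12 bits of entropy, while a 7776-word list gives roughly 39 bits, which is why the size of the pool you draw from matters far more than the symbol substitutions.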

Step Two: Password Manager. There have been some recent reports questioning the value of password managers. Look, if you log in to more than three sites a day, and absent a tremendous memory, use a password manager. I like LastPass. Maybe you prefer 1Password. Don’t care, doesn’t matter. Pick one, get one, use one. There are free options (but if you use it for a few months, do the right thing and get the paid version).

Step Three: Have I Been Pwned? Back to Troy Hunt… either check this website regularly (I used to do it weekly) or sign up for direct email notifications (which is a lot easier) for every email address you use, and can remember ever using. You’ll be told when you’ve been compromised. That’s a will, not an if. Then you can make sure to go to the site, make a new random, three-word password, have your password manager automatically update it for you, and go back about your business.
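Alongside the email-address notifications described above, the same Have I Been Pwned service also lets you check whether a password itself appears in known breach dumps without ever sending the password: the client hashes it with SHA-1 and sends only the first five hex characters of the hash, then matches the rest locally against the returned list. The following added example (my code, not the post author’s or the HIBP project’s) shows that k-anonymity exchange; the range response embedded here is a constructed sample, and the breach count in it is made up for illustration.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def range_query_parts(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the
    service and the 35-char suffix that is matched locally and never transmitted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix, range_body):
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times
    the password was seen in breaches, or 0 if the suffix is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_live(password):
    """Live lookup (network): only the 5-char prefix leaves the machine."""
    prefix, suffix = range_query_parts(password)
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return breach_count_from_range(suffix, body)


# Constructed sample response for prefix 5BAA6 (assumption: real responses contain
# hundreds of suffixes; the counts below are invented for the example).
SAMPLE_RANGE_5BAA6 = """\
0026F1E4F1C0B2D31D3DF8A94E42C0F7C10:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
2F8C7A4D3B9E1F0A5C6D7E8F9A0B1C2D3E4:1
"""

if __name__ == "__main__":
    prefix, suffix = range_query_parts("password")
    print("prefix sent to service:", prefix)
    print("times seen in sample data:", breach_count_from_range(suffix, SAMPLE_RANGE_5BAA6))
```

If the count comes back above zero, that password has already been seen in a breach and should be replaced with a fresh three-random-words one, which is exactly the workflow the step above describes for compromised accounts.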


Three things. Now, there is more we can all do – credit freezes, ordering a free annual copy of our credit report from annualcreditreport.com (hat tip here to Brian Krebs and this article), using two-factor or multi-factor authentication where possible, and other steps – but we can all pretty easily do at least these three simple things. And tell your mom to do it too.


This blog was written by Andy Jabbour, Gate 15’s Co-Founder and Managing Director.