Most users, when creating an account with a mobile app or website, either reuse a password they already use elsewhere (so they always remember it) or create a new one that is unique to that site.
Only the second approach is sound. Even so, there is one more thing to consider if you really want to stay safe.
Many readers will remember the Adobe data breach of 2013, in which roughly 150 million account records were stolen. The breach exposed a large share of users' passwords, and it did so because of a simple mistake in how Adobe stored credentials in its back-end database. When you last created an online account, do you remember seeing a "password hint" box? It is the helpful reminder you can click on if you forget your password: some text you wrote at sign-up pops up to jog your memory. This is where Adobe fell short. The hint text, entered during account creation, was stored in plain text in the same table as the passwords, so when the table was stolen, every hint went with it.

The passwords themselves were encrypted, but that did not help as much as it should have. Adobe had encrypted them with a block cipher in ECB mode rather than hashing them, so every user with the same password had exactly the same ciphertext. An attacker could group accounts by ciphertext and read all the hints in each group; it took only one user with the password "12345" and the hint "the password is 12345" to give away the password of everyone else in that group. There were many variations on this theme, but in short, anyone who entered an obvious or over-specific hint when creating or resetting their password exposed not only their own account but every account sharing that password.
You can legitimately argue that Adobe should have protected the hints (and hashed the passwords with a proper password-hashing function rather than encrypting them), but my point is this: how can we, as users, be sure? We all take for granted that anything labelled a "password" field will be stored securely, and in Adobe's case it was, after a fashion, but it sat alongside a field that was not protected at all. Whatever protection a site gives the password should extend to anything password-related: hints, security answers, and recovery data.
My advice is to NEVER use password hint boxes. You do not need them, and you cannot be sure they are stored as securely as the password itself. Even if you do not type your password straight into the hint box, here are some common password hint mistakes:
- Typing the actual password into the hint box. Never do this.
- Making the hint too specific. If your password is "Monday", do not make the hint "The day before Tuesday"; even "the day we got Reggie the dog" is a terrible idea. Can you think why?
- Making the hint a roadmap to the password. If your password is "Hero1234", do not make the hint "Hero with four digits starting with 1".
The last hint would certainly remind the owner, but it also tells an attacker the structure of the password: the word "Hero" followed by four digits beginning with 1, which leaves only a thousand candidates to try. The second example is just as bad: as soon as a hint says the password is a day of the week, an attacker knows it is one of seven possibilities, and anyone who can find out when you got your dog (a photo on social media is enough) knows exactly which one.
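The mechanism behind the Adobe failure described above, and the hint mistakes listed here, as an added example (not code from the original post or from Adobe). It is a Python model of two credential stores fed with constructed sample accounts: a legacy table whose passwords pass through a deterministic, unsalted transform (a keyed digest standing in for a block cipher in ECB mode, using a hypothetical server key) next to plaintext hints, and a hardened table using per-user salted PBKDF2 with no hint column at all. It shows that an attacker holding only the dump can group users by identical ciphertext and read every hint in the group, so a user who left the hint blank is still exposed by a careless neighbour, and that per-user salting removes the grouping entirely.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (username, password, hint); not real data.
# Several users share a password, as happens in any large user base, and
# the hints reuse the bad patterns discussed in the text.
USERS = [
    ("alice", "12345", "the password is 12345"),
    ("bob", "12345", ""),
    ("carol", "Monday", "the day before Tuesday"),
    ("dave", "Monday", "the day we got Reggie the dog"),
    ("erin", "Hero1234", "Hero with four digits starting with 1"),
    ("frank", "Hero1234", "work login"),
]

# Hypothetical server-side key for the legacy store.  The attacker does not
# have it and does not need it for the attack shown here.
LEGACY_KEY = b"legacy-ecb-key-stand-in"
PBKDF2_ROUNDS = 200_000


def legacy_encrypt(password: str) -> str:
    """Stand-in for encrypting a password with a block cipher in ECB mode:
    deterministic and unsalted, so equal passwords give equal ciphertexts.
    A keyed digest is used only so the example runs with the standard
    library; the property under discussion is the determinism, not the
    cipher."""
    return hmac.new(LEGACY_KEY, password.encode(), hashlib.sha256).hexdigest()


def build_legacy_table(users):
    """The Adobe-style table: ciphertext stored next to the plaintext hint."""
    return [(name, legacy_encrypt(pw), hint) for name, pw, hint in users]


def pool_hints_by_ciphertext(legacy_table):
    """Attacker's first step over a dump: group rows by identical ciphertext
    and collect every non-empty hint written for that ciphertext."""
    groups = defaultdict(lambda: {"users": [], "hints": []})
    for name, ciphertext, hint in legacy_table:
        groups[ciphertext]["users"].append(name)
        if hint:
            groups[ciphertext]["hints"].append(hint)
    return dict(groups)


def hints_leaked_to(legacy_table, username):
    """Every hint an attacker can read about `username`'s password: not just
    their own hint, but every hint from anyone with the same ciphertext.
    A user with a blank hint is exposed by a careless neighbour."""
    own_ct = next(ct for name, ct, _ in legacy_table if name == username)
    return pool_hints_by_ciphertext(legacy_table)[own_ct]["hints"]


def hardened_record(password: str, salt=None):
    """Salted, slow password hash (PBKDF2-HMAC-SHA256 from the standard
    library; Argon2id or bcrypt are the usual production choices).  A fresh
    random salt per user means equal passwords no longer produce equal
    records, so there is nothing for an attacker to group by.  No hint
    field exists."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hardened(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def build_hardened_table(users):
    """Same users, stored properly; the hint column is dropped entirely."""
    return [(name, *hardened_record(pw)) for name, pw, _hint in users]


def colliding_values(stored_values) -> int:
    """How many distinct stored values appear more than once.  Anything
    above zero hands an attacker groups of users to attack together."""
    counts = defaultdict(int)
    for value in stored_values:
        counts[value] += 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    legacy = build_legacy_table(USERS)
    print("legacy: hints readable about bob:", hints_leaked_to(legacy, "bob"))
    print("legacy: colliding ciphertexts:", colliding_values(ct for _, ct, _ in legacy))
    hardened = build_hardened_table(USERS)
    print("hardened: colliding digests:", colliding_values(d for _, _, d in hardened))
```

Note that the attacker never touches the key: bob left his hint blank, yet alice's hint identifies his password because their ciphertexts match. In the hardened table the same six users produce six different records, so even a careless hint elsewhere would point at one account at most, and the table stores no hints to leak.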
The best advice is never to use a hint, and if a website insists on one, enter something unrelated to the password just to complete the registration. You should also consider using a password manager such as LastPass or Dashlane so that you never need a reminder in the first place.
Remember: if you cannot remember a password, reset it rather than rely on being reminded of it.