
HOWTO: Check YOUR Online SECURITY & Is YOUR Password SAFE (tips and tools inside) by edje

## <center>Introduction/Summary</center><br>

Most of us struggle to keep up with the many passwords we have to use when doing things online. Although we are often advised to create unique and complex passwords for each service we use, we tend to create very simple and weak passwords and use the same one for many of the services we use. We also read and hear about username and password databases being hacked more often than we would like, something that will increase even more in the future since digital crime has only just started.

- Standards & Recommendations
- Recommendation: Check Strength of Your Password
- Recommendation: Check Password Breach
- Recommendation: Use a Password Manager
- Recommendation: Setup 2-Factor Authentication

In the remainder of the post I cover the most recent changes to the recommendations by standardisation institutes and IT experts, suggest websites that help you check whether your passwords have ever been found on the internet or in databases of criminals and how strong your password really is, name password managers that are good to use, and explain how best to set up 2-Factor Authentication.

<center>![](https://s12.postimg.org/xr36zd4vx/170815_advise_passwords.png)</center>

## <center>Standards & Recommendations</center><br>

Maybe the recommendations and standards that were defined in 2003 by the National Institute of Standards and Technology (NIST) of the US Department of Commerce, copied as recommendations in many other countries in the world and implemented by many internet services, were too complex. Those recommendations included replacing characters with equivalent symbols, changing passwords every 90 days, and other intensive tasks. The result: almost nobody created strong passwords.

One of the founding fathers of these recommendations, IT expert William Burr, recently told the Wall Street Journal in an interview:

> "Much of what I did I now regret. It just drives people bananas and they don't pick good passwords no matter what you do."

For those interested in all the details of the recommendations as adopted by NIST in 2003, pages 46 to 52 of [this](http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-63ver1.0.2.pdf) document list them all.

Recently NIST adopted a rewrite of the recommendations, which can be found [here](https://pages.nist.gov/800-63-3/sp800-63b.html). It is a lengthy document and not easy to read, so you may not want to look at it. Paul Grassi, senior standards and technology adviser at NIST, who led the new revision, says:

> "Keep passwords simple, long and memorable. Phrases, lowercase letters and typical English words work well."

Experts suggest:

> Special characters and a mixture of lower and uppercase letters are not required anymore. And passwords never need to expire, but the main recommendation of NIST shall be followed as mentioned before "Keep passwords simple, long and memorable".

Many websites came out with their own summary of the recommendations, but they are not all that consistent. And since the recommendations by NIST are quite vague, I can imagine you may be puzzled and doubt how a password should be crafted to be safe, especially when not changing it for a long time to come.

## <center>Recommendation: Check Strength of Your Password</center><br>

My recommendation is, for any important website (banks, webshops where you leave your bank card and credit card information, social networks holding much of your private information, contact books, crypto exchanges), to check the strength of the password with a service like "howsecureismypassword.net" (click [here](https://howsecureismypassword.net/)). This service is a trusted service, sponsored by one of the leading companies offering commercial password managers.

## <center>Recommendation: Check Password Breach</center><br>

Another recommendation I have for you is to check whether the passwords you are already using were part of a leak or hack. Many services exist on the internet that can assist you if you give them your email addresses. Although many of these services are legit, there are also services out there that are in the game of harvesting email addresses for whatever purpose.

One of the most trusted services works differently. With this service, you give them your password (without username or any other information) and the service tells you whether that password was part of any of the hacked username/password databases. Navigate to this service "haveibeenpwned.com" by clicking [here](https://haveibeenpwned.com/Passwords). You can also check with them based on your email address and usernames [here](https://haveibeenpwned.com/).

References for haveibeenpwned service include:
- CNet ([here](https://www.cnet.com/how-to/find-out-if-your-passwords-been-hacked/))
- Toms Guide ([here](https://www.tomsguide.com/us/data-breach-pwned,news-17950.html))
- Techlicious ([here](https://www.techlicious.com/tip/how-to-check-if-your-password-has-been-stolen/))

In the Netherlands the police launched a service to provide information if your email address is found in the databases of criminals that they got into their possession. The service is in Dutch and can be found [here](https://www.politie.nl/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html).

## <center>Recommendation: Use a Password Manager</center><br>

In addition I recommend using a password manager. I personally use the open source KeePass ([here](http://keepass.info/)). Although this one is super good, it is a little more difficult to synchronise the password database with multiple devices. I use a small trusted cloud company to store the password database online and a super long, but easy to remember password (28 characters, digits and symbols in a sentence form). howsecureismypassword tells me that it takes "1 UNDECILLION YEARS to crack your password". I'm not sure how big UNDECILLION is, but I'm pretty sure this is longer than my lifetime. Therefore I'm not afraid when my online cloud storage provider gets hacked and criminals will get my password database in their hands.

Another good password manager is LastPass ([here](https://www.lastpass.com/)) which gives you an easy way of synchronising across your devices. The reason I'm not using LastPass is that I cannot use my trusted cloud storage provider.

## <center>Recommendation: Setup 2-Factor Authentication</center><br>

Especially in CryptoSpace, I recommend setting up 2-Factor Authentication (2FA). After the username/password step at a web service, you receive a code through email, text message, or an app like Google Authenticator, which you then type into your web browser during the login process. When your username and password get into the hands of criminals, they also need your phone to log in to your account (when using text messaging or a smartphone app). This makes it extremely difficult for criminals to hack your accounts online. Most services make use of the Google Authenticator app, and I prefer that over text message. Email I find not safe enough and do not like to use it for 2FA.

### Good luck with bringing more safety to your digital online presence.

### Let me know in case you have questions, I may be able to give you some guidance.

<br>

<center>
# NJOY

###### follow me [@edje](https://steemit.com/@edje)
</center>
Created: 2017-08-15 15:51:27
Last update: 2017-08-15 17:31:09
@massivevibration ·
Thank you very much!!! Very helpful!
@edje ·
You are welcome!
@romantic4 ·
Upvoted by Emma
@edje ·
Thank you @romantic4. I voted with just a small percentage of my power for your latest post; this post seems to be copy/paste from the Internet, not something that we like here at Steemit. But to give you a little incentive to create your own unique posts, I gave a couple of cents in rewards on that post.
@teks ·
Very useful and with lots of information that everyone should know. I will resteem for its enormous utility for all.
@edje ·
Thanks for the ReSteem and appreciation.
@trumpman ·
why the steemstem tag? how is this post scientific?
@edje · (edited)
I thought SteemStem was also technology and services. I removed the SteemStem tag.
@trumpman ·
It's ok, mistakes happen. Thanks for the understanding :)