Nine ways journalists can improve their password security

A password could be a journalist’s last line of protection from falling victim to a hacker. Tech expert Ben Finn details ways in which journalists should upgrade their passwords to bolster their digital security protocols rather than let it be a security pitfall. 

Passwords are often the only line of defence protecting a journalist’s sensitive and valuable information, but hackers can easily perform brute force attacks through using lists of common passwords which can check 10,000 to one billion passwords per second. Therefore, journalists should always use strong passwords that are unique to every website or account to ensure their personal security and the security of their sources.

1. Use a passphrase rather than a single word. A phrase of three to four words provides significant security over most single-word passwords, even when you add in special characters and numbers to the passwords.
2. Use a password manager. Services like 1password, bitwarden and KeePass allow you to store multiple complex passwords without having to memorise them or write them down. 
3. Turn on multi-factor authentication. When possible, use multi-factor authentication, a function that requires two or more security checks — like a unique code sent to your cell phone — to keep your accounts secure. 
4. Never ever use systematic passwords. Passwords that explain their purpose or use common words and phrases are easy to crack. For example, the top 10 most common passwords like “123456” or “password” often appear on publicly available lists and would be the first to be cracked.
5. Do not repeat usernames and passwords. Using a variety of usernames and passwords makes it harder for hackers to identify connected accounts. If you have a password manager, there is no need to repeat passwords.
6. Don’t use identifying information. Your password should have nothing to do with any part of your personal life that may be publicly available. Hackers are known to attempt to use personal information when guessing the password of a specific person and can plug this information directly into their password dictionaries and run thousands of combinations. For example, a website may tell you a password like “Mark&Jane1982” is secure, but it could be cracked in seconds.
7. Obfuscated passwords. Replacing letters with numbers or symbols (like changing “officepassword” to “0ff!c3_p4$$w0rd”) are often rated as “strong” by automated password checkers but can be easily found in basic password dictionaries. While obfuscation is not a solution by itself, it is valuable when combined with a random passphrase that won’t show up in a common password dictionary.
8. Check if you have been hacked. Websites like Have I Been Pwned (sic) allow you to see if your email or phone have been hacked or if your data has been stolen and dumped. If it has, change your password immediately.
9. Find out how secure your password is. Use this tool to test new passwords and find out how long it would take for an average hacker to crack it. Best not to put in your exact password for extra security; but use it to test similar examples of passwords.

Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been researching on how to maintain proper security in the context of an oppressive nation-state, specifically in the context of Myanmar. He has also been working with multiple groups in Taiwan to train them on proper security and safety measures.