Digital Security and Privacy

Creating a Strong Password

A strong password is...

  • unique: using a password on more than one platform risks exposing all your accesses if just one of them gets hacked. Create a unique password for each platform you register on.
  • long: length is the most efficient way to limit brute-force password cracking. Think of passphrases rather than passwords.
  • random or original: do not pick lyrics from a song or text from a poem. Do not include personal information in your password either!
  • complex: replacing some letters with symbols, but not in a predictable, systematic way, makes dictionary-based attacks less efficient.
  • secret: really, do not tell anyone, ever.
  • practical to remember: that is easier said than done, but you can build sentences you will remember.
  • fresh: passwords should be renewed every now and then.

You should never:

  • Write down passwords, especially if you keep them next to your computer
  • Store passwords in unencrypted files
  • Use a bad password (too short, too easy, etc.)
  • Use personal data (birthday, license plate number) as a password (see social engineering)
  • Use the same password on multiple sites/applications
  • Give your password to someone (anyone) else

Obviously, creating and remembering such a password is easier when using a password manager.
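As an added illustration of why length beats complexity (example code written for this guide, not part of the original page): it compares the entropy of an 8-character password drawn from the 95 printable ASCII characters with a 5-word passphrase from a 7776-word list, estimates brute-force time at an assumed rate of 10^10 guesses per second, and generates a passphrase with a cryptographically secure random source over a constructed sample word list.

```python
import math
import secrets

# Constructed sample word list for demonstration; a real diceware-style
# list has 7776 words, which is the size used in the entropy comparison below.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "coffee", "window",
                "pencil", "garden", "silver", "rocket", "candle", "planet"]


def charset_entropy_bits(length, charset_size):
    """Entropy (bits) of `length` symbols each chosen uniformly from `charset_size`."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(n_words, list_size):
    """Entropy (bits) of `n_words` words each chosen uniformly from a list of `list_size`."""
    return n_words * math.log2(list_size)


def years_to_brute_force(bits, guesses_per_second=1e10):
    """Average time (years) to find the secret by exhaustive search.

    On average half the keyspace must be tried. The guess rate is an
    assumed figure for illustration, not a measured attacker capability.
    """
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(word_list, n_words=5, separator="-"):
    """Pick words uniformly at random using the CSPRNG in `secrets` (never `random`)."""
    return separator.join(secrets.choice(word_list) for _ in range(n_words))


if __name__ == "__main__":
    short = charset_entropy_bits(8, 95)        # 8 printable-ASCII characters
    phrase = passphrase_entropy_bits(5, 7776)  # 5 words from a 7776-word list
    print(f"8-char complex password: {short:.1f} bits, "
          f"~{years_to_brute_force(short):.3f} years to brute-force")
    print(f"5-word passphrase:       {phrase:.1f} bits, "
          f"~{years_to_brute_force(phrase):.1f} years to brute-force")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The passphrase wins by about twelve bits, which at the assumed guess rate turns days of cracking into decades while staying far easier to remember than eight random symbols.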

2-Factor Authentication

Many applications and websites allow you to enable 2-factor authentication (2FA, or multi-factor authentication, MFA). This means that whenever you log in (or only when using a new device), you will be required to pass an additional validation, through one of several means, before your password is accepted:

  • SMS validation through your phone is good, but SIM-swapping is still a possibility given a determined attacker.
  • Application validation on your smartphone is safer, but a smartphone can still be stolen and should be secured.
  • E-mail validation is only as strong as your e-mail security, and might be slow in some cases.
  • Printed backup codes can be used when you cannot rely on your phone, but these can also be stolen.

As you can see, none of these is perfect, but 2FA is still a basic security measure you should always apply when offered the possibility.

Do Not Lose Your Passwords!

If you do not use a password manager and lose the password to one of the strongly encrypted systems described elsewhere in this guide (such as ProtonMail, Signal and Wire), you might permanently lose access to your archives. While there are password recovery options for all of these systems, it would defeat their purpose if they were vulnerable to a fake password recovery attempt, so they protect you by making the archives unavailable instead.