Depending on who you talk to, International Change Your Password Day is January 20 or February 1. Either way, in Australia we’ve missed both those dates, and because I’m writing this in Mexico I just saw the tweet from Fastmail reminding me.

Regardless of the “national date” consider this your reminder to change all of the important passwords in your world. In my humble opinion, all of the important passwords in your life should be changed annually. Because

  1. it encourages you to check the security of your most important services every year,
  2. it reminds you that the only good password is a unique password,
  3. if a password has been leaked, either because you gave it to someone or through a hack, changing it effectively takes that password out of circulation and increases your personal security.

What is a unique password?

A unique (and good) password is really simply a password you’re not using elsewhere.

So if your Facebook password is kiwifruit, then your Instagram password is not kiwifruit, nor is it KiwiFru!t, or even kiwifruit1.

If you had unique passwords for Facebook and Instagram, then your Facebook password might be kiwifruit and your Instagram password might be cairns. Not at all related. Not with changing numbers at the end, or your little “I’ll outsmart the hackers with my own algorithm” like using kiwifruit2023 if you set the password in 2023. A unique password is unlike your other passwords.

And the best password is a unique password.

What makes a good password?

A good password is as long as it can be, and as unique as it can be. Unique doesn’t have to mean something like [email protected], as unique as that is, but it might be something a little more human like treefarmbaggage. Picking out three random things I can see or think of is one of my favourite ways of generating a password: a hacker might know all of our personal and family details, but they don’t know three random words you just thought up. It also keeps the password memorable, or repeatable over the phone when your partner needs to access the thing secured by that password.

Then of course you need to take into account each service’s password policy. A password policy is the bit where they say things like

  • minimum of eight characters
  • maximum of 16 characters
  • must contain a number
  • must contain an upper-case letter
  • must contain a unique symbol like $%^&*@.

These password policies are a corporation’s way of trying to implement stronger passwords when the user hasn’t read an article like this. Unfortunately, you need to just go along with these policies and sometimes you’ll need to make your unique password even more unique by changing treefarmbaggage to Tree-f@rm-baggag3.

Generating a unique password using 1Password

What services are important enough to change regularly?

I’ll show you my list, but yours might be different. This list represents all the ways people could steal my identity, pretend to be me, access my client files, or access my finances.

  • Fastmail (where my email is hosted)
  • Squarespace (where my business website is hosted)
  • Porkbun (where half my domain names are hosted)
  • VentraIP (where the other half of my domain names are hosted)
  • Cloudflare (where my domain name service is hosted)
  • Facebook (people can pretend to be me if they access this)
  • Instagram (people can pretend to be me if they access this)
  • LinkedIn (people can pretend to be me if they access this)
  • Micro.Blog (people can pretend to be me if they access this)
  • Twitter (people can pretend to be me if they access this)
  • Apple ID (access to all my Apple devices, access to my “log in with Apple” accounts, and iCloud storage and photos)
  • Microsoft (access to some cloud services)
  • Dropbox (access to work and client files)
  • Stripe (where we receive payments)
  • ANZ (where my business finances are)
  • Up Bank (where my personal finances are)
  • Xero (where our bookkeeping is)
  • Pearler (where my investments are)
  • Paypal (sometimes payments are made here)
  • Mastodon (people can pretend to be me if they access this)
  • The Births Deaths and Marriages online (where my client details are)
  • The AGD marriage celebrants portal (this is important for my registration)
  • Telstra account (very easy to pretend to be me if you have my phone number)
  • Google (this account is the least important of my important accounts, but it’s a thing)

If a hacker gained access to one of these accounts I’d be upset. If a hacker gained access to my Yahoo account, meh they can keep it. If they gained access to my Reddit account, so be it. But these ones I’ve identified as important to me and I make sure of three things:

  1. The password is changed annually to a new and unique password
  2. If the service has two-factor authentication available I turn it on, and if possible I use the “Time-Based One Time Password” or TOTP or in layman’s terms “authenticator app”. Using the SMS authentication might seem nice but your SIM card can get stolen, hacked, or intercepted.
  3. Finally, if it’s a service that other services connect to, like Facebook, I check which apps and websites are authorised to access my account and I remove or delete any I don’t use or need any more, and especially any I don’t recognise.
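To show why an authenticator app is not tied to your phone number the way SMS is, here is an added example (written for this post, not from any authenticator app or service) of the TOTP algorithm the apps implement, using only Python’s standard library. The code is computed from a shared secret and the current 30-second time window, so whoever takes over your phone number still cannot produce it; only the secret (set up when you scan the QR code) and a clock are involved. The sample secret is the published RFC 4226/6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# The 20-byte test secret from RFC 4226 / RFC 6238; its base32 form is what a QR code carries.
TEST_SECRET = b"12345678901234567890"
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per code, the value almost every service uses


def secret_from_base32(text):
    """Decode the base32 secret shown by a service during enrolment (spaces/case tolerated)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP, digits=6):
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=STEP, window=1):
    """Server-side check: accept the current window and `window` neighbours either side,
    so a slightly wrong phone clock still works. Comparison is constant-time."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    print("code right now:", totp(secret, time.time()))
    print("RFC 6238 vector (t=59):", totp(secret, 59))  # 287082
```

The server stores the same secret and runs the same computation, which is why a TOTP code is worthless to anyone who only has your phone number, but also why the secret itself (the QR code or the text key) deserves the same care as the password.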

Changing the password

To change the password simply open the website for each one and navigate yourself towards a settings or preferences menu where you can edit either account settings, or password settings, or authentication settings, maybe even security settings. You’ll need to know your old password, and then of course enter your new one. Some services might need to confirm via email.

You might also find that some services, like the Celebrant Institute you’re reading right now, don’t actually use passwords. It’s because we don’t want to be responsible for holding that information for you. If we don’t know your password it can’t be stolen from us. This is the same reason we use Stripe for financial transactions here. If we don’t know your credit card, it can’t be stolen from us. Also, when your credit card expires, please stop emailing us your details, just log on and change it in your account settings 😉

How do I remember all these unique passwords?

This is the big problem people come across.

If my Facebook password is kiwifruit and my Instagram password is now cairns, that’s ok, I can remember two passwords. But the human brain has fail points. Even I, Father of the Year three years running now, sometimes call my eldest daughter by her little sister’s name and vice-versa. If only we could devise a system to help manage all these passwords.

1. Writing them down on paper or in a book

This sounds like a great idea, but someone can just break into your house and steal your book. Or far more likely, you lose the book.

2. Sticky notes on your computer monitor screen

This is also a great idea, after all, they’re right there where you need them. Unless you need them when you’re out of the office or house. Also when you take a photo at your desk, make sure you get the sticky notes in the photo so everyone who sees the photo now also knows the password to your internet banking.

3. Keeping them in a spreadsheet or a word document

Now we’re getting somewhere. Keeping them in a document on your computer is great, but it can get messy especially if you have lots of logins.

4. Keep them in a software password manager – the winner!

A password manager application is designed for this exact purpose. The two I recommend are Apple’s Keychain, because it’s free and built into every Apple device, or, if you don’t use Apple hardware or want a little bit more freedom and flexibility as I do, 1Password. You can choose any password manager you like, do your own research because, in the end, you’re choosing a security guard to guard your security guards and I want you to make that choice on your own. I’m not going to even link out to 1Password, which I use, because it’s important to me that you know how to secure yourself.

Managing your own digital and computer security isn’t hard, and it isn’t the work of a nerd or a computer technician. This is work you should know how to do, and if you don’t know how to do it, then take it upon yourself to learn. It’s like if you don’t know how to use a deadbolt on a new house you’ve just moved into, you don’t just leave it open with a sign saying “All intruders welcome!” You learn how to secure your house, and you need to do the same for your own digital house.

Welcome to International Change Your Password Day, I hope it brings you great change!