This article was published on May 4, 2018

Nutella celebrates World Password Day with the worst security advice ever


Nutella celebrates World Password Day with the worst security advice ever

It’s World Password Day today, which means you should probably think about how you’ve secured your online accounts, and how you can ensure that they’re not easily hacked. Following Nutella’s advice on the matter would probably be the worst thing you can do, though.

I love Nutella as much as the next guy, but this celebratory post from its Twitter account is as misguided as they come:

Yeah, no, that’s not how you create a password in 2018.

What’s wrong with it, you ask? Well, for starters, it’s a pretty common password: The Pwned Passwords database, which includes 500 million passwords that have been exposed in past data breaches, has it listed more than 20,000 times. That means it’ll likely feature in password dictionaries used by hackers in brute-force attacks to get into accounts, so it’s less secure than a more complex one.

In addition, it simply doesn’t follow good practice: your password should be hard to crack, which means you’ll want something that’s not in the dictionary, a bit longer than ‘nutella’s seven characters, and include numerals or special characters.

The other problem with Nutella’s advice is that you should be able to remember your password. That’s rubbish. Your passwords should ideally display a high degree of entropy, i.e., include several characters in as random an order as possible.

They also shouldn’t be created with ease of memorization in mind, simply because reusing passwords makes you vulnerable to being hacked when any one of the online services you use faces a breach. When you’ve got hundreds of accounts all over the web that have the same login (usually your primary email address), it doesn’t make sense to try and remember unique ones for all of them.

Instead, you should use a password manager like Lastpass, Keepass, Dashlane or 1Password: it’ll not only remember your passwords and fill them in for you when you’re logging into sites and apps, but also generate strong passwords when you’re creating new accounts.

It’s true that you do need to remember a single master password for this – but if you’re thinking about locking down access to all your accounts with ‘nutella’, you’re probably going to have a bad time. For this one, consider using a lengthy passphrase with a high degree of entropy, as illustrated in this xkcd comic – just don’t use the one in that strip!

Lastly, you’ll want to enable two-factor authentication on all the accounts that support it: this feature has you confirm your identity after entering a password with a second verification method, which is usually a short string that’s dynamically generated on your phone, or a prompt on your phone that asks if it’s really you logging into your account at that time.

For more on passwords and staying safe online, check out our recent Answers session with renowned security expert Troy Hunt.

The Next Web’s 2018 conference is just a few weeks away, and it’ll be ??. Find out all about our tracks here.

Get the TNW newsletter

Get the most important tech news in your inbox each week.