Passwords

Passwords are so often a frustration.

We all know they are completely necessary, just like your front door key, but we seem to have ever-growing key-fobs full of them.

At work there are websites and databases, and similarly at home, with websites and streamed services… it never lets up.
Change your job, or the job changes its IT, and look, yet more passwords to remember!

Part of my job has always included password resets for users who forget their passwords at work, particularly in the week following an enforced "Change Password Today", when at the last minute they chucked something in there "to shut it up" so they could get on with x, y or z.

It happens. We're all very busy. I'm entirely empathetic.

And, I know, it's all something of a PITA, but it is now effectively a legal requirement in many countries to enforce strong passwords within companies, and to change them regularly: not merely for the security of a company's fileserver, for example, but in particular to prevent Bad Actors from accessing that data and exposing or using any part of it externally ... a Data Breach, as you've doubtless read of in the media.

Companies have a duty of care to protect any personal/sensitive information, and Fines can be substantial, so companies are naturally keen to avoid them … it's an effective motivation.
https://www.gov.uk/government/news/almost-half-of-uk-firms-hit-by-cyber-breach-or-attack-in-the-past-year (of those that admitted it)

Thankfully, we don't have to worry about that at home, though, there is a case that we perhaps should, particularly as WFH entrenches, because we tend to be somewhat complacent about security on our own PCs and Laptops.

Whilst you may think no-one would be interested in access to your boring work desktop, clunky old fileserver, or CCTV ... for criminals, it's just one step closer to a prize.

That prize might be access to your employer's bank account, or it may provide a vector to probe a Customer's, or a Supplier's, or some other business partner's contacts, the true prize lying in their network, yours is just a stepping stone.

Like smashing your car window to steal an umbrella, it costs them nothing. 
The only stress they encounter is their own impatience, waiting for their data accumulation to pay off.

What we should definitely do at home is make use of 2FA (Two Factor Authentication) wherever it is offered … and fewer and fewer sites and services don't offer it … email, banking, even many gaming facilities do.

For clarity, 2FA is when you enter the correct username and password, and then have a random code sent to (e.g.) your mobile device, which you also have to enter to confirm it is you making the login request.

Arguments against invariably revolve around petty inconvenience a couple of times a month, with occasional forays into converting that inconvenience to man-hours "= loss in revenue".

Measured against fiscal and reputation losses in the event of company Data Breach, suffice to say that almost all those "arguments" pale into insignificance.

In personal loss terms, consider how easily one can apply for a loan, even a mortgage, and how little information they need from you to make an application in your name.

Unfortunately, biometrics still have a long way to go, as most of them are still found open to circumvention (eg: cloning of fingerprints), so for the foreseeable future, 2FA is our best bet, with SmartCards, Apps and digital Banking Authentication devices useful allies.

Uppercase, lowercase, numbers and symbols 

We're familiar with the refrain.

Similarly, we're aware of these:

Don't use the same password anywhere else, not even in part.
Because if your "123Netflix" is hacked, your "123Bank" one is too.

8-Characters or ideally more.
Because this : https://i.imgur.com/Ar9yQNM.jpg

Never use proper names and personal associations, such as family or pet names, postcodes/zipcodes, car licence indexes, house numbers, birthdays, phone numbers.

Don't use sequences at change time, such as sticking number(s) on the end of your last password.

Don't write them down in notebooks … for obvious reasons, really.
I once consulted for a major rock band's merchandising arm; on the very first day I walked in to find the Domain Administrator's password written on a whiteboard … worse still, it was visible from the street!

Don't use your Browser to remember passwords.
Because they are stored unencrypted in plain text and can be easily accessed.

In other words, every password should be random and totally independent, which, as I say, becomes tricky when it comes to remembering them all.

This site, https://passwordsgenerator.net/ (where you will also find the above recommendations, and many more), can certainly help with generating them, and even offers a way of remembering them; the problem is, remembering so many random, complicated strings is just not something we can generally do.

Password Managers

Up until a few years ago, I maintained a spreadsheet with all my passwords.
It worked fairly well: the spreadsheet itself was password-protected, and I even renamed the file "passwords.xlsx" to "image_0330.jpg" and stored (hid) it amongst a large number of actual images, already similarly named.
It had its drawbacks though, as you might imagine, and not least when I needed access from another machine, or a tablet, or my mobile phone.
Plus, realistically, it was a liability.

Then I "discovered" Password Managers.

I've used several since; I'm currently using Bitwarden, but I really liked LastPass, it's an excellent starter.

With Password Managers, there's one single password to remember, used via an App and/or Browser Extension.
The app/extension recognises the site you're visiting, and with a click, your site-pertinent username and password is populated, and boom, you're in (2FA aside).

Most are free, some can be used online and offline (that is, without Internet connection), and are totally encrypted such that even the creators cannot view your passwords.

Some, like Lastpass, can check for duplicates and change them at the site(s) for you.
If ever you find (or think) a password may have been compromised, you can even have the Password Manager change all of your passwords in one operation, if desired.

They're catching on at companies too; I've encountered several using corporate offerings (complete with the customer's company logo) that launch on startup and are pre-populated so that staff have all the passwords applicable to their role, without, ironically, ever actually being told them.

If your company doesn't have its own, it's worth asking your IT department if you can install one, which I can fairly guarantee you will want to, after even short-term use of one.

Obviously, the Master password for a password manager needs to be very strong, minimum 10 characters, IMO, and should not be forgotten as you will permanently lose access; there is, by design, no reset or recovery facility.

For this reason, I recommend you consider one based on a phrase, for example:
"Far out in the western spiral arm of the galaxy" can be "F0!Tw5@OtG" by "strengthening" the initial letters, or, taking the second letters: "@Un4EprF4@".

Here's a link to an image. It's an image of the results of my primary Gmail address entered at https://haveibeenpwned.com/

It looks alarming, of course, why wouldn't it?
But the alarming thing is how frequently breaches actually occur, because not all, or their extents, are reported.
However, there's always a tell-tale sign when one has occurred - your spam goes up (big mention here for Gmail's consistent success in properly identifying spam, Microsoft should pay closer attention).

I've had this Gmail address since 2005, when it was originally a googlemail.com address (because I am in UK).
But it's never been hacked, I can assure you, I've never even had to use a recovery method.

Until recently, it had a 10-character strengthened passphrase.
That password would take 670 years to crack.

Plus I added 2FA as soon as it was available.

The same is true for my Microsoft account, originally an even older HTML-based email (and hence "HoTMaiL") facility.
Except, this address has never been in a reported data breach.
(Older than 2005, that is, not 670 years.)

Now that I have a Password Manager, I need to remember just three strong passwords (again, actually passphrases), in protection of, and for access to, my entire digital life: my work PC/network login, my home PC/network login, and my Password Manager's.

Everything else is in the latter, just a click or two away.

Because they are in there, I have set my Password Manager to make all passwords with characters at maximum ... even were they just numbers, it would take centuries to crack.
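As an added example (not code from the post), this Python script works through the passphrase trick described earlier and the crack-time figures quoted since: it derives a password from a phrase by taking the nth letter of each word and applying the substitutions seen in the post's own examples, estimates worst-case brute-force time for that password and for a long digits-only one, and flags the "stick a number on the end" rotation anti-pattern. The alternating-case rule and the 10^10 guesses-per-second rate are assumptions, not the post's.

```python
import string

# Substitutions visible in the post's own examples (o->0, i->!, s->5, a->@, h->4).
SUBSTITUTIONS = {"o": "0", "i": "!", "s": "5", "a": "@", "h": "4"}
SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_password(phrase: str, position: int = 0) -> str:
    """Letter at index `position` of every word, substituted where possible,
    otherwise alternating upper/lower case (the post hand-picks its capitals;
    this fixed rule is an assumption). Words too short for `position` are skipped."""
    out, plain = [], 0
    for word in phrase.split():
        letters = [c for c in word if c.isalpha()]
        if len(letters) <= position:
            continue
        ch = letters[position].lower()
        if ch in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[ch])
        else:
            out.append(ch.upper() if plain % 2 == 0 else ch)
            plain += 1
    return "".join(out)

def charset_size(password: str) -> int:
    """Size of the union of the standard character classes the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in password))

def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the search space at an assumed guess rate.
    Treats the password as uniformly random over its character classes; one
    derived from a well-known quotation is much weaker than this suggests,
    since the source text can be guessed instead of the characters."""
    return charset_size(password) ** len(password) / guesses_per_second / SECONDS_PER_YEAR

def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the 'new' password is the old one with only its trailing
    digits/symbols changed (the 'stick a number on the end' anti-pattern)."""
    strip = string.digits + string.punctuation
    core = new.rstrip(strip)
    return core != "" and core == old.rstrip(strip)

if __name__ == "__main__":
    phrase = "Far out in the western spiral arm of the galaxy"  # the post's phrase
    for pos in (0, 1):
        pw = derive_password(phrase, pos)
        print(f"{pw}  charset={charset_size(pw)}  years~{brute_force_years(pw):.0f}")
    print(f"64 digits only: {brute_force_years('7' * 64):.1e} years")
    print(is_trivial_rotation("Winter2023!", "Winter2024!"))  # True
```

The digits-only figure is why the post is comfortable letting the manager generate maximum-length passwords; the brute-force number for the phrase-derived one is an upper bound that a famous quotation does not earn.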

Remember that when, for example, factory resetting your Android phone, you can temporarily make your Google password shorter, we all know keying on a mobile is a PITA ... 2FA can take up the security slack for a short time.

But make your Password Manager your first install, and then promptly change the Google password back to full strength.

Do be aware also, when using a password manager, if you lose your phone, and someone finds it and cracks your phone's (4 character?) PIN, they have your whole digital life's credentials.

Don't use a PIN, use a properly complicated pattern, and not something convenient for you, or your child's.

Don't make the backup method a PIN either, it's the first thing the Bad Actor will switch attention to.

And a quick word about 2FA in closing:

It's not infallible.  
It can be intercepted if they really want to, particularly if it's an SMS to your phone. 
You can be fooled into allowing something you shouldn't have.

Be security conscious.  It's your stuff.  It's your life.  Keep it that way.



Microsoft has announced that Users can go password-less.

Whilst this one-stop-2FA approach can be viewed as a step forward in some areas of corporate IT security, it will, inevitably, oblige increasing use of personal devices for business use, and will likely shift Bad Actors' attack vectors more sharply towards mining access to those.    

Also, in some regions, there may be data management concerns (eg: GDPR), with personal contact device information necessarily stored within/alongside business contact data.

Don't get too excited though; for Joe Public, it will take a very long time for similar access across websites and so forth, and it also brings the guarantee that you'll be in very deep doo-doo if your PC/Laptop and mobile are ever stolen together, both in terms of risk of (further) fiscal loss and also loss of access to any of your stuff... how do you change a 2FA phone number if you don't have 2FA access to the account to change it?!

Whilst most mobiles are carried on the person, do be aware that, for example, that tablet you only occasionally use (and you probably don't even have a password on) will be just as useful to them, as a secondary access method, for example ... how long before you even notice it missing?

And, human nature being what it is, it also won't take long before people become complacent about which App prompts they approve.

