Sunday, July 29, 2018

Passwords

Changing a password is a big step to help keep control of your accounts and information. It also can be frustrating, so people often resist making good password choices.
 Here are the latest tips about passwords, which include lessons learned from years of password frustration and failure – this is not the same ol’ blah blah blah…
1. Long passwords are good passwords
The very word we use to describe the thing, a “pass word”, has led us in the wrong direction, especially combined with the other old rules. It’s much easier to remember, and much harder to break, if we use pass PHRASES – multi-word combinations – as passwords. Every added character doubles the time it takes to brute-force a password.
Old: “Password-2018”
New: “My super-secret phrase would take 10 years to guess.”
My favorite pass-phrases are lines (or parts of lines) from Shakespeare sonnets. I don’t have many of them memorized, but if I keep at it for a while maybe I will eventually, which would be a nice added benefit.
2. Write your passwords down
Ideally we’d all remember our passwords easily, and that was fair when they were short and most people only had one or two. These days, when people might need to log in to half a dozen different services in a day and scores of them in a year, it’s simply no longer possible. A shortcut people often take is to come up with a “good”, “complicated” password that meets all the tests for strength (like “Pa$$word-1992”) and then commit it to permanent memory. That weakens passwords in a couple of ways.
In keeping with the first tip, using long passwords and writing them down if necessary is much more secure than using short passwords easily remembered.
Also, “write” doesn’t necessarily have to be a sticky note on your monitor. There are several excellent password manager apps and desktop programs, such as LastPass and KeePass, that are great for organizing logins and passwords while keeping them safe from accidental disclosure – which also helps with the next tip…
3. NEVER reuse passwords, NEVER use one password for multiple services
When that one good "Pa$$word-1992" was locked into memory, it was common to use it for the few things that required a password. As the demand for password use grew, and attacks on passwords became more common, one leaked password gave bad people the keys not just to the service that leaked but also to every other service where that password was also in use. This is like using your school locker key for every apartment, home, office, and car you ever used – a bad idea!
Time is also a big factor here. If a copy of the one good password lives on at a service I don’t use anymore, it might be exposed and I might never know. Using unique passwords helps increase the security of each account.
4. Reset, reset, reset
If you’re familiar with “phishing”, where an attacker pretends to ask you to log in but really is just collecting your password, imagine what a jackpot they get from people who try a list of different passwords! And sometimes the first sign of trouble is a password that really should work but doesn’t.
If your login or password doesn’t seem to work when it should, don’t just keep trying. Most web sites and services have an easy means to request a new password, which involves emailing or texting a temporary code to you using an address or number you’ve previously given them, or by other means. Resetting the password can stop an attacker from doing harm or profiting from your losses, and there’s no prize for delaying that, so try it once or twice and then start the process of resetting.
5. Go beyond passwords
Sometimes it’s not enough to know a secret word or phrase. For greater security many services are requiring a second and third layer of proof before allowing access. This may be a temporary code generated by a smartphone app or a fob device (Google and Microsoft do this), a single-use code texted to a number you’ve set up (Yahoo and Twitter), confirming a secret (Verizon and many “password reset questions”), or other keys (fingerprint readers on smartphones and laptops).
If the service offers these options, use them! If they don’t, pester them to take your security seriously and add these extra layers as soon as possible.
6. Take the good old advice too
While some of the thinking around passwords has changed, there’s a lot of old wisdom that still applies:
Avoid guessable information like the names of loved ones or milestone dates in your life
Don’t use a password you’ve seen as an example elsewhere
Don’t tell anyone your passwords
Keep your account and contact information up to date
My apologies for the length of this post – and I think I’ve barely scratched the surface of account security. Oh, I could go on and on…