I Hate Passwords

We’ve all had that dreaded message appear, “Your password has expired, please create a new password.” The IT folks that manage our systems tell us that we can’t use the same password we’ve used before, it must contain special characters, it must x characters in length…ARGH!!! This is extremely frustrating. Don’t they know that we have better things to spend our time on than remembering passwords and their archaic requirements? Being one of the aforementioned IT folks, I’d like to give you a few tips to make your life easier and hopefully even more secure.

In our day to day lives, we can no longer escape having to secure our online presence. Today we use passwords to access our smartphones, computers, cloud services, banking, etc. We’ve all been told we shouldn’t use the same password for multiple services. By doing this we can prevent someone who gets your login information to your computer or smartphone from being able to access your online banking. But how can you be expected to remember all the different passwords you’re supposed to use? The answer is simple. Get yourself a password manager application: a password protected software application that stores multiple passwords for different services on your smartphone or computer. This software is extremely handy in a number of ways.

  • You only need to remember the password for the application and you can look up the other passwords you may need.

  • There are free and low-cost options available for PCs, Mac, Apple and Android devices.

  • They are encrypted so even if someone gets access to your computer and/or smartphone, they won’t be able to see all your passwords (provided you didn’t use the same password to login that you are using for the password manager—and who would do that?!)

Next, we need to start thinking about all the things you are using a password for. This usually falls into one of five categories – work, banking/finance, personal email, social media and smartphone. Ideally, we (the IT folks) want you to use a different password for each and every application. Believe it or not, we are also realists and understand that our password utopia is not your reality. That being said, I would personally urge you to at a minimum keep separate a password for each of those five applications.

A good security practice that you can start implementing right away is to stop using passwords and start using passphrases. What is the difference between the two? A password is usually just a single word or combination of letters, numbers and/ or symbols and usually less than 15 characters in length. They can be cryptic and difficult to remember and change. A passphrase in comparison can also have the same composition, however, it is usually much longer in length and may also contain spaces. Additionally, a passphrase can also contain symbols and it does not have to be grammatically correct. This flexibility makes it much easier to remember.

A good comparison of the two is “p@$$W0rd” and “My password is Actually p@$$w0rd”. When you see “p@$$W0rd”, you may think it’s secure. It’s 8 characters, has a combination of uppercase, lowercase and symbols. But the problem is it is a very widely used word and the substitutions are all very commonplace @ for A, $ for S and zero for O. On the flipside, the passphrase “My password is Actually p@$$w0rd” would be significantly stronger. It is 32 characters in length, and although easy to remember, would be extremely difficult to crack based on its length and variety of characters.

“p@$$W0rd” would be guessed via a brute-force attack in about 1 minute with a botnet, while the passphrase would take approximately 5 tredecillion years to crack. (Source: http://password-checker.online-domain-tools.com/) How’s that for security?!

More and more applications are starting to use Single Sign On (SSO). This is a technology that allows you to link multiple services to use a single set of credentials. There are many sites today that allow you to login with your Facebook®, LinkedIn® or Office365® credentials. Although this makes life much easier for the user, from a security perspective it widens the threat landscape. By that, I mean that having all those accounts linked will make it much easier for someone to access many of your online accounts if your credentials are ever compromised.

SSO is a very good technology and much less risky when used with Two-Factor Authentication (2FA) or as Google® calls it, 2-Step Verification. 2FA works on the premise of providing access based on something you know (your password) and something you have (a token/SMS message). When you sign up to a website or service that supports 2FA, you will first login with your username and password and then the application will send you a “token” (typically a random code) to your smartphone. You will need to enter the token on the website before being able to login successfully.

Now, like most IT messages you probably skipped half of what I wrote. So here’s a quick summary:

TL; DR: TIPS FOR BETTER ONLINE SECURITY

  • Use a password manager

  • Use passphrases where possible

  • The longer the better

  • Change them regularly

  • NEVER use the same password for your password manager that you use for anything else

  • Use Two Factor Authentication (2FA) whenever possible

  • At a minimum keep 6 different passwords – work, banking/finance, personal email, social media, smartphone and password manager

PS. If you have suggestions for upcoming articles, send your requests to cybersecuritycorner@lwolf.com. There are no dumb suggestions, so let the ideas fly!