What to Know About Passwords

Massive data breaches reveal that over half of all people use the same password for multiple accounts.  Who cares if someone got your password to “Words with Friends”?  No one, unless you use that same password for your email or work account.

Using a password manager makes it easy to have a different secure password for every account. You get warned when a password has been hacked and can change it. Don’t allow your browser to generate and save passwords. In 2020, most browsers do a poor job of generating strong passwords and storing them securely.

To access your password manager, I recommend a passphrase that’s at least 16 characters long. For example: “2@StrongPassphraseIsLong!”

Test your security practices in 5 minutes with my PAWS™ index

Transcript

Have you ever wondered how many words you type in a typical day? All those texts and emails add up.

You may be typing 3,000, 6,000 or even 10,000 words a day.

Imagine if you could be more secure by typing a couple more words.

My name is Peter Whelan and I work as an Information Technology management consultant.  I love solving tough problems.

Did you know that passwords are IT’s dirty little secret? They’re cheap and easy to put in place, and they are often badly implemented.

I’m looking at you, LinkedIn!

I’ve researched this topic.  Some websites have cryptic password rules.

To frustrate you more, they only tell you what the rules are after you get them wrong.

Don’t you find that annoying?

It’s easy to reject any password that’s in the top million hacked passwords, but most websites don’t do that.

The first thing to know is that your password should never, ever, be a single word or name.

I recommend that you use multiple words. I call that a fast phrase; it’s also known as a passphrase.

A couple of extra words may be a little inconvenient, but it makes you more secure.

To be fair, most systems are not secure. Hackers have gotten into Yahoo, banks, Equifax, and even secret nuclear weapons programs.

Your fast phrase is your first line of defence.  Sometimes, it’s your only defence.

So, let’s find out if hackers already know your password.

Go to https://haveibeenpwned.com

In video games, getting pwned means that you’ve been defeated.  It’s spelled with a p due to a typo in a game that stuck around.

I’ll include a link in the show notes.  I enter my email address.

I see that my account was hacked at 4 different websites, that we know of.

That means that hackers stole account data from those companies.  They then figured out what password I was using on each of these sites, along with the passwords of millions of other people.

Try it out with your own email address.

You can also type in your password to see if it’s known.

Then change it to a fast phrase.

To be fair, you may not care if you get hacked. It’s unlikely anyone is going to target you personally, unless you’re in an abusive relationship or running for president.

But, can I tell you a story?

I grew up in a ghost town. In winter, the temperature gets as low as -40.

At minus 40 it can be hard to get the car started, so my dad would leave the car idling, unlocked, with the keys in the ignition, while we went shopping.

My dad never had a password in his entire life.  If he had, it would have been 1234.

One day we heard of a kid who stole a car for a joy ride and ended up getting his friends and himself killed. Because of tragedies like that, dad started locking the car. Some law agencies will fine the owner for leaving a car unlocked.

Cars still get stolen.

Kids still die in joy rides.

As good citizens, we lock our cars to help reduce tragedies.

Now, to be fair, no one is going to die if you get hacked. Probably.

It’s a nuisance though.  Hackers can use your account to do damage to other people and to your reputation.  Fast phrases make the internet more secure for you and your friends.  When hackers get into your Yahoo email, they may spam all your friends next.

Now, I know what you’re thinking.

If fast phrases are so great, how come your bank doesn’t allow them? Why do they make the password box so wide and then limit you to 6 characters?  Why are you forced to use numbers, lower case, upper case and a symbol?

The answer is that the National Institute of Standards and Technology came up with that. They’ve apologized for offering poor advice, but it persists.

However, your password is not the only security measure the bank has in place.

Your connection is secure.  The green padlock is a sign that HTTPS is working.  Your bank also watches for unusual activity. If they get hacked, they’ll be held responsible for your losses.

Plus it’s a crime that law enforcement will investigate and prosecute.

Would you like to see how long it would take to hack your password?  Let’s go to https://howsecureismypassword.net

I’ve seen IT administrators use weak passwords for the most important accounts in the business.  It’s one of the first things I check for when I take on a client.

Some people use leet speak, substituting numbers and symbols for letters.

For example, I’m typing in pa$$w0rd.

That’s hard for a human to guess, but easy for a computer to break; 19 minutes is all it takes.

That’s why I recommend fast phrases.

The difficulty in hacking a fast phrase increases exponentially with length.

Let’s look at some examples. I’m entering maryhadalittle. 51 years to hack: not bad, easy for me to remember and to type, but we can do better.

I’m adding lamb.  23 MILLION years, that’s what I like to see.

Maryhadalittlelamb is easier to say and to type than pa$$w0rd.

You see, it’s more secure and convenient to use a fast phrase than a short cryptic password.

You can use your fast phrase to remind you to do things.

For example, Walkaroundtheoffice, then go do that. Windows takes a while to boot up anyway.

It feels like a trillion years if you sit there and watch it.

Let’s try iloveeatingbroccoli. FANTASTIC! 919 trillion years.

Not to be impolite but, that’s how long it would take me to love eating broccoli.

How about Iexerciseeverymorning? UNBELIEVABLE! 861 quadrillion years.

Or you could use song lyrics. I was lightning before the thunder.

https://youtu.be/fKopy74weus?t=41s

Now we’re getting silly, 27 undecillion years?

Those numbers are just rough estimates, but you get the idea.

Three or four words, a fast phrase, is a more secure choice.

You could make your fast phrase something embarrassing, so that you won’t be tempted to share it.

With a simple fast phrase your accounts become far more difficult to hack.

Use fast phrases where you have to type them in yourself, like your Windows password.

The second thing to know is that it’s best to use a different password for every website.

Do you use the same password for Yahoo as you do for your bank?  That would be bad.

I know what you’re thinking.

How could I possibly remember a different password for every website?

Don’t even try.

That’s what I say.  Don’t even try.

I recommend you use a password manager.

It’s software that creates and enters a unique password for each website.

You can use an open source program such as KeePass, which is excellent.

There are commercial programs such as Dashlane and LastPass. They offer free versions that are easy to use.

I’ll include a link in the show notes.

Let’s recap:

1. Where you have to type them in yourself, enter fast phrases instead of passwords

2. Use a different password for each website

3. Use a password manager to enter your website passwords for you

Fast phrases are the first step in securing your accounts.

You can also switch to the Tor Browser.

If you are targeted by a well-funded, advanced persistent threat, they’re going to get you.

But, you can make it more costly for them and they might move on to a softer target.

Oh, that reminds me, put a Post-it note over your webcam. You never know who might be watching.

My thanks to all my clients over the years who have asked lots of great security questions.
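
The transcript's point that the work to search a fast phrase grows exponentially with length, worked through as an added example that is not part of the original post or video. The guessing rate of 4e10 per second and the 32-symbol alphabet are assumptions; that rate is chosen because it reproduces the 51-year and 23-million-year figures quoted above for the all-lowercase phrases. `word_guess_years` and its 7,776-word list are hypothetical and model guessing whole words instead of characters, which is the tighter estimate for a phrase built from dictionary words.

```python
import string

GUESSES_PER_SECOND = 4e10            # assumed offline guessing rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover, by character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)   # 26, 26, 10, 32 (assumed)
    return sum(len(cls) for cls in classes
               if any(ch in cls for ch in password))


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every string of this length over that alphabet."""
    return charset_size(password) ** len(password) / rate / SECONDS_PER_YEAR


def word_guess_years(words: int, wordlist_size: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every phrase of `words` words from a list (hypothetical model)."""
    return wordlist_size ** words / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Sample inputs are the phrases used in the transcript.
    for pw in ("pa$$w0rd", "maryhadalittle", "maryhadalittlelamb"):
        print(f"{pw:<20} alphabet={charset_size(pw):>2} "
              f"length={len(pw):>2} years={brute_force_years(pw):.3g}")
    # Each added lowercase letter multiplies the search space by 26,
    # so the four letters of "lamb" multiply it by 26**4 = 456,976.
    # Constructed comparison: words chosen at random from a 7,776-word list.
    for n in (4, 6):
        print(f"{n} random words: {word_guess_years(n, 7776):.3g} years")
```
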