Passwords: Your Electronic Signature
Poor Password Choices Common
Increasingly, our lives are lived online: banking, shopping, donating, e-filing taxes, corresponding, posting on Facebook, etc.
According to Mozilla, the average person has 130 online accounts.
Most use your email address to identify you. Only the password is unique.
Passwords Your Electronic Signature
Passwords serve as your electronic signature.
Since you can't sign online documents like you do with physical documents they have to be “signed” electronically. This has become even more critical with COVID.
People Fail at Password Hygiene
Unfortunately, most people view passwords as something imposed upon them.
- 44% of respondents use the same or similar passwords despite knowing this could increase their personal security risks.
- 53% of respondents haven't changed their password in the last 12 months even after hearing about a breach in the news.
- 41% of respondents think their accounts aren't valuable enough to be worth a hacker's time.
- — LastPass
NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered "unique." — ZDNet
Don't Reuse Passwords
Without the aid of password management software, people tend to reuse passwords or generate passwords using the same route with an extra number or other modifier. This is not security-smart.
Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are. They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network. — ZoneAlarm Security Blog
There are Consequences
The Canada Revenue Agency was forced to suspend online services to protect users that couldn't be bothered to protect themselves:
A total of 5,500 CRA accounts were targeted in what the federal government described as two "credential stuffing" schemes, in which hackers use passwords and usernames from other websites to access Canadians' accounts with the revenue agency. — Times Colonist
Passwords Protect Authority
Think of passwords as an electronic “Power of Attorney.”.
Anyone in possession of your password can make a purchase, change your account (or cancel it) and post damaging information about you (or your business) — even post libelous comments about others using your electronic ID.
Protect Your Passwords
Just like a blank signed cheque, passwords need to be protected diligently.
Compromised accounts are vulnerable from anywhere in the world.
Privacy isn't Just About Secrets
Many seem to think that there is little to protect on their computers.
My computer doesn't contain any secret documents. Why would I need to worry about secure passwords?
How would you feel if someone posted ALL your documents in a public location?
Lock Your Phone
You may think the information on your phone isn't that sensitive, but you'd be surprised.
Even if you don't use, say, banking apps, your phone has your email on it, and if a thief gains access to your email, they have access to pretty much any account you own.
And a device that portable is easy to lose, giving ne'er-do-wells free reign over your information. Lock. Your. Phone.
Passwords Protect Your Privacy
Like the proverbial barn door, lost privacy cannot easily be restored.
- Why You Should Take Your Passwords Seriously.
- The scary truth about your passwords: An analysis of the Gmail leak.
Password Manager Needed
A password manager is required to manage passwords. We simply have far too many passwords.
No One Can Remember All Their Passwords
Humans simply have too much difficulty creating and remembering strong and unique passwords.
Sharing Passwords Risky
A surprising number of people share passwords without changing them afterwards.
When you share a password, especially if it is done insecurely, you create a vulnerability that could cost you your privacy while emptying your wallet.
LastPass allows you to use complex and unique passwords without the need to remember them. It can also
- generate secure passwords;
- keep passwords safe; and
- provide for family sharing in a secure manner.
Identity Theft on the Increase
Identity theft is, unfortunately, a rapidly growing crime.
Criminals aren't after your Spotify passwords because they want to see who your favorite artists are. They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network. — ZoneAlarm Security Blog
Hackers Can Abuse Your Computer & Online Accounts
Hackers and botnets could use your computer and passwords to attack other computers and commit crimes that you could be liable for.
You Need to Take Responsibility
People don't understand the repercussions of the loss of privacy nor do they understand their responsibility in protecting their own identity.
If you become the victim of identity theft, you will be fighting that for many years to come (some say indefinitely, much like the whack-a-mole game). Securing your passwords is a significant key to protecting your online identity.
Learn about identity theft and its consequences.
Make Passwords Long and Strong
Make sure your passwords are difficult to guess and make sure that your passwords are not easily discoverable.
The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password. Does this sound like something you do? If so, cut that bad habit now! — LastPass Blog
When generating passwords, make them long and strong — a unique password for every site or application.
Single Sign-on Flawed
Using single sign-on options (e.g. signing in with your Facebook or Google account) may be convenient, but creates a single point of failure.
But for all its convenience, consumer SSO has some real drawbacks, too. It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed. And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly. — Wired
Regular Password Changes Recommended
It is recommended that you change passwords regularly without reusing passwords. The advice is sound, except users tend to repeat patterns or use slightly-altered versions of their previous passwords.
Typically users have dozens (or hundreds) of passwords, making the memorization of passwords virtually impossible unless you use a password manager.
LastPass will not only remember your passwords, but remind you to change them regularly (even generating new ones for you). All you need to remember is a single long and strong password.
Make Them Long
Passwords should be at least 10–12 characters long (I'd recommend 15–20) where the site will allow it. Many of mine are much longer.
8-Character Passwords INSECURE
Technology has now made 8-character passwords (including complex passwords with letters, numbers and symbols) insecure. The password-cracking ability of hackers and others improves each year.
These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all. — Jeff Atwood
Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases. — Ipswitch
Make Them Strong
Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess. — xkcd.com
Strong passwords — consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols and numbers — play a vital role in helping prevent a breach. Even better are passphrases that include eight to 10 words that are not published (such as well-known quotations). — Trustwave 2014 Global Security Report
Brute Force Attacks
Brute force attacks refer to the process of testing one potential password after another until the password is discovered.
When a hacker breaks into a company, they usually look for and download the entire password database. In short, not all encryption algorithms are built equally, and even worse, many companies don't protect their passwords correctly. Some hashing methods are old and weak, and as a result can be broken by hackers. More commonly though, hackers take the stolen hashes, and begin to extract the passwords with a few methods. — Hive Systems
How Hackers Steal and Use Your Passwords discusses how hackers extract passwords from stolen password hashes.
Since some combinations are more likely, the hacker will build a “dictionary” of potential passwords. This dictionary contains foreign words, places and patterns of characters that form commonly-used world-wide passwords.
Data breaches have revealed not only personal information but also enabled future password hacking.
Passwords should NOT contain easily discovered words such as your family members' names, your pets, girlfriends, favourite sports teams, etc. You've probably posted that information on Facebook.
Using a brute force method, [a computer cluster boasting 25 AMD Radeon graphics cards] is capable of guessing every single eight-character password containing letters, numbers, and symbols in 5.5 hours. If companies use LM, an earlier password option for Windows Server, the cluster can figure out a password in six minutes. — CNET (2012)
Longer passwords are less vulnerable to brute force attacks. However, it assumes the use of random characters and there are lots of other factors that can considerably shorten the indicated timelines:
- Hacker “dictionaries” are faster than brute force attacks.
- If your password has been hacked elsewhere (even if yours wasn't the account hacked) it will be more vulnerable.
- Restrictions on passwords to only letters and numbers or to 8 characters can considerably weaken them.
- Patterns like starting with a capital letter and ending with numbers or symbols increase predictability.
Make Them Random
You should preferably use complex random characters if the site supports that. Use a random combination of letters and numbers interspersed with other characters where possible.
- Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
- Including multiple numbers and other legal characters (such as the pound key, hyphen and the underscore) significantly increase the security of your passwords.
- Avoid starting with a capital and placing numbers and characters at the end.
Unfortunately, people are creatures of habit and tend to follow the same sort of process in creating passwords that can lead to them being less secure. For example, we tend to start with a capital and leave the numbers and special characters at the end. This makes their discovery easier.
Keyboard Sequences NOT Secure
Passwords should not be simple phrases or common combinations such as variations of password, qwerty or 123456 as these are easily guessed yet commonly used.
- Avoid simple substitutions like 3 for e (flow3r) or 0 (zero) for o (passw0rd).
- The challenges of creating complex passwords on smart phones and tablets has led to people using patterns like “7” or “Z” on the number pad. There are only so many of these combinations, making them particularly easy for hackers to test.
- If you can say it (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.
In one 2010 case study, the top three compromised passwords were 123456, password and 12345678. — Duo Security
Keyboard sequences like qwerty, or zxcvbnm appear to be complex passwords and 123456 is used by 17% of users.
This practice is known to hackers and is tested for, yet is still common in 2018 according to the information culled from recent exploits.
Patterns Make Passwords More Vulnerable
People struggle to remember passwords so they use familiar names and patterns, often beginning with a capital and placing any numbers and symbols at the end.
- Over 98% of people use one of only 10,000 passwords.
- The remaining 2,342,603 (that's 99.6%) unique passwords are in use by only 0.18% of users
Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.
- Take these 7 steps now to reach password perfection.
- Strength of memorized secrets is Appendix A of NIST's Digital Identity Guidelines.
Use a Unique Password for Each Account
Don't be lazy. Generate a fresh password for every site or account that requires one.
Imagine how you'd feel if your building manager installed locks using the same key throughout your building. Repeated used of the same (or similar) password across multiple sites is just as dangerous.
Avoid reusing passwords or repeated phrases in your passwords that can be used to simplify the task of determining other passwords. Once hackers catch on, ALL of your passwords are vulnerable.
Users tend to use a single password at many different web sites. By now there are several reported cases where attackers breaks into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay. As expected, this attack is remarkably effective. — Stanford Security Lab
Many sites have restrictions placed on both the size of allowed passwords and their complexity (including the use of anything but alpha-numeric characters).
The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like a slash, backslash or chevron brackets) may not be allowed.
- Using a longer selection and correcting for the disallowed symbols will still provide for a stronger password of sufficient length.
- Some sites will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.
Even if you're using a decent password, the level of security used by the sites storing our information and how the password information is transmitted can make you vulnerable.
Size and Character Limitations
Sites that limit passwords to eight alpha-numeric characters probably aren't bothering to encrypt stored passwords, simply storing your password in plain text so that any employee (or hacker) has immediate access to your password plus any other information the server has stored about you.
You can test this yourself by checking the “I forgot my password” option.
- If the site emails you your password, it is stored unencrypted (and they've just sent your password to you via email in plain text!)
- If you have to click a password reset link, then the site has encrypted your password.
These password limits show great ignorance and/or contempt for their users. Encrypting them would remove the size-limits and provide extra security that would protect their users' information.
Some “illegal” characters may be restricted because they have special uses in the programming language used to process the information.
Have you ever tried to enter a password only to be told that the password length exceeds the site restrictions or that you've used illegal characters?
I find it annoying that many of these sites only tell you their restrictions AFTER you've attempted to enter a new password, particularly the special characters that are not allowed.
Password Strength Meters
Many sites will indicate an approximation of the strength of your password.
Third-party sites offering to check the strength of your password may be attempting to hack your accounts, but you can use it as a learning tool to see the differences between potential “test” passwords.
Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g. “admin”) and passwords that are more vulnerable to a “dictionary” attack.
“Forgot My Password” Options Too Vulnerable
Many sites now offer a “forgot my password” option.
It is often easier to guess answers to the security questions posed by the default (and easily determined) “forgot my password” recovery methods than to hack the password itself.
While your favourite sports team and similar responses are easy to remember, they are also easily guessed by what you've posted elsewhere or by people that know you.
Be Careful What You Post
Be careful when posting information about yourself and your family on public websites, especially social media. You may be providing enough information to gain access on password-secured sites via the “forgot my password” recovery mechanisms.
Many of the questions used to regain control of webmail accounts include the sort of information that many users blindly post in Facebook while chatting: where you were born, your teachers, pets, anniversaries, family genealogy, etc.
One man hacked dozens of women's email accounts by using the information the women posted on Facebook to answer the typical questions asked when recovering a lost password.
Once hackers gain control of your email account, they can request password resets on most of your other accounts, locking you out of your accounts plus your email account.
Create Your Own Security Question
Where possible, create your own security question and provide an answer that you'll know but that others are unlikely to know — even those that read your online posts and conversations.
Unfortunately, the option to create your own security question is seldom available.
You can create false answers to the available questions but this will make it more difficult for you to recover a lost password if you forget your clever answers.
No Password is Completely Secure
More complex passwords are better, but not perfect:
an elderly Athlon 64 X2 4400+ with an SSD and the optimised tables…can, with only a 75% CPU utilisation, crack a 14 digit password with special characters, in an average of 5.3 seconds. Oechslin says that, worst case, it should be able to search arithmetically through 300 billion passwords per second — The H Security (2010)
Nothing is Guaranteed Safe
In the same manner that no physical locking mechanism is 100% secure, we use the best passwords we can so that somebody else provides a better target.
Steve Gibson likens passwords to needles in a haystack.
If every possible password is tried, sooner or later yours will be found. The question is: will that be too soon…or enough later?
Protecting Your Passwords
In order to maintain the security of your passwords, you should minimize the chances that your passwords are compromised by ensuring they are known only to you.
Many experts recommend changing passwords regularly, but this has been shown to cause users to use less secure passwords or similar patterns in their makeup. People have too many passwords to regularly change them all.
Situations where you'll want to immediately change your passwords include:
- whenever you suspect they've been compromised or are warned by a company or service that your account may have been affected by a data breach;
- when you give your computer to the repair shop (you can change it to a temporary password); and
- whenever someone will no longer need access, such as a terminated or transferred employee.
There have been several useful discussions about protecting passwords on Security Now! (a security podcast available in audio but transcribed into several print formats).
Restrict Computer Access
Be careful who has access to your computer. Folks asking to “just check their mail” may leave you vulnerable.
- Don't provide passwords to friends or family asking to use your computer.
- Monitor your children's computer use and be wary of providing access to your computer for their friends.
- Provide access using a limited access account (no administrator privileges) so they won't be able to install software or otherwise make your computer vulnerable.
- A "guest" account set up correctly can remove access to your personal files but should be disabled on business or mission-critical computers.
Restrict potentially-dangerous activities to people you trust to maintain your computer.
- Never let anyone using your computer install software that you aren't familiar with or are unsure of the source of, particularly if you won't be using it yourself.
- USB thumb drives (and CDs/DVDs) can automatically install software that copies passwords or otherwise compromises your security.
- Vulnerable websites can infect your computer, particularly when visited using a less-secure browser like Internet Explorer.
Encrypting your files provides even more protection, but ensure you have backups in case something goes wrong or you may not be able to recover your own data.
Governments and police forces wants to ban encryption or place a backdoor into it. They blame the need to protect against terrorists or child porn, but the reality is that they just want access into everyone's computer.
You can learn more about encryption including using encryption in your communications.
Two-factor authentication (2FA) requires the use of another device to enhance security so that the password is only one part of the account authentication. The terminology varies by vendor (some use two-step). Apple uses two-factor authentication for current devices but retains two-step for older ones.
In most cases, once you're set up two-factor or two-step verification, you cannot return to password-only authentication. Recovery methods vary by vendor.
Remember this as you panic over how hard this all sounds: being secure isn't easy. The bad guys count on you being lax in protecting yourself. Implementing 2FA will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid some serious theft, be it of your identity, data, or money. — PCMag
- Two-factor authentication: Who has it and how to set it up.
- How to set up two-factor authentication on all your online accounts.
- Google 2-step verification.
- Enable multifactor authentication on LastPass.
- Two-factor authentication for Apple ID has replaced two-step verification.
- How to use two-step verification with your Microsoft account.
There are several two-factor options for devices to protect your password.
A cell phone is something that most people have and it is usually with them at all times (and they are more frequently using it to access social media and other secured sites).
Most commonly, SMS is used for verification, but the mobile number may also be a backup security method.
Unfortunately, it appears that is isn't that hard to hijack your cellphone's SIM card (you may only require the last 4 digits of the credit card that pays for your account), after which they have access to the very two-factor security that is supposed to protect you.
Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal. — NY Times
Many organizations have initially enabled 2FA for users by using the phone to deliver authentication codes and serve as a second factor, but mobile SMS is no longer considered a trusted second factor. The YubiKey offers secure authentication for all leading mobile platforms and operating systems. — Yubico
The YubiKey is a hardware authentication device, designed to provide an easy to use and secure compliment to the traditional user name and password.
Password Invalid Without Device
Like the cellphone, a USB device like this can be used as a second level of security. Unless the person attempting to use the password has the device, the password will not be accepted.
LastPass Premium ($36 per year) may be necessary when combined with a YubiKey.
USB Port Required
YubiKey is USB device, dependent upon a USB port as well as the software to make them work.
Since most mobile devices lack USB ports, this can be a problem.
YubiKey can be used with USB-C adapters but not all adapters worked well, including the Apple USB-C Multi-adapter.
The YubiKey is not a biometric device. The fingertip is used to activate the device, not for authentication.
YubiKey supports strong authentication for iOS and Android smartphones and tablets.
The YubiKey is designed to provide authentication and a portable root of trust for both mobile devices and computers and provides a faster, more secure alternative to authentication using passwords, SMS codes and mobile apps. — YubiKey for Mobile
See YubiKey for Mobile for the latest updates.
Biometric verification is an attractive alternative because it is difficult to duplicate and the technology is attainable.
Ensure Biometric Data Verified Securely
Apple introduced fingerprint scanning with their iPhone 5S. As Apple quickly learned, the issue is privacy and personal security: you don't want to be sending your biometric data to every site you log onto.
Intel True Key allows you to sign in with your face or fingerprint (on supporting hardware) and provides optional two-factor security.
Vendors, through the Fido Alliance, are working on a standardized authentication protocol to verify your identity using a private key so that your biometric scan never leaves the device.
It is anticipated that this technology could eventually replace the tricky and risky use of passwords altogether.
It Can Be Used Against You
While convenient, you might find that biometric authentication such as your finger to open your device or personal accounts without your express permission. Choose carefully what items are verified by biometric data under certain circumstances such as when crossing borders.
Replacing Permanent Passwords
Another variation that isn't really a two-factor solution but which uses a similar process is discussed in how to kill the password: don't ask for one. Instead of entering a password, you enter an email address or phone number and the temporary password lands in your Inbox or on your cellphone. You'll do this each time, so no permanent password exists.
Of course, if your email account's password is insecure (or obtained using weak password-recovery options) this offers no security at all.
Hints for Remembering Passwords
Remembering complex passwords can be made easier by using “memory helpers.”
- You can use the first letter in each word of a phrase that makes sense to you.
- For better security, you want something that combines upper & lower case letters, numbers and, where possible, symbols.
For example, the phrase "Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember an otherwise difficult-to-remember 13-character password: JptGPot2&4FiD.
Avoid phrases that are easily guessed, like frequently-quoted Bible verses or company slogans.
Of course, there is a limit to how many of these clever long phrases you can create and remember. This is why I strongly recommend LastPass and using this technique to generate a long and strong password to protect your LastPass account.
Other Suggestions for Making Memorable Passwords
These resources contain other methods of creating memorable passwords and have suggestions for choosing word bases. Be sure that you're using words that are hard to guess and don't use common alternative characters, patterns, etc.
- How to create a memorable and unbreakable password in 3 minutes.
- How to create a password you can remember.
- Choosing secure passwords.
Where the suggestions conflict with the advice on this page, you might want to modify or not use those methods.
Avoid Patterns in Passwords
If a pattern is evident in your passwords, then your lessen the security of the password.
- If you use the site name or address as part of the “recognition” pattern to help you (such as google23s32), this will weaken your passwords.
- Dates are generally not a good idea as they follow consistent patterns (some variation of MMDDYY or MMDDYYYY, etc.).
- Avoid the common pattern of beginning with a capital and placing any numbers and symbols at the end.
However, by using patterns that are unique to you (e.g. not copied from Shakespeare or easily guessed by the nature of your site) you can have a more secure password that you can remember.
Be Careful With Lists
Be conscious of how you keep records of your passwords and don't use vulnerable locations which can easily be compromised.
- Don't keep passwords on Post-it notes stuck onto your monitor where visitors and other employees can see them.
- However, you can disguise a single password within a list of waybills or invoices if such a list would logically be found in a similar setting (such as an office).
- If you keep a list of passwords in a file on your computer, be sure it isn't obvious. For example, a document called “Passwords” is vulnerable (or any likely name that can be searched for).
Most humans tend to use recognizable patterns when creating passwords.
You want to create passwords that are long and strong that are unique for every site or application.
I strongly recommend using LastPass to generate your passwords since they are then stored in a secure manner and available for use on multiple computers and devices.
Password generators are the electronic versions of the one-time coding pads you may have read about in the history books.
Be sure of the integrity of the site or app before depending upon the passwords it generates.
- Ultra High Security Password Generator generates new passwords every time the browser is refreshed. Choose from the middle line where possible.
- LastPass Password Generator instantly creates a secure, random password. I recommend using LastPass itself instead.
Random Passwords Better
Random-generated passwords provide better security because users are unable to select passwords that are easily compromised.
The use of forced random passwords at MyBART provided an interesting look at the effectiveness of using random passwords when the site was hacked. The discussion following the article provides additional insights.