Russ Harvey Consulting - Computer and Internet Services

Passwords: Your Electronic Signature


Use unique passwords for every site you are required to log into

Passwords Secure Your Online Accounts

Increasingly, our lives are lived online: banking, shopping, donating, e-filing taxes, corresponding, posting on Facebook, etc.

According to Mozilla, the average person has 130 online accounts. That's a lot of unique accounts — each requiring a unique password since most online accounts use your email address to identify you.

Passwords Protect Authority

Think of passwords as an electronic “Power of Attorney.”

Anyone in possession of your passwords can make purchases, access your bank accounts, access or delete files backed up or stored online, change settings, or post libelous comments about others on your social media accounts.

Your passwords need to be protected diligently.

Strategies for Generating Effective Passwords

Several factors are involved in securing our online accounts with effective passwords.

These things make it easier for you to keep your online accounts safe and quickly respond if a data breach reveals your account details.

Poor Password Choices Common

Unfortunately, most people view passwords as something imposed upon them rather than something that improves their security.

  • 44% of respondents use the same or similar passwords despite knowing this could increase their personal security risks.
  • 53% of respondents haven't changed their password in the last 12 months even after hearing about a breach in the news.
  • 41% of respondents think their accounts aren't valuable enough to be worth a hacker's time.
LastPass

The fact that social media and advertisers expend so much effort to track your browsing history should tell you that information is extremely valuable to them.

NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered “unique.” — ZDNet

Poor security hygiene is a strong contributor to why so many people continue to have their accounts hacked or suffer from ransomware and other malware infections.

To protect ourselves from cybercriminals, it is essential to use a combination of characters when creating a password, use different ones for each account, use a long password, change it regularly and use two-factor authentication.
Checkpoint


Make Passwords Long and Strong

Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases.
— Ipswitch

Generate passwords that are both long and strong to make them more difficult to guess and not easily discoverable.

Technology has now made 8-character passwords insecure (even complex ones mixing letters, numbers and symbols), and the password-cracking ability of hackers improves each year.

These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.
Jeff Atwood (2017)

Longer Passwords More Secure

Passwords should be at least 12–15 characters long (I'd recommend longer where the site will allow it).

Given the considerable number of leaked passwords now available on the dark web, anything less than a generated 11 character password is asking for trouble.

 

Of course, most of us don't know whether or not our data is on the dark web. The odds are that at least some of your passwords (and usernames and email addresses) are in a database of hacked accounts.

 

That's why reusing passwords is so risky; hackers can easily use the same login combination on other websites.
LastPass blog

Strong Passwords Harder to Hack

Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.

Where the site supports it, use complex random characters: a random mix of upper- and lower-case letters and numbers, interspersed with other characters where possible.

  • Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
  • Including multiple numbers and other legal characters (such as the pound sign (#), hyphen and underscore) significantly increases the security of your passwords.
  • Avoid starting with a capital and placing numbers and characters at the end.

Password Strength Meters

Many sites will indicate an approximation of the strength of your password.

However, third-party sites offering to check the strength of your password may be harvesting the passwords you type in order to break into your accounts.

Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g., “admin”) and passwords that are more vulnerable to a “dictionary” attack.

Password Restrictions

Many sites have restrictions placed on both the size of allowed passwords and their complexity (including the use of anything but alpha-numeric characters).

The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like a slash, backslash or chevron brackets) may not be allowed.

  • Generating a longer password and then removing any disallowed symbols will still give you a strong password of sufficient length.
  • Some sites will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.

I find it annoying that many of these sites only tell you their restrictions AFTER you've attempted to enter a new password, particularly the special characters that are not allowed.

Server Choices Affect Security

Even if you're using a decent password, the level of security used by the sites storing our information and how the password information is transmitted can make you vulnerable.

  • Sites limiting passwords to eight alpha-numeric characters aren't bothering to encrypt stored passwords.
  • If your password is stored in plain text then anyone, employee or hacker, has immediate access to your password and the other information the server has stored about you.

Most data breaches have occurred because an employee either used a weak password that allowed access to the system or was the perpetrator themselves.
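As an added illustration (not code from the page or from any vendor) of the two storage choices above, this Python snippet contrasts a plain-text table with one that keeps only salted, slow PBKDF2-HMAC-SHA256 hashes, verified in constant time. The user names and passwords are constructed, and the 600,000-iteration work factor is an assumption; where available, a memory-hard function such as Argon2id or scrypt is preferable, and PBKDF2 is used here only because it ships in Python's standard library.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumption): costly for an attacker
# running a stolen table through a GPU cracker, tolerable at login time.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)  # per-user random salt: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def plaintext_table(users: dict) -> dict:
    """The insecure choice: whoever copies the table has every password."""
    return dict(users)


def hashed_table(users: dict, iterations: int = ITERATIONS) -> dict:
    """The sound choice: the table holds only salted, slow hashes."""
    return {name: hash_password(pw, iterations) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed users; note both chose the same password.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple"}
    table = hashed_table(users)
    for name, record in table.items():
        print(name, record[:60] + "...")  # different salts, different digests
    print(verify_password("correct horse battery staple", table["alice"]))  # True
    print(verify_password("wrong guess", table["alice"]))                   # False
```

Because the salt is stored with the digest, an attacker who steals the table must run the full work factor separately for every guess against every user, which is exactly the cost the brute force section below is about.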

Brute Force Attacks

Brute force attacks refer to the process of testing one potential password after another until the password is discovered.

When a hacker breaks into a company, they usually look for and download the entire password database.

 

In short, not all encryption algorithms are built equally, and even worse, many companies don't protect their passwords correctly.

 

Some hashing methods are old and weak, and as a result can be broken by hackers. More commonly though, hackers take the stolen hashes, and begin to extract the passwords with a few methods.
Hive Systems

How Hackers Steal and Use Your Passwords discusses how hackers extract passwords from stolen password hashes.

This chart is a visualization of password vulnerability to brute force attacks:

Time it takes a hacker to brute force your password.
Credit: Hive Systems

Longer passwords are less vulnerable to brute force attacks.

That assumes random characters; many other factors can considerably shorten the indicated timelines:

  • Hacker “dictionaries” are faster than brute force attacks.
  • If your password has been hacked elsewhere (even if yours wasn't the account hacked) it will be more vulnerable.
  • Restrictions on passwords to only letters and numbers or to 8 characters can considerably weaken them.
  • Patterns like starting with a capital letter and ending with numbers or symbols increase predictability.
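To make the chart's relationship between length, character set and cracking time concrete, here is an added Python example (not from the original page or from Hive Systems) that computes the search space, entropy and worst-case exhaustive-search time for the character classes discussed in the strong-password list above (26 letters, 52 with mixed case, and so on). The guess rate of 10^11 per second is an assumption standing in for a GPU rig attacking a fast, unsalted hash, and, as the list just above says, the figures are an upper bound that dictionaries, reuse and predictable patterns cut drastically.

```python
import math
import string

# Standard character classes; a random password's search space is the size of
# the alphabet it draws from, raised to its length.
CHAR_CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26 more (52 with mixed case)
    "digits": string.digits,              # 10
    "symbols": string.punctuation,        # 32 printable ASCII symbols
}

# Assumed attacker speed (not from the page): roughly what a multi-GPU rig
# achieves against a fast, unsalted hash such as MD5 or NTLM.
ASSUMED_GUESSES_PER_SECOND = 1e11


def alphabet_size(password: str) -> int:
    """Size of the smallest set of standard classes that covers the password."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the space (expected time is half)."""
    return alphabet ** length / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(lengths=(8, 12, 16, 20), alphabets=(26, 36, 62, 94)):
    """Rows of (length, alphabet size, entropy bits, exhaustive-search seconds)."""
    return [(n, a, round(entropy_bits(n, a), 1), seconds_to_exhaust(n, a))
            for n in lengths for a in alphabets]


if __name__ == "__main__":
    for n, a, bits, secs in crack_table():
        print(f"len {n:2d}  alphabet {a:3d}  {bits:6.1f} bits  {humanize(secs)}")
```

Reading the table down a column shows why the page favours length: adding four random characters multiplies the work by the alphabet size four times over, whereas switching from lower case only to mixed case merely doubles each position.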

“Dictionary” Attacks

Since some combinations are more likely, the hacker will build a “dictionary” of potential passwords. This dictionary contains foreign words, place names and patterns of characters that form commonly used passwords worldwide.

Data breaches have revealed not only personal information but also the common passwords people use, which are then added to hacker dictionaries.


Make Passwords Unique

Would you feel safe if every apartment in your building used the same key?

Reusing passwords or repeating phrases within your passwords is just as risky.

Users tend to use a single password at many different web sites.

 

By now there are several reported cases where attackers break into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay.

 

As expected, this attack is remarkably effective.
Stanford Security Lab

The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password.

 

Does this sound like something you do? If so, cut that bad habit now!
LastPass blog

Once hackers catch on, all your accounts are vulnerable.

Generate Unique Passwords for Every Site

A unique password for every site limits the fallout if one account is hacked.

By generating a unique password for every site, each site obtains only your name, email and whatever other information you provided directly to that particular site.

Make Them Random

Unfortunately, people are creatures of habit and tend to follow the same sort of process in creating passwords such as familiar names (girlfriends, sports teams, etc.) and predictable patterns.

Respondents also retain a fondness for “keepsake passwords” including personally significant details such as a family or pet name, a birthday or other important date, or a current or previous address, with 48% reporting that practice the last time they created or updated a password.
PCMag

Patterns Make Passwords More Vulnerable

Passwords with simple phrases or common combinations are easily guessed.

If you can say your password (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.

We tend to start with a capital and leave the numbers and special characters at the end. This makes their discovery easier.

Avoid simple substitutions like @ for a, 3 for e and 0 (zero) for o (e.g., N3wP@ssw0rd1922!).
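An added Python example (not from the page or from Duo Security) of the defender's side of the dictionary and pattern problems described above: a registration-time check that rejects candidates found in a common-password list, including ones hidden behind the substitutions just mentioned, a trailing run of digits and symbols, keyboard rows, or the capital-first/digits-last shape. The word list and the reason strings are constructed; a real check would load a full breached-password corpus such as the ones the dictionary section describes.

```python
import re

# Constructed stand-in for the "hacker dictionary" the text describes. A real
# deployment would load a breached-password list with hundreds of millions of entries.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "letmein", "iloveyou",
    "welcome", "admin", "football", "monkey",
}

# The simple substitutions the text warns about, undone before lookup.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                        "!": "i", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Reason strings returned to the caller (constructed wording).
R_EXACT = "in common-password list"
R_SUBST = "common password once substitutions and trailing digits/symbols are removed"
R_EMBED = "contains a common password"
R_KEYS = "contains a keyboard sequence"
R_SHAPE = "follows the capital-first, digits/symbols-last shape"


def candidates(password: str) -> set:
    """Forms of the password a dictionary attack would also try."""
    low = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)  # drop the trailing "1922!" style suffix
    return {low, low.translate(UNLEET), stripped, stripped.translate(UNLEET)}


def has_keyboard_run(password: str, min_len: int = 4) -> bool:
    """True if any keyboard row segment (forwards or backwards) appears."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seg = row[i:i + min_len]
            if seg in low or seg[::-1] in low:
                return True
    return False


def weakness_reasons(password: str) -> list:
    """Empty list means no known weakness was found; otherwise why it was rejected."""
    reasons = []
    cands = candidates(password)
    if password.lower() in COMMON_PASSWORDS:
        reasons.append(R_EXACT)
    elif cands & COMMON_PASSWORDS:
        reasons.append(R_SUBST)
    elif any(w in c for c in cands for w in COMMON_PASSWORDS if len(w) >= 6):
        reasons.append(R_EMBED)
    if has_keyboard_run(password):
        reasons.append(R_KEYS)
    if re.fullmatch(r"[A-Z][a-z]+[^A-Za-z]*", password):
        reasons.append(R_SHAPE)
    return reasons


if __name__ == "__main__":
    for pw in ["N3wP@ssw0rd1922!", "Password1!", "qwerty123", "JptGPot2&4FiD"]:
        print(f"{pw:18s} -> {weakness_reasons(pw) or 'no known weakness'}")
```

Note that the page's own example "N3wP@ssw0rd1922!" is rejected even though it mixes all four character classes: a strength meter that only counts classes would have passed it.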

In one 2010 case study, the top three compromised passwords were 123456, password and 12345678.
— Duo Security

Keyboard Sequences NOT Secure

Keyboard sequences like qwerty, or zxcvbnm or patterns like “Z” on the number pad appear to be complex passwords. 123456 is used by 17% of users.

This practice is known to hackers, yet is still common according to the information culled from recent exploits.

Single Sign-on Flawed

Single sign-on (SSO) uses your Google, Facebook or Apple ID to log into third-party sites.


SSO may be convenient, but creates a single point of failure.

But for all its convenience, consumer SSO has some real drawbacks, too.

 

It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed.

 

And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.
Wired

While sites using SSO may not be provided with your Facebook or Google password, they can access information that allows them to improve their profile of you.

Logging in to a website using a service such as Facebook or Google allows the website to make a request for data about you.

 

Linking two or more sites allows companies to collect more data, building an increasingly rounded profile about you.

 

Allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
Natasha Stokes

Facebook and Google both collect vast amounts of data on users and resell it to others, threatening your privacy; between them they control nearly all Internet advertising revenue.

Allows for BITB Attacks

A new “fake browser” phishing attack called “browser in the browser” can take advantage of JavaScript, SSO and a fake login window to obtain the user's password. The fake window can fool all but the most astute observer with some understanding of how JavaScript and the login should look.


Change Compromised Passwords

It is a good idea to change your passwords regularly, but it is critical after you become aware that one has been compromised in a security breach.

Frequent password change policies sound good, but they only work if you employ a password manager. Otherwise people tend to use weak passwords because they are easy to remember.

Don't Reuse Passwords

Without the aid of password management software, people tend to reuse passwords or generate similar passwords with an extra number or other modifier. This is not security-smart.

Hundreds of online accounts can be compromised in a data breach on any given day. Reusing passwords could put your more sensitive accounts at risk.

Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are.

 

They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network.
Check Point blog

Compromised accounts are vulnerable from anywhere in the world.

Sharing Passwords Risky

A surprising number of people share passwords without changing them afterwards.

The results of the LastPass Sharing Survey. Click to see the full infographic.
Credit: LastPass.

When you share a password, especially if it is done insecurely, you create a vulnerability that could cost you your privacy or empty your bank account.

Sharing Streaming Passwords

Many people share their streaming passwords with friends, family and others.

You may justify this with cost savings, but sharing your streaming passwords is putting your privacy and personal data at risk.

Sharing Passwords Between Work and Home

What about using the same passwords at home and at work?

This reduces the protection of both your personal and your business accounts.

What's frightening is that 47% of survey respondents admit there is no difference in passwords created for work and personal accounts.

 

Which means that one re-used password has the power to compromise an entire organization's network. A company's network security is only as strong as their weakest link — the employees.

 

Poor security habits can leave that door wide open for hackers.
LastPass blog


You Need a Password Manager

We simply have far too many passwords to manage them without a password manager. No one can remember all their passwords.

Humans simply have too much difficulty creating and remembering strong and unique passwords.

Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can't put in anything for you automatically if they're faced with a website they've never seen before.
Naked Security

Browser Password Managers Vulnerable

While all browsers have built-in password managers, all have flaws and are vulnerable to being hacked.

Unscrupulous websites are using malicious scripts and hidden login fields to track and gather information from your browser's password manager.

In a perfect world, no one would allow their browser to save passwords. Why? Because it's insecure.

 

But if you happen to be someone who doesn't want to enter a password every time you visit a site (no matter how insecure it might be) there is an option to keep those logins safe if you use the Firefox web browser.
Tech Republic

If you insist on using your browser's password manager follow these precautions:

  • Ideally, this should be used on a single-user computer with a secure password.
  • If there are multiple users on your computer, each person should have their own log-in identity, protected with a unique and secure password.
  • Disable your browser's autofill feature.
  • You should NEVER “remember” passwords for on-line banking and other critical sites.

LastPass Recommended

LastPass is a free online password generator and manager. You can use LastPass on all your devices, for free!

I strongly recommend LastPass for secure access to all your passwords.

LastPass allows you to use complex and unique passwords without the need to remember them.

LastPass encrypts your sensitive data on your device before being stored online for access from anywhere.

We've implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.
LastPass

Save a password once and it's instantly available across all your devices, yet even LastPass staff cannot access your encrypted data.

Protect your LastPass vault by using the LastPass Authenticator app.

The LastPass Authenticator app is a multifactor authentication app for iOS and Android that can be used for authentication when accessing your LastPass vault, assigned SSO apps, third-party apps or websites, and/or your LastPass workstation.
LastPass

PC or Mobile?

LastPass works on Windows, Mac, Linux and mobile devices. Browser extensions are available for Firefox, Chrome, Microsoft Edge, Opera and Safari.

The devices you can access with your LastPass account depend upon the subscription you choose:

LastPass Free users must choose between PCs and mobile devices.
Credit: LastPass

Depending upon the plan you choose, LastPass allows you to

  • generate secure passwords;
  • keep passwords safe;
  • access them from anywhere;
  • use them on any device (with LastPass Premium and Family); and
  • share them securely with family members (with LastPass Family).

LastPass secures all your passwords in a vault protected by one password.

  • Only one password is required.
  • LastPass will generate complex passwords so you don't have to.
  • It remembers logins for new sites.
  • It then logs you in automatically.

On rare occasions LastPass may have difficulty with a site that uses unusual login methods, but you can still copy the username and password from your LastPass vault.

Configure It Carefully

Ensure the master password is long and strong as well as easy to remember. It is the only password you need to remember.

You'll create a password manager account with an email address and a strong master password to locally-generate a unique encryption key.
LastPass

Memorize the email and master password used to log in.

Without your email address and password combination, not even LastPass employees have access.

Free Edition

The Free edition includes all of the standard password manager capabilities, plus a few features that other services restrict to paid accounts.
PCMag

LastPass free provides:

  • Unlimited passwords.
  • One-to-one sharing.
  • Save & autofill passwords.
  • Password generator.
  • Secure notes.
  • Multifactor authentication.

but only on ONE of these platforms:

  • Computers (including all browsers running on desktops and laptops).
  • Mobile devices (including mobile phones, smart watches, and tablets).

The device you use first (or next) determines which type is supported.

LastPass Premium

Need both? Upgrade to LastPass Premium for US$36 per year.

You get everything provided in LastPass Free plus a lot of extras including:

  • LastPass access on all your devices: computer and mobile.
  • One-to-many sharing of passwords, WiFi logins, memberships, etc.
  • Create your digital contingency plan with emergency access for loved ones.
  • Advanced multifactor options including YubiKey, Sesame MFA & fingerprint identification options.
  • The LastPass Authenticator app.
  • The LastPass for Applications app.
  • Dark web monitoring.
  • 1GB of encrypted file storage.
  • Priority tech support.

LastPass Family

Benefits of LastPass Family

You might also want to consider LastPass Family at US$48 per year if there are more than 2 users in your household that want the Premium features:

  • You get six licenses.
  • It allows for full unlimited family sharing of common accounts like medical, entertainment and credit cards.
  • Simple family member management allows you to organize passwords into folders for individual family members or by type of account.

LastPass Browser Addons Convenient

LastPass can be downloaded for most browsers (Chrome, Firefox, Safari, Internet Explorer, Opera, Microsoft Edge).

It is available for various operating systems (Mac, Windows & Linux), but a browser extension makes increased security more convenient.

The LastPass Firefox Addon is reported to have the most user-friendly options. Check your browser's website for suitable extensions.


Multifactor Authentication

Multifactor authentication (MFA) has replaced the term two-factor authentication (2FA). Multi-factor means you might have even more than two.

The authentication device is preferably something that is always with you and is inaccessible to potential hackers.

[T]here are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint).

 

Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric string, a few digits sent to your phone, as a code that can only be used once.
PCMag

In most cases, once you've set up MFA, you cannot return to password-only authentication. Recovery methods vary by vendor.

Remember this as you panic over how hard this all sounds: Being secure isn't easy. The bad guys count on you being lax. Implementing MFA will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid serious theft, be it of your identity, data, or money.
PCMag

Issues with MFA

Unfortunately, MFA has begun to suffer from weaknesses and is being exploited by cybercriminals.

Business Email Compromise

Larger businesses are being subjected to an advanced phishing attack called business email compromise where emails are spoofed that request unauthorized payments.

SIM Card Fraud

SIM card fraud is where someone other than yourself convinces the cell carrier to transfer your cell number to a new SIM card. Your phone will no longer work, and the new owner will receive all the MFA codes that depend on access to your phone.

There are several multifactor options for devices to protect your password.

Cell Phones

A cell phone is something that most people have and it is usually with them at all times.

Most commonly, SMS is used for verification, but the mobile number may also be a backup security method.

Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card (you may only require the last 4 digits of the credit card that pays for your account), after which the attacker has access to the very multifactor authentication that is supposed to protect you.

Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
NY Times

Authenticator Apps

Given the vulnerability of cell phones to SIM card fraud, a better solution might be authenticator apps.

Google provides Google Authenticator for both Android and iOS. The Microsoft Authenticator app can also be used on non-Microsoft accounts.

Security Keys

There are other security key alternatives. Your choice should be made based upon what works best for you yet is secure enough for your circumstances.

YubiKey Verification

Yubico was founded to set new global authentication standards, enabling one single security key to access computers, phones, networks and online services—all in a simple touch. We named our invention the YubiKey — your ubiquitous key.
YubiKey

The YubiKey is a hardware authentication device, designed to provide an easy-to-use and secure complement to the traditional user name and password.

The YubiKey is a small USB and NFC device supporting multiple authentication and cryptographic protocols.

Password Invalid Without Device

Like the cellphone, a USB device like this can be used as another level of security. Unless the person attempting to use the password has the device, the password will not be accepted.

LastPass Premium may be required to use a YubiKey with LastPass.

How YubiKey Connects

YubiKey is dependent upon a USB-A or USB-C port or an NFC connection plus the software to make it work.

YubiKey can be used with USB-C adapters, but not all adapters work well, including the Apple USB-C Multi-adapter.

The YubiKey is not a biometric device. The fingertip is used to activate the device, not for authentication.

Mobile Devices

Since most mobile devices lack USB ports, YubiKey provides an NFC option.

YubiKey supports strong authentication for iOS and Android smartphones and tablets.

YubiKey mobile support for iOS and Android devices.

NFC usage on iPhones is only supported on the iPhone 7 and newer, running iOS 11.3.1 and newer.

Many environments restrict mobile device use altogether making most MFA methods unusable. See how you can ensure strong security with ease, all without a cellular connection.
YubiKey

See YubiKey solutions for the latest updates.

Biometric Verification

Biometric verification is an attractive alternative because it is difficult to duplicate and the technology is attainable.

Ensure Biometric Data Verified Securely

Apple introduced fingerprint scanning with their iPhone 5S. As Apple quickly learned, the issue is privacy and personal security: you don't want to be sending your biometric data to every site you log onto.

Microsoft provided biometric verification in Windows 10 with Windows Hello, provided you have the supporting hardware.

Intel True Key allows you to sign in with your face or fingerprint (on supporting hardware) and provides optional multifactor authentication.

Vendors, through the FIDO Alliance, are working on a standardized authentication protocol to verify your identity using a private key so that your biometric scan never leaves the device.

It is anticipated that this technology could eventually replace the tricky and risky use of passwords altogether.

It Can Be Used Against You

While convenient, biometric authentication can be used against you: your finger can be used to open your device or personal accounts without your express permission. Choose carefully which items are verified by biometric data under certain circumstances, such as when crossing borders.

Replacing Permanent Passwords

Another variation that isn't really a two-factor solution but which uses a similar process is discussed in how to kill the password: don't ask for one.

Instead of entering a password, you enter an email address or phone number and the temporary password lands in your Inbox or on your cellphone. You'll do this each time, so no permanent password exists.

Of course, if your email account's password is insecure (or obtained using weak password-recovery options) this provides no security at all.

 


Hints for Remembering Passwords

Memory Helpers

Remembering complex passwords can be made easier by using “memory helpers.”

Having a sentence that makes sense to you, but is not easily discovered could be one solution.

  • You can use the first letter in each word of a phrase that makes sense to you.
  • For better security, you want something that combines upper & lower case letters, numbers and, where possible, symbols.

For example, the phrase "Jason plays the Grand Piano on the 2nd & 4th Fridays in December" can help you remember an otherwise difficult-to-remember 13-character password: JptGPot2&4FiD.

Avoid phrases that are easily guessed, like frequently-quoted Bible verses or company slogans.

Of course, there is a limit to how many of these clever long phrases you can create and remember. This is why I strongly recommend LastPass and using this technique to generate a long and strong password to protect your LastPass account.

Be Careful With Lists

Be conscious of how you keep records of your passwords and don't use vulnerable locations which can easily be compromised.

  • Don't keep passwords on Post-it notes stuck onto your monitor where visitors and other employees can see them.
  • However, you might disguise a single password within a list of waybills or invoices if such a list would logically be found in a similar setting (such as an office).
  • If you keep a list of passwords in a file on your computer, be sure it isn't obvious. For example, a document called “Passwords” is vulnerable (or any similar name that can be searched for).


Generating Passwords

Most humans tend to use recognizable patterns when creating passwords.

You want to create passwords that are long and strong that are unique for every site or application.

I strongly recommend using LastPass to generate your passwords since they are then stored in a secure manner and available for use on multiple computers and devices.

Password Generators

Password generators are the electronic versions of the one-time coding pads you may have read about in the history books.

Randomly generated passwords provide better security because users are unable to select passwords that are easily compromised.

Be sure of the integrity of the site or app before depending upon the passwords it generates.
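An added Python example (not the page's or LastPass's code) of what a trustworthy generator does: it draws every character from the operating system's cryptographic random source through the secrets module (random.choice is not suitable for this), and it honours a site's restrictions, such as excluded symbols or letters-and-digits only, by building the permitted alphabet first rather than editing the result afterwards. The default symbol set and the disallowed characters shown are assumptions modelled on the restrictions described earlier on this page.

```python
import math
import secrets
import string

# Symbols most sites accept (assumption). Slash, backslash and angle brackets
# are omitted because the page notes they are often refused.
DEFAULT_SYMBOLS = "!#$%&()*+,-.:;=?@[]^_{|}~"
DEFAULT_ALPHABET = string.ascii_letters + string.digits + DEFAULT_SYMBOLS


def allowed_alphabet(disallowed: str = "", symbols: bool = True) -> str:
    """Build the character set a particular site permits."""
    base = string.ascii_letters + string.digits + (DEFAULT_SYMBOLS if symbols else "")
    return "".join(c for c in base if c not in disallowed)


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Uniformly random password over `alphabet`, from the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    classes = [set(string.ascii_lowercase), set(string.ascii_uppercase),
               set(string.digits), set(string.punctuation)]
    present = [cls & set(alphabet) for cls in classes]
    present = [cls for cls in present if cls]  # only classes the site allows
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject samples missing a class the site insists on; resampling keeps the
        # result uniform over the accepted set instead of biasing fixed positions.
        if all(any(ch in cls for ch in candidate) for cls in present):
            return candidate


def entropy_bits(password: str, alphabet: str) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return len(password) * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(pw, DEFAULT_ALPHABET):.0f} bits)")
    # A site that refuses / \ < > and limits length to 16 (constructed rules):
    site = allowed_alphabet(disallowed="/\\<>")
    print(generate_password(16, site))
    # A site that allows letters and digits only:
    print(generate_password(16, allowed_alphabet(symbols=False)))
```

The generated strings are meant to live in a password manager, not in memory; the point of the loop is that the result is still uniformly random over everything the site will accept.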


RussHarvey.bc.ca/resources/passwords.html
Updated: December 3, 2022