We make passwords harder then they need to be
We live in a day and age where the security of our data is a hot topic, and rightly so. We get outraged when we hear that Facebook hasn't looked after our data like we thought it should (ignoring the fact that it's a free service, that makes money by ads, and we are happy to give them all our data!) but after our outrage we carry on logging in with our "really secure password"
Passw0rd!23 and then maybe we open a new tab and sign-in to Twitter, with, yep you guessed it
Passw0rd!23 (it's secure right? So, I can use it everywhere?).
The examples of Facebook and Twitter are lightweight in comparison to our increasingly online banking and shopping experience (which I love by the way - compared to a physical banking and shopping experience!). We use that same "secure" password for our Amazon account, and that dodgy online shop that has the product we want for the cheapest price, and maybe even our bank account (but even then, we get annoyed that our bank seems to want memorable words to make our account secure - what an inconvenience). This time though, our data is much more important than your comments about the latest political event, or a snapchat photo of you with a stupid (but I agree, funny) filter.
We're taught to shield our PIN when we're withdrawing cash from a cashpoint, we're taught to keep our eyes on our debit card if handing it over to be swiped, and yet we think using the same "secure" password on every single website we have a login on is a great idea. It makes our life convenient... It's almost as bad as picking memorable words for password reset questions that anyone who knows you could guess. You do know, you don't have to put your mother’s maiden name, or your first school down for those right?
There has been a shocking lack of education in the years gone by on the importance of securing our passwords and not reusing them. I suppose that back when we were less connected by the "network of networks" it wasn't such a pressing issue, but in 2018 it's a massive issue.
The simple fact is using the same password on more than one site is a dangerous decision, akin to making multiple copies of your house keys and leaving them in a jar outside your front door labelled "keys to the kingdom"!
Why do we re-use passwords?
Well, we know why we re-use passwords don't we? It's easy to remember them that way, and we need to remember them. We have loads of online accounts, ranging from banking, social media, online shopping and much more. Imagine having to remember a different password for each account we have?!
The average UK consumer who is online has no less than 118 online accounts, according to the study, which further estimates that this number will almost double up to 207 accounts by the end of the decade.
- IT Pro Portal https://jkpr.me/aahtc (emphasis mine)
What I don't understand though is why people don't think about sorting this situation out. The solution is so simple and easy to fix.
If we're happy to use calendars and diaries to organise our lives, why don't we have a secure list to organise our passwords?
Introducing the "alien to some" concept of a Password Manager
I've spoken to people about the concept of password managers before on many occasions, and I'm usually met with apathy and a glazed look on their faces, and this includes people in IT who should know better. Those same people probably make sure they lock up their homes tight, and maybe even install an alarm system, but online passwords don't seem to be something to worry about until your account is compromised. Once your password is cracked though, that’s it, it's useless, you can never use that password again.
Pwned Passwords are half a billion real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts.
- Troy Hunt https://haveibeenpwned.com/Passwords (emphasis mine)
The reason is, passwords taken from data breaches usually find themselves onto hacker’s password lists, which is basically just a list of known passwords to try when hacking an account. If your password is on a list like that, change it. You can use Have I Been Pwned to check. If it is, it's probably only a matter of time before you regret not changing it.
So why do we continue to use the same password on every account we have (or variations of the same password) when there is a much better solution?
I'm sure it's because most people don't realise there is a better solution. That solution is to use a Password Manager.
A password manager allows you to automatically generate as complex a password as you like, save it, and never have to remember it ever individually ever again. When it's time to sign-in, you find the password you are after and either copy-and-paste it, or use your password manager's autofill function to automatically fill in the username and password fields.
They come as programs for Windows, Linux and MacOS. Most have browser extensions for the popular browsers, and of course, mobile apps for Android and iOS.
No more delving deep into your memory to remember the variation of your standard password you were forced to pick for a site, no more clicking "I've forgotten my password" and waiting ages for the password reset email to come when you need to get into an account asap.
The only thing you do need to do is to pick a really secure master password and never let anybody know it. However, passwords do not have to be hard to remember to be secure. This is another problem we have today. People are told that to have a secure password, it must look something like this:
S3cu4e!P4s3w0Rd!. That is no doubt a secure password, but is it easy to remember? Which letter is lower-case, which is uppercase, which letter have I replaced with a number and so on.
I'd recommend a randomly generated word password such as:
abate codeine unduly minus outflank sheep not only is that quite funny, it's secure and extremely easy to remember, especially after typing it out a few times.
Let’s use this site to compare how secure those two passwords are. Bear in mind this is certainly not an exact science, but it should give you an idea of how a secure password does not have to be hard to remember at all, and can make you laugh!
|Password||How long to crack|
||1 Trillion Years|
||48 Quindecillion Years|
A password manager and a master password is the key to an easier life. If you make the master password secure, and remember it, you still only have to remember one password, but this time all your other passwords will be very secure, and all individually unique. Some password managers even allow you to use a fingerprint to access your list, which can be very convenient. It also means that if a service does get hacked, the hacker will only have access to that account, and not all other accounts you use, as all your passwords will be unique. It would obviously also mean you only need to change one password, for one account, instead of the changing your password for every account you own.
How do you get started?
It's really not hard, pick a password manager and sign up or download. It's as simple as that, and then you should either right away, or over time (perhaps when you visit one of your accounts) start changing the passwords on your account to unique, individually generated passwords, using your password manager to remember them all.
I'll list my preferred password managers:
- 1Password - Online and local computer, offers family accounts, Windows & Mac programs, browser extensions, apps for iOS and Android.
- LastPass - Online only, browser extensions, apps for iOS and Android.
- KeePass - Not for the technophobe, local only, but can sync with cloud services like Dropbox, open source, Windows, Linux, MacOS, and non-official iOS and Android apps.
There's plenty more out there, but I would personally recommend 1Password. I've used them all, and up until recently was using KeePass, with a complicated setup that involved an external syncing location, and a physical USB key that was needed to unlock my password database.
The problem with that was if I was to die suddenly, my wife would never be able to access the passwords for some really important services. I remember reading an article about a sysadmin that died suddenly and his poor wife was locked out of everything, because he'd never told her how to get in. In light of this I've recently put us on a 1Password Family plan, with the benefit that we can access each other’s passwords if need be, without the other person needing to authorise it. So, if one of us is incapacitated (grim subject) we're covered. 1Password also tells you how secure your passwords are, so I can make sure all her accounts have secure passwords, and sleep at night again!
What about trusting the cloud with all my passwords?
So, after all this am I really suggesting you store your passwords on the internet? Yes. Your password database will have multiple protections in place, including encryption, to ensure that even if the company did get hacked, the databases would still be safe.
If your master password is secure (and not something insane like
Secur3Pas3word!23 then you should be fine. If you use a reputable company (and 1Password are) and you research their product, you can be comfortable that your passwords are safe and sound.
Let's not forget, we're all happy to store our bank account details on services like Amazon, because we trust them, so if we're wise in our choice of password manager (i.e do your research and look up reviews if you are concerned) you will be fine.
Of course, there is nothing stopping you from using something like KeePass either, which is not an online service. I do this at work, and keep the file solely on my company’s network. So even if somebody was to grab the file and send it all over the internet, it would be useless to them unless they have a few trillion years to crack my master password, and can find the USB stick I use as two factor authentication.
It's ultimately up to you though, to be a wise and discerning internet user!
It's 2018, using the same password for all your accounts is an outdated practice that needs to hurry up and go away, data breaches are happening almost daily. It really is only a matter of time before you are caught out, and every single account you have is compromised. All because you couldn't be bothered to take 10 extra seconds to generate a password and save it in your password manager.
Do it now! Pull your finger out, and sign-up! You have no excuse. You lock your door at night, so make sure you secure your accounts. Otherwise, it probably is only a matter of time before you get caught out. You may be lucky and get off with it, but you might lose hundreds or thousands from your bank account.
If you have any concerns or questions feel free to ask away in the comments below. Thanks for reading.