Part of a series of articles with cybersecurity advice meant to help you stay secure online. This article deals with passwords and authentication.
Notes on strong passwords
I think we all understand the need for secure passwords to keep malicious people out of our accounts. What can be confusing is how to create and remember passwords and what makes a password strong. The good news is that there are now tools and strategies that can assist with this important task.
The two most important factors in a strong password are length and randomness.
Length is important to prevent brute force guessing. With a short password, a computer program can simply guess every combination until it finds the correct one. (This is more easily done when a password database of hashed passwords are stolen, from which you might see charts of password cracking times based on length.) Passwords should be 13 characters long, or longer.
Randomness prevents guessing. If an attacker sees your Facebook page where you root for your favorite baseball team, they are likely to have their systems try passwords with words Houston, Astros, Baseball, and a whole dictionary of words and numbers associated with that team. If your password is Astros2ndBase! your account may not stay secure for long.
We will cover some methods of making (and remembering!) long, random passwords soon.
Don’t reuse passwords
So, you know someone who used long, random passwords, but their account was still broken into – how does that happen? Most of the time it is because we have the habit of reusing the same passwords in multiple locations. Your bank most likely has much better security than the account protecting your access to the local newspaper, but if you use the same password for both accounts, if the newspaper is cracked, that password will be attempted to login at your bank as well.
Don’t enter a password from an email, text message, or social media post
What is the most common method of password theft? Usually, we give our passwords to the thief. The malicious people who steal passwords know they can often get people to give up their passwords, if they just ask in the right way. We will look more closely at these and other phishing attacks in another article, but some brief examples.
Email: Here is your Amazon receipt for $3,452.76
Attackers know that if you send out a million emails like this, you are going to get at least a few people who just completed an order from Amazon. If they get a receipt at a time they are expecting, but with the wrong total, the immediate reaction is to click on the link to the receipt and see what went wrong with the purchase. If Amazon asks for a password first, many will type it in without pausing to look if they are really on Amazon’s website, or something similar setup by an attacker.
Text message: This is your bank, transfer for $875.23 complete. If you did not initiate this transaction, please click here.
Like the previous example, this is not your bank. Unfortunately, caller id can be falsified, so no links in text messages are safe to open.
Email: Hey, here is the company salary spreadsheet
Again, anything to bring out curiosity, and turn off caution.
How can you avoid these? Make a rule never to click on links in email or text messages. If you get something legitimate from, for example, Amazon, close the message, open your web browser, go to Amazon from your own (safe) bookmark, and then look for the message or receipt from there. If you ever slip and follow a link or open an attachment and see yourself with a prompt asking for a password, it is time to stop and close what you are doing – don’t ever proceed by entering a password.
Don’t give your passwords to “tech support” (or anyone else)
Nobody from your bank, Amazon, or any tech company should ever ask you for a password. If they are legitimate, they have their own access to company systems, so the best policy if ever asked is to simply hang up the phone. No goodbyes, sorry, or anything else, you are on the phone with a professional, and it is best to stop engagement. Especially for older people who were taught a certain phone etiquette, it might be good to practice phone calls where you ask for their password or other important information, and then they practice hanging up without any further words or comments.
Federated login (or Sign in with X) is an easy win
Federated login is a way to authenticate yourself to 3rd parties without having to create a password with each system. Sometimes you might see this on a website with a button that says something like “Login with Google” or “Login with Facebook”. This is a great resource, especially with smaller web services that do not have the security resources of Google or Facebook. If your local newspaper’s server is broken into, the thieves cannot steal your password if you are using Federated login with Google, since the newspaper never had your password to start with – they just relied on Google to authenticate you for them.
If you have a gmail account, you can read more about this feature here:
Use a Password Safe
I have hundreds of passwords, but I only know two of them. (One to login to my computer, the other to login to my password safe.) The rest are stored in a program called a Password Safe. Besides my passwords, it keeps my login name, bookmarks to sites, notes, and even contains a program to generate safe, random passwords for me. There are many good examples, but the two I generally recommend are KeePassXC and SplashID safe. Like any other security program, make sure the software is Open-Source or from a company you trust.
KeePassXC is free, and runs on Mac, Linux, and Windows. It is Open-Source, and any programmer is welcome to audit the code for security. I consider it the most secure option available. Backup of the database must be setup manually. Most users store their data file in Dropbox or OneDrive and get backup and versioning that way, but any cloud backup service would work. The one feature it lacks that some people feel necessary is mobile device support – it will not run on your iPhone or Android. Not to be confused with an earlier project called KeePass without the XC.
SplashID Pro comes with a free trial, but for all services, it costs $30/year. In addition to the normal Password manager services, you get cloud backup, cloud sync between devices, and support for running on Mac, Windows, iPhone, and Android.
Alternative Password Managers from Apple & Google
If you do all your work on Apple devices, and do not wish to use a separate Password safe, iCloud Keychain from Apple might be an alternative to investigate. Similarly, if you use Google’s Chrome web browser on all of your devices, along with gmail, you might investigate the Google Password Manager. They are both capable alternatives, from companies with a solid reputation for security.
Apple iCloud Keychain:
Google Password Manager:
I don’t want to use a software Password Safe, what now?
Get a physical journal, and use it to record your usernames and passwords. Amazon has a number of “Password Books” for sale at reasonable prices. Yes, there is old advice to never write your passwords down, but most of us have very little possibility of someone breaking into our home to steal our passwords, but we all face a very large threat online if we reuse passwords. Get a password book, write your passwords down, and keep the book secure.
The downside to using a physical book is that they do not have a random password generator. Ask a tech savvy friend to use their password safe to generate a number of random passwords, and also some password phrases that are created with random words, numbers, and special characters, and print those out for you. Tape it in the back of your book, and when you use one, record it in the pages, and then line it out from the print out so you know not to use it again.
Don’t store your passwords in a Word document, Spreadsheet, Notes, or Contacts app. These are not encrypted, and so are not safe places to store passwords.
Readers of a certain age might remember Gilligan’s Island, and how one day Gilligan was struck in the head by a coconut, and ended up with amnesia. We can all forget things, even without errant coconuts, and passwords are no exception. This poses a problem for Password Safes however, since if you forget your password, you can never get back in, and no experts can provide help either.
The solution is to:
- Write down the two important passwords that are not stored in your safe – your computer password and the password to your password safe.
- Store those two passwords somewhere safe, I recommend storing them with your Will
- Telling your loved ones that your Password Escrow is with your Will, so they can assist you in case of a stray coconut
Jokes about coconut’s aside, it is good to have both a Will and a Password Escrow so your loved ones can access your important digital accounts should you die or become incapacitated. Don’t leave it to your deathbed to attempt to share your passwords, take care of this in advance.
Creating your two remembered passwords
Here are two methods for creating long passwords for your computer and password safe.
- First (and or last letters) of a phrase or quote that is important to you. Don’t use John 3:16, or anything you publish on Facebook, but making an example of John 3:16 and first letter, you could have a password e.g.: John3:16FGsltw,tHgHobs
- Google search “random number generator” – use it to find two pages and then two specific random words from a dictionary, then add a random number and a random character to make capital. Throw out words that have special meaning to you. e.g. horsE3511%battery
Even with good password practices, it is possible that someone might successfully steal or guess your password. By far the best practice is to protect all of your important accounts with 2FA. (2 Factor Authentication or sometimes called 2-Step Verification.) Your password is something that hopefully only you know, the second factor in 2FA is something you possess, often your cell phone, or for even higher security, a special USB key. You should enable this for all of your important accounts, especially your email and financial accounts.
Protect your mobile phone from SIM swapping
Unfortunately, cyber crime has become a huge business. Some estimates are of over $10 billion in losses in 2022. These criminal organizations have big budgets, and will not give up because we improved our personal security. One method that they use to bypass 2FA is SIM swapping, where they steal your cell phone account so they can gain access to your 2FA SMS codes. Below is a good guide from Experian for locking down your cell phone account, based on your cell phone network provider. The other item to remember is to again have good passwords. If you have both good passwords, and 2FA, criminals will have to have both to gain access to your accounts. If you start getting 2FA requests when you did not attempt a login, that means your password has been compromised, and you need to change it immediately.
Experian: Protect yourself from SIM swapping
For better cell phone account security against SIM swapping, you might consider getting cell phone service from Google Fi, where your cell phone account will be locked with 2FA in the same method as your gmail account.
Google Fi cell phone service:
Disclaimer: This article’s technical tips are meant to provide helpful alerts and general awareness of the issues raised in this article. We cannot be held liable for any issues that may arise from following our recommendations. We recommend that each group find a skilled technical team to advise and help in a manner tailored to individual needs and circumstances.