When was the last time you had to create a new password and faced criteria such as, “Your password must be eight characters or longer and must contain characters from three of these four categories: a) uppercase (A-Z); b) lowercase (a-z); c) numeric (0-9); and d) nonalphabetic (e.g., !, $, #, %)”? After you have digested the rule and created your brilliant password, how many times do you still get an error that your password does not meet the criteria and have to start all over? It conjures up scenes from Office Space.
I think that we have all come to understand how passwords play a role in our lives. We need a password to login to our computers. We need a password for our email. We need a password for our social media. We need a password for our banking. And so on.
Lives are busy, and it is tempting to use the same password for your bank login as for your Facebook login. It is also tempting to make your password simple and easy to remember. I think the word is out that “password123” is probably not the best password to use, but is your password comprised of a short common word and simple number combination?
What Makes a Good Password?
First, have a unique password for every account. I know, security is a pain! But remember, you have likely been part of a data breach in the past where your password was compromised. Your password for that breached account may be available to someone willing to get it. That is why it is important to maintain unique passwords for every login you have.
Change your passwords. A lot of employers have rules regarding how often you must change your password. How many of us change just one letter or number? It would be more secure to change the entire password, but again, more of a pain.
Just recently, a new phishing campaign was launched in which a user’s former password was sent to the user in an email threatening to encrypt the user’s computer unless a ransom was paid in Bitcoin. If you reuse passwords, it may be hard to remember whether that leaked password is one you still use.
Use a long password. A strong password is a long password. Although this is not a technical article, even an eight-character password of numbers and letters can be brute-forced in seconds.
Fast forward. All of your passwords are 25 characters or more; you have a unique password for every computer and website; your passwords are made up of upper- and lower-case letters, numbers, and special characters; and you are changing your passwords every 45 days. How are you expected to remember them all? If you are like me, you have hundreds of different logins. It is unrealistic that anyone would remember all of them. Write them down. I do not mean write the password to your work computer on a Post-It note and stick it to your monitor. Please do not do that.
There are a number of great password managers available. These applications store your login information and passwords, and they are a convenient way to write all of your passwords down in one place. You should consider, however, how secure the password manager itself is. You will need to create a strong “master” password to access the rest of your passwords, and that master password must be safeguarded, because anyone who obtains it has access to all of the rest. You should also consider a “zero-knowledge” password manager, meaning the provider never holds your master password. The risk is that if you lose or forget your master password, you lose all of your other passwords. The benefit is that in the event the provider’s network is breached, no one will be able to obtain your master password.
Keep in mind, however, that in the end it may not even matter how strong your password is. You may have just created the world’s strongest and most complex password, but if someone else has it, it does you no good. Therefore, be very cautious of phishing campaigns. If your network has been compromised, it does not matter how strong your password is if someone can simply copy it. This concern is especially true if you are using a public computer or a computer you do not know. Be very wary of typing your passwords on such a computer, as someone may have installed a keylogger that captures every keystroke, and you may be handing that person your login credentials. The same is true of open Wi-Fi networks, where you may be susceptible to a man-in-the-middle attack in which everything you type may be visible.
Keep your passwords secret. You should never have to give your password to anyone, even your IT department (but follow your company’s policies). My point is that if your IT department needs to modify your computer, it can change your password for you and then prompt you to create a new password. If a company with whom you do business cares about security, it will never ask you for your password. If it does, consider another business.
There is a lot of emphasis on how to safeguard passwords when online. Remember, however, that old-fashioned threats still exist. You know that guy next to you on the airplane? Yeah, that guy. He is watching you type and reading your screen. Be aware of those who can see what you type to access your data.
Passwords May No Longer Work
You gotta be kidding me! All of this information on passwords and they don’t work?!
They can work, but maybe there is a better way to remember them.
When faced with password-construction criteria like those above, one may devise a password only to meet the rule. If the firm says a minimum of eight characters, the user comes up with an eight-character password. For example, I may create the password “BlueBel1”. This password meets the criteria above, but is it as strong as it could be? Now consider a passphrase such as “I miss Blue Bell 2018”. My password went from 8 characters to 21 and still satisfies the criteria on password construction. Because I love my dog and want to think about her a lot, the passphrase does not take much additional time or effort to type. Per https://howsecureismypassword.net[1], “BlueBel1” would take two hours to crack. The same website claims the passphrase above would take nine sextillion[2] years to crack.
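Added example, not code from the original article or from the website it cites: a small Python check of the three-of-four rule quoted at the start of the article, applied to the two passwords above, plus a keyspace estimate that shows why the 21-character passphrase is so much harder to exhaust than the 8-character password. The guess rate of ten billion per second and the 33-symbol pool for nonalphabetic characters are assumptions made for this example, not figures from the article.

```python
import string

# Character categories from the rule quoted at the start of the article.
CATEGORIES = {
    "uppercase": lambda c: c in string.ascii_uppercase,
    "lowercase": lambda c: c in string.ascii_lowercase,
    "numeric": lambda c: c in string.digits,
    "nonalphabetic": lambda c: not c.isalnum(),  # punctuation, symbols, space
}

# Pool size per category for the keyspace estimate. The 33 for nonalphabetic
# (printable ASCII punctuation plus space) is an assumption made for this example.
POOL_SIZES = {"uppercase": 26, "lowercase": 26, "numeric": 10, "nonalphabetic": 33}

# Assumed offline guessing speed for the estimate; not a figure from the article.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10
SECONDS_PER_YEAR = 365 * 24 * 3600


def categories_used(password):
    """Return the set of category names that appear in the password."""
    return {name for name, test in CATEGORIES.items() if any(test(c) for c in password)}


def meets_policy(password, min_length=8, min_categories=3):
    """The article's rule: at least min_length characters and 3 of the 4 categories."""
    return len(password) >= min_length and len(categories_used(password)) >= min_categories


def keyspace(password):
    """Candidates an attacker must cover knowing only the length and categories used."""
    pool = sum(POOL_SIZES[name] for name in categories_used(password))
    return pool ** len(password)


def years_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate, in years, at the assumed rate."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for candidate in ("BlueBel1", "I miss Blue Bell 2018"):
        print(f"{candidate!r}: policy ok={meets_policy(candidate)}, "
              f"categories={sorted(categories_used(candidate))}, "
              f"keyspace~2^{keyspace(candidate).bit_length() - 1}, "
              f"years to exhaust~{years_to_exhaust(candidate):.3g}")
```

The keyspace figure is a worst case for an attacker who knows nothing about the password's structure. Real cracking tools try dictionary words and common phrases first, so a passphrase built from ordinary words has a smaller real margin than the raw number suggests; it is still far larger than what eight characters can offer, which is the article's point.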
Multi-factor Authentication (MFA) or Two-Factor Authentication (2FA)
Although I do not care what happens nine sextillion years from now, I do recognize that there may be applications or accounts that are of high value to me. I also recognize that there are times when passwords alone may not provide me with enough security for peace-of-mind. Enter multi-factor authentication or two-factor authentication.
Many applications now offer or require MFA or 2FA. Multi-factor authentication adds another layer of security to confirm the user’s identity. The concept takes something the user knows, such as a password, and something the user has, such as an authentication code – or token – to authenticate his or her identity.
There are many types of multi-factor authentication. One of the most common examples of multi-factor authentication is a text message generated with a token that must be entered after the user has entered his or her password in order to access the computer or application. There are other forms of multi-factor authentication. Google[3], for example, allows a user to use multi-factor authentication for Gmail accounts. A user must obtain a token generated in the Google Authenticator app. In order to make utilizing multi-factor authentication more convenient for users across multiple applications and platforms, there are even applications, such as Authy, that will store your tokens for many of the most popular applications such as Gmail, Facebook, Dropbox, etc.
Multi-factor authentication adds another layer of security, but you will need to be aware of how the authentication token is delivered, because some methods have limitations. Take SMS, for example. If your application requires the authentication token to be sent by SMS text message but you are flying somewhere an SMS text cannot reach you, you cannot access your data.
You may even want to consider a more exotic form of authentication, such as a physical key like YubiKey. For those who want to argue with me that my Lite Beer by Miller is so 1976 and want something more exotic (and secure), consider a physical key and think of it as a Lambic fermented by the wild yeasts and bacteria native to the Zenne Valley of Belgium.
YubiKey satisfies multi-factor authentication with a physical key that you plug into a USB port. This physical device allows a user to satisfy multi-factor authentication for a number of operating systems, popular applications, and internet browsers with the push of a button on the device. If multi-factor authentication is available, users should strongly consider utilizing it.
We are all responsible for strong and secure passwords, but threats still exist. Hopefully, some of the suggestions will assist you in creating and safely storing the keys to your digital life. But for now, it’s Miller Time.
[1] I have no relationship to this website. I have not researched this website’s methodology. This information is for representative purposes only.
[2] A really big number! In the United States, 1 x 10^21. https://en.wikipedia.org/wiki/Names_of_large_numbers.
[3] Reference to any specific hardware or software is not an endorsement.