Passwords: Your Electronic Signature
Passwords Secure Your Online Accounts
Increasingly, our lives are lived online: banking, shopping, donating, e-filing taxes, corresponding, posting on Facebook, etc.
According to Mozilla, the average person has 130 online accounts. That's a lot of unique accounts — each requiring a unique password since most online accounts use your email address to identify you.
Passwords Protect Authority
Think of passwords as an electronic “Power of Attorney” because anyone in possession of your login credentials IS you as far as the site's security is concerned.
Anyone in possession of your passwords can make purchases, access your bank accounts, access or delete files backed up or stored online, change settings, or post libelous comments about others on your social media accounts.
Your passwords need to be protected diligently.
Strategies for Generating Effective Passwords
Several factors are involved in securing our online accounts with effective passwords.
- Generate long and strong passwords.
- Ensure that every account has a unique password.
- Change compromised passwords.
- Use a password manager.
- Use multifactor authentication to improve security.
These things make it easier for you to keep your online accounts safe and quickly respond if a data breach reveals your account details.
Poor Password Choices Common
Unfortunately, most people view passwords as something imposed upon them rather than something that improves their security.
- 44% of respondents use the same or similar passwords despite knowing this could increase their personal security risks.
- 53% of respondents haven't changed their password in the last 12 months even after hearing about a breach in the news.
- 41% of respondents think their accounts aren't valuable enough to be worth a hacker's time.
— LastPass
The fact that social media and advertisers expend so much effort to track your browsing history should tell you that information is extremely valuable to them.
NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered “unique.” — ZDNet
Poor security hygiene is a strong contributor to why so many people continue to have their accounts hacked or suffer from ransomware and other malware infections.
To protect ourselves from cybercriminals, it is essential to use a combination of characters when creating a password, use different ones for each account, use a long password, change it regularly and use two-factor authentication.
Make Passwords Long and Strong
Over two-thirds of users create simple passwords that can be hacked quickly — in less than one second, in many cases.
Generate passwords that are both long and strong to make them more difficult to guess and not easily discoverable.
Technology has now made 8-character passwords (including complex passwords with letters, numbers and symbols) insecure and the password-cracking ability of hackers improves each year.
These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.
— Jeff Atwood (2017)
Longer Passwords More Secure
Passwords should be at least 12–15 characters long (I'd recommend longer where the site will allow it).
Given the considerable number of leaked passwords now available on the dark web, anything less than a generated 11 character password is asking for trouble.
Of course, most of us don't know whether or not our data is on the dark web. The odds are that at least some of your passwords (and usernames and email addresses) are in a database of hacked accounts.
That's why reusing passwords is so risky; hackers can easily use the same login combination on other websites.
— LastPass blog
Strong Passwords Harder to Hack
Password strength refers to an assessment of how difficult it would be to break a password using current (or sometimes anticipated) technologies.
You should preferably use complex random characters if the site supports that. Use a random combination of letters and numbers interspersed with other characters where possible.
- Using mixed upper and lower case gives you effectively 52 letters to work from instead of 26.
- Including multiple numbers and other legal characters (such as the pound sign, hyphen and underscore) significantly increases the security of your passwords.
- Avoid starting with a capital and placing numbers and characters at the end.
Password Strength Meters
Many sites will indicate an approximation of the strength of your password.
However, third-party sites offering to check the strength of your password may be attempting to hack your accounts.
Wikipedia's password strength entry includes examples of weak passwords such as the default passwords supplied by vendors (e.g., “admin”) and passwords that are more vulnerable to a “dictionary” attack.
Many sites have restrictions placed on both the size of allowed passwords and their complexity (including the use of anything but alpha-numeric characters).
The allowed legal characters can vary by site. Most will allow all letters and numbers, but some symbols (like a slash, backslash or chevron brackets) may not be allowed.
- Using a longer selection and correcting for the disallowed symbols will still provide for a stronger password of sufficient length.
- Some sites will only let you create an all-lower-case password, but will let you change that later. Make that extra effort to ensure your account remains secure.
I find it annoying that many of these sites only tell you their restrictions AFTER you've attempted to enter a new password, particularly the special characters that are not allowed.
CRA and Password Managers
While password managers work for most sites, one of the most glaring exceptions is the Canada Revenue Agency site. Their people will tell you NOT to use a password manager (i.e., manually enter your username and password).
Investigating this issue, I discovered that the data in the location bar (or address bar) on my browser was 2005 characters. Unbelievable.
Not only is the CRA one of the most sensitive sites you can visit (it gives access to all your tax files and much personal information), but it should also have the expertise to manage decent security.
Server Choices Affect Security
Even if you're using a decent password, the level of security used by the sites storing our information and how the password information is transmitted can make you vulnerable.
- Sites limiting passwords to eight alpha-numeric characters aren't bothering to encrypt stored passwords.
- If your password is stored in plain text then anyone, employee or hacker, has immediate access to your password and the other information the server has stored about you.
Most data breaches have occurred because of an employee who either used a weak password that allowed access to the system or was themselves the perpetrator.
Brute Force Attacks
Brute force attacks refer to the process of testing one potential password after another until the password is discovered.
When a hacker breaks into a company, they usually look for and download the entire password database.
In short, not all encryption algorithms are built equally, and even worse, many companies don't protect their passwords correctly.
Some hashing methods are old and weak, and as a result can be broken by hackers. More commonly though, hackers take the stolen hashes, and begin to extract the passwords with a few methods.
— Hive Systems
How Hackers Steal and Use Your Passwords discusses how hackers extract passwords from stolen password hashes.
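The difference between a weak hashing method and a properly protected one, as an added example (not code from the page or from Hive Systems): an unsalted, single-pass SHA-256 beside a salted, slow PBKDF2-HMAC-SHA256 record. The iteration count of 600,000 is an assumption taken from current OWASP guidance, and the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor (current OWASP guidance for PBKDF2-HMAC-SHA256).
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak pattern: one fast hash, no salt. Equal passwords give equal digests,
    so a precomputed table cracks every matching account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256. The stored record carries the algorithm,
    iteration count and salt so it can be verified (and re-hashed) later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, key_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def shared_password_is_visible(records: dict) -> bool:
    """True if two users' stored values are identical: the giveaway of unsalted hashing."""
    values = list(records.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    # Constructed sample data: two users who happen to choose the same password.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple"}
    weak = {u: unsalted_sha256(p) for u, p in users.items()}
    strong = {u: make_record(p) for u, p in users.items()}
    print("unsalted: shared password visible?", shared_password_is_visible(weak))
    print("pbkdf2:   shared password visible?", shared_password_is_visible(strong))
    print("verify alice:", verify_record(users["alice"], strong["alice"]))
```

Salting is what makes the two identical passwords produce different records; the iteration count is what makes each guess expensive for someone working through a stolen table.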
This chart is a visualization of password vulnerability to brute force attacks:
Credit: Hive Systems
Longer passwords are less vulnerable to brute force attacks.
That assumes the use of random characters; many other factors can considerably shorten the indicated timelines:
- Hacker “dictionaries” are faster than brute force attacks.
- If your password has been hacked elsewhere (even if yours wasn't the account hacked) it will be more vulnerable.
- Restrictions on passwords to only letters and numbers or to 8 characters can considerably weaken them.
- Patterns like starting with a capital letter and ending with numbers or symbols increase predictability.
Since some combinations are more likely, the hacker will build a “dictionary” of potential passwords. This dictionary contains foreign words, places and patterns of characters that form commonly-used world-wide passwords.
Data breaches have revealed personal information but also common passwords which are added to hacker dictionaries.
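A worked estimate of what the character-set advice (mixed case, digits, symbols, no predictable layout) and the dictionary caveat above amount to in numbers, as an added example that is not part of the original article. The guess rate of 10 billion per second is an assumed GPU-class figure, and the tiny dictionary and the substitution table are constructed stand-ins for the billions of leaked passwords a real cracker would load.

```python
import math
import string

# Constructed stand-in for a cracker's dictionary; real lists hold billions of entries.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "zxcvbnm", "letmein"}

# A few of the simple substitutions the article warns about (@ for a, 3 for e, 0 for o).
UNLEET = str.maketrans("@30$", "aeos")
SUFFIX_CHARS = string.digits + string.punctuation  # the usual "tail" characters (42)


def charset_size(password: str) -> int:
    """Size of the smallest standard character set covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26  # mixed case: 52 letters instead of 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Entropy an attacker faces if every combination must be tried (random characters)."""
    return len(password) * math.log2(charset_size(password))


def effective_bits(password: str) -> float:
    """Lower estimate for human-style passwords: a dictionary word with substitutions
    plus a short tail of digits/symbols costs roughly (dictionary size) x (tail variants)."""
    core_raw = password.rstrip(SUFFIX_CHARS)
    tail_len = len(password) - len(core_raw)
    core = core_raw.translate(UNLEET).lower()
    if core in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS)) + tail_len * math.log2(len(SUFFIX_CHARS))
    return brute_force_bits(password)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at an assumed GPU-class guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords: a "complex"-looking dictionary word, a short
    # all-lowercase one, and a random 12-character one.
    for pw in ("P@ssw0rd1!", "mkxtqrvp", "x7#Kq2!mVb9L"):
        print(f"{pw:14} brute-force {brute_force_bits(pw):5.1f} bits "
              f"({seconds_to_exhaust(brute_force_bits(pw)):.3g} s), "
              f"effective {effective_bits(pw):5.1f} bits "
              f"({seconds_to_exhaust(effective_bits(pw)):.3g} s)")
```

The point the numbers make: "P@ssw0rd1!" scores about 65 bits on a naive character-set meter but collapses to roughly 13 bits once the attacker's dictionary is taken into account, while the random 12-character string keeps its full strength under both estimates.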
Make Passwords Unique
Would you feel safe if every apartment in your building used the same key?
Reusing passwords or repeating phrases within your passwords is just as risky.
Users tend to use a single password at many different web sites.
By now there are several reported cases where attackers break into a low security site to retrieve thousands of user name/password pairs and directly try them one by one at a high security e-commerce site such as eBay.
As expected, this attack is remarkably effective.
— Stanford Security Lab
The reality is that the majority, 91%, recognize that using the same or similar passwords for multiple logins is a security risk, yet 58% do it anyway. These people mostly or always use the same password or variation of the same password.
Does this sound like something you do? If so, cut that bad habit now!
— LastPass blog
Once hackers catch on, all your accounts are vulnerable.
Generate Unique Passwords for Every Site
A unique password for every site limits the fallout if one account is hacked.
By generating a unique password for every site, each site obtains only your name, email and whatever other information you provided directly to that particular site.
Make Them Random
Unfortunately, people are creatures of habit and tend to follow the same sort of process in creating passwords such as familiar names (girlfriends, sports teams, etc.) and predictable patterns.
Respondents also retain a fondness for “keepsake passwords” including personally significant details as a family or pet name, a birthday or other important date, or a current or previous address, with 48% reporting that practice the last time they created or updated a password.
Patterns Make Passwords More Vulnerable
Passwords with simple phrases or common combinations are easily guessed.
If you can say your password (even with variations like “password with a zero”) it can be compromised in as little as one second using a dictionary attack.
We tend to start with a capital and leave the numbers and special characters at the end. This makes their discovery easier.
Avoid simple substitutions like @ for a, 3 for e and 0 (zero) for o (e.g., spelling “password” as “p@ssw0rd”).
In one 2010 case study, the top three compromised passwords were 123456, password and 12345678.
— Duo Security
Keyboard Sequences NOT Secure
Keyboard sequences like qwerty, or zxcvbnm or patterns like “Z” on the number pad appear to be complex passwords. 123456 is used by 17% of users.
This practice is known to hackers, yet is still common according to the information culled from recent exploits.
Single Sign-on Flawed
Single sign-on (SSO) uses your Google, Facebook or Apple ID to log into third-party sites.
SSO may be convenient, but creates a single point of failure.
But for all its convenience, consumer SSO has some real drawbacks, too.
It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed.
And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.
While sites using SSO may not be provided with your Facebook or Google password, they can access information that allows them to improve their profile of you.
Logging in to a website using a service such as Facebook or Google allows the website to make a request for data about you.
Linking two or more sites allows companies to collect more data, building an increasingly rounded profile about you.
Allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.
— Natasha Stokes
Facebook and Google both collect vast amounts of data on users and resell it to others, threatening your privacy, and between them they control nearly all Internet advertising revenue.
Allows for BITB Attacks
Change Compromised Passwords
It is a good idea to change your passwords regularly, but it is critical after you become aware that one has been compromised in a security breach.
Frequent password change policies sound good, but they only work if you employ a password manager. Otherwise people tend to use weak passwords because they are easy to remember.
Don't Reuse Passwords
Without the aid of password management software, people tend to reuse passwords or generate similar passwords with an extra number or other modifier. This is not security-smart.
Hundreds of online accounts can be compromised in a data breach on any given day. Reusing passwords could put your more sensitive accounts at risk.
Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren't after your Spotify passwords because they want to see who your favorite artists are.
They are banking on the high likelihood that the same password will unlock your email, retail Website, or even your work network.
— Check Point blog
Compromised accounts are vulnerable from anywhere in the world.
Sharing Passwords Risky
A surprising number of people share passwords without changing them afterwards.
When you share a password, especially if it is done insecurely, you create a vulnerability that could cost you your privacy or empty your bank account.
Sharing Streaming Passwords
Many people share their streaming passwords with friends, family and others.
You may justify this with cost savings, but sharing your streaming passwords is putting your privacy and personal data at risk.
Sharing Passwords Between Work and Home
What about using the same passwords at home and at work?
This reduces the protection of both your personal and your business accounts.
What's frightening is that 47% of survey respondents admit there is no difference in passwords created for work and personal accounts.
Which means that one re-used password has the power to compromise an entire organization's network. A company's network security is only as strong as their weakest link — the employees.
Poor security habits can leave that door wide open for hackers.
— LastPass blog
You Need a Password Manager
We simply have far too many passwords to manage them without a password manager. No one can remember all their passwords.
Humans simply have too much difficulty creating and remembering strong and unique passwords.
Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can't put in anything for you automatically if they're faced with a website they've never seen before.
— Naked Security
Browser Password Managers Vulnerable
While all browsers have built-in password managers, all have flaws and are vulnerable to being hacked.
Unscrupulous websites are using malicious scripts and hidden login fields to track and gather information from your browser's password manager.
- Why you shouldn't store passwords in a browser
- Why you shouldn't use your web browser's password manager.
- Mozilla advisory. How to use the Firefox master password.
In a perfect world, no one would allow their browser to save passwords. Why? Because it's insecure.
But if you happen to be someone who doesn't want to enter a password every time you visit a site (no matter how insecure it might be) there is an option to keep those logins safe if you use the Firefox web browser.
— Tech Republic
If you insist on using your browser's password manager follow these precautions:
- Ideally, this should be used on a single-user computer with a secure password.
- If there are multiple users on your computer, each person should have their own log-in identity, protected with a unique and secure password.
- Disable your browser's autofill feature.
- You should NEVER “remember” passwords for on-line banking and other critical sites.
I strongly recommend LastPass for secure access to all your passwords.
LastPass allows you to use complex and unique passwords without the need to remember them.
LastPass encrypts your sensitive data on your device before being stored online for access from anywhere.
We've implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.
Save a password once and it's instantly available across all your devices, yet even LastPass staff cannot access your encrypted data.
Protect your LastPass vault by using the LastPass Authenticator app.
The LastPass Authenticator app is a multifactor authentication app for iOS and Android that can be used for authentication when accessing your LastPass vault, assigned SSO apps, third-party apps or websites, and/or your LastPass workstation.
PC or Mobile?
LastPass works on Windows, Mac, Linux and mobile devices. Browser extensions are available for Firefox, Chrome, Microsoft Edge, Opera and Safari.
The devices you can access with your LastPass account depends upon the subscription you choose:
- LastPass Free: only one device type.
- LastPass Premium: adds advanced options on both computer & mobile.
- LastPass Family: adds access to multiple users.
Depending upon the plan you choose, LastPass allows you to
- generate secure passwords;
- keep passwords safe;
- access them from anywhere;
- use them on any device (with LastPass Premium and Family); and
- share them securely within your family (with LastPass Family).
LastPass secures all your passwords in a vault protected by one password.
- Only one password is required.
- LastPass will generate complex passwords so you don't have to.
- It remembers logins for new sites.
- It then logs you in automatically.
On rare occasions LastPass may have difficulty with a site that uses unusual login methods, but you can still copy the username and password from your LastPass vault.
Configure It Carefully
You'll create a password manager account with an email address and a strong master password to locally-generate a unique encryption key.
- What is the LastPass master password? Includes recommendations for choosing a secure password.
- Use the LastPass Authenticator app.
- LastPass user training.
Memorize the email and master password used to log in.
- Only one account per email.
- Account recovery is deliberately difficult, in order to protect your data.
Without your email address and password combination, not even LastPass employees have access.
The Free edition includes all of the standard password manager capabilities, plus a few features that other services restrict to paid accounts.
LastPass free provides:
- Unlimited passwords.
- One-to-one sharing.
- Save & autofill passwords.
- Password generator.
- Secure notes.
- Multifactor authentication.
but only on ONE of these platforms:
- Computers (including all browsers running on desktops and laptops).
- Mobile devices (including mobile phones, smart watches, and tablets).
The device you use first (or next) determines which type is supported.
Need both? Upgrade to LastPass Premium for US$36 per year.
You get everything provided in LastPass Free plus a lot of extras including:
- LastPass access on all your devices: computer and mobile.
- One-to-many sharing of passwords, WiFi logins, memberships, etc.
- Create your digital contingency plan with emergency access for loved ones.
- Advanced multifactor options including YubiKey, Sesame MFA & fingerprint identification options.
- The LastPass Authenticator app.
- The LastPass for Applications app.
- Dark web monitoring.
- 1GB of encrypted file storage.
- Priority tech support.
Benefits of LastPass Family
You might also want to consider LastPass Family at US$48 per year if there are more than 2 users in your household that want the Premium features:
- You get six licenses.
- It allows for full unlimited family sharing of common accounts like medical, entertainment and credit cards.
- Simple family member management allows you to organize passwords into folders for individual family members or by type of account.
LastPass Browser Addons Convenient
LastPass can be downloaded for most browsers (Chrome, Firefox, Safari, Internet Explorer, Opera, Microsoft Edge).
It is available for various operating systems (Mac, Windows & Linux), but a browser extension makes increased security more convenient.
Multifactor authentication (MFA) has replaced the term two-factor authentication (2FA). Multi-factor means you might have even more than two.
The authentication device is preferably something that is always with you and is inaccessible to potential hackers.
[T]here are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint).
Biometric scanners for fingerprints and retinas or faces are on the upswing thanks to innovations such as Apple's Face ID and Windows Hello. But in most cases, the extra authentication is simply a numeric string, a few digits sent to your phone, as a code that can only be used once.
In most cases, once you've set up MFA, you cannot return to password-only authentication. Recovery methods vary by vendor.
Remember this as you panic over how hard this all sounds: Being secure isn't easy. The bad guys count on you being lax. Implementing MFA will mean it takes a little longer to log in each time on a new device, but it's worth it in the long run to avoid serious theft, be it of your identity, data, or money.
Issues with MFA
Unfortunately, MFA has begun to suffer from weaknesses and is being exploited by cybercriminals.
Business Email Compromise
Larger businesses are being subjected to an advanced phishing attack called business email compromise where emails are spoofed that request unauthorized payments.
SIM Card Fraud
SIM card fraud is where someone other than yourself convinces the cell carrier to transfer your cell number to a new SIM card. Your phone will no longer work, and the new owner will receive every MFA code that relies on your phone.
- Multi-factor authentication: Who has it and how to set it up.
- How to set up two-factor authentication on your online accounts.
- The safer way to sign in to all of your online accounts.
- How do I manage my multifactor options in LastPass account settings?
- Two-factor authentication for Apple ID has replaced two-step verification.
- How to help keep your Microsoft Account safe and secure.
There are several multifactor options for devices to protect your password.
A cell phone is something that most people have and it is usually with them at all times.
Most commonly, SMS is used for verification, but the mobile number may also be a backup security method.
Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card (the fraudster may need only the last 4 digits of the credit card that pays for your account), after which they have access to the very multifactor authentication that is supposed to protect you.
Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.
— NY Times
Given the vulnerability of cell phones to SIM card fraud, a better solution might be authenticator apps.
Google provides the Google Authenticator for both Android and iOS. Microsoft Authenticator app can also be used on non-Microsoft accounts.
- Download and install the Microsoft Authenticator app.
- How to use the Microsoft Authenticator app.
- Add non-Microsoft accounts to the Microsoft Authenticator app.
- Google Authenticator.
- The best authenticator apps — PCMag.
There are other security key alternatives. Your choice should be made based upon what works best for you yet is secure enough for your circumstances.
Yubico was founded to set new global authentication standards, enabling one single security key to access computers, phones, networks and online services—all in a simple touch. We named our invention the YubiKey — your ubiquitous key.
The YubiKey is a hardware authentication device, designed to provide an easy to use and secure complement to the traditional user name and password.
Password Invalid Without Device
Like the cellphone, a USB device like this can be used as another level of security. Unless the person attempting to use the password has the device, the password will not be accepted.
LastPass Premium may be required to use a YubiKey with LastPass.
How YubiKey Connects
YubiKey is dependent upon a USB-A or USB-C port or an NFC connection, plus the software to make it work.
YubiKey can be used with USB-C adapters but not all adapters worked well, including the Apple USB-C Multi-adapter.
The YubiKey is not a biometric device. The fingertip is used to activate the device, not for authentication.
Since most mobile devices lack USB ports, YubiKeys provide an NFC option.
YubiKey supports strong authentication for iOS and Android smartphones and tablets.
NFC usage on iPhones is only supported on the iPhone 7 and newer, running iOS 11.3.1 and newer.
Many environments restrict mobile device use altogether making most MFA methods unusable. See how you can ensure strong security with ease, all without a cellular connection.
See YubiKey solutions for the latest updates.
Biometric verification is an attractive alternative because it is difficult to duplicate and the technology is attainable.
Ensure Biometric Data Verified Securely
Apple introduced fingerprint scanning with their iPhone 5S. As Apple quickly learned, the issue is privacy and personal security: you don't want to be sending your biometric data to every site you log onto.
Intel True Key allows you to sign in with your face or fingerprint (on supporting hardware) and provides optional multifactor authentication.
Vendors, through the FIDO Alliance, are working on a standardized authentication protocol that verifies your identity using a private key, so that your biometric scan never leaves the device.
It is anticipated that this technology could eventually replace the tricky and risky use of passwords altogether.
It Can Be Used Against You
While convenient, biometric authentication can be used against you: someone could use your finger to open your device or personal accounts without your express permission. Choose carefully which items are verified by biometric data under certain circumstances, such as when crossing borders.
Replacing Permanent Passwords
Another variation that isn't really a two-factor solution but which uses a similar process is discussed in how to kill the password: don't ask for one.
Instead of entering a password, you enter an email address or phone number and the temporary password lands in your Inbox or on your cellphone. You'll do this each time, so no permanent password exists.
Of course, if your email account's password is insecure (or obtained using weak password-recovery options) this provides no security at all.
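The server side of the “no permanent password” scheme described above, as an added example that is not code from the page or from the article it links to. It assumes a ten-minute validity window (the page gives no figure) and that the token is delivered out of band by e-mail or SMS; the service keeps only a hash of each token, so the pending-token table cannot be replayed if it leaks, and each token works exactly once.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

CODE_TTL_SECONDS = 600  # assumed 10-minute validity; the article states no figure


class OneTimeLoginService:
    """Issues single-use, short-lived login tokens in place of a stored password."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, Tuple[bytes, float]] = {}  # address -> (token hash, expiry)

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, address: str) -> str:
        """Create a fresh token for an email address or phone number. The caller sends it
        out of band; re-issuing replaces any earlier pending token for that address."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[address] = (self._digest(token), self._clock() + CODE_TTL_SECONDS)
        return token

    def redeem(self, address: str, token: str) -> bool:
        """Accept the token once, only before expiry, comparing hashes in constant time."""
        entry = self._pending.get(address)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[address]  # stale: discard regardless of the token offered
            return False
        if not hmac.compare_digest(self._digest(token), expected):
            return False
        del self._pending[address]  # single use: a captured code cannot be replayed
        return True


if __name__ == "__main__":
    service = OneTimeLoginService()
    # Constructed address; in practice the token goes out by e-mail or SMS.
    code = service.issue("user@example.invalid")
    print("first redemption:", service.redeem("user@example.invalid", code))
    print("replay attempt:  ", service.redeem("user@example.invalid", code))
```

As the paragraph above notes, the whole scheme is only as strong as the inbox or phone number the token is delivered to; nothing in this code can compensate for a weak e-mail password or a hijacked SIM.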