Passwords. Can’t live with them, can’t live without them. Well…in the not-too-distant future, you may be able to live without them, but in the meantime, we can offer some advice on how to live with them.
Almost every computer-based account you have requires a password. Some of us have 100 or more accounts and remembering unique, complex, hard-to-hack passwords is virtually impossible. In addition, some computers have passwords and secure Wi-Fi networks always have passwords. So what happens?
- The same password is used on multiple accounts.
- Simple generic passwords are used.
- Passwords are never changed.
- Passwords are forgotten, so it’s hard to get into your account.
- As passwords are case sensitive, you forget whether it’s a capital “A” or a small “a.”
- Connecting a printer to a secure Wi-Fi network is almost impossible as the printer doesn’t have a keyboard and it’s quite a feat to figure out how to enter the “@” character.
- You have passwords recorded on small scraps of paper taped to the computer or scattered all over your desk.
- In the event you’re not available, your representative can’t access your accounts because you haven’t left a record of your passwords.
In addition, hackers are getting better at cracking your password, and suddenly your account has been infiltrated. Data has been stolen not just from the hacked account, but from others, as you used the same account name and password on multiple accounts.
Even if you have sophisticated passwords, many accounts — including Social Security, Medicare and most financial institutions — require you to change your password periodically. It’s almost as though you need a private secretary to keep track of it all.
Most of the time, all is not lost if you forget a password because there are usually methods to reclaim or change a lost password. In many cases, these methods include providing responses to “security questions” like the name of your first pet or your high school mascot. Of course, if it’s hard enough to remember the password, how are you supposed to remember the responses you gave months or years ago to these idiotic questions?
Solutions — some good, some not so good
The most important thing you can do is create unique, strong passwords for each account. Your passwords should:
- Be unique, that is, not used on any other account.
- Have anywhere from 8 to 16 characters – or longer if it’s allowed.
- Use a combination of upper- and lower-case letters, numbers and special characters, such as #, $, %, etc.
- Not be one of the passwords on the list of the worst passwords of 2018.
Two-factor authentication, or 2FA
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they’ll be required to provide another piece of information. This second factor could come from one of the following categories:
- Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern.
- Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone or a small hardware token.
- Something you are: This category is a little more advanced and might include the biometric pattern of a fingerprint, an iris scan or a voice print.
With 2FA, a potential compromise of just one of these factors won’t unlock the account. So, even if your password is stolen or your phone is lost, it is highly unlikely that someone else also has your second-factor information. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity and unlock the account. (For more information on 2FA, see authy.com/what-is-2fa/.)
This approach is pretty good, if somewhat cumbersome, as you need to have access to your smartphone to get a one-time code. In some cases, particularly if you are using a new computer or a new location or if you’re trying to recover a lost password, you have no choice but to use 2FA to proceed.
Keep a written record or use a Password Manager
A written record of your passwords is essential! The worst place to store this list is on your computer; hackers always look there for such a list. Store the list in a safe place that you can easily access when the time comes to remember a password. Make a copy for your significant other or key contact if you are not available when access to your accounts is necessary.
The best way to keep a record of your passwords is to use a password manager. I recommend Dashlane (dashlane.com). Dashlane will store your account names, website information and your passwords.
Dashlane is free when used on one device (typically a computer). The paid version will be available on all of your devices and is constantly synchronized so that once a password is saved it’s available on all of your devices. Some features of password managers:
- You only need to remember one very strong password, which you should write down.
- You can use randomly generated passwords for each website, reducing the likelihood of them being cracked.
- They can work across multiple platforms: computer, phone, tablet.
- You can change a password at any time.
- It can automatically change a password when required by the website.
- You can print a copy of your passwords to put them in a secure location.
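As an added example (not the column’s own code) covering both the password rules listed earlier and the random-generation feature of a password manager: a checker that reports which of those rules a candidate breaks, and a generator that draws from the operating system’s cryptographic random source until the result passes. The worst-passwords list here is a short constructed stand-in for the published 2018 list.

```python
import secrets
import string

# Constructed stand-in for the published "worst passwords of 2018" list;
# a real check would load the full list.
WORST_PASSWORDS = {"123456", "password", "123456789", "qwerty", "abc123",
                   "111111", "admin", "welcome", "letmein", "iloveyou"}

SPECIAL = "#$%!&*?@"


def check_password(candidate: str, already_used: set) -> list:
    """Return the list of rules the candidate breaks (empty list = passes).
    `already_used` holds the passwords on the user's other accounts."""
    problems = []
    if candidate in already_used:
        problems.append("reused on another account")
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if candidate.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (secrets), as a password manager
    does; candidates are redrawn until every rule above is satisfied."""
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, set()):
            return candidate


if __name__ == "__main__":
    print("problems with 'Password':", check_password("Password", set()))
    print("generated:", generate_password())
```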
There is one cautionary downside. If you change password managers or stop using them altogether, you’ll need to download all your passwords and re-enter them manually. Also, it’s not impossible for someone to crack the password manager’s system, but the system has a lot more security resources than you do.
Living without passwords
The day is coming when passwords may become obsolete. I recently returned from an international trip and the Immigration and Customs folks used retina scans to identify me. I didn’t even have to present my passport!
Most computers are equipped with cameras and some even have fingerprint readers installed. Most smartphones have these features as well. It should be possible for websites to automatically identify you through retinal scans or fingerprints.
Other possibilities are:
- Exchange tokens and certificates without you needing to remember anything. They could even bypass password managers.
- Contextual security policies that rely more on trusted devices and connections, with the ability to add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.
- Key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, you’ll see a number code to enter into an app, where you’ll have to enter a PIN or provide a biometric.
At some point, passwords will have to go away, and we’ll all be better for it.
The worst passwords of 2018