Password Management Ideas
Will they or won’t they? Recently there has been some speculation about doing away with passwords completely. Wouldn’t that be nice! Here are some articles on the subject:
- https://www.techradar.com/uk/news/the-worlds-biggest-tech-companies-want-to-kill-passwords-on-password-day
- https://www.youtube.com/watch?v=faU_d7DqoiY
- https://www.tweaktown.com/news/86033/apple-google-and-microsoft-are-seeking-to-ditch-passwords/index.html
The end of passwords will eventually come, as things like biometrics get better. In fact, you could say that right now we’re at the worst possible stage of security: we use passwords and also have all these other ways to make our accounts secure.
But let’s not beat around the bush: a secure password that you know and others do not remains very strong. It fulfils the first of the three factors required for solid security: What you Know.
What you Have is your computer or device, USB stick or credit card, and finally What you Are is your fingerprint or facial ID. These three factors generally make up your security when it comes to the digital world, and the rough rule is that you need at least two out of three.
Most websites use just a password for their security – so get good at choosing your password
That said – plenty of websites still only use a simple password and will not enforce better security, so here is our recommendation for choosing a password:
- Length – make it long – at least 8 characters. But it’s been proven time and time again that you don’t actually need fancy characters or numerals to make a strong password. What you need is length: 26 characters is good, 36 is better. So a phrase like ‘peterpipedpickedapickledpickle’ is going to be good. But you try writing it.
- Memorable – don’t use the same password everywhere, obviously, but do use the same formula or ‘memorable anchor points’: the first three letters of your favourite colour, followed by your age in the year 2015, and then finishing up with the domain name of the website you’re on, all divided by an exclamation mark. For example: Gre43!twitter
- As with the three factors described above, pick something about the website or service you are creating the password for, i.e. something about Twitter if on Twitter, or gov.uk on the HMRC website. That way you’re combining ‘what you know’ with ‘what you’re doing’.
It’s more or less that simple… a password like TWIT43!green is going to be fairly tough for anyone to guess… unless they really know your methodology.
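The length advice and the "unless they really know your methodology" caveat above, worked through as an added example (not part of the original article). It estimates brute-force search space in bits for the article's sample passwords; the 20-colour list and the 0-99 age range are assumptions chosen for illustration.

```python
import math
import string

# Character classes for the naive "every character is random" estimate.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Total size of every character class that appears in the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def naive_bits(password):
    """Bits of brute-force work if each character were picked at random.

    This is an upper bound: dictionary words and rhymes are far more
    guessable than random letters of the same length.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def formula_bits(choices_per_part):
    """Bits left once the recipe is known: only the secret parts still vary."""
    return sum(math.log2(n) for n in choices_per_part)


def compare():
    """Return (label, bits) rows for the article's examples."""
    return [
        ("8 random chars, all classes", 8 * math.log2(94)),
        ("30 lowercase letters", naive_bits("peterpipedpickedapickledpickle")),
        ("Gre43!twitter, recipe unknown", naive_bits("Gre43!twitter")),
        # Assumed: 20 plausible colours, age 0-99, site name known (1 choice).
        ("Gre43!twitter, recipe known", formula_bits([20, 100, 1])),
    ]


if __name__ == "__main__":
    for label, bits in compare():
        print(f"{label:32s} {bits:6.1f} bits")
```

Each extra bit doubles the guessing work, so the gap between the "recipe unknown" and "recipe known" rows is the cost of reusing one formula across sites.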
Social Media Logins
There was a time when signing into Netflix with a Facebook account was frowned on… but still, the idea has persisted. Should you sign up using another service, in which case you don’t need a password at all? There are a lot of pros and cons to this:
- what if you get logged out of Facebook?
- will Facebook track your use? (yes, but they potentially do anyway)
- can you really go without a password? Many of these sites will require a password as well as a social media login
I suspect that overall, while convenient, using social media logins or authentication is not really to be advised. There are just too many ifs and buts at the moment when relying on a money-making organisation to handle your security.
Let me try and phrase that a little better: Facebook, Google, Twitter and other services that provide OpenAuth or OAuth access need to have a reason for doing so… Also, what if you’re trying to avoid social media? It’s not a foolproof system by any means.
Our advice here is don’t do it – don’t encourage this sort of authentication… plus banks and financial organisations will never allow it – so it’s not really a one-stop-shop for password management.
Password Managers
These have come a long way. There are LastPass, Dashlane and others; our favourite is KeePass. They are clunky but reasonably reliable, if a little disorganised.
I should also include your Browser Password Manager – the very basic tool that just says ‘do you want to save this password’ whenever the Browser thinks you might not have saved it already.
The Browser Password Manager is actually one of the better-kept secrets on your computer. Few people understand it or know where to look up passwords when they have forgotten them, instead just opting to reset their passwords. In short, we recommend you always save your passwords via the browser to make your life a bit easier. Pick a tough password, but then save it.
One thing it’s not worth doing is paying for a Password Manager. The simple reason is that if you need to fork out money to keep your passwords secure, then you’re probably not choosing your passwords properly in the first place. Nothing is a substitute for a good quality password, and no password manager will take responsibility if you have a problem.
USB Stick and hardware
Again, I am really not a fan. What if you lose it? We lose car keys and leave house keys around, but replacing all your passwords because you have lost your USB stick is awkward to say the very least. Lose your house keys and a locksmith will come and replace the lock; lose your USB stick and you might spend days trying to regain access to your banks.
I can fully see the benefits though: it fulfils the separate factor perfectly, something you have, just like a credit card. Where it gets a bit fiddly is when you need multiple things to make it happen. For example, you might need a password, a USB stick and an App on your phone as well. It’s complicated and I doubt it will catch on for most people.
The idea is pretty dead already – IMO.
2 Factor Authentication
Yes – I have to bring this up despite most people not having a clue what it means, but it is the 6-digit number you’re texted after you sign into a website, or the phone call you get with a code. It’s an utter pain, but it fulfils the criteria. And it does do the job.
We’re fans of Authenticator apps. Currently these can be downloaded in a Microsoft or Android flavour and either will do; one can also be added to your browser if you’re at the desktop a lot. With an Authenticator the 6-digit code is refreshed every 60 seconds or so, and so long as you input the number at the right time it will work.
BUT – and there is a big but here – you still need a password. To pass the first factor and get to the second factor you need a password and for that, I refer you to my password guidance at the top.
2 Factor Authentication actually does provide a fairly secure way to protect your digital life, but it is still awkward.
What of the future?
Well, we want to see a world that actually does away with passwords and instantly gives us full security at the same time. Fingerprint ID has about a 1 in 50,000 chance of being broken, while Facial Recognition has a 1 in a million chance of being broken.
Also, these days we are starting to wear wearable tech such as Apple Watches and even earphones and the like. These devices know who we are and they can pass that information to the computer we’re sitting next to. Surely that means no passwords.
I’ve struggled with modern cars, particularly electric ones with all-singing, all-dancing gizmos… it’s all very well hooking up my phone automatically so I can play Spotify… but what about my children? Our environments need to know who we are. Am I logging in from my apartment or some concrete warehouse in Russia?
Let’s be clear before I finish off… I am not proposing an invasion of privacy where Google can log into my bank if it recognises the jumper I am wearing. But I am proposing that if I am logged into a particular service through another device then perhaps Google or Facebook can put two and two together.
The extraordinary thing is that on my phone I am never logged out of many apps… from iPlayer to Netflix, from Facebook to AdWords I am constantly logged in on an App… why can’t I do that on my Browser?
My final word – Passwords will go in the future, but in the meantime picking a really good one for every website is by far the best strategy of all.