It’s time to examine your password insecurities

It’s time to look at insecure passwords and unhealthy habits. Every year, about this time, I visit lists of commonly used passwords around the world. It’s a tech support horror show of bad practices and lazy behaviour. I drive some customers up the wall with my harping about basic password security. Passwords are your first line of defense, but many don’t take them seriously. Yes, they are inconvenient, but unavoidable.

What makes a bad password?

The short answer is anything easily guessed.

That includes your children’s names, 123456789, simple dictionary words, the word “password”, your name, your street address, qwerty, 1111111, Mozart, and a host of easily guessed combinations. I’m never surprised anymore when I sit down at a customer’s computer and they can’t find their passwords. Too often, I can figure it out in less than 10 min. Invariably their response is “how’d you do that?” Yes, I figured out your password by looking at the name you have on your router Wi-Fi. No, that is not a good way to remember your email password. Then comes my lecture about password security.

Lazy thinking

Most of the simple passwords are a result of lazy thinking and inertia. They’re picked because they are easy to remember. Worse still, many people never change their passwords. If a company is hacked, you may not know about it for months or even years. If you are in the habit of changing your passwords every 4 months, you decrease the chances of someone hijacking your account without you knowing until it’s too late.

Let me explain in a little more detail. Years ago (over 10 now), Bell’s Sympatico email was hacked. It was a mass hack and thousands of emails and passwords were stolen. By changing my passwords on a regular basis, I prevented a catastrophe. How? Well, those email passwords are still floating around on the internet. I go into my security settings and look at all the failed attempts to log into my account, by people who have the email address and the old password. Some days there are dozens of attempts to gain access to the account.

As an experiment about 2 years ago, I switched the password back to the stolen one. A couple of us were curious as to how long it would take for someone to gain control. Since I rarely use the email, I wasn’t too worried. I changed it back and was staggered. Within 2 min, the account was breached and within 10 min spam was flooding out of the account. I changed the password, cleaned up the mailbox and went in to check the mail forwarding and reply. Both had been changed. This meant any replies and all my regular mail would have been automatically sent to this new email address. That password was stolen (at that point) over 8 years prior but was still kicking around the internet.

Consider this. If I used the same password on multiple accounts, it wouldn’t have taken long for those accounts to be breached as well. It’s a cascading disaster.

Image: various password options (a decoder ring, giving up in despair, randomizing passwords). Caption: Pick your poison.

How to keep passwords secure

Have unique passwords for each account. This means don’t use one password and change the last character for each account. If you use Hotdogs (not a good password!) on your email, don’t use Hotdogs123 for your banking account. If you have difficulties creating passwords, get a password generator. Those are apps that will generate difficult passwords that don’t fall into an easily recognized pattern. I started using one years ago when I realised my passwords all tended to use one side of the keyboard. No idea why I do that, but it’s a nasty habit.
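As an added example (not from the original post), this Python checker turns the bad habits listed above into tests: the common choices quoted on the page, digit runs like 123456789 or 1111111, keyboard walks, letters all from one side of the keyboard, personal names, and the Hotdogs/Hotdogs123 variant trap; generate() then draws a password from the operating system’s random source and redraws if any check fires. The common-password list and the 12-character minimum are assumptions, not values from the page.

```python
import re
import secrets
import string
# Weak choices quoted on the page, lower-cased (constructed list, not a real leak corpus)
COMMON = {"password", "passw0rd", "123456", "12345678", "123456789", "87654321",
          "43215678", "abc123", "qwerty", "1111111", "monkey", "karenmike2011"}
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
LEFT, RIGHT = set("qwertasdfgzxcvb"), set("yuiophjklnm")
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def sequential(s, n=4):
    """True if s has n+ characters stepping by 0, +1 or -1 (1111111, 123456, 8765)."""
    for i in range(len(s) - n + 1):
        seg = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if len(steps) == 1 and steps <= {-1, 0, 1}:
            return True
    return False
def keyboard_walk(s, n=4):
    """True if s contains n+ adjacent keys from one keyboard row, in either direction."""
    return any(seg in s.lower() for row in ROWS for r in (row, row[::-1])
               for seg in (r[i:i + n] for i in range(len(r) - n + 1)))
def one_handed(s):
    """True if every letter is typed with one hand (the habit the text above describes)."""
    letters = {c for c in s.lower() if c.isalpha()}
    return bool(letters) and (letters <= LEFT or letters <= RIGHT)
def stem(s):
    """Strip trailing digits/punctuation so Hotdogs123 compares equal to Hotdogs."""
    return re.sub(r"[^a-z]+$", "", s.lower())
def weak_reasons(pw, personal=(), others=()):
    """Reasons pw is easy to guess; personal = names/dates, others = passwords already in use."""
    low = pw.lower()
    checks = [
        (len(pw) < 12, "shorter than 12 characters"),
        (low in COMMON, "on the common-password list"),
        (any(p.lower() in low for p in personal if p), "contains personal information"),
        (sequential(pw), "repeated or sequential characters"),
        (keyboard_walk(pw), "keyboard walk"),
        (one_handed(pw), "letters all from one side of the keyboard"),
        (bool(stem(pw)) and any(stem(pw) == stem(o) for o in others),
         "variant of a password already used elsewhere"),
    ]
    return [msg for hit, msg in checks if hit]
def generate(length=20):
    """Draw from the OS CSPRNG; redraw on the rare result that trips one of the checks."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weak_reasons(pw):
            return pw
```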

I also use an encrypted password keeper. Face it, it’s impossible to remember even a fraction of the passwords that guard our accounts. I have over 200, all different. There are several excellent ones on the market. Dashlane is a popular and easy-to-use option. It combines a random password generator with an easy-to-use interface for storing passwords. It also synchronizes across platforms. I have a customer who syncs between a Windows laptop, an iPad, an iPhone, and an Android device. Once everything was set up, she rarely had issues.

The free version will save 50 passwords. After that, you need to invest in a subscription. Look around and ask for recommendations from people you know and trust.

Look for these features:

  • easy to understand screen
  • encrypted
  • password generator
  • easy to organise passwords into categories
  • easily synched between devices
  • options to upgrade if your needs become more complicated
  • cost. If you don’t have a lot of passwords to maintain, look for a “free for home use” option.

If you are given the choice, use Two Factor Authentication (2FA)

Many accounts will allow you to set up 2FA for your passwords. For some reason, whenever I think of 2FAs, my mind flashes onto those old decoder rings that came in cereal boxes. 2FAs are more secure, but not as fun. Two Factor Authenticators tie your smartphone to your online accounts, making it difficult to access email (for example) without that phone.

Let’s continue to use email as an example. When you sign onto your email, you’ll be greeted with a window prompting you to type in a randomly generated code. This code will be supplied by an app like Authy or Microsoft Authenticator. Fire up your smartphone, open the authenticator, tap on the program you want to access, and a random number will appear on the screen. Type the number into the prompt box, tap enter and bingo, your email opens.

Here’s a tip: if you use 2FA, make sure it’s backed up or you’ll be faced with a nightmare if you lose your phone.

The quick takeaway on passwords

Stop using “monkey” and “password”. Change your passwords regularly. Use 2FA when offered. Use a random generator. Stay safe.

Password insecurity – the usual suspects

The annual list of truly bad passwords is now out and it still brings a tear of despair to any computer techie’s eyes. Despite all the warnings and examples of the chaos caused by hacked accounts, people still use “password”, “12345678” and “abc123” as the gatekeepers to their personal information. Worse still are those who use the same password across all their devices and accounts.

I have a couple of customers like that. No matter how much I beg and plead with them to change from “87654321” (yeah, that’s going to be hard to figure out) or “123456”, they still fall back on the same easy-to-guess passwords. Or my next favourite – the customer who uses their kids’ names as their Wi-Fi network name and then uses the same names as their router and email password. No, using “karenmike2011” really isn’t a good deterrent to any moderately lazy hacker.

Here’s a case study for you: I have a customer, wonderful family, but they never remember their passwords. The husband is always changing them, in the vain belief that will keep them secure. He dutifully writes the passwords all down and stores them … somewhere … somewhere safe … Last time I was there it took him over 30 min to figure out where he hid the list. HOWEVER … and you just knew there was more to this story, didn’t you … By the time he finds his list, I’ve already figured out what his passwords are. Now, changing your passwords periodically is an excellent idea; I do that myself. But it’s futile if you rotate the same easy-to-guess passwords. I usually try their kids’ names and birthdays (written on their computer calendar). If that doesn’t work, I whip through the usual “pAssw0rd”, their street address, “43215678” etc. And yes, I really do figure them out before he has his “EUREKA” moment.

Given the explosion of excellent password keepers that you can install on your phone, tablet and PC and synch between them, there really is no excuse. But I’ve discovered that lectures don’t do anything. I might as well write out what they need to do, roll the instructions up and smoke them for all the good it does. Some people either just don’t get the danger or they think they are bombproof. And when I get that call I refrain from “I told you so” but honour the person with a knowing glare over the top of my glasses as we start the recovery process.

Here are some basic rules for password security:

  • Get an encrypted password keeper. I use Password Padlock and synch the list between my devices. It automatically backs up the list to an encrypted file on my cloud account (not stored on anyone’s server) and when I make a change, it notifies me on my other devices to download the updated list.
  • Make sure your password keeper has a feature that will create a password for you and make it completely random. It should also have the ability to include special characters. We’re creatures of habit, which means when we create our passwords, we tend to fall back on familiar names and numbers.
  • DON’T USE 123456 or PASSWORD as the access key to your new password keeper. Kind of defeats the purpose, don’t you think?
  • Change your passwords periodically. The most important ones are your email, online banking and anything that holds private information.
  • Don’t use the same password for your primary accounts. Don’t use your email password on your banking website. Pick unique passwords for each one. And don’t forget to change them periodically.
  • If you don’t want to use a password keeper, create a system to track your passwords. The advice “never write them down” may be good from a security point of view, but entirely impractical from the user end. Who’s going to remember 60 or 70 passwords? Especially if they are completely randomized. That advice is arrogantly dismissive of how difficult it is to remember passwords.
  • I have a customer who has the weirdest system I’ve ever seen. He writes his passwords down in a bizarre code that only he knows. Another one uses a password protected spreadsheet so she has one master password to remember.

Take a few basic steps and protect your data. Take some time to plan out your password – don’t rush picking it. Figure out a system that works for you and stick to it.

… oh and “monkeyboy”, “IamaGOD!”, “l0Vemachine” and your pet’s name are not good choices … trust me on this.