Stay safe online: Passwords

Don't sign in!

... until you have checked that it's really the site you intend to log in to. And look for https: and the padlock sign.

If you enter your user credentials on the wrong site they are at risk.


Perhaps the most important factor in protecting your online presence is
having good passwords and using them with care.

What makes a good password?

A good password should, where possible (some sites restrict these options), be:

  • 12 or more characters, with upper and lower case, numbers and symbols.
  • Unusual.
  • Memorable.
  • Different from all your other passwords.

Are your passwords secure?

The most commonly used passwords (2020), in order of frequency, are:

  123456, password, 12345678, qwerty, 12345, 123456789, football, 1234, 1234567, baseball, welcome, 1234567890

If you use passwords like this they are easy to crack. Password cracking mostly uses a “dictionary” based on passwords used around the world (and selected for your language). “Text-speak” or substituting numbers for letters is s0 c0mm0n now that it’s no benefit. Hackers may also use information collected about you from the public domain, e.g. your Facebook page, so don't use a family member's (or pet's) name, address, age or date!

Use a common strategy

One strategy often recommended is to use the first letter of words from a favourite poem or text.
ItbwtW, Iwlaac – can you guess them – would they be secure?   (0.5 second to crack)
The more complex a password is – the more “entropy” it has – the more secure it will be. So avoid the predictable. 
Here is a good password:   L8n-G3c?R4m,S3h (34 billion years)
It’s not very memorable – would you write it down – or store it in a text file on your PC?
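As an added example (not part of the original page), here is a small checker that applies the four criteria above, the 2020 common-password list, and a brute-force keyspace estimate in bits to the page's own sample passwords. It reverses the number-for-letter substitutions the page says no longer help, so "passw0rd" is caught as "password", and it flags when a password shares a "seed" prefix with another of your passwords; the crack-time figures quoted on the page come from security.org and are not reproduced here.

```python
import math
import os
import re

# The commonly used passwords quoted on this page (2020 list).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
}

# Number/symbol-for-letter substitutions; reversing them lets the checker
# catch "passw0rd" as the dictionary word "password".
LEET = str.maketrans("0134$@!", "oieasai")

# (name, pattern, size of that character class for the keyspace estimate)
CLASSES = [
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("symbol", re.compile(r"[^A-Za-z0-9]"), 33),
]


def keyspace_bits(pw: str) -> float:
    """Brute-force keyspace: length * log2(alphabet), where the alphabet is
    the union of the character classes actually present in the password."""
    alphabet = sum(size for _, rx, size in CLASSES if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, others=frozenset(), seed_len: int = 6) -> dict:
    """Apply the page's criteria. 'others' is the set of the user's other
    passwords (for the 'different' rule and the shared-seed warning)."""
    missing = [name for name, rx, _ in CLASSES if not rx.search(pw)]
    lowered = pw.lower()
    # A shared seed prefix is what the page's level 2/3 scheme deliberately
    # does; it is a warning here because level 1 passwords must be unique.
    shares_seed = any(
        len(os.path.commonprefix([pw, o])) >= seed_len for o in others if o != pw
    )
    return {
        "long_enough": len(pw) >= 12,
        "all_classes": not missing,
        "missing_classes": missing,
        "not_common": lowered not in COMMON_PASSWORDS
        and lowered.translate(LEET) not in COMMON_PASSWORDS,
        "different": pw not in others,
        "shares_seed": shares_seed,
        "bits": round(keyspace_bits(pw), 1),
    }
```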

Levels of security

When you have a LOT of logins to remember passwords for it becomes unmanageable.  We need to reduce the level of complexity, and my first step is to divide logins into three different security levels.

LEVEL 1: Logins to financials – bank, PayPal, eBay, etc. need highest security; a unique secure password for each.

LEVEL 2: Logins to personal stuff – email, facebook, cloud storage such as Google drive etc. need good security.

LEVEL 3: Unimportant logins can share a small range of simple passwords – depending on the requirements of the site.  
But please don’t just use your name, date of birth, etc. – that's ALL in the public domain.

How to create passwords that meet these criteria: Work out your own simple strategy for level 2 & 3 passwords

You could use a name that is memorable to you (our first car was called "Betsy") and add a memorable number or date to make a "seed", with a couple of symbols - bEtsy%41# - then add letters from the site's name (e.g. fac for Facebook) to make a complex password that is easy to remember but still different for each site. So bEtsy%41#fac, bEtsy%41#goo, bEtsy%41#bbc etc.

Don’t ever use in a password the “memorable information” that important sites use to confirm your identity.

bEtsy%41#fac - 34 thousand years


For "level three", unimportant or "one time" logins can have passwords that are simpler, shorter and easier to type.
So use a shorter "seed", e.g. j1MMy$ (or j1MMyS), with two characters from the site name, e.g. bb for BBC News.

j1MMy$bb (8 hours) or j1MMySbb (1 hour). (Some sites don't allow symbols in passwords, but most require at least 8 characters.)


Password cracking time estimates from https://www.security.org/how-secure-is-my-password/


It’s still too much to remember

Well, you should be able to remember the level 2 & 3 passwords – in their simple variations. However you need some way of storing them all – especially the more complex passwords – securely. Write them down and stick them on the side of your monitor? Perhaps not. However it is reasonably safe to store them in a file on your computer, provided that the way they are stored is secure. Here are three ways to achieve this.


1:  Let your browser store passwords:  Simple and very convenient, but unfortunately anyone who can log in to your computer can access all of them.
Be aware that the login password to your PC can be breached reasonably easily and quickly by anyone with sufficient skill.


Some browsers (Firefox) allow you to set a master password that must be entered before the stored passwords can be used.  Don't leave Firefox open, because your passwords aren't secure while it is unlocked.  For most domestic purposes (level 2 or 3 security logins) it's fine.  However, as your browser is your point of contact with the web, it’s also a common target for hackers, so perhaps not the best place to save more important passwords.


2:  Create your passwords in a document and copy/paste to use them.  The document needs to be secured by a complex master password and encrypted securely.  This is the system I use myself. For example LibreOffice Writer allows password protection of a document and very secure AES256 encryption, as used by governments etc. You can store multiple copies of the file to prevent its loss; only someone who has the master password would be able to use it. It goes without saying (I hope) that if you lose THAT password you will have REAL problems. And if you keep it written down you need to be VERY careful.


3: Use a password manager. KeePass is FREE, open source, available for many different platforms (PC, Apple, Android etc.) and very secure.  It will generate secure passwords for you, remember them, and apply them to a site login. It’s not as convenient as the browser password manager, but by far the most secure way to store your passwords.   Just don’t forget the master password.

What happens if the device you have this program (and the password database) installed on breaks? Or if you are using a different device - a tablet or phone?

Important Logins (such as financials)

These should not rely on a single authentication, and ideally should not rely solely on characters typed in on your keyboard.
Why not? Because a keylogger virus would capture all your login information!

Here are some examples of strategies commonly used.

  • Lloyds Bank – user code (8 ch), password (10 ch), memorable information (3 ch from 10 via drop-down).
  • Santander – Personal ID (confirmed with chosen image and text); if the website does not respond with the correct image, do not proceed! THEN passcode (8 ch) and registration number (5 digits).
  • Binance (cryptocurrency exchange) – previously confirmed email address, long password (upper and lower case, numbers and symbols), then 2fa via a one-time passcode sent to your phone.


Often if the site does not recognise the device you are using, a further authentication (2fa) will be required.

Two factor authentication (2fa)

For high levels of security an online log-on via a PC, tablet etc. is not sufficient.  A common strategy is for the login to require a one-time passcode sent as a text to your phone, which you then enter on the PC. Another example of 2fa is the chip & PIN system used on credit cards.


Further authentication (only if you REALLY need high security)

USB keys

Makers such as Yubico sell keys that plug in to a USB port to provide a second level of security for your data.

Biometric security

Many phones and laptops offer fingerprint, face or voice recognition for security. You can buy a USB fingerprint reader for a PC or laptop for around £20.

What if it breaks?

I would not be happy relying on a single device to allow access to my online activities. I have several copies of my password file on different devices, including my Google Drive, so I can access my online services from any of them – and if one breaks, or I can’t access it, I’ll use another with no issues.
This has proved invaluable when I have needed to perform transactions or access personal data while on holiday.