Stay safe online: Passwords
Perhaps the most important factor in protecting your online presence is good passwords.
What makes a good password?
A good password should, where possible (some sites restrict these options) be:
- 12 or more characters; with upper and lower case, numbers and symbols.
- Different to all your other passwords.
Are your passwords secure?
The most commonly used passwords (2020) in order of frequency are:
123456: password: 12345678: qwerty: 12345: 123456789: football: 1234: 1234567: baseball: welcome: 1234567890:
If you use passwords like this they are easy to crack. Password cracking mostly uses a “dictionary” based on passwords used around the world (and selected for your language). “Text-speak” or substituting numbers is s0 c0mm0n now that it’s no benefit. Hackers may also use information collected about you from the public domain e.g. your facebook page - so don't use a family members (or pets) name, address, age or date!
Use a common strategy
One strategy often recommended is to use the first letter of words from a favourite poem or text.
ItbwtW, Iwlaac – can you guess them – would they be secure? (0.5 second to crack)
The more complex a password is – the more “entropy” it has – the more secure it will be. So avoid the predictable.
Here is a good password: L8n-G3c?R4m,S3h (34 billion years)
It’s not very memorable – would you write it down – or store it in a text file on your PC?
Levels of security
When you have a LOT of logins to remember passwords for it becomes unmanageable. We need to reduce the level of complexity, and my first step is to divide logins into three different security levels.
- Logins to financials – bank, PayPal, eBay, etc. need highest security; a unique secure password for each.
- Logins to personal stuff – email, facebook, cloud storage such as Google drive etc. need good security.
- Unimportant logins can share a small range of simple passwords – depending on the requirements of the site. But please don’t just use your name, date of birth, etc. – Thats ALL in the public domain.
How to create passwords that meet these criteria: Work out your own simple strategy for level 2 & 3 passwords
You could use a name that is memorable to you (our first car was called "Betsy")and add a memorable number or date to make a "seed", with a couple of symbols - bEtsy%41# - then add letters from the sites name (eg fac for facebook) to make a complex password that is easy to remember but still different for each site. so bEtsy%41#fac, bEtsy%41#goo, bEtsy%41#bbc etc.
Don’t ever use your “memorable information” that important sites use to confirm your identity in passwords.
bEtsy%41#fac - 34 thousand years
For "level three" - unimportant or "one time" logins can havepasswords that are simpler, shorter and easier to type.
So use a shorter "seed" eg j1MMy$ (or j1MMyS) with two characters from the site name eg
j1MMy$am (8 hours) or j1MMySam (1 hour) . (some sites dont allow symbols in passwords, but most require at leasst 8 characters)
Password cracking time estimates from https://www.security.org/how-secure-is-my-password/
It’s still too much to remember
Well, you should be able to remember the level 2 & 3 passwords – in their simple variations. However you need some way of storing them all – especially more complex passwords - securely. Write them down and stick them on the side of your monitor? Perhaps not. However it is reasonably safe to store them in a file on your computer, provided that the way they are stored is secure. Here are three ways to achieve this.
1: Let your browser store passwords: Unfortunately anyone who can log in to your computer can access all of them. Simple and very convenient. Be aware that the login password to your pc can be breached reasonably easily and quickly by anyone with sufficient skill.
Some browsers (Firefox) allow you to enter a master password before they will allow use of the stored passwords. The encryption used is known to be not very secure. For most domestic purposes (level 2 or 3 security logins) its fine. However as your browser is your point of contact with the web, it’s also a common target for hackers, so perhaps not the best place to save more important passwords.
2: Create your passwords in a document and copy/paste to use them. The document needs to be secured by a complex master password and encrypted securely. This is the system I use myself. For example Libre Office Writer allows password protection of a document and very secure AES256 encryption as used by governments etc. You can store multiple copies of the file to prevent its loss, only someone who has access to the master password would be able to use it. It goes without saying (I hope) that if you lose THAT password you will have REAL problems. And if you keep it written down you need to be VERY careful.
3: Use a password manager. KeePass is FREE, open source, available for many different platforms (PC, Apple, Android etc. and very secure. It will generate secure passwords for you, remember them, and apply them to a site login. It’s not as convenient as the browser password manager, but by far the most secure way to store your passwords. Just don’t forget the master password.What happens if the device you have this program (and the password database) installed on breaks? Or if you are using a different device - a tablet or phone?
Important Logins (such as financials)
These should not rely on a single authentication, and ideally should not rely solely on characters typed in on your keyboard.
Why not? because a keylogger virus would capture all your login information!
Here are some examples of strategies commonly used.
Lloyds Bank – user code (8ch), password (10ch), memorable (3 ch from 10 via drop down)
Santander – Personal Id (confirmed with chosen image and text) if the website does not respond with the correct image do not proceed!
THEN passcode (8 ch) and registration number (5 digits)
Binance (cryptocurrency exchange) – previously confirmed email address, long password (upper and lower case, numbers and symbols)
2fa via one-time passcode sent to phone.
Often if the site does not recognise the device you are using, a further authentication (2fa) will be required.
Two factor authentication (2fa)
For high levels of security an online log-on via a pc, tablet etc is not sufficient. A common strategy is for the login to require a one-time passcode sent as a text to your phone, which you then enter on the PC. Another example of 2fa is the chip & pin system used on credit cards.
Further authentication (only if you REALLY need high security)
Makers such as Yubi sell keys that plug in to a usb port to provide a second level of security for your data.
Many phones and laptops offer fingerprint, face or voice recognition for security. You can buy a USB fingerprint reader for a pc or laptop for around £20.