Password Puzzles – how safe is your online password?
How safe is your password? The answer seems to depend on what site you go to. Many sites try to protect you by enforcing password rules. These might be the length of password, the inclusion of uppercase letters, the inclusion of digits and the inclusion of punctuation characters. Unfortunately these may not offer the best protection and their very complexity may lead to security breaches in that users are forced to write them down. Even more unfortunately these checks are inconsistent. For example one of my insurance accounts will not allow me to use punctuation only numbers. This obviously means having to remember more than one password. Doing some highly unscientific analysis around friends and family showed a need to remember an average of 20 passwords and pass codes.
Intel’s password checking site (which I cannot recommend using as it is itself uses an insecure connection) offers the advice that it is better to use a long password phrase (something like “The cat sat on the dog cuddling the mouse!”) rather than the usual 8 characters with Upper case, at least 1 number and a punctuation mark. This is because it will give something easier to remember and will take longer to crack. Hackers know about the common substitutions like ‘@’ for ‘a’ etc. and if your password is just a normal word with substitutions then their dictionary checkers can usually decode them in a couple of hours. Unfortunately as mentioned above many sites implement password rules that prevent these long but easy to remember passwords.
2 factor authentication
Some sites try to get round password insecurity by using 2 factor authentications without a password. 2 factor authentications is where you are asked to enter some form of pass code and then the site prompts you for more information which only you can provide. The classic example of this is the chip and pin authentication most banks now use where you enter a relatively easy piece of information to identify you (perhaps your card number) and it then asks you to provide a code generated from a device which has to be authenticated by your pin. The good thing here is that the pin is never entered on the site and therefore is a lot less vulnerable to hackers.
The LawSkills Monthly Digest
Subscribe to our comprehensive Monthly Digest for insightful feedback on Wills, Probate, Trusts, Tax and Elderly & Vulnerable client matters
Not complicated to read | Requires no internet searching | Simply an informative pdf emailed to your inbox including practice points & tips
Subscribe now for monthly insightful feedback on key issues.
All for only £120 + VAT per year
(£97.50 for 10+)
Another good example of 2 factor authentication is where you take some action on a website and they text you a code to your phone that you have to key in to confirm. Obviously this is vulnerable to phone theft but the chances that the same person steals your phone as hacks your password is a lot lower than hacking alone.
Even with 2 factor authentication there is the problem that it is not available on all sites and even banks don’t use it when authenticating payments on other sites – you still have to remember yet another code.
The big problem here is that people are not good at remembering 20+ passwords and codes so the temptation is to use the same password on every site but this introduces vulnerability. The problem is that any site can be hacked with enough time and patience. We have all heard on high profile sites getting hacked and passwords being leaked. They usually proudly announce that no credit card information was exposed but that really doesn’t matter for if you use the same password on all sites then the hacker has just gained access to all of them.
Now it might be fine to use the same password for low vulnerability sites but anything involving money or your identity (Facebook for example) should always have a separate password.
This leaves the question of remembering them – writing them down is not exactly secure. One answer is to store them in a secure wallet on say your phone. This is basically an app that allows you to store data in an encrypted form with a secure pin code. You just remember that pin code to look up your passwords and other confidential information. This again has the advantage that the secure pin code is never transmitted anywhere. There are still risks with this approach in that you might lose or break your phone and lose the data – most of the apps allow secure back-ups. Some examples are eWallet, Stash, Safe, and Whiskers. eWallet in particular has been around a long time and has a very good reputation.
If you don’t want to spend your time looking up passwords then a password consolidator may be the answer. These are basically tools that remember all your passwords for you and then log in to the sites automatically. The simplest example of this is that most browsers have an option to remember a sites password – this is not particularly secure and I can’t recommend it for anything really sensitive. The other issue with using the browser that it is only remembered on that device so if you are away from home you have to try and remember the password you have never keyed in. The best known of the password consolidators is LastPass this secures all of your site passwords under one top level password and can be synchronised between all your devices including phones and tablets.
There are other options. For example if you use a mac Apples Secure keychain system they introduced with the Mavericks version of their operating system will eventually allow you to securely remember and share passwords across all Apple devices – it also integrates very cleanly into the Safari browser. This is obviously not so useful if you are a PC or Android user.
Other alternatives to LastPass are Keeper and 1Password.
It should be mentioned that any system that synchs your passwords has to store them somewhere with the obvious risk of being hacked. LastPass did suffer a hack a couple of years back but their response satisfied most security pundits. They treat passwords in the same way most sites treat credit card data which in reality is something we all should do.
FREE monthly newsletter
Wills | Probate | Trusts | Tax | Elderly & Vulnerable Client
- Relevant learning and development opportunities
- News, articles and LawSkills’ services
- Communications which help you find appropriate training in your area