Password Puzzles – how safe is your online password?

 In Comment

Disclaimer: LawSkills provides training for the legal industry and does not provide legal advice to members of the public. For help or guidance please seek the services of a qualified practitioner.

internet security passwordsHow safe is your password? The answer seems to depend on what site you go to.  Many sites try to protect you by enforcing password rules. These might be the length of password, the inclusion of uppercase letters, the inclusion of digits and the inclusion of punctuation characters. Unfortunately these may not offer the best protection and their very complexity may lead to security breaches in that users are forced to write them down. Even more unfortunately these checks are inconsistent. For example one of my insurance accounts will not allow me to use punctuation only numbers. This obviously means having to remember more than one password. Doing some highly unscientific analysis around friends and family showed a need to remember an average of 20 passwords and pass codes.

Long Phrases

Intel’s password checking site (which I cannot recommend using as it is itself uses an insecure connection) offers the advice that it is better to use a long password phrase (something like “The cat sat on the dog cuddling the mouse!”) rather than the usual 8 characters with Upper case, at least 1 number and a punctuation mark. This is because it will give something easier to remember and will take longer to crack.  Hackers know about the common substitutions like ‘@’ for ‘a’ etc.  and if your password is just a normal word with substitutions then their dictionary checkers can usually decode them in a couple of hours.  Unfortunately as mentioned above many sites implement password rules that prevent these long but easy to remember passwords.

2 factor authentication

Some sites try to get round password insecurity by using 2 factor authentications without a password. 2 factor authentications is where you are asked to enter some form of pass code and then the site prompts you for more information which only you can provide. The classic example of this is the chip and pin authentication most banks now use where you enter a relatively easy piece of information to identify you (perhaps your card number) and it then asks you to provide a code generated from a device which has to be authenticated by your pin. The good thing here is that the pin is never entered on the site and therefore is a lot less vulnerable to hackers.

Free LawSkills Newsletter

If you like our articles, why not subscribe to our free monthly newsletter with regular Private Client news, views and advice from leading legal minds. It's quick, easy and you can unsubscribe at any time if you no longer want to receive it.

Sign Up Now

Another good example of 2 factor authentication is where you take some action on a website and they text you a code to your phone that you have to key in to confirm. Obviously this is vulnerable to phone theft but the chances that the same person steals your phone as hacks your password is a lot lower than hacking alone.

Even with 2 factor authentication there is the problem that it is not available on all sites and even banks don’t use it when authenticating payments on other sites – you still have to remember yet another code.

Multiple passwords

The big problem here is that people are not good at remembering 20+ passwords and codes so the temptation is to use the same password on every site but this introduces vulnerability. The problem is that any site can be hacked with enough time and patience. We have all heard on high profile sites getting hacked and passwords being leaked. They usually proudly announce that no credit card information was exposed but that really doesn’t matter for if you use the same password on all sites then the hacker has just gained access to all of them.

Now it might be fine to use the same password for low vulnerability sites but anything involving money or your identity (Facebook for example) should always have a separate password.

This leaves the question of remembering them – writing them down is not exactly secure. One answer is to store them in a secure wallet on say your phone. This is basically an app that allows you to store data in an encrypted form with a secure pin code. You just remember that pin code to look up your passwords and other confidential information. This again has the advantage that the secure pin code is never transmitted anywhere. There are still risks with this approach in that you might lose or break your phone and lose the data – most of the apps allow secure back-ups. Some examples are eWallet, Stash, Safe, and Whiskers. eWallet in particular has been around a long time and has a very good reputation.

Password consolidator

If you don’t want to spend your time looking up passwords then a password consolidator may be the answer. These are basically tools that remember all your passwords for you and then log in to the sites automatically. The simplest example of this is that most browsers have an option to remember a sites password – this is not particularly secure and I can’t recommend it for anything really sensitive. The other issue with using the browser that it is only remembered on that device so if you are away from home you have to try and remember the password you have never keyed in.  The best known of the password consolidators is LastPass this secures all of your site passwords under one top level password and can be synchronised between all your devices including phones and tablets.

There are other options. For example if you use a mac Apples Secure keychain system they introduced with the Mavericks version of their operating system will eventually allow you to securely remember and share passwords across all Apple devices – it also integrates very cleanly into the Safari browser. This is obviously not so useful if you are a PC or Android user.

Other alternatives to LastPass are Keeper and 1Password.

It should be mentioned that any system that synchs your passwords has to store them somewhere with the obvious risk of being hacked. LastPass did suffer a hack a couple of years back but their response satisfied most security pundits. They treat passwords in the same way most sites treat credit card data which in reality is something we all should do.

Free LawSkills Newsletter

If you like our articles, why not subscribe to our free monthly newsletter with regular Private Client news, views and advice from leading legal minds. It's quick, easy and you can unsubscribe at any time if you no longer want to receive it.

Sign Up Now
Recommended Posts
Tax planning for farmers wife