How to Manage Your Passwords
I recently attended a Cyber Security seminar and the presenter mentioned that most of us are now the proud owners of between 100 and 200 logins to online sites: Facebook, email, your favourite online game, shopping and subscription sites. Many of those logins are for sites not visited in 5 or more years.
At the same seminar I learned that it can take an attacker less than 5 seconds to crack a weak password and only a few hours to crack a slightly stronger one. Those figures assume the attacker has obtained a copy of the site's password database and is guessing offline on their own hardware, which is exactly what happens after a site is breached, so they are the numbers to plan for.
Apparently length beats complexity, hence the term "passphrase": cyber security professionals now recommend longer, multiple-word passwords. Stringing 3 words together (preferably words that are unrelated to each other and to you), interspersed with numbers and special characters, is recommended, for example
Flower58elephants#africa
And all of the experts are telling us not to reuse a password across sites. The reason is simple: when one site is breached, the stolen email and password pairs are tried against every other popular site, so one leak unlocks everything that shares the password.
With 100 – 200 online accounts it is impossible to create, remember and manage all of these unique passwords in your head. Even the best and brightest brains would not be able to do this.
Most of our clients struggle to retrieve their passwords when needed, whether it be for their WordPress website, their domain or hosting account, their Google email or the various other online accounts we need to access to undertake work on their behalf. Yet it is the client's responsibility. Despite wishful thinking, it is not our responsibility, nor our desire, to manage passwords on behalf of our clients.
Browser - Remember Passwords
Most of our clients use the "remember this login" feature that browsers offer. This is a poor system, as it invariably means the browser remembers the password but you don't. So while storing passwords in a web browser (eg. Chrome) may initially appear convenient, it becomes a problem as soon as you clear your browsing data, buy a new computer or device, or log in from a different location: unless the browser is signed in to an account that syncs your passwords, they simply won't be there.
Not only is it a poor system for retrieving your password in the less usual circumstances, it's generally less secure than a dedicated password manager. Browsers do encrypt saved passwords, but in most default setups the key is available to anything running under your computer login, so anyone who sits down at your unlocked computer, or any malicious software that gets onto it, can read out the entire library of passwords across different websites in a matter of seconds. Your exposure footprint is very high: one compromise, every site.
Writing Passwords in a Book
Some of our clients write their passwords in a little black book, or similar. This old-fashioned system probably feels reasonably secure, as it's unlikely an online attacker will be in possession of your physical book. The problem with this, and it is fair to say with any system, is using it 100% of the time. Almost all of the clients who let us know this is the system they are using will also own up to the fact that the book is somewhat disorderly and there is an on again, off again relationship with using it. If the system is not used 100% of the time, it becomes an unreliable method. Once it starts becoming unreliable, most people stop using it altogether.
The other issue with writing passwords in a book is there is a high likelihood of the passwords being easy to remember and type. They are likely to be weak passwords. Compare these two passwords
- 4Uim>5{+yhJTqw
- elephant45^
A randomly generated password, like the first one, is hard to read and type, but it is strong. A password you choose yourself, like the second one, and keep in a little black book, is likely to be quite guessable. Cracking tools don't start by trying every possible combination; they start with dictionary words and the common ways people decorate them (a capital letter, a couple of digits, a symbol tacked on the end), and "elephant45^" is exactly that shape.
At one of the cyber security workshops I attended it was revealed that most of us use either 2 or 4 digits together (not 1 or 3 or 5), years being the obvious culprit. As I mentally went through the passwords I've created I realised that, in fact, for me at least, that was true. And apparently it is true for a large number of us. Knowing this, attackers set the rules in their cracking tools to try patterns of 2 or 4 digits, usually at the beginning or end of the word. So try to find a way not to use 2 or 4 digits together!
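To put some numbers behind "length beats complexity" and the 2-or-4-digit habit, here is a small Python script added for this post (it is not from the seminar, the original article or any password manager). It scores the three passwords quoted above two ways: as if every character were random, which is only fair for a generated password, and the way an attacker actually treats a human-made one, as a dictionary word or three plus a few digits and a symbol. The word-list size and the two guessing rates are assumptions, marked in the comments; change them to match your own level of worry.

```python
import math
import re
import string

# Assumptions for the estimates below (constructed for this example, not figures from the article):
WORDLIST_SIZE = 7776               # size of a Diceware-style word list
SYMBOLS = len(string.punctuation)  # the 32 printable ASCII symbols
OFFLINE_RATE = 1e10                # guesses/second against a stolen, fast-hashed password database
ONLINE_RATE = 1e3                  # guesses/second against a live login form with no lockout


def charset_entropy_bits(password: str) -> float:
    """Bits of guessing work if every character were picked uniformly at random
    from the character classes present. Only meaningful for generated passwords."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += SYMBOLS
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def structured_entropy_bits(words: int, digits: int, symbols: int) -> float:
    """Bits of work for a human-style password built from dictionary words plus
    digits and symbols, assuming the attacker knows that structure (as wordlist rules do)."""
    return (words * math.log2(WORDLIST_SIZE)
            + digits * math.log2(10)
            + symbols * math.log2(SYMBOLS))


def digit_run_lengths(password: str) -> list[int]:
    """Lengths of each run of consecutive digits, e.g. 'Flower58elephants#africa' -> [2]."""
    return [len(run) for run in re.findall(r"\d+", password)]


def has_common_digit_run(password: str) -> bool:
    """True if the password uses the very common 2- or 4-digit run that cracking rules target first."""
    return any(n in (2, 4) for n in digit_run_lengths(password))


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Worst-case time to try every possibility at the given guess rate."""
    return 2.0 ** bits / rate


def describe(seconds: float) -> str:
    """Human-friendly duration, e.g. 172800.0 -> '2.0 days'."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # The three passwords quoted in the article, scored by how each was actually built,
    # plus a plain five-word passphrase for comparison.
    candidates = [
        ("4Uim>5{+yhJTqw", charset_entropy_bits("4Uim>5{+yhJTqw")),   # generated: 14 chars, 4 classes
        ("elephant45^", structured_entropy_bits(words=1, digits=2, symbols=1)),
        ("Flower58elephants#africa", structured_entropy_bits(words=3, digits=2, symbols=1)),
        ("5 random dictionary words", structured_entropy_bits(words=5, digits=0, symbols=0)),
    ]
    for label, bits in candidates:
        print(f"{label:28} {bits:5.1f} bits  "
              f"offline: {describe(seconds_to_exhaust(bits, OFFLINE_RATE)):>22}  "
              f"online: {describe(seconds_to_exhaust(bits, ONLINE_RATE))}")
    for pw in ("elephant45^", "Flower58elephants#africa", "4Uim>5{+yhJTqw"):
        print(f"{pw!r}: digit runs {digit_run_lengths(pw)}, "
              f"common 2/4-digit pattern: {has_common_digit_run(pw)}")
```

Two things fall out of running it. First, "elephant45^" looks like a 67-bit password if you count characters, but scored the way a cracker attacks it (one word, two digits, one symbol) it is about 25 bits, gone in a fraction of a second offline. Second, five plain lowercase words beat a nine-character random password with all four character classes, which is the whole case for passphrases, and the three-word example above lands around 50 bits, comfortable against a live login form but only days of work against a stolen fast-hashed database, so more words is the lever to pull.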
If you are using a book, here are a few suggestions.
- Use a book with A-Z tabs so that each online platform can be saved under its name. For example F for Facebook, G for Google and Z for Zoom.
- Add the password in pencil, so that if it gets changed you can easily rub it out and write the new password in its place.
Password Managers
Very few of our clients use a password manager, but this is what the cyber security experts recommend. Password managers are not without their problems and risks (the master password becomes a single point of failure, so it needs to be strong, used nowhere else and, where the manager offers it, backed by two-factor authentication), but they are less problematic and less risky than the other methods.
There are also some real bonuses with using a password manager that many people may not consider, such as
- It will generate the passwords for you, so you don’t even have to think about it
- It will highlight any weak or duplicated passwords
- If you end up using "forgot password", it will offer to save the new password you create
- You can take it with you, whether you are travelling, in a different work location or attending a seminar (for a file-based manager such as KeePass that means copying or syncing its database file to the device you'll be using)
- It frees up your brain space for more important issues, like what to have for dinner tonight 😁
There are lots of password managers out there to choose from. Many come at a low subscription cost, which in our view is worth every penny; others, including the two below, are free and open source.
Two password managers we’ve seen recommended by a cyber security expert are
- Password Safe
- KeePass
Ctrl C and Ctrl V
I'm not in the habit of using many keyboard shortcuts, but Ctrl C and Ctrl V really come into their own when used with passwords.
Ctrl C = Copy
Ctrl V = Paste
If you are using a Mac, use the Command key (rather than the Ctrl key).
Sometimes it can be difficult to tell the difference between the number zero (0) and an uppercase letter o (O). Sometimes it can be difficult to tell the difference between the number one (1), the lowercase letter l (l) and the uppercase letter i (I). When typing a password into a field these look-alikes often lead to errors.
Using Ctrl C to copy the password and Ctrl V to paste it into the field is usually the most reliable method for entering a correct password.
A password manager will usually fill in the password field automatically, so you don't need the keyboard shortcuts. However, even with a password manager it can sometimes be useful to know this little keyboard gem. One caution: whatever you copy sits on the clipboard until something replaces it, and other programs on the computer can read the clipboard, so paste the password straight away and then copy something harmless over it. Most password managers clear the clipboard for you after a short time.
Recommended Next Steps
- Decide upon and install a password manager
- Choose a unique passphrase (a string of unrelated words) that is memorable to you as the master password for the password manager, and never use it anywhere else
- Over the next 2 weeks, start adding your online accounts as you use them
- Get used to the way it works with these first online accounts. Change weak passwords to stronger ones. Change passwords that have been used more than once to unique ones
- After a month, start an audit of all your online sites, gradually but surely moving all of them over to your new system
- Continue using the password manager for everything – you’ll love the convenience
Remembering your passwords is your responsibility – it ain’t nobody else’s – take the frustration out of this modern day problem by using a modern day solution.
Further Reading
Here’s a good article by Choice on password managers
https://www.choice.com.au/consumers-and-data/protecting-your-data/data-privacy-and-safety/buying-guides/password-managers
Here's an article explaining how password managers work
https://cybernews.com/best-password-managers/how-do-password-managers-work/