Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn

Tag: best practices

Passwords. An Update.

Originally published on CUInsight.com

It’s a topic you’ve seen here before. Time and again. Of course, it’s still pertinent since we keep using them. Passwords are a bane of the tech world. Unless you can invent a simple way to authenticate yourself with any service, they’re going to stick around for a while. That doesn’t mean we need to despise them, though. In the past, we have discussed the problems on both ends, from policies that lead to creating awful passwords, to people insisting on using “love”, “*dogname*”, and “!23456”.

Grab your favorite password and…throw it in the trash (sadly, even “CorrectHorseBatteryStaple”). Because we’re back.

Like the question of eggs being healthy or your worst nightmare, passwords see a wide variety of advice as the years go on. Some of it is due to a long period of terrible advice (which we discussed before, and, I’ll admit, my own suggestions evolved, too). Thankfully, this is changing…slowly. The other part is based upon processing speed increases; it’s easier than ever to test billions of candidate passwords (using databases of common passwords from leaks combined with dictionary analysis). So what’s the current solution?

It’s lurking in plain sight, on all your devices. The best password is one you never create. Every modern platform supports strong password suggestions. Then, they save these passwords in a secured database, so you don’t have to put a note in your drawer (it’s ok, you’re not alone). Depending on the system, there might be a master password, or it can combine with biometrics. Make that master password your one big, strong password, then never use it day to day. Rely on the fingerprint scanner, Face ID, or other verification system instead.

On iOS (that’s iPhone and iPad), the next version will have automatic strong (Apple calls them complex) password creation and storing. That means, when a site asks you to create a password, your phone has already filled in a really good one. Then it saves it, so you never even bother thinking of something. To log back in, your phone just asks for verification through Touch ID or Face ID (depending on device). This is new; auto-fill now requires that verification, too. Yes, you still have to create a unique username. Sorry, MarioKartKing is taken.

There’s another side of this revisit: Updating your password. I know, I know, I spoke strongly against this practice in the past. My position is unchanged. If you change your password, make it for a good reason. A brilliant website called haveIbeenpwned.com checks your e-mail address or usernames to see if they were included in any breaches. If so, it shows which and to what degree. Then, you know it’s time to update those passwords (and anywhere else you shared those credentials). That password auto-suggest is looking mighty nice right now.

Here’s the bottom line: With password managers so prevalent and easy to use, there’s no excuse to still create your own passwords. Doing so puts you (and the data within) at unnecessary risk. A manager also saves time. When I read of a breach on a service I use, I just go in, update that password, and get back to my life. Since it won’t be shared with any other system, I don’t care what someone does with the information. Granted, if passwords were stored in a way someone could access them, I’d be questioning the utility of said service, given their poor security practices.

Bottom line of the bottom line: Complex, random strings of characters, stored in a quality password manager, are the best way to ensure your personal (or corporate) information remains only in the hands you want.

Resources (A non-exhaustive list of password managers)

OS Based:

  • Smart Lock for Passwords (Android/Chrome)
  • iCloud Keychain (Apple devices)

3rd Party:

  • Firefox Sync
  • LastPass
  • 1Password

Get Secure, or Else

It was the best of times. It was the worst of times. Gather ‘round, for we are going to share a story about online security.

How many passwords do you have? If you’re like most people, the answer is “one”. How many accounts do you have? Once again, the common response would be, “lots”.

Too bad those two do not go well together.

You see, we aren’t the only people online. Many are there to cause damage to your content, whether for fame, money, or to accomplish a societal end. I’m not a fan. Doubtlessly, you aren’t either. All they want is to gain access to juicy content saved online. Documents, photos, e-mails, you name it, they’re out to get it. And what’s stopping them?

Just checking, how many passwords did you say you had?

A number of high-profile leaks of photos, celebrity and otherwise, have brought to the public consciousness the fragility of online storage. An expectation of privacy might only be that, an expectation. Is there anything we can do besides just hand our lives over to the do-baddies?

Yes. I’ll go over my Top 3 ways to help preserve your security and privacy online.

1. A strong password (for every account). No, I don’t mean feeding it spinach and sending it off to the gym 5 days a week. Years of “best practices” have convinced you that the best password is one you will never remember. Well, that’s no good! My favorite online comic tells it better than I ever could. Go click that link. Now, I’ll explain with less comedy than him. Longer is better. Period. Unusual combinations of characters that you’ll remember are perfect. Unless required, don’t expect writing like t#!$ (this) will do you any good. Computers are great at guessing. More characters take longer to check, which makes your password harder to crack. I’m also a huge fan of using password managers to create long, random passwords, then saving them for future use automatically. If you use Apple products, turn on iCloud Keychain. For cross-platform, 1Password is a good choice, and there are others, too. But what if they do get your password?

2. Two-factor authentication. Think of when you pay by debit card. You must scan the card in the terminal, and then either enter your PIN or sign a receipt. Two things must align for the transaction to be approved (or not contested later). However, when you sign on through a website, you enter your password and then…well, you’re in. Two-factor authentication adds a level of security which requires you to prove your identity, typically with your cell phone. When you get your login correct, the site will then send your phone (often by text message) a unique code that must be entered to sign on. The presumption is that a hacker might guess your password, but won’t also have your phone. It does add a step to signing on, but you can have systems not ask again unless a few variables change, such as your location or the device you are using. I’ve activated this security feature on every service I have. You can see how to activate it for systems you use by checking here.

3. Be smart. Ok, so now you’ve created unique, memorable, yet difficult-for-computers-or-other-people-to-guess passwords. Then, you secured those accounts with a second layer of protection. Congratulations! You’re already much more protected from damaging hacks. Now, let’s keep it that way. Remember the old adage, “if it looks too good to be true”? Still applies! The hackers realized they can’t break into your accounts, so they need you to open the door for them, or let them just peek in from time to time. They’re going to go about that in two ways: Phishing and malware.

  • Without blasting some old Phish tunes, phishing is when you receive a message or visit a site that looks like it’s trustworthy, yet is not. I’ve never found a legitimate company that sends out e-mails asking their users to enter their password “or else”. A bank will never request your password, nor will your social media services. If it seems suspicious, go to the site by typing the address yourself and check for announcements.
  • Malware is the online equivalent of tapping the phone line. If you keep your computer updated with the latest security releases for every program, this is a lesser concern. However, if you are tempted by that free download of The Avengers or Windows 10, be aware those treats might have some creatures hiding inside. The last round of malware that affected Mac users was isolated to a pirated copy of a popular software program. There’s no such thing as a free lunch.
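As an added illustration of item 1 above (and the first post’s point that billions of candidates can now be tested), not code from the original posts: a small Python script that generates a manager-style random password from the OS CSPRNG and compares the search space of a dictionary word with t#!$-style swaps, four random words, and 20 random printable characters. The guess rate, word-list sizes, and number of swappable positions are assumed figures for the comparison, not numbers from the article.

```python
import math
import secrets
import string

# Assumed offline guess rate for the comparison (hypothetical, not from the article).
GUESSES_PER_SECOND = 1e10
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Manager-style password: each character drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Search space, in bits, of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def substitution_bits(dictionary_size: int, swappable_positions: int) -> float:
    """Search space of a dictionary word with 'clever' swaps such as a->@ or s->$.
    The attacker walks the word list, and each swappable position at most doubles
    the candidates, so t#!$ adds only a handful of bits on top of 'this'."""
    return math.log2(dictionary_size) + swappable_positions


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def compare_strategies() -> dict:
    """Bits of search space for the three approaches the posts contrast."""
    return {
        # a common word from an assumed 100k-word list with up to 4 symbol swaps
        "word_with_swaps": substitution_bits(100_000, 4),
        # four random words from a 7776-word list (the CorrectHorseBatteryStaple style)
        "four_random_words": random_string_bits(7776, 4),
        # 20 random printable characters, what a password manager hands you
        "manager_20_chars": random_string_bits(len(PRINTABLE), 20),
    }


if __name__ == "__main__":
    print("example manager password:", generate_password())
    for name, bits in compare_strategies().items():
        print(f"{name:>18}: {bits:6.1f} bits, ~{years_to_exhaust(bits):.2e} years to exhaust")
```

Length wins by a wide margin: the swapped word falls to a few seconds of guessing at the assumed rate, while the 20-character manager password is out of reach by any exhaustive search.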

The most common hacks happen when online baddies gain access to a list of usernames and passwords from some compromised site. Then, they just use those same credentials all over the internet. Do you have any e-mail/password combinations that would work in more than one place?

We are past the age when anti-virus software (Windows) was all you needed to be safe on your computer. As we keep more of our personal and professional lives online, it becomes more valuable to try to gain access to it. Stay ahead of those fiends with these strategies. I will post on occasion about other security steps you can take. Oh, and if you’re using an iPhone 5S or later, use Touch ID!

© 2018 Credit Union Geek
