By Dave Moore, CISSP
07/03/2022
Why do we have passwords? Passwords unlock our online accounts, and just like the locks on the front of your house, you can have easy locks and keys, or you can have complex locks and keys.
Even though Microsoft and other companies have been trying for years to move us to a “passwordless future,” passwords, and all of their hassles, are the current reality. So, put on a happy face and learn to love secure passwords, as that’s what it takes to stay safe on the Internet.
So, what makes for a strong password? First off, we need to forget old password advice from twenty years ago, such as: (1) passwords only need to be eight characters. Not true, and it has not been true for a very long time; (2) “My password should be something I can remember.” No, it should not; we do not need to memorize our passwords. We have computer programs, like password managers and browsers, to memorize them for us. Even a well-hidden notebook or piece of paper can be a viable password repository; (3) it’s OK to use the same password for all my accounts, as long as it’s complicated with upper case, lower case, numbers and symbols. Not true, and it never has been true. If a bad guy knows your password, and it’s the same for all your accounts, he has access to all your accounts, no matter how complicated you made it.
Strong passwords are long. They contain many characters. This is the rule that trips people up the most, because people think they can’t memorize a long password, when passwords don’t need to be memorized in the first place. Refer to number 2, above. Also, you need unique passwords for every account you have, whether you think it’s an important account or not. Refer to number 3, above.
There are only two ways you should store your passwords: (1) using a password manager, like Dashlane, or (2) in a notebook hidden in your house. Make sure you date each password, be precise in how you write it down, and make sure to note what account it’s for.
Upper-case, lower-case, numbers and special characters are fine, but it’s length that makes a password stronger, not complexity. You can use a “passphrase,” made up of actual words, if you like. It should be a minimum of five words, and, again, the longer, the better. Add a number and special character, to make it even stronger. Do you want minimum security, or maximum security?
A passphrase also should not be a phrase that makes sense, like “Mary had a little lamb,” or, “Sooner football is number one.” It should be more like, “bucketTrainantennapaperjack.” You could memorize that if you had to, and it’s a whopping 27 characters long, but fortunately, we have password management programs and notebooks to memorize things for us. Dashlane (www.dashlane.com), KeePass (keepass.info) and Password Safe (pwsafe.org) are all good choices for free password managers.
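To put numbers behind the claim that length, not complexity, is what makes a password stronger, here is a small Python script added to this column (it is not from the column or from any of the password managers named above). It generates a random word passphrase the way a password manager would, using the operating system’s secure random source rather than a phrase that makes sense, and it compares the size of the search space an attacker would have to cover for an eight-character “complex” password against a five-word passphrase and against the 27-letter example above. The tiny word list is constructed for the demo; the 7,776-word list size used in the comparison is an assumption, standing in for a real published passphrase list.

```python
import math
import secrets

# Constructed, deliberately tiny word list so the script runs offline.
# A real generator draws from a large public list (thousands of words).
DEMO_WORDLIST = [
    "bucket", "train", "antenna", "paper", "jack", "river", "copper",
    "lantern", "mosaic", "quartz", "saddle", "velvet", "window", "yellow",
    "zebra", "harbor",
]

# Assumed size of a realistic published word list (e.g. a diceware-style list).
ASSUMED_REAL_WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 94  # letters, digits and symbols: a "complex" password alphabet
LOWERCASE = 26


def generate_passphrase(wordlist, n_words=5, separator=""):
    """Pick n_words uniformly at random using the CSPRNG-backed `secrets` module.

    Words are chosen independently, so the result is random rather than a
    sentence that makes sense; that independence is what the entropy
    figures below rely on.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Bits of entropy for n_words drawn uniformly from a list: log2(size ** n)."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random password over an alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every possibility at a given guess rate (assumed 10 billion/s)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_policies():
    """Return entropy (bits) for the three password styles discussed in the column."""
    return {
        "8 chars, full printable ASCII": password_entropy_bits(PRINTABLE_ASCII, 8),
        "5 random words from a 7776-word list":
            passphrase_entropy_bits(ASSUMED_REAL_WORDLIST_SIZE, 5),
        "27 random lowercase letters": password_entropy_bits(LOWERCASE, 27),
    }


if __name__ == "__main__":
    print("Sample passphrase:", generate_passphrase(DEMO_WORDLIST))
    for label, bits in compare_policies().items():
        print(f"{label:40s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```

Run as a script, it prints a fresh five-word passphrase and the comparison table. The eight-character password with every symbol allowed comes out near 52 bits, while five random words from a 7,776-word list exceed 64 bits and the 27-letter string exceeds 126 bits: each extra word or character multiplies the attacker’s work, which is exactly why the column says longer beats more complicated. The entropy figures assume the words or characters are chosen at random; a passphrase copied from a song or a saying is far weaker than the arithmetic suggests.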
Two-factor authentication (2FA) and multi-factor authentication (MFA) are terms describing the same thing: a way of presenting additional evidence (called “factors”) in order to prove you are who you say you are when you try to sign in to an online service.
Factors include something you have (like a bank card), something you know (like a password or PIN), something you are (biometrics, like a fingerprint or other physical characteristic unique to you), and somewhere you are (such as connected to a specific network, or location information like GPS).
The old username/password model only uses one “factor,” that being the password. One reason for having another “factor” is that so many password databases have been hacked and exposed to anyone who wants to look. Some people are also guilty of using weak, easily-guessed passwords which they never change. Yet another reason for needing another “factor” is too many people using the same password for all of their accounts. Having more factors makes it more difficult for the wrong person to access an account.
It is important that everyone start using MFA/2FA as soon as possible. We have too much to lose, and there are too many Internet bad guys who want to help us out. For more information, visit davemoorecomputers.com, search for MFA and read the three columns there on the subject.
Next week: security questions.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org