Networked Database: Gossip and chit-chat echo [83 / 458]
From: Roger Nelson
To: All
Subject: Passwords
Date: May 5, 2017 8:32 AM

 Why you don't need 27 different passwords
 
Posted: May 4, 2017 by Wendy Zamora
Last updated: May 3, 2017
 
Passwords. The bane of modern existence. To celebrate this nuisance, the
holiday gods have given us World Password Day, where thousands of people come
together online and pledge to improve their password habits. How many of those
pledges do you think stick? According to the 2017 Verizon Data Breach
Investigation Report, not many. A little over 50 percent of all breaches in the
last year leveraged either stolen or weak passwords.
 
Coincidentally, today is also Star Wars Day (May the 4th Be with You). And
while we all wouldn't mind having a lovable droid guard our passwords as
loyally as R2D2 guarded the blueprints for the Death Star, the reality is we've
got to do the guarding ourselves. And that has become burdensome enough to
send Yoda himself over to the Dark Side.

Current state of affairs
 
According to a poll by Intel Security, the average person has 27 discrete
online logins. From social media accounts to banking to online shopping to
utilities, credentials - which usually include a username and password - are
required for each. And if people are practicing good password hygiene, they're
engaging in the following recommended practices:
 
    DO: Use a different password for each account.
    DO: Use a long password. In fact, the longer, the better.
    DO: Use special characters, numbers, and capital letters.
    DO: Change your passwords every couple of months.
    DO NOT: Write down your password, whether that's on a piece of paper or
stored electronically.
    DO NOT: Share passwords via text, email, or chat.
    DO NOT: Use easily identifiable information, such as a birthday or a
child's name.
    DO NOT: Use an incredibly generic password such as 12345. (That's the
combination an idiot would use on his luggage.)
 
All of this, for 27 different logins, is simply unmanageable. In fact, the
Intel study found that 37 percent of its respondents forgot a password at least
once a week. And people are so sick of juggling dozens of different passwords,
that 20 percent said they would give up ESPN if it meant never having to
remember another one. Six percent said they'd give up pizza. PIZZA.
 
This level of discontent and security fatigue means that very likely, most
users are falling back on bad habits: writing passwords down in a notebook or a
Google sheet, for example, or using the same password across multiple logins.
(A study by the National Institute of Standards and Technology confirms this:
91 percent of its respondents admitted to reusing passwords.)
 
So this is why we say: stop it. Stop the bad habits, yes, but stop the "good"
ones, too. Having 27 different passwords that are lengthy and full of
characters and numbers and need to be changed every few months and can't be
written down - you'd need the memory of an eidetic elephant to keep up. Online
services will only multiply, so what should you do?
 
It's very simple. Get a password manager.

Password manager 101
 
For those who might not be familiar, password managers assist in generating,
storing, and retrieving passwords from an encrypted database. They typically
require that users create and remember one master password to rule them all.
One master password to find them. One master password to bring them all, and in
the darkness bind them.
 
One master password to stand at the precipice and shout gallantly, "YOU SHALL
NOT PASS!"
 
Sorry, it couldn't be helped. As we were saying. Generally, most password
managers work the same way. You'll be asked to create a strong master password
during setup (and here's where you'll use those password best practices, such
as generating a long passphrase with numbers and capitals that steers away from
guessable personal info). From there, you'll add your other credentials to the
password manager either manually or through tools that can automatically find
and upload passwords for you.
 
While most password managers have similar setups, they secure passwords in
different ways. Web-based password managers store your passwords encrypted in
the cloud. Some are built into browsers, such as Safari, Firefox, and Chrome.
Others may store your passwords locally in an encrypted file on your computer,
tablet, or phone.
 
In addition, some password managers have features that help you audit your
credentials, allowing you to weed out duplicate login info and remove sites you
don't use, or alerting you to breaches that have happened to the companies you
log into. Many have customizations that allow increased security, such as
regional lockout and two-factor authentication (which we highly recommend
taking advantage of).

But aren't I just asking to be hacked by storing everything in one place?
 
While some folks might be wary of using a single point of access for all their
sites, remember that password managers still use your individual passwords to
log in to your accounts. Those passwords are locked in an encrypted database,
which is way more secure than a post-it on your office desk or a faulty memory.
Ask yourself this: is it safer to store all your money in one bank or to hide
it in piles underneath several mattresses?
 
As for fear of password managers being breached - sure, it's possible. In fact,
it's already happened, as was the case in 2015 when LastPass was breached.
However, even though cybercriminals got their hands on some email addresses,
they were unable to crack master passwords. This is because master passwords
are protected with military-grade security, hidden behind thousands of rounds
of hashing, or algorithms that convert strings of text into longer strings of
text. So far, no reputable password manager has leaked consumer master
passwords (that we know of).

So which password manager should I use?
 
The following password managers come highly recommended by our staff and tech
reviewers from The New York Times, Lifehacker, and PCMag:
 
    1Password
    LastPass
    Dashlane
    Sticky Password
 
If you don't trust third-party apps with all of your personal information, you
can try an open-source password manager such as KeePassX, though it requires a
fair bit of technical know-how to set up.

I am absolutely opposed to a password manager. What else can I do?
 
While we stand by our recommendation to use password managers, we understand
the urge to reject placing all your trust in the hands of another company. So
here are a few alternate methods for choosing more secure passwords than the
random hodgepodge you're likely working with now.
 
    Split up your online services into major groups, such as bills,
entertainment, shopping, and social media. Assign a single password to each
group according to a theme. For example, you could choose movies as your theme
and assign quotes from one movie to one group, or character names from a second
movie to the second group. Rotate these passwords every 90 days by
incrementally adding a number or changing a character. This requires a lot more
effort but is still preferable to using the same password across all accounts
or having to reset forgotten passwords every week.
 
    Choose one semi-difficult password for all accounts but insert a naming
convention in the middle of the password to denote which account you are
signing into. For example, if your password is L3tme1npleaz, your Gmail
password could be L3tme1nGMAILpleaz. Your Amazon password could be
L3tme1nAMAZONpleaz, and so on and so forth.
 
    When possible, choose a service that has two-factor authentication over one
that does not. More than 150 applications currently implement two-factor
authentication. You can check them out here.
 
Passwords don't have to rule your life. You can lock them up behind a password
manager and worry about remembering a single, slightly complex phrase instead
of 27. You can relax knowing how well guarded your passwords are. And you can
go ahead and burn that secret list of passwords you keep in your address book
even though you're not supposed to.
 
Do you have a favorite password manager? Or a method for creating and
remembering unique passwords? Let us know in the comments below.
 
 
Regards,
 
Roger

--- DB 3.99 + W10 (1703)
 * Origin: NCS BBS - Houma, LoUiSiAna (1:3828/7)
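
Added illustration, not part of the original post and not the code of any product named in it: a Python sketch of the "thousands of rounds of hashing" the article mentions, using salted PBKDF2-HMAC-SHA256 so that every guess at a master password costs the full iteration count. The iteration count, record layout and function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch; real products pick their own


def stretch(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 32-byte key by iterating salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def enroll(master_password: str) -> dict:
    """Build the record a vault could store. The password itself is never kept."""
    salt = os.urandom(16)  # random per-user salt: identical passwords give different records
    key = stretch(master_password, salt)
    # Keep a hash of the derived key, not the key, so the record alone cannot decrypt anything.
    verifier = hashlib.sha256(b"verifier" + key).digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(record: dict, attempt: str):
    """Return the vault key when the attempt matches, otherwise None."""
    key = stretch(attempt, record["salt"], record["iterations"])
    candidate = hashlib.sha256(b"verifier" + key).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(candidate, record["verifier"]):
        return key
    return None


if __name__ == "__main__":
    sample = "constructed sample passphrase 27"  # constructed input, not a real credential
    record = enroll(sample)
    print("right password unlocks:", unlock(record, sample) is not None)
    print("wrong password unlocks:", unlock(record, sample + "x") is not None)
```

Someone who obtains the stored record must repeat all the iterations for each candidate password, which is what slows offline guessing against a long master password.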