Passwords have been with us for at least since the Romans conquered Europe, and probably long before that. Passwords were first used to access computers in the early 1960s. Almost 60 years later, passwords are a part of practically every aspect of life. And cybercriminals exploit vulnerabilities to take over accounts by the millions.
However, there are steps you can take and tools you can use to manage your passwords safely.
Passwords are inherently insecure. They rely only on something the user knows, which makes them notoriously easy to steal. Criminals can take advantage of this vulnerability by phishing for passwords via email or by hacking a website you use.
Hackers have stolen passwords en masse from websites such as yahoo.com and linkedin.com. Usually, the stolen passwords have to be decrypted, though, and this is the stage at which password simplicity causes problems. The more straightforward or popular a password is, the more likely criminals can decrypt it.
Unfortunately, many digital device users are terrible at creating unique, difficult to crack passwords. In early 2017, Keeper Security Inc., a stolen-password management software company, scoured more than 10 million passwords that had been collected and published by hackers. Almost 70% of people who’d been hacked used “123456” as their password. The next most popular? “123456789,” followed by “qwerty.”
CREATING A BETTER PASSWORD
When using passwords to secure your accounts, you should make them as strong as possible. Does this mean mixing numbers, upper and lower case letters and special symbols to create unintelligible gobbledygook? Actually, no. The Maryland-based National Institute of Standards and Technology (NIST) published its Digital Identity Guidelines in 2017, which recommends the opposite.
By all means, ensure that your passwords aren’t single words that you find in the dictionary, popular passwords harvested from prior data breaches or context-specific words such as usernames, the NIST guidelines advise. However, your passwords should be both memorable and unique.
One approach is to use “pass phrases”: sequences of words that tell a simple story that is easy to remember. Still, memorizing these by the dozen will be difficult.
Instead, you could just jump straight to a password manager. These programs encrypt and store passwords for various websites and apps, and usually “autofill” a website page with your relevant password so that you don’t have to remember the password at all. Most browsers offer password storage, but these often don’t focus on security.
Alternatively, dedicated password-management products, such as LastPass, Dashlane and Keeper, are available.
There are several things to consider when choosing one of these tools. For example, ensure that they provide an extension that lets you fill in forms and login fields automatically when using your favourite desktop browser. Another feature to look for is the ability to import passwords that you already store in your browser.
Another useful feature is the ability to share passwords securely with an assistant or colleague who uses the same software, so that person can access the tool on your behalf, for example. On this note, many password managers enable you to designate an emergency contact who can recover all of your passwords should you become ill or pass away.
SECURE ACCESS WHEN ON THE MOVE
Mobile support is another useful feature to have, and most password managers worth their salt will support mobile platforms. The two major mobile operating systems, Apple Inc.‘s iOS and Alphabet Inc.‘s Android, handle password access in different ways, though.
Android will happily let your password-management software log you into your mobile apps. iOS is stricter about this. It doesn’t allow third-party password managers to fill in passwords automatically. Instead, it previously used its own password manager, called Keychain, to fill passwords automatically in the Safari browser.
Traditionally, iOS app developers had to support the Keychain autofill feature explicitly in their apps to log users in seamlessly. But in iOS 11, Apple introduced a new feature called Password Autofill for Apps, which lets you log in with your saved passwords automatically.
iPhone and iPad users wanting seamless convenience may decide to use Keychain as their password manager, but if they use a Windows PC from Microsoft Corp., then they are out in the cold because Keychain isn’t supported on the Windows platform. As so often happens in technology, if the products in your pocket and on your desk are not from the same vendor’s ecosystem, you will have to make some compromises.
These compromises will fade over time, though, thanks to the use of biometrics on smartphones. Most modern smartphone makers feature biometric access. iPhone versions 5s through 8 support TouchID fingerprint-based access, and Apple allows third-party app developers to support this form of login directly. Amazon, Dropbox, Evernote and Mint are just some of the apps enabling iPhone users to log in with their fingerprint or thumbprint.
Now, any app supporting TouchID also will work automatically with the new FaceID facial recognition feature on the iPhone X platform. This feature will let you log in just by looking at your iPhone.
Biometric fingerprint and facial recognition represent the future of system access. Fingerprint scanners and facial recognition are becoming a thing on desktops, too. Various Mac computers now have TouchID scanners built in, and soon FaceID will make its way onto those systems as well. Many Windows 10 users already have this capability with the facial recognition features in Windows Hello, which let users log onto that platform by staring at a device’s webcam.
AN EXTRA LAYER OF PROTECTION
Biometric access for mobile and computing devices may be taking over slowly, but there’s an extra layer of protection that everyone should be using when accessing online applications if available: two-factor authentication (2FA).
You may use biometrics on your smartphone instead of a password for convenience, but biometric access is not mandatory for people accessing online services. Hackers still can use your website password to access your online accounts without any biometric information.
To prevent hackers using stolen or guessed passwords, many sites now offer an extra layer of protection that requires you to input an extra piece of information tied to a device in your possession. Some websites supporting 2FA send a text message to your smartphone containing a code that you must enter in order to continue logging into the website.
Other websites require you to enter a code displayed in an app on your smartphone. One of the most common 2FA apps is Google Authenticator, but others include Microsoft Authenticator.
Currently, 2FA is the best form of protection for website users; it becomes especially important when dealing with sensitive data, as financial advisors often do. 2FA may introduce some friction by requiring you to enter extra information when accessing accounts, but a little inconvenience will be worth it for the peace of mind you gain in return.