Perfect password security

Your passwords are a tremendous security measure, but sometimes they seem to be no more than an inconvenience, designed to stop or slow you from accessing a computer or web site.

For decades (literally since the 1960s) passwords have been the first line of defence for access to computer systems, and they matter more than ever as the threat grows: from the password you type to log in to your Mac to the PIN you enter on your iPhone.

Even apparently fancier technologies like Apple’s TouchID and FaceID have only one job: to release access that the existing PIN on your iPhone protects. They are a convenience layer, not a replacement; the phone still demands the PIN after a restart or after too many failed biometric attempts, and it’s the PIN (or, better, a longer passcode) which actually unlocks the phone.

So passwords aren’t going anywhere, and consequently it’s always a perfect time to review your approach to passwords, and find out how a few simple changes can give you an immediate security boost.

But, in this digital world, passwords are everywhere. You log in to your computer, iTunes, Facebook, Google Drive, iCloud, work-based systems, Dropbox, Zomato, Seek, Uber, Tinder, and (of course) the numerous financial systems which we take for granted these days. The list is almost endless.

So how do you effectively protect yourself?

Do you go the simplistic route, and pick one really good password and use it everywhere? No. Absolutely not. If that password leaks from any one site (and sites leak), attackers will automatically try it against every other popular service, so you’re compromised everywhere.

But remembering a secure, unique password for everything is beyond most people, and without some tooling it’s entirely impractical. So now what?

Fortunately, technology (the cause of the problem) also offers a number of solutions. Below are six ways in which you can get the best of both worlds: security and simplicity.

This article should be viewed as essential reading, not just as a set of recommendations.

Go Long

Despite what all those prompts for special characters and uppercase letters might have you believe, length matters more than complexity, as is elegantly displayed in one of our favourite geek comics, XKCD’s “Password Strength”. Each additional character multiplies the number of candidates an attacker must try, so a long password takes far longer to exhaust than a short one with a couple of symbols in it.

Stringing together a sentence, and mixing in some symbols, numbers, and upper-case (think &, 4, U) makes a password much, much harder to assail.

“inever4getaface!” is easy to remember and far stronger than a short password, with one caveat: it is a well-known phrase with a predictable substitution, and cracking tools apply exactly those substitution rules to lists of common phrases. Several unrelated words chosen at random are stronger than a famous saying, and any example password printed on a web page (including this one) should never be used as-is.
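As an added illustration (not part of the original article), the script below puts numbers on the length-versus-complexity claim: it computes the search space, in bits, for several password schemes and the expected time to exhaust it at an assumed 10 billion guesses per second (a rough figure for a GPU rig against a fast hash; the rate is an assumption, not a measurement). It also estimates “inever4getaface!” the way a naive password meter would, which is an upper bound that ignores the phrase behind it, and generates a random passphrase with the `secrets` module, which is the way to “go long” without relying on a famous phrase. The six-word list is constructed for the example; a real generator would use a list of thousands of words.

```python
import math
import secrets

# Constructed word list for demonstration only; a real passphrase generator
# would use a list of several thousand words (the Diceware list has 7776).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "ocean", "lantern"]


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols chosen uniformly at random from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def naive_charset_bits(password):
    """Upper-bound estimate used by many 'password meters': assumes every character was
    drawn uniformly from the union of the character classes present. A password built
    from a real phrase is much weaker than this number suggests."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33          # remaining printable ASCII (95 - 62)
    return entropy_bits(alphabet, len(password)) if alphabet else 0.0


def crack_seconds(bits, guesses_per_second):
    """Expected time to find the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


def compare_schemes(guesses_per_second=1e10):
    """Keyspace (bits) and expected crack time (seconds) for a few schemes.
    The guess rate is an assumption for the example."""
    schemes = {
        "8 random chars, all 95 printable": entropy_bits(95, 8),
        "11 random lowercase letters": entropy_bits(26, 11),
        "16 random lowercase letters": entropy_bits(26, 16),
        "4 random Diceware words": entropy_bits(7776, 4),
        "6 random Diceware words": entropy_bits(7776, 6),
    }
    return {name: (round(bits, 1), crack_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


def random_passphrase(words, n_words=6, sep="-"):
    """Passphrase of n_words words drawn with the CSPRNG in `secrets` (never `random`)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for name, (bits, seconds) in compare_schemes().items():
        print(f"{name:34s} {bits:6.1f} bits  ~{seconds / 86400 / 365:.1e} years")
    print("Naive estimate for 'inever4getaface!':",
          round(naive_charset_bits("inever4getaface!"), 1), "bits (upper bound)")
    print("Example passphrase:", random_passphrase(SAMPLE_WORDS))
```

Note that sixteen random lowercase letters (about 75 bits) beat eight characters drawn from the full printable set (about 53 bits) by a wide margin, which is the whole point of going long; the naive 98-bit figure for “inever4getaface!” is what a meter would report, not what a phrase-aware cracker faces.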

Let your Mac do the heavy lifting

Don’t trust third-party browsers. A convenient shortcut to remembering all those passwords, or paying for a password manager account, is letting your browser remember them for you. You’ve seen the option yourself. You probably even use it on at least one site. Don’t! The option is convenient, but the protection is only as strong as your logged-in browser profile and operating-system session (anyone, or any malware, running as you can read them), and it doesn’t require that your password actually be, you know, good. If you need a free and easy option, go with a password manager like Dashlane instead of trusting everything to Chrome.

The other problem is that browsers like Google’s Chrome don’t use the macOS keychain, so you’ll need to manually enter passwords from the keychain into Chrome, and Chrome will then save a second copy of the password in its own database.

Use a password manager

Password managers like 1Password or LastPass create strong, unique passwords for all of your online accounts, and then store them for you to access across all your devices. So you have strong, unique passwords, and if one of your passwords does get caught up in a data breach, criminals won’t have the keys to the rest of your online services.

Now all you need to do is remember one master password. Make that one long (see “Go Long” above), because it is the single key to everything else.

The limitation of these applications is that, like all third-party software, you’ll need to download a separate app, and then install the appropriate browser plugin for them to fill passwords in for you.
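The “one master password” works because the manager never stores it: the master password goes through a slow, salted key-derivation function and the result is the key that encrypts the vault. The Python below is an added example of that design, not code from 1Password, LastPass or any other product. It uses scrypt from the standard library; the scrypt cost parameters (n=2^14, r=8, p=1) and the “vault-unlock-check” label are choices made for this example.

```python
import hashlib
import hmac
import os

# scrypt cost settings chosen for this example: about 16 MiB of memory and tens of
# milliseconds per attempt, which slows a brute-force of the master password
# enormously while barely affecting a real user.
KDF_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
CHECK_LABEL = b"vault-unlock-check"   # arbitrary fixed label used by the verifier


def derive_vault_key(master_password, salt):
    """Stretch the master password into a 256-bit vault key. Same password + same salt
    always gives the same key; the salt stops precomputed (rainbow-table) attacks."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          dklen=32, **KDF_PARAMS)


def enroll(master_password):
    """Run once when the vault is created. Stores the salt and a verifier, never the
    master password or the key itself."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    # Verifier: a MAC under the key over a fixed label. It lets us detect a wrong
    # master password without revealing anything useful about the key.
    verifier = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier, "kdf": dict(KDF_PARAMS)}


def unlock(master_password, record):
    """Re-derive the key from the stored salt; return it only if the verifier matches.
    A wrong password yields None rather than a key that would decrypt the vault to garbage."""
    key = derive_vault_key(master_password, record["salt"])
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["verifier"]):   # constant-time compare
        return None
    return key


if __name__ == "__main__":
    stored = enroll("correct horse battery staple")
    print("stored salt:", stored["salt"].hex())
    print("right password unlocks:", unlock("correct horse battery staple", stored) is not None)
    print("wrong password unlocks:", unlock("inever4getaface!", stored) is not None)
```

In a real manager the returned key would then decrypt the vault with an authenticated cipher; the point here is that the only thing written to disk is a random salt and a verifier, so a stolen vault file still forces an attacker through the slow KDF for every guess.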

Use keyboard patterns

A much less often used password mechanism is the keyboard pattern.

Instead of making up a sentence or using substitutions, you pick a pattern on your keyboard as a password. This has the advantage of being extraordinarily easy to type in, and it looks like gibberish to anyone reading it over your shoulder.

Of course, there’s an obvious downside: if you type the password on a foreign or virtual keyboard, the layout may not be the same as your normal keyboard, and the number and symbol keys (the top row) may not even appear on a virtual keyboard, so you’ll need to genuinely remember this type of password rather than let your fingers remember it. The less obvious downside is that keyboard walks are a well-known pattern: password-cracking toolkits ship generators that enumerate them (hashcat’s kwprocessor is one), so a walk buys you typing convenience, not strength. Keep it for low-value logins and make it long.

An example… “cftyuijnbvc” makes no sense as a word, but you’ll see how nifty it is when you type it out.
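The strength of a keyboard walk is worth checking rather than assuming. The example below is added here (it is not from the original article): it models a US QWERTY keyboard as a grid, tests whether a password is a keyboard walk, and counts how many walks of a given length exist, which is the space a cracking tool has to enumerate. The grid ignores the stagger between rows, so it slightly over-counts neighbours and therefore over-estimates the walk space; even so the count comes out tiny next to random strings of the same length.

```python
import math

# Simplified US QWERTY layout as a grid of (row, column). Constructed for this
# example: the half-key stagger between rows is ignored, which slightly
# over-counts adjacency (and so over-estimates the number of walks).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def neighbours(ch):
    """Keys physically adjacent to `ch` (horizontally, vertically or diagonally)."""
    r, c = POS[ch]
    return [k for k, (kr, kc) in POS.items()
            if k != ch and abs(kr - r) <= 1 and abs(kc - c) <= 1]


def is_keyboard_walk(password):
    """True if every key in the password is adjacent to the previous one."""
    pw = password.lower()
    if len(pw) < 2 or any(ch not in POS for ch in pw):
        return False
    return all(b in neighbours(a) for a, b in zip(pw, pw[1:]))


def count_walks(length):
    """Number of keyboard walks of `length` keys (revisits allowed), by dynamic programming:
    walks of length L+1 ending at key k = sum of walks of length L ending at k's neighbours."""
    ending_at = {k: 1 for k in POS}                  # length-1 walks
    for _ in range(length - 1):
        ending_at = {k: sum(ending_at[n] for n in neighbours(k)) for k in POS}
    return sum(ending_at.values())


def walk_bits(length):
    """Search space of all walks of this length, in bits, for comparison with entropy figures."""
    return math.log2(count_walks(length))


if __name__ == "__main__":
    for pw in ("cftyuijnbvc", "qwerty", "password"):
        print(f"{pw!r:16s} keyboard walk: {is_keyboard_walk(pw)}")
    n = 11
    print(f"all walks of {n} keys: {count_walks(n):,} ({walk_bits(n):.1f} bits)")
    print(f"random lowercase of {n} chars: {26 ** n:,} ({n * math.log2(26):.1f} bits)")
```

Every one of those eleven-key walks is something a cracker can generate in a single run, whereas the random-string figure is what the same length would give you if the characters were actually chosen at random; the gap is well over ten bits even with the generous adjacency model used here.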

Single-serve passwords

What makes safety glass so safe? Simple… it’s designed to stop little cracks becoming big ones, resulting in tiny, relatively innocuous pieces of glass rather than large, sharp, extremely dangerous shards of glass.

In the same way, using unique passwords means that if the password to one online service is discovered, your other online services are not compromised.

If you use a password manager then you’re already all over this. If not, then a midway solution would be to create 10 unique passwords and spread their use evenly, so that the exposure of any one password is not entirely catastrophic (a tenth of your accounts is still a lot, so treat this as a stopgap on the way to a manager). Don’t believe that your passwords may have been compromised? See for yourself: the website Have I Been Pwned has nearly 5 billion compromised accounts on file, and yours may be one of them.

Use multi-factor authentication

Increasingly, online services are using multi-factor authentication.

Users can be authenticated in more than one way, including:

  • Something you know – a password or PIN
  • Something you have – a smart card, an RSA SecurID token, a YubiKey USB key, an app like Authy, or a code via SMS
  • Something you are – a biometric measure like a fingerprint, voice pattern, or retina scan

The third factor was traditionally reserved for physical access to something: a building, a research facility, etc. On phones and laptops it now mostly serves as a convenient way to release a locally stored secret, as described above for TouchID and FaceID.

But two-factor authentication is increasingly used for online services, and codes via SMS are by far the most popular. If an online service offers two-factor authentication then you should use it. SMS is the weakest form, however: codes can be redirected by a SIM swap or intercepted, and you may not be able to receive one if you’re overseas and don’t have roaming turned on. An authenticator app (Authy, or the Google or Microsoft ones) generates the code on the device itself without any network, so prefer it wherever the service offers the choice, and keep SMS as a fallback rather than your only option.
