A year ago, I wrote a short list of rules or suggestions for choosing and managing passwords. I reread it today. The advice is still good, but the urgency has increased, if that is possible. The unfortunate fact is that the criminals have not let up. Law enforcement is still often stymied by cybercriminal assaults. Some assaults are from places where cybercrime laws are lax. When a crime is committed from out-of-state or out-of-country, an extradition is usually required, expenses that local law enforcement agencies often cannot afford. On top of all this, the criminals, both domestic and foreign, are getting better at their “art,” if you can call it that.
There is a bright side. The computing industry is taking security much more seriously in 2018 than they did ten years ago, even three years ago. The current arguments over election hacking, as disheartening as they are, have helped focus the spotlight on computer security. The industry has invested heavily in multi-factor and biometric authentication. Although I have reservations about biometric authentication, I’ve been using Windows 10 facial recognition authentication on my go-to tablet and I have found it convenient, although I still doubt that my device is well protected if I let it slip out of my hands. If I were a high-profile target with precious contents on my device, I would not rely on facial or fingerprint recognition to keep my contents safe.
The big news is the rise of multi-factor authentication, which I wrote about recently. Multi-factor authentication uses more than one kind of verification to authenticate the identity of a user. I will not equivocate: multi-factor authentication is always more secure than relying on a password alone. However, some forms of multi-factor are more secure than others. But multi-factor is always more trouble than simply entering a password or having your face scanned. If you are going to submit to the hassle, and I recommend you do submit when anything important is at stake, then why not choose the most secure alternative?
Verification via a token sent by email or a text message is substantially stronger than a password alone, but both email accounts and text messages are subject to hacking that is not that difficult. Use of an authentication application or a physical authentication key like Yubikey or Google Titan is much more difficult for hackers to circumvent. If I were a high-profile target, I would have a physical key.
Nevertheless, does multi-factor make good password hygiene obsolete? Absolutely not. An easily hacked password is an open door that makes the hacking life easier. And, unfortunately, some sites do not offer multi-factor authentication in any form, so password hygiene is still a necessity.
2018 password hygiene rules
- Never use a password for more than one site or account. Some of the biggest security breaches in recent years were caused by password reuse.
- To resist the temptation to reuse or to use easily crackable passwords, consider getting a password manager like LastPass to generate and manage long random passwords. Password managers are a single point of vulnerability. If your password manager is hacked, you are a slice of toast in a shower bath. However, a well-designed and maintained manager is much more secure than a badly managed set of weak passwords.
- Longer passwords are better. The longer a password is, the harder it is to crack. A password 15 characters long is still hard to crack today. As computing hardware improves, longer passwords may be needed.
- Mixing lower case and uppercase letters, numbers, and symbols like !@#$ make cracking harder, but not as much as increasing the length.
- A long phrase is often strong and easy to remember, but common phrases, even common phrases obfuscated with tricks like replacing “s” with “$” or “o” (letter) with “0” (number), are relatively crackable. Skilled hackers know the tricks as well as you do. Start with a plain phrase that gets no hits on Google and go from there.
- A long random sequence of mixed lower and upper case, numbers, and symbols is very hard to crack, but also hard to remember. A password manager mitigates this issue.
A final word
Quantum computing threatens to blow encrypted passwords away completely. In theory, a quantum computer could crack any password in milliseconds. This danger is theoretical and a few years in the future, but real. An outlying possibility is quantum encryption that thwarts quantum decryption, but I am aware of nothing real yet. However, because I recognize the quantum threat, I continue to explore biometric solutions and emphasize multi-factor.
A final final word
Avoid sites that are sloppy or predatory in design and management. These places are like dark alleys in a bad neighborhood. If you must deal with these sites, be sure that the benefits are worth the risk and watch yourself. If you can’t recognize cyber danger, stay away. If you are subject to hubris over cyber threats, find a secret hole and crawl in it. You are in danger.