Pesky Passwords: Key to keeping safe… Janine Scott, 17th July 2019
Do we need passwords?
• Passwords used to be used solely by secret societies and kids playing 'spies'; now we have to deal with them daily.
• So do we really need them? The answer is a really big YES! (for the moment at least)
• Passwords do two things for us – they are the equivalent of the keys we use for our houses, cars, safes etc., and they also hide things from nosy parkers.
• Many people don't take passwords seriously enough until something untoward happens.
Taking passwords seriously
• Instead of thinking of a password as just an annoyance, consider what it is protecting… compare the item (e.g. e-mail) with a 'real' thing and realize that by connecting to the internet we are basically in a 'public area'.
• Example… If we kept all our correspondence in a public area we would naturally want it in a solid box with a key.
• Example… If we are dealing with money we don't want all our bank account details 'out there' either.
• Example… When we have expensive portable equipment we either hide it or lock it with a key, e.g. locking our houses, cars and secure locations.
Silly things we often do!
• We have very quickly learnt to take for granted certain things that once puzzled us – I remember puzzling over what a 'user name' was and how it differed from a password?!!
• I'm sure we all know the difference now, so why do we often use different usernames for different accounts but then use the same password for all of them!
• Or we keep the same passwords for years! So what's wrong with that if it's a really good password? Consider one of the ways hackers work… they either buy or hack into a large company database. Although no database actually keeps your password, they do have what is called a 'hash' of your password. The hackers run programs that try thousands of password combinations until they find one that matches a specific 'hash' – and that is your password… and if you use the same one for everything, and you haven't changed them for years, then…
• Or we use a really simple password because it's easy to remember or type. DON'T! Targeted brute force is less sophisticated but depressingly successful. Here are the top 25 passwords used in 2018:
1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou
11. princess
12. admin
13. welcome
14. 666666
15. abc123
16. football
17. 123123
18. monkey
19. 654321
20. !@#$%^&*
21. charlie
22. aa123456
23. donald
24. password1
25. qwerty123
• Lists of the top 100 'bad' passwords are regularly published, but hackers can and do "stack the deck" by taking the top 1,000 or 10,000 or 100,000 passwords and trying them in order of popularity. Given how many people use bad passwords, it's worth the hackers' time to try them, even if there are periodic delays.
• Just the top 1,000 passwords tried against a large number of accounts will get them access to a surprisingly and depressingly large number of accounts.
Silly things we often do
• The opposite thing also happens: we decide to change everything but don't keep a record when we do – so we lock ourselves out.
• So instead we click on 'let [insert browser name here] save the password for you'; or perhaps we never 'log out' – because we aren't sure we can log in again!
• So what's wrong with that…? Your password is stored as a cookie on the browser – and cookies are vulnerable. Plus it's like leaving the key in your car or your front door open, or putting your car in a garage but giving someone else the key – if other people get physical access to your computer, or steal your laptop or phone etc., they are straight into your accounts with no need of a password.
• Finally, how often have we, for example, taken our computers into Paphos Computers or SOS with sensitive files unprotected? You may trust them implicitly, but you don't know who else is in the shop…
So what is sensible? Let's talk about passwords
The definition of "good password" has changed (according to Leo). It used to be that eight random characters was considered a secure password. That's no longer true; 12 characters is the minimum. Leo uses 20 characters when possible. Random characters are considered best. But — and this is often not well understood — length is more important than complexity. Increasing the length, even by just a character or two, exponentially increases the time needed to crack a password. While the password "password" is horrid, "1234 password 1234" isn't that bad, being many orders of magnitude more difficult to crack (or guess). Just as important as using strong passwords is that you never, ever use the same password for more than one purpose. When passwords are discovered, hackers absolutely try them across the various services they're attempting to hack into. (And remember hackers aren't just doing this by themselves; they are using computers and possibly other hackers to help them.)
Password basics
• Choose a password that no one will easily guess or hack – strangely difficult to do!
• Don't use a word or phrase of special importance to you, like a birthday or family member. That's the kind of information that can be discovered easily by someone doing a little digging. Also, do not use default passwords, as they are easily cracked. Some default passwords include password, password123, 1234, admin, and guest, among others. These can be found across the internet.
• Ideas for creating a good password… (for those that need some help)
• Create a series of images or a phrase as the basis for your password. This is a useful starting point for making a password that's complex and difficult to guess while easy for you to remember. It stays away from personal information that others could easily guess. A classic idea is to picture three objects that are different in themselves but are strongly linked in your mind – an example that applies to me might be Titus + Cushion + Car. Using these images as a starting block I might create a password like this: 7!&u5_cU8]0n+C4r
Other considerations
• This particular example, 7!&u5_cU8]0n+C4r, demonstrates several properties of a good password:
• Make sure your password is long. It should be at least 10-12 characters long, and longer passwords are even more secure. Some sites or applications may limit the password length, however.
• Use at least one capital letter and one lowercase letter in your password. The capital and lowercase letters should not be consecutive, on the keyboard or in the alphabet. Mixing them up makes the password more difficult to predict.
• Use spaces and symbols in your password. Many password systems don't allow actual spaces, but it can be useful to insert one into the middle of a password with systems that do. Alternatively, an underscore "_" or two can serve a similar function.
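As an added example (not from the slides), here is a small Python checker that applies the rules from the top-25 slide and the password basics above: it rejects anything on the 2018 top-25 list or among the default passwords named, enforces the 12-character minimum and the mixed-case/symbol advice, and gives a naive brute-force size estimate that shows why the long "1234 password 1234" outscores a short complex password. The rule wording and the 33-symbol character-set size are my assumptions.

```python
import math

# Top 25 passwords of 2018 as listed on the slide (SplashData's list).
TOP_25_2018 = [
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwerty123",
]
# Default passwords named in the "Password basics" slide.
DEFAULTS = {"password", "password123", "1234", "admin", "guest"}
MIN_LENGTH = 12  # the slide's current minimum
SYMBOLS = 33     # printable ASCII that is neither letter nor digit (space included); an assumption


def search_space_bits(pw: str) -> float:
    """Naive brute-force estimate log2(charset ** length). It models guessing every
    combination, not a dictionary or top-N attack, which is exactly why the list check exists."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(not c.isalnum() for c in pw):
        charset += SYMBOLS
    return len(pw) * math.log2(charset) if charset else 0.0


def check_password(pw: str) -> list:
    """Return the slide's rules that pw breaks; an empty list means it passes them all."""
    problems = []
    if pw.lower() in {p.lower() for p in TOP_25_2018}:
        problems.append("listed in the 2018 top 25")
    if pw.lower() in DEFAULTS:
        problems.append("common default password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(not c.isalnum() for c in pw):
        problems.append("no space or symbol")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "1234 password 1234", "7!&u5_cU8]0n+C4r"):
        print(f"{candidate!r}: {search_space_bits(candidate):.0f} bits, {check_password(candidate) or 'OK'}")
```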
So let's create another, because lots are needed
• Generate similar but distinct passwords for separate accounts. You can use similar base words or ideas to help you remember your passwords easily without making them too easy to crack. "Never use the same password for multiple accounts" is an easy thing to say, but working out what new password to use each time is a challenge.
• Sooo… how I do it…
• Link what your account is for with a phrase or idea that's linked to the account you are creating, e.g. wedding website "top hat and tails"… 70pH@t_& 7a!!5
• Or a Skype account password might be associated in your mind with your children's names and the idea of time keeping, so e.g. Oliver, Hilary could then be 9;kc3t&Nuosft by using the keys in turn above, to the right, below and then to the left of the ones in the names.
• Or it might be easier to have a standard idea, e.g. the day of the week you create an account, and then look for ways to 'adapt', e.g. 258M0n(^£D$y. Words that have no real meaning to anyone else in relation to an account are obviously best; I might consider something like 'a nice cup of tea' as the password base for a holiday account – 4n1c3 Cu90F-T34. Interflora? How about M4nW17HW1nG5
• Another idea for recording/creating your passwords is straight from the spies – use a code book, in other words a book that you are likely to have around that doesn't attract attention if kept near your computer, and you use it as the base for your passwords, e.g. record the page & that will also give the numbers, e.g. 42 FP is (!c7ur3%F0rF1L35
Even more password basics
• Despite having passwords that are easy to remember, make sure your password is also written down and kept in a safe place. (I actually work them out & write them down before I use them.) Choose a location away from your computer (and from prying eyes), but make sure you can easily access it. If you forget your password, hopefully you can retrieve it without much trouble. When writing your password down, consider coding it with an offset pattern to make your password more difficult for others to decipher. Thus ri7%Gi6_ll might be written as 2tk9&Ik8_nn (where the offset for the coding is indicated by the first character, in this case +2). This would mean that each subsequent coded character is two alphabetical letters or numbers greater than the actual password character, or you might know it means 2 keys to the right or left on the keyboard. Use your mobile phone to store your passwords… there is a locked memo portion on mine where I store all my passwords (I also have passcode protection in place of course – using a different code to the memo lock).
• Do not share passwords, especially in e-mails. This is an open invitation to your online accounts, and it's often exploited to accomplish online identity theft. One way this can also be used is that you get an e-mail which quotes one of your (hopefully previous) passwords – if this happens don't panic... This is actually an indication the mail is spam, because no legitimate bank or other provider would quote a password – scammers send out millions of phishing e-mails using the most common passwords to make them look authentic (even a few people fooled can net them a fortune). DO change all your passwords, however, to more secure ones, because it suggests that your accounts may be compromised or perhaps there has been a breach of a database somewhere.
• Do not write down your passwords on anything linked to the account they refer to, e.g. credit cards; keep the records of the passwords separate. BUT IF THIS IS ALL TOO DIFFICULT…
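The offset coding for written-down passwords, as an added Python example rather than anything from the slides. It takes one reading of the scheme (an assumption): letters and digits move forward by the offset within their own group, the shifted number-row symbols !@#$%^&*() move by position (so % becomes & with +2), anything else such as "_" is written unchanged, and the offset digit is written first. It reproduces the slide's ri7%Gi6_ll to 2tk9&Ik8_nn and decodes it back.

```python
import string

LETTERS = string.ascii_lowercase
DIGITS = string.digits
SHIFTED_ROW = "!@#$%^&*()"  # shift + the 1..0 keys on a US keyboard; '%' -> '&' is a +2 step


def _shift(char: str, n: int) -> str:
    """Move one character n places forward within its own group (wrapping round);
    anything outside the groups, such as '_', is written down unchanged."""
    for group in (LETTERS, LETTERS.upper(), DIGITS, SHIFTED_ROW):
        if char in group:
            return group[(group.index(char) + n) % len(group)]
    return char


def encode(password: str, offset: int) -> str:
    """Produce the form you write down: the offset digit, then every character moved +offset."""
    if not 1 <= offset <= 9:
        raise ValueError("offset must be a single digit from 1 to 9")
    return str(offset) + "".join(_shift(c, offset) for c in password)


def decode(written: str) -> str:
    """Read the offset from the first character and move everything back again."""
    if not written or not written[0].isdigit():
        raise ValueError("written form must start with the offset digit")
    offset = int(written[0])
    return "".join(_shift(c, -offset) for c in written[1:])


if __name__ == "__main__":
    written = encode("ri7%Gi6_ll", 2)  # the slide's example
    print(written, "->", decode(written))
```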
Use a password vault/manager
• For 99% of all users, password vaults are the solution. Tools like LastPass, Roboform, 1Password, KeePass, and others collect, retain, and often enter your login credentials for you. They all strongly encrypt your collection of passwords and require that you authenticate with a master password in order to gain access.
• The biggest objection is, "What if the vault provider gets hacked — doesn't the hacker now have access to all of your accounts?" The answer is simply, strongly, and emphatically NO.
• LastPass, for example, stores your passwords as extremely well-encrypted data that even they do not have access to. Your data is only decrypted on your device(s), and only when you provide the correct passphrase. In the case of some of the other vaults, by default the encrypted database isn't kept online at all, and must be accessible to you, often in the form of a USB thumb drive you carry with you.
More on password managers
• Link to YouTube video: https://www.youtube.com/watch?v=DI72oBhMgWs
• Be aware that although password managers are, in theory, an excellent idea, they don't all work as seamlessly as they should, and there is a learning curve and a level of discipline involved. Of course there is also a huge level of trust involved as well – doing your research is very strongly recommended, e.g. don't just read the top few reviews, especially if they are all 100% positive! Make sure you dig deeper – the slightly negative reviews are more likely to give you a clear picture of a product.
Minimizing the risks
• There is always risk for any solution you choose, but the risk of someone gaining access to your vault pales in comparison to the risks associated with using weak passwords or re-using passwords across multiple sites. Put another way, password vaults allow you to give every account its own unique, long, strong password that you don't have to remember (or type, in most cases).
• Other ways to minimize risk…
• 2-step authentication/verification – the simplest is getting a text or e-mail with a code you then enter into the log-in, but many sites do offer other ways for extra authentication.
• Add the information that sites ask for (if you can), e.g. put in a recovery e-mail address, memorable information etc. – you never know when you will need it. And also you want to do it before someone else does!
If you haven't got a mobile or can't add a Cyprus number to a site…
• Instead of using your actual mobile phone number, in theory you can get a free Google Voice phone number and use that number for SMS messages to your computer from websites. You can log in to Google Voice on your computer or phone to see the SMS messages you receive. It's pretty simple to set up, but unfortunately it's currently unavailable in Cyprus.
• Another option, which is a viable solution for Cyprus, is to make use of a UK SIM card, but if it's solely used for verification purposes in an old phone (rather than as a 2nd SIM in an active phone) then making sure the phone is charged, and remembering the passcode to access it, has to be a consideration!
Protection against breaches
• Even if I were to tell you my banking ID and password, you would still not be able to log in to my account. That's because of something called "two-factor authentication".
• When I log in to that account for the first time on a new computer (or after clearing cookies) my bank sends me a text message with a code I must enter. That proves I am in possession of my second factor: my mobile phone.
• Another approach uses an application that displays a cryptographically synchronized number associated with your account that changes every 30 seconds. Entering the number proves that you are in possession of the device running that application. There are also hardware devices such as the YubiKey. It is a USB device that, when inserted, provides cryptographically synchronized information, proving you're in possession of the key.
• If long and strong passwords are the gold standard, two-factor authentication is the platinum standard. Even if your passwords are discovered, hackers still can't get in. Accounts that support it are usually banking and e-mail accounts – whenever it is available make sure you set it up.
Passing of the password… soon…?
The (slow) death of the password? We've gone from one factor (a password, or something you know) to two (adding proof of something you have). Now we're seeing some services drop back to using only that second factor. This could be the first step in the death of the password. One example is accounts where you log in by providing only your email address. They then send an email with a link that, when clicked, logs you in. Your ability to access your email account and click that link proves you are who you say you are. ??? More recently, some providers are pairing up with apps on mobile devices.
Leo's experience… "For instance, I recently logged into my Microsoft account on my PC by providing only my email address, at which point a notification popped up on my phone via a Microsoft app installed there. Authorizing that notification with a single tap completed the login on my PC."
My experience… to download the app from the computer you needed to add your phone number, but the country codes on the list don't include Cyprus!
New from NatWest…
• Log in securely, wherever you are, with our mobile app. All you need is your fingerprint or face to log in.
• Our app leads the way when it comes to security and technology. You can log into our app with just your fingerprint, or even just by looking at your phone, depending on the phone you have. And, unlike a password, you can never forget your fingerprint or face. If you'd rather stick with a passcode, don't worry. You can still set up a six-digit passcode to log in securely.
Password protect Windows 10 files & folders
• Make sure you try this with an unimportant file first! If you can never get in again don't blame me!!
• Using File Explorer, right-click on a file or folder you want password protected
• Click on Properties at the bottom of the context menu
• Click on Advanced…
• Select "Encrypt contents to secure data" and click on Apply
• You'll be prompted to back up your encryption key; you'll need it if you lose access to your encrypted files
• Applies to all Windows 10 versions