Who thought passwords were a good idea?

Before computers the only password you needed was, as a kid, the one to get into your gang’s hut. Now they’re everywhere and we’re suffering from “Password fatigue“.

Computer log-ons; Internet Sites; Banks; Phones, you name it, you probably need a password for it. And with the internet of things coming, you’ll probably need a password to open the fridge (In my case, this might not be a bad idea 🙂 ).

When you go to a new internet site they usually want you to log-on. To do so you need to register and, as part of the registration process you need to supply a “secure password” even if it’s only to read the news! Crazy!

Some researchers are suggesting that, in today’s world, the average person needs 25 different passwords. There’s no way most of us are going to remember 25 different, secure passwords. If you need to remember more than 25 you’re really in a pickle.

So what can you do?

Most people have two different needs for passwords.

1. Passwords for information that needs to be kept very secure like Banking, Tax and Social Media sites etc.
2. Passwords for  “Frivolous” sites that require registration but where no personal information is held other than your name and email address.

Let’s look at Frivolous sites first.

Here it doesn’t matter if you forget your password or if the site is compromised as there’s no personal information held on the site. You could use the same password for all of these sites, though if one site is hacked then all are hacked – so not really a good idea.

You could “reset” your password at each visit. Better than nothing but a little time consuming as you have to wait for the email to arrive then create another password before logging-on.

The other problem is that there maybe different information requirements for each of these sites and, if a hacker gets access to a number of them, they can build up a “picture” of your life.

Therefore, even on these sites, it’s a good idea to have a secure password.

A word to the wise. Beware of Password Strength meters. They are only a very rough and ready guide to the strength of your password. Don’t believe me? Try this in a password strength meter: Fred/Smith!1990. It will show as better than 90% secure. This password can be cracked in less than a second even though it’s 15 characters using letters, numbers and symbols. Never use words or names in a password – ever.

Personal Information Security

This includes bank PIN numbers as well as passwords for your online banking, tax and other personally sensitive information.

Here you need a very secure password and you must use a different password for each site. The really bad news is that you should change these passwords regularly, after every 80 – 100 uses is a good rule of thumb.

Most of us are only just starting to remember easy passwords after 80 uses. Therefore, there’s no way we’re going to remember a new, secure password after every 80 or so uses.

So what can we do? Well, before we can answer that question we need to understand a little more about passwords.

What is a Secure Password?

Well, unfortunately, there isn’t one.

All passwords can be broken given the “will”, enough time and money. All you can do is make it difficult for the hacker so that they try someone else instead.

To understand how to make it difficult for a hacker let’s look at how quickly passwords can be “cracked”.

Using equipment you can buy in virtually any computer shop and software from the web this is how quickly random character passwords can be broken today:

• 4 numbers (like your PIN) – instant
• 4 characters (just lower-case letters) – instant
• 4 characters (just upper and lower-case letters and numbers) – instant
• 6 characters (just upper and lower-case letters and numbers) – 10 seconds
• 8 characters (just upper and lower-case letters and numbers) – 15 hours
• 8 characters (upper and lower-case letters, numbers and symbols) – 60 hours

There are reports that these times are already out of date and that a 16 character password can be broken in about 1 hour so, effectively, 6 and 8 character passwords can now be broken instantaneously as well.

Note: If you use words or names in your password, an 8 character password is cracked instantly and a 16 character password in just a few seconds. Never use dictionary words or names from any language in a password – ever.

What all this means is that, to secure personal information, you need at least 24 random upper and lower-case characters, numbers and symbols. There is no way you’re going to remember a password made from a random selection of this:

AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz 0123456789 !”#$%&'()*+,-./:;<=>?@[\]^_`{|}~

We now know that a secure password is at least 24 random upper and lower-case characters, symbols and numbers. With the speed at which passwords can be cracked advancing every day, you should be looking at 32-48 character passwords.

There’s no way on this earth that most people are going to remember 25 of those. And, more to the point, how are you going to generate these types of secure password? This is where Password Managers come in.

Password Managers

Password Managers are applications which help you store, organise and, usually, create passwords, fill in forms etc. They are available for most computer systems and Smartphones.

There are two basic types of Password Manager, Offline and Online.

Offline Password Managers store your passwords on your computer. Though some also offer to store the data in the Password Manager’s online storage (their “Cloud”).

Online Password Managers store the data both on your computers and Smartphones as well as in the provider’s cloud.

Password managers usually store passwords in an encrypted form. This requires the user to create a Master Password. A Master Password is a single, preferably very strong password which gives you access to your password database.

 

To create your secure Master Password you could look at using the mnemonic system. This is a system intended to assist you in memorising difficult or long items. So how do you create a password mnemonic?

In your life you have a number of things which are important to you. Things like Names, Dates, Places, Belongings etc. You can use these “things” to create a mnemonic for a secure password.

For example:

• Brother’s name: Fred
• First Girlfriend: Mary
• Little Sister’s Date of Birth: 23/08/1990
• Daughter’s Name: Helen
• First House Number: 63
• Make of first car: Fiat
• Wedding Anniversary: 6/06/2012
• Dog’s name: Charlie

Use the 1st letter or number (“character”) from each one, Capitalise the last letter and add an exclamation mark and you’ve got an easy to remember password that’s quite difficult to guess.

fm2h6f6C!

You can use lots of different combinations of things which are important to you.

You can also use different sequences like the list number for the character (1st item, 1st character; 2nd item, 2nd character etc.) or the 1st character if there aren’t enough characters:

fa/e6f0C!

Although this example is only 8 characters, it is better if you can use 12 or more. You will need to use the Master Password a few times in a day so a 64 random character, Master Password, although secure, will soon become tiresome.

For more information on using mnemonics for passwords see: How to create a password that’s easy for you to remember.

Which Password Manager should I use?

This all depends on your requirements. Here is a list of the most popular Password Managers with a brief review of each one to help you select the one most suitable for your needs. Prices are shown in US Dollars for comparison purposes.

RoboForm ★★★★★

From free (10 stored logins) to $9.95 (first year, $19.95 thereafter) there’s also an Enterprise version

Available for: Android, Linux, Mac, IOS, USB, Windows, Windows Phone, Windows RT (Metro)
Browsers: Chrome, FireFox, Internet Explorer, Opera, Safari

RoboForm is the daddy of the password managers. It’s been around since 1999. It’s recently undergone a facelift and full update to make it more user friendly and more secure. Roboform synchronises passwords and fills in forms on Windows, Mac, and mobile. There’s a one-time password authentication system for devices, and you can manage your devices online.

RoboForm Password Manager gives you secure access to your passwords wherever you go. One license works on all of your devices and their advanced syncing technology always keeps each device up to date.

Further details on RoboForm Everywhere.

LastPass ★★★★★

From free to $12.00 there’s also an Enterprise version

Available for: Android, Linux, Mac, IOS, USB, Windows, Windows Phone, Windows RT (Metro)
Browsers: Chrome, Dolphin, FireFox, Internet Explorer, Opera, Safari

LastPass syncs your passwords across all your devices. It includes a powerful multi-factor authentication system. lastPass also includes automated password changing and password sharing.

DashLane ★★★★★

From free to $39.99 there’s also a Business version

Available for: Android, Mac, IOS, Windows, Windows Phone
Browsers: Chrome, FireFox, Internet Explorer, Safari

DashLane has a very slick interface. It includes a two-factor authentication system, an automated password change system for up to 500 sites, secure sharing. Advanced form-filling. Captures receipts for online shopping in a digital wallet.

KeePass ★★★

Free – Open Source

Available for: Linux, Mac, IOS, USB, Windows  also Android, Blackberry & Windows Phone and others

Your passwords are stored inside an encrypted database that you control, on your own system, and are never synchronised or uploaded anywhere unless you want to take them from machine to machine. This also means it’s one of the most secure password managers. KeePass is a portable application, meaning it’s easy to take with you on a USB stick and use on multiple computers.