Passwords

Welcome to my new blog! I thought I would start by writing about something that bothers all of us. Passwords!

We all like the simple life and we all hate passwords, but the fact is that for now, we need to have passwords and they need to be “good ones” which are able to protect you. In the last few years a significant number of calls from clients have been about being unable to log into websites or other services (like email) either because they forgot their passwords or because the websites have “locked them out” because of a security problem. In a handful of cases, clients’ accounts were breached by hackers, which was even worse! So, what is to be done? 

Do not remember your passwords!

My clients often tell me that they keep their passwords identical and simple because they wouldn’t be able to remember them all. That is true, but help is at hand. Here are three ways that will save you from having to remember your passwords:

  1. Write them down in a book. Do this properly: get a notebook for the purpose, and write the name of the site or service (e.g. “email”, “WHSmith”, “Network Rail”), your username (if it’s your email address use a shorthand symbol such as “@”), the password and the date. That last piece of information is important since, if you ever change the password and don’t erase the old one from your notebook, you won’t be able to tell the new password from the old one! This low-tech approach is perhaps a little slow, but very effective!
  2. Let your computer remember passwords for you! Web browsers such as Google Chrome, Firefox or Microsoft Edge offer to remember your passwords when you log onto web sites. If you have “sync enabled” (an easy option to enable if required), the passwords will also be backed up to Google Cloud or the equivalent service for the other browsers. Apple’s Macintosh goes a step further: in addition to remembering passwords in Safari, it will save any passwords that you use on your computer, and will also “sync” them to other Apple devices such as iPhones so long as the relevant option is enabled in the System Preferences. All you need to remember is the password to log into the Mac in the first place, and your Apple ID password (if different).
  3. Those who need a more sophisticated solution and are willing to tinker with the technology can use a password manager such as the excellent Bitwarden. At the heart of this is a website which keeps your passwords secure. You can log onto this site using a regular web browser from anywhere, search for the service you’re after and get the username and password. This works, but it’s a little clumsy. To streamline the process, you can download the Bitwarden extension for your web browser and this will automate most of the work for you. When you first log onto a site (or when creating an account for the first time), you can use the extension to save the details, and every time you visit that website subsequently, you can log onto it by clicking on the extension’s icon in the browser (it appears at the top, usually on the right, but the exact location varies from browser to browser). The only passwords you will need to remember are the computer’s login and Bitwarden’s own password (which must be a strong one). The advantage of a password manager is that you can use it with different software and on different systems (I use it on my phone as well as on my computer) and you can save not just passwords but other sensitive information.

Use different passwords for different sites

The most common way accounts are compromised is when a website is hacked and entire databases of users’ email addresses and passwords are stolen. Such breaches have become common enough that you have to assume that at some point, someone will have your details. They will then try to use them on other sites. For example, if they have your Dropbox logon details, they might try to use the same email address and password to access your email account, your Amazon account and so on. If your stolen password has a simple number at the end (e.g. “Walrus1”) and it doesn’t work with another site, the hacker will try it with other numbers (“Walrus2”, “Walrus3” etc). You can take it as a given that this will happen and you must prepare accordingly.

At a bare minimum, identify your critical accounts and make sure they have passwords that are not related to any other passwords you have. Your critical accounts usually include your primary email account (if this is hacked, most other accounts can be hacked via a simple “reset password” request) and anything that is either very important to you personally (e.g. storage space for documents or photos) or has access to money (bank, investment accounts etc. and even some online shops).

That said, I strongly urge you to change all your passwords even if this takes many months to achieve fully.

Use Strong passwords

A strong password is a password that can’t be guessed easily, not even by a computer. For a password to be strong, it has to be long, and the longer the better (though web sites impose an upper limit). A strong password is also not related to you in any obvious way (for example, it should not contain your name, your mother’s maiden name, your street address, the name of your pet etc.). Finally, it must not be based on a single word (even a long one) from the dictionary, not even with a number at the end (because of Rainbow Tables and Dictionary attacks). Many sites require upper and lower case letters, numbers and special symbols, and while these certainly add to the password’s strength, they are far less important than having a long password. Here are some schemes for creating good passwords:

  1. Take three random words and string them together (leaving spaces between them!). For example, jolly rampant down or corn market today. You can also, if you like, impose a scheme to have the first word in capitals and add a number and a special symbol at the end so the passwords would become JOLLY rampant down 23? and CORN market today 23? respectively.
  2. Create three groups of characters by typing “runs” on the keyboard. There should be a sequence of numbers, a sequence of lower case letters and a sequence of upper case ones, as well as a special symbol. For example: 123qweASD! is made of 123 which are in the top row, qwe which appear just under it on the keyboard, ASD which are the keys in the next row and an exclamation mark. This gives you a reasonably strong password of 10 characters and, once you have established a scheme, you only need to know the first character to be able to type the rest. Of course, you can create a variation of the scheme to make the passwords longer, easier to type or whatever, but the principle is to have a scheme that you know, but no-one else can guess even if they know one of your passwords!
  3. Just make stuff up! u9dfbgs/$5fk is an excellent password! Such passwords are difficult to remember and difficult to type, but we have already established that you shouldn’t attempt to remember all your passwords!
  4. As a variation on no. 3 above, you can let your software come up with random passwords! All browsers will suggest strong, long passwords when you create an online account or try to log in. Unfortunately, those passwords are occasionally too complicated for certain websites! Bitwarden goes a step further and allows you to define how complex the password should be (e.g. “up to 12 characters long, with upper and lower case letters and numbers, but not special symbols”).
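To put numbers on the “length beats symbols” point and on the schemes above, here is a small entropy calculator. It is an added example, not code from the original post; the word-list sizes and the guessing rate are labelled assumptions, and the function names are mine.

```python
import math

# Assumed, constructed search-space sizes (not from the original post).
DICTIONARY_WORDS = 100_000   # size of an attacker's plain English wordlist
RANDOM_WORD_LIST = 7_776     # size of a typical list used to pick random words
PRINTABLE_ASCII = 95         # upper, lower, digits and keyboard symbols
LOWERCASE_ONLY = 26

def bits(search_space: float) -> float:
    """Entropy in bits when the password is one of search_space equally likely choices."""
    return math.log2(search_space)

def dictionary_word_plus_digits(digits: int) -> float:
    """The pattern to avoid: one dictionary word plus a short number, e.g. 'Walrus1'."""
    return bits(DICTIONARY_WORDS * 10 ** digits)

def random_words(n_words: int, suffix_variants: int = 1) -> float:
    """Scheme 1: n words chosen at random from a word list.
    suffix_variants counts the extra choices a fixed 'number + symbol' tail adds;
    a tail that is always the same (like capitalising the first word) adds nothing."""
    return bits(RANDOM_WORD_LIST ** n_words * suffix_variants)

def random_characters(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Schemes 3 and 4: each character chosen at random from an alphabet."""
    return bits(alphabet ** length)

def years_to_try_all(entropy_bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every candidate at an assumed offline cracking rate."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)

def compare_schemes() -> dict:
    """Bits of entropy for the examples discussed in the post."""
    return {
        "Walrus1 (word + 1 digit)": dictionary_word_plus_digits(1),
        "jolly rampant down (3 random words)": random_words(3),
        "JOLLY rampant down 23? (3 words + 2 digits + symbol)": random_words(3, 100 * 33),
        "12 random printable characters": random_characters(12),
        "8 random printable characters": random_characters(8),
        "16 random lowercase letters": random_characters(16, LOWERCASE_ONLY),
    }

if __name__ == "__main__":
    for name, entropy in compare_schemes().items():
        print(f"{name:55s} {entropy:6.1f} bits  ~{years_to_try_all(entropy):.2g} years")
```

The last two rows show the point the post makes: sixteen plain lowercase letters outscore eight characters drawn from the full keyboard, so length does more for you than symbols.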

Summary

As you can see, there is a lot to this password malarkey, and it can take some effort to get your passwords in order. However, it is entirely doable, and as long as you take a systematic approach and make sure to have good, different passwords, you will keep yourself protected online.

What do you think? Do you have questions or comments? I’d love to hear from you, and if there are other subjects you’d like to see covered in my blog, do let me know!