Password Problems

Some of the most common passwords in 2016, according to The Telegraph, a British newspaper:

  • password
  • qwerty
  • qwertyuiop
  • 1234
  • 12345
  • 123456
  • 12345678
  • 123456789
  • football
  • letmein

Are any of these your passwords? If so, please change them. Scrolling through the list you'll likely reflect on how unimaginative people can be when it comes to passwords. "Letmein" is probably my favorite, although "qwertyuiop" does have a certain ring to it.

Hacking has been in the news a lot lately, whether it's emails or bank accounts, and I have been getting questions about how clients can secure their personal information better. As we get closer to year-end, it's a good time to start resetting your passwords and thinking about ways to protect yourself. Along these lines, here's a piece from Helen Modly, CFP, that covers this topic nicely (I have added information along the way):

Daylight Saving Time recently ended, and we "fell back" an hour to Standard Time. In addition to changing your clocks and the batteries in your smoke detectors, now is a great time to reset your passwords.

Do you need to change all of them? Not necessarily. You should change any passwords where you use the same user ID and password across multiple sites, which may not have the same level of security implemented. For example, if you use the same user ID and password for your gardening forum as you do for your email account, change your email account to something unique.

You should also change any passwords used on an unfamiliar computer. Did you look up your bank balance while on your friend's computer? Change that password.
Finally, you should change old passwords to implement better password policies. For example, replace "password123" using some of the password tips below.

The longer the better: A longer password such as "AndTheCowJumpedOverTheMoon" is more secure against brute-force cracking than a shorter but more complex password like "MyP@ssw0rd." Aim for 16 or more characters using multiple words. Avoid using a long single word, as it would be vulnerable to a dictionary attack. Instead, create a memorable phrase or even a nonsense word, as long as you can remember it. You can add complexity with numbers and special characters to a longer password for even more security, but more complexity can become difficult to remember.

I have attended many talks on cybersecurity and there's a concept of "length is strength". While you don't necessarily need 16 or more characters, aim for at least ten. The goal is to make your passwords as random as possible, but not so random that you can't remember them! If you opt for a memorable phrase, consider choosing one of personal significance versus something from literature.
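To put numbers behind "length is strength," here is a small estimator added for this post (it is not code from the post's author or from Helen Modly's piece). It scores a password two ways: the keyspace an attacker must search character by character, and the cheaper cost of guessing whole dictionary words, which is what makes a long single word weak. It also checks the post's own rules: not on the common-password list quoted above, at least ten characters, ideally sixteen. The guessing rate and dictionary size are assumptions, labelled as such in the code.

```python
"""Password-strength estimator illustrating "length is strength".

Added example for this post, not code from the post's author or from Helen
Modly's piece. The common-password list is the one quoted in the post; the
guessing rate and dictionary size are labelled assumptions.
"""
import math
import string

# The ten weak passwords quoted at the top of the post.
COMMON_PASSWORDS = {
    "password", "qwerty", "qwertyuiop", "1234", "12345", "123456",
    "12345678", "123456789", "football", "letmein",
}

# Assumed figures for the comparison (not from the post).
ASSUMED_GUESSES_PER_SECOND = 1e10   # an offline cracking rig against a fast hash
ASSUMED_DICTIONARY_WORDS = 100_000  # size of a wordlist a cracker might try


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character pool covering every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace searched character by character."""
    return len(password) * math.log2(alphabet_size(password))


def split_capitalized_words(password: str) -> list[str]:
    """Split a CamelCase passphrase such as 'AndTheCow' into its words."""
    words, current = [], ""
    for c in password:
        if c.isupper() and current:
            words.append(current)
            current = ""
        current += c
    if current:
        words.append(current)
    return words


def dictionary_bits(password: str) -> float:
    """Cost when the attacker guesses whole words from a wordlist: one word
    costs log2(dictionary size); k words cost roughly k times that."""
    words = split_capitalized_words(password)
    return len(words) * math.log2(ASSUMED_DICTIONARY_WORDS)


def effective_bits(password: str) -> float:
    """The attacker picks the cheaper strategy; digits and symbols mixed in
    defeat pure word guessing, so only all-letter passwords get the discount."""
    if not password.isalpha():
        return brute_force_bits(password)
    return min(brute_force_bits(password), dictionary_bits(password))


def years_to_crack(password: str) -> float:
    """Expected worst-case time at the assumed guessing rate."""
    seconds = 2 ** effective_bits(password) / ASSUMED_GUESSES_PER_SECOND
    return seconds / (365 * 24 * 3600)


def check_password(password: str) -> list[str]:
    """Apply the post's rules and return the problems found (empty = passes)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    elif len(password) < 16:
        problems.append("under the recommended 16 characters")
    return problems


if __name__ == "__main__":
    for pw in ("MyP@ssw0rd", "AndTheCowJumpedOverTheMoon", "football", "letmein"):
        print(f"{pw:28} {effective_bits(pw):6.1f} bits  "
              f"{years_to_crack(pw):.2e} years  {check_password(pw)}")
```

Running it shows the post's point: the 26-letter phrase keeps over 100 bits even against a word-by-word attacker, the 10-character "complex" password sits around 65 bits, and a single dictionary word like "football" is worth under 20 bits no matter how it is capitalized.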

Use unique passwords as much as possible: If someone acquired your login and password to one site, what other sites could they log into, and what could they do? Could they make purchases on your credit card? Glean information about you to use as blackmail or harass you? If nothing else, your email password should be unique and not used anywhere else online. Unique passwords should also be used for your bank, any website where you have stored your credit card or bank account information, and sites such as Facebook that have copious amounts of personal information.

Use two-factor authentication where available: Two-factor authentication sounds complicated but is quite simple: When you enter your password into a site that has two-factor authentication enabled, a second form of authentication will occur. This usually entails a security code being sent via text to your phone or an alternate email address for you to enter. Many major sites now offer this as an opt-in feature.

Banks and brokerage firms typically offer this service for free or at minimal cost. Texting a code works but is not ideal. My suggestion is to use a "security token", or other physical device, that generates a random code each time you log in. This is a more robust two-factor approach and, although it might seem like a nuisance, is easy to get used to. The bank and brokerage firm might offer their own "key fob" token. Or, you could buy your own, such as a YubiKey, at a one-time cost of $18 to $50. The advantage is that it could work across all your devices, or even be paired with a password manager.

Use a password manager: Using a password manager eliminates the need to remember your various user IDs and passwords, allowing you to have long, complex, and unique passwords to as many websites and services as you like. Whether you choose a paid or free version, it should support two-factor authentication and, if you ever find yourself logging in from more than one device, sync across multiple devices such as your computer and your phone. Most password managers will also offer the ability to designate an emergency contact that will be given your logins and passwords in the event of your incapacitation or death.

Dashlane, LastPass, and Sticky Password are three of the leading password managers. The cost is minimal, from $15 to $40 per year. If you opt for a password manager, it's best to also use a security token to access both the password manager and your physical device (computer, phone, etc.). If not, someone could break into your machine and have open access to all of your passwords.

Brute-force software exists that can crack a Windows password in minutes. Think about it this way: you invest time and money into better online passwords, a password manager, even a security token for two-factor authentication. But then someone easily hacks into your computer because you haven't secured it, just your website access. They can glean all sorts of data to get around most of the precautions you've just taken and can cause all sorts of mischief. Take the extra step and secure your Windows computer with a robust password and, ideally, a security token.

Have questions? Ask me. I can help.



Ridgeview Financial Planning is a California registered investment advisor. Disclaimer | Privacy Policy | ADV
Copyright © Ridgeview Financial Planning | Powered by AdvisorFlex