A Few Words on Passwords

There’s an old joke about passwords being like underwear: namely, that they should be changed frequently and not shared with others.

But passwords have done nothing if not proliferate.  You accumulate them like junk mail, and almost every website now prompts you to create a user account.  This creates two big problems for the user.  First, you have to create unique and separate passwords for each site that conform to each site’s individual criteria (capital letters? special characters?), and second, more importantly, you have to remember them all.  If your passwords aren’t strong (your kid’s birthday or your street address), hackers can guess them easily using brute-force tactics.  And if you use the same password for different sites, you’re essentially waiting for some big company to get hacked (as they do all the time) and hand your digital keys over to anyone.

Using A Password Manager

Password managers remove these problems by generating and storing complex passwords for you.  The application typically lives in a browser, but some are stored to a local hard drive.  Most can pre-fill your login info and automatically open your favorite sites with a single click.  And you’ll just have a single, master password that unlocks the password manager itself.  Naturally, the master password needs to be incredibly secure, which is why many security professionals recommend using a passphrase instead of a password.

Passphrase versus Password

A password is typically composed of 10 letters or symbols, or a combination of both.  It might be a string of random characters like “G@x1LnP7” or a common word like “basketball” or a combination of both such as “Y@nkee5F@n.”  By comparison, a passphrase is much longer than a password and contains spaces in between words such as this: “be so good they can’t ignore you.”

A passphrase can contain symbols, and doesn’t need proper grammar.  The key difference is that passwords are a single “word” while passphrases contain spaces and are much longer.

So why are passphrases better than passwords?

  1. Passphrases are easier to remember.  It’s much simpler to recall a lyric from your favorite song or a quote by your favorite author than a random bunch of symbols.
  2. Passwords are relatively easy to crack. Cyber-criminals have incredibly advanced hacking tools designed to crack even complex passwords.
  3. Passphrases satisfy website rules. Using punctuation, uppercase and lowercase letters generally meets the complexity requirements of most sites.
  4. Supported by major operating systems and applications. Windows, Linux and Mac accommodate passphrases up to 127 characters.
  5. Next to impossible to crack. Even advanced password cracking tools break down at around 10 characters.
Credit to XKCD.com
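To put numbers behind points 2 and 5, here is an added example (not from the original post) that estimates the search space a brute-force attacker faces for a random password versus a passphrase built from a word list. It assumes the attacker's guess rate (`guesses_per_second`) and the word-list size are supplied by the caller; the tiny word list embedded here is constructed for illustration only, and the entropy figures assume the characters or words were chosen at random.

```python
import math
import secrets

# Constructed, tiny word list for illustration only. Real passphrase generators use
# lists of thousands of words; entropy depends on the list SIZE, so pass that size
# to passphrase_bits() when estimating a real passphrase.
SAMPLE_WORDS = ["good", "ignore", "basketball", "lyric", "quote", "river", "stone", "yankee"]

def charset_size(password: str) -> int:
    """Size of the character set a guesser must search once they know which
    character classes (lowercase, uppercase, digits, symbols) the password uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation, including space
    return size

def password_bits(password: str) -> float:
    """Entropy in bits of a password of this length and character mix, assuming
    every character was picked uniformly at random (the best case for the user)."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy in bits of word_count words drawn uniformly from a list of list_size words.
    A famous quote or lyric is NOT random: it is one entry in an attacker's quote
    dictionary, so this figure does not apply to it."""
    return word_count * math.log2(list_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def generate_passphrase(word_count: int, words=SAMPLE_WORDS) -> str:
    """Pick words with the OS CSPRNG; never use random.choice for secrets."""
    return " ".join(secrets.choice(words) for _ in range(word_count))

if __name__ == "__main__":
    rate = 1e10  # assumed attacker rate: 10 billion guesses per second
    for label, bits in [("random 8-char password 'G@x1LnP7'", password_bits("G@x1LnP7")),
                        ("6 random words from a 7776-word list", passphrase_bits(6, 7776))]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):,.2f} years to exhaust")
```

At the assumed rate the 8-character password falls in days, while the six-word passphrase takes on the order of a hundred thousand years; the figures only hold for randomly chosen material, so a well-known quote should be treated as far weaker than its length suggests.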


What About Two-Factor Authentication?

Two-factor authentication (aka 2FA or TFA) is an extra layer of security that requires not only a username and password but also something that only the individual user has: typically a piece of information only they should know, or something they have immediately at hand, such as a physical token.

TFA is not a new concept, but its use is becoming more widespread thanks to the digital age we live in.  In fact, you’re already using many forms of two-factor authentication in your daily life.  When you use your bank’s ATM, you’re combining something you have (your debit card) with something you know (your PIN).  TFA can help decrease your risk of identity theft online because even if a criminal were able to obtain your username and password, they would still lack the second piece of information.

Popular sites like Twitter, LinkedIn, Google and many others have begun offering TFA services for users.  Typically, this is done by sending a confirmation code via text message to the user’s phone.  When logging into a site, the user presents their username and password as normal, but the login attempt triggers the site to send a secure code to their mobile device, which must also be entered to gain access to the site.  A simple TFA setup like this prevents a criminal from gaining access because, even if they had stolen the user’s credentials, they would not have access to the user’s phone to obtain the access code.

Many password managers support TFA, and TFA support should be one of the criteria when choosing a service.

Where Do I Get A Password Manager?

There are literally dozens of password managers available.  Some carry a subscription fee while others are free.  PCMag.com recently did a wonderful review of over 20 password managers for 2018.

Securing Your Environment

Remember, strong passwords and passphrases are a critical piece of your security plan, but they are not the entire equation.  The security experts at OneLink IT have years of experience helping businesses create and sustain a protected environment.  Contact us today for a free risk assessment and to learn about ways of improving your security posture.