Safer Internet: Offline: Passwords Intro


  • MRI cloggedPasswords are ubiquitous, but not the most secure or convenient way to authenticate someone's identity.
  • Create passwords as strong as possible (or at least, more than required).
  • Store, sync and access most of your passwords via an encrypted 'password manager' (PM) -- most commonly, an application (like 1Password, LastPass, Dashlane); Apple-only users could use barebones, built-in iCloud KeyChain; paranoids could copy/paste via a local encrypted file
  • Minimize sharing passwords with others maybe within family for streaming devices?
  • Ideally, you need to remember only 2+ strong passwords: one for PM, one for (each) device.
  • A fingerprint can be convenient, and stronger than simple 4-6 digit passcode, but it can be cloned by hackers, and compelled by police.
  • World Password Day: May 5th create strong passwords; use a different password for each account; get a password manager; turn on multi-factor authentation; Betty White videos; security quiz

What is a "Strong" Password?

  • babyUnique -- don't reuse
  • Uncommon -- don't choose from worst: 25, 100, 500
  • Typically, 15+ characters long -- long phrases, and/or including mixed case, digits, punctuation.
  • Main (device & PM) passwords should be memorable -- and not too inconvenient to enter on your device.
  • For a phone/tablet, make longer than minimum 4-digit passcode, e.g., 8+ digits
  • iOS: ... > Passcode options > Custom Numeric/Alphanumeric Code -- see Accounts
  • Strong passwords usually don't need to be changed (unless they've been compromised).
  • If site requires answers to security questions, provide answers to questions that no one can lookup or easily guess -- or lie; create your own questions if possible.
  • We'll look at multi-factor methods later, e.g., using temporary codes from mobile phone or an authenticator app.

How to Generate a Password

  • correct horse battery stapleTo avoid predictability, consider creating a random password.
  • Use "password generator" in your Password Manager, e.g., pronounceable
  • macOS: System Preferences > Users & Groups > Password > Change Password > "lock": Password Assistant : Memorable
  • Be cautious about using online password generators: HTTPS? logging?
  • Manually generate multi-word phrase, e.g., Diceware; English
  • Roll die 5 times to select a word from a list of 7776 (65) words in a language.
  • Generate 4+ words; customize to increase strength even more
  • Other passwords (stored in your PM) can be long, random, complex, e.g., 64 characters of gibberish -- since you don't have to remember or type them.

How to Test Password Strength

  • best practicesTest the strength ("entropy") of your current passwords and new candidates.
  • Entropy is roughly a function of
  • the size of character set (# of possibilities): 0-9, A-Z, a-z, punct.!, dictionary list
  • to the power of the length of password sequence (number of characters / words)
  • decreased by rules, such as common recognizable patterns, e.g., 12345, pet names, common phrases, keyboard sequences, etc. -- and cracked password lists
  • Higher entropy means less predictable, i.e., more attempts / time to guess or crack by brute force
  • entropy equationGeneral recommendation: passwords should have 'high' entropy: 75 (or more)
    thousands of "centuries" to crack; though time estimates are unreliable due to sharing of known password lists by hackers, and increases in processing power.
  • Different sites can evaluate same password differently; Poor/Good/Strong labels or 'strength gauge' are inexact.
  • Similar caveats (to generation) for online password testers: HTTPS, logging?
  • My favorite checker: zxcvbn: numerical score with explanation; zxcvbn can be run locally (no network).
  • correct horse battery stapleShort 'random' phrases, e.g., correcthorsebatterystaple: 45 (only; via DiceWare).
  • Increase strength: more words, punctuation, misspellings, reversals, acronyms, invented words, other languages; however, hackers already anticipate simple substitutions like $ for S, 1 for L, etc.
  • Include 'unusual' chars (accented, foreign, etc.) -- check availability / compatibility for cross-platform use, e.g., opening password manager
  • macOS: System Preferences > Keyboard > Keyboard > Show keyboard and emoji (&symbol) viewers in menu bar > Show Keyboard Viewer
  • macOS: System Preferences > Keyboard > Input Sources > Show input keyboard in menu bar (this is still enabled if you disable Show kbd and emoji viewers)
  • (kbd icon) > Show Keyboard Viewer: view / select key
  • keyboard: press appropriate key combos, e.g., Option-
  • iOS: keyboard: hold down key to see possibilities
  • iOS11: Settings > General > Keyboard > Smart Punctuation: off -- if some chars don't appear; note:
    'flick down' can be used instead of Shift
  • strength change tomorrowWeaker passwords, e.g., 8-digit phone PINs, might be adequate if device limits login attempts or can auto-erase.
  • 64 random characters, e.g., via a Password Manager, typically might have entropy: ~346 (trillions of centuries)

How to Store Passwords

  • postitsHuman memory should be fine for several strong passwords: one for PM, one for (each) device -- but be sure to backup elsewhere, e.g., Safety Deposit Box
  • Paper or a file might be ok if it's truly hidden and/or coded
  • Recommendation: use a password manager app, such as 1Password
  • PM encrypts passwords on your device; shares (sync / backup) between devices / cloud
  • PM navigates to correct site; PM automatically fills-in userid and password -- usually
  • PM recognizes password changes, and automatically updates -- usually
  • PM organizes sites like bookmarks / favorites -- usually searchable
  • PM integrates with your browser (and maybe system & other apps via icon menu)
  • PM can store other related info, e.g., unusual answers to security questions
  • 1Password and password security AshMUG: Peter DeGroot presentation; video; links; how-tos; 9/8/2015
  • Later section: Browsing: Passwords, discusses passwords, password managers (e.g., 1Password, Dashlane, LastPass), and related issues in more detail, along with reviews and articles.