Safer Internet: Offline: Passwords Intro

Non-expert Online Practices
1. Use Antivirus Software
2. Use Strong Passwords
3. Change Passwords Frequently
4. Only Visit Websites They Know
5. Don't Share Personal Info
Expert Online Practices
1. Install Software Updates
2. Use Unique Passwords
3. Use 2-Factor Authentication
4. Use Strong Passwords
5. Use a Password Manager

Summary

  • Passwords are now covered in a separate 3-session OLLI course: P@s$w0rdz
  • As an introduction, each section below includes highlights copied from P@s$w0rdz --
    each Heading links to the corresponding detailed P@s$w0rdz section for the latest information.
  • A later section Browse: Protect Passwords originally covered advanced password issues;
    it now provides only an updated list of Reference articles about Passwords

Weak Passwords? Stronger Passwords

Generate Memorable / Complex Passwords

  • Three types of passwords:
  • 1. phone PIN/passcode -- memorable & typable; 8+ digits; optional: alphanumeric
  • 2. computer/tablet passcode; password manager; some online accounts
    -- memorable and/or typable; 4+ word phrases; optional: customize w/ digits, punctuation
  • 3. most online accounts -- complex & pastable: 20-64 complex character sequences
  • Possible random password generators:
  • Your imagination -- not so random, really!
  • Diceware: roll a die 5 times to select a word from a list of 7776 (6^5) words in some language;
    repeat 4+ times to generate a random phrase; e.g., "correct horse battery staple"
    -- the famous XKCD cartoon
  • Diceware-like functionality in macOS and 1Password -- "Memorable"
  • OS: e.g., macOS: System Preferences > Users & Groups > Password > Change Password > "key icon" (Password Assistant): Numbers Only; Memorable; Random
  • a password manager, e.g., 1Password > Generate Password: PIN, Memorable, Random
  • Misc. web sites: quality varies; not so private if site logs trial passwords!

Test Password Strength

  • Different web sites can rate the same password differently: Poor, Good, Excellent.
  • For more reliable, consistent result use one of these testers:
  • OS: e.g., macOS Password Assistant; only handles up to 31 characters
  • a password manager, e.g., 1Password, works for longer sequences
  • recommended online tester: zxcvbn
    -- zxcvbn also directly embedded in P@s$w0rdz:Testing
  • optional: disconnect network after loading page to prevent possible password logging (not necessary for zxcvbn).
  • below demo heading, enter password/passphrase into input field
  • goal for important accounts: entropy of 75+ bits -- crack time: centuries; the page explains the figures.
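The two lists above (generating random passphrases/passwords, then rating them by entropy and crack time) can be tied together in a few lines. The following is an added worked example, not code from the course page, zxcvbn or 1Password. It generates Diceware-style phrases and random character passwords with the OS CSPRNG, computes the entropy the strength testers report (log2 of the search space, assuming the attacker knows the word list and how many words were used), and converts that into a crack-time label for the four attacker scenarios zxcvbn uses. The 16-word list is a constructed stand-in for a real 7776-word Diceware list; the crack-time labels and the half-keyspace average are this example's own simplifications.

```python
import math
import secrets
import string

# Five dice rolls (6 faces each) index one word in a standard Diceware list.
DICEWARE_LIST_SIZE = 6 ** 5          # 7776 words
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed demo wordlist, NOT a real Diceware list: only 16 entries, so phrases
# drawn from it are far weaker than the 7776-word figures below. Substitute a real list.
DEMO_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bicycle", "candle", "dolphin",
    "ember", "falcon", "garden", "hammer", "island", "jungle", "kettle", "lantern",
]

# Guess rates (guesses/second) for the four attacker scenarios zxcvbn reports.
GUESS_RATES = {
    "online, throttled (100/h)": 100 / 3600,
    "online, unthrottled (10/s)": 10,
    "offline, slow hash (1e4/s)": 1e4,
    "offline, fast hash (1e10/s)": 1e10,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent, uniform picks from `alphabet_size` choices.

    This is the attacker's search space when the attacker knows the generation
    method (the word list and the number of words) but not the picks themselves.
    A phrase you made up yourself is not uniform, so this figure overstates it.
    """
    return symbols * math.log2(alphabet_size)


def diceware_passphrase(n_words: int, wordlist=DEMO_WORDLIST, sep: str = " ") -> str:
    """Pick n_words uniformly from wordlist using the OS CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Complex, pastable password: `length` uniform picks from the 94 printable symbols."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the keyspace must be tried."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def crack_label(seconds: float) -> str:
    """Coarse label in the style of strength testers; 'centuries' means >= 100 years."""
    if seconds < 60:
        return "instant"
    if seconds < 3600:
        return "minutes"
    if seconds < 86400:
        return "hours"
    if seconds < SECONDS_PER_YEAR:
        return "days"
    if seconds < 100 * SECONDS_PER_YEAR:
        return "years"
    return "centuries"


def strength_report(bits: float) -> dict:
    """Crack-time label per attacker scenario for a secret with the given entropy."""
    return {name: crack_label(crack_seconds(bits, rate)) for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    cases = {
        "8-digit PIN": entropy_bits(8, 10),
        "4-word Diceware phrase": entropy_bits(4, DICEWARE_LIST_SIZE),
        "6-word Diceware phrase": entropy_bits(6, DICEWARE_LIST_SIZE),
        "20 printable characters": entropy_bits(20, len(PRINTABLE)),
    }
    for name, bits in cases.items():
        print(f"{name:24s} {bits:6.1f} bits  {strength_report(bits)}")
    print("sample phrase (demo list):", diceware_passphrase(4))
    print("sample password:", random_password(20))
```

The report makes the page's advice concrete: a 4-word phrase (about 52 bits) survives an online attack and a slow-hashed offline one, but falls in days against a fast hash, whereas 6 words (about 78 bits) or 20 random printable characters (about 131 bits) clear the 75-bit "centuries" goal in every scenario.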

Store Passwords Securely

  • paper: ok for accounts if well-hidden? good for backup in Safety Deposit Box.
  • human memory: good for the 2+ strong passwords you must type yourself -- device passcodes and the master password of the password file/manager
  • browser autofill: avoid -- possible exception: if all Apple devices via iCloud?
  • "Single Sign-On" -- avoid entering Google, Facebook, Twitter credentials on 3rd party sites
  • computer file: fine if strongly encrypted, e.g., Excel doc via 7-Zip or Keka (AES-256); more manual steps
  • Password Manager (PM): best. features: strong encryption (AES-256); sync/share between devices & family members;
    generate random passwords; autofill login credentials, organize/update passwords; credit cards; 2FA support; ...
    downsides: learning curve, possible cost
  • recommended PMs: 1Password, LastPass, Dashlane

Updating Passwords

  • Only change passwords if they're weak, reused or compromised -- or site insists on it.
  • Check if any of your accounts have been hacked ('pwned')
  • Plan an upgrade strategy for many passwords -- to avoid overload / procrastination.
  • Use password manager, e.g., 1Password "WatchTower", to proactively identify Reused; Weak; Compromised; Vulnerable passwords.
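Checking whether a password has been seen in a breach ('pwned') does not require sending the password anywhere. The following is an added example, not code from the course page or from 1Password's Watchtower; it assumes the Pwned Passwords "range" API, which accepts only the first 5 hex characters of the password's SHA-1 and returns every leaked hash suffix sharing that prefix, so the match is made on your own machine (k-anonymity). The range response embedded below is constructed for offline use and its counts are made up; only the first suffix is the genuine SHA-1 remainder of the word "password".

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API: only the first 5 hex characters of the
# SHA-1 hash ever leave your machine; the full password and full hash never do.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed, offline stand-in for a range response: every leaked hash that shares the
# requested 5-character prefix, one "SUFFIX:COUNT" per line. The counts are made up; the
# first suffix is the real SHA-1 of "password" minus its first five characters.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:7\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; zero-count padding lines are kept."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Look up the constructed sample instead of the network (empty string = no hashes)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def fetch_range_live(prefix: str, timeout: float = 10) -> str:
    """Query the real service (needs network). The Add-Padding header makes the service
    append zero-count dummy lines so the response size does not leak the real line count."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in known breaches (0 = not found).
    Only the hash prefix is handed to fetch_range; the suffix comparison happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw)
        verdict = f"seen {n} times in breaches, change it" if n else "not in the sample breach data"
        print(f"{pw!r}: {verdict}")
```

To check against the live service, pass `fetch_range_live` as the second argument; the password itself still never leaves the machine. A hit means the password is in attackers' wordlists regardless of how strong it looks, which is why a manager flags it as "Compromised" even when it rates as strong.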

Security Questions / Secret Answers

  • "I don't have a bank account because...
  • Some sites use so-called 'secret answers' to questions as a pseudo-authentication factor besides a password.
  • However, an answer isn't secret if hackers can find it in public records, from breaches from other sites,
    or on social media sites -- don't post such personal details widely, or participate in 'fun' quizzes that reveal this info!
  • Instead, supply untrue, opposite, misspelled, foreign language, or unpredictable answers -- even random phrases.
  • If you're using a password manager, no need to remember these -- just store; then later, copy & paste

Recovery; User Names

  • Include an email address and possibly a phone # in account information, to facilitate account access and possible recovery, e.g., password reset.
  • For a primary email account, specify a secondary email address to receive notices about suspicious activity.
  • Most sites require an email address as a 'username';
    if so, provide a 'permanent' email address (rather than an ISP email address), or an email alias;
    if not, provide a unique username (not email) that marketers and hackers can't use to easily correlate your information.

Biometrics

  • You still need a strong passcode -- not only for initial setup and after updates / restarts,
    but also if you want to grant access to someone you trust or if you injure your finger, face...
  • A fingerprint or facescan is fairly reliable, and fairly secure (though subject to spoofing).
  • Biometrics can be a convenient shortcut to avoid entering the device passcode too frequently, but use appropriate timeouts.
  • Be extra cautious if using with important applications / sites, e.g., password manager
  • Legally you can be compelled to provide a fingerprint or facescan -- it's considered public;
    a password/passcode is considered private ("self-incrimination"), but courts or border crossing agents may try to compel you anyway.

2-Factor Authentication (2FA)

  • Although unique user names & random secret answers provide minor additional protection,
    for especially important accounts, e.g., financial, email, use a different second "authentication factor" (2FA)
    -- in addition to a strong password.
  • Generally, an acceptable 2nd factor is a temporary code sent via SMS (texting); issues: SIM-swap and interception attacks, codes phished along with the password, no cell service when you need it
  • Best 2FA is a TOTP (Time-based One Time Passcode) provided via an "authenticator app" or physical token
  • Once set up, both the site and the app compute -- in sync -- the same new code from a shared secret and the current time; the code changes frequently (typically every 30 seconds) and is never sent to the app.
  • Examples of authenticator apps: 1Password (built-in), Authy, Google Authenticator, Microsoft Authenticator