- Passwords are ubiquitous, but not the most secure or convenient way to authenticate someone's identity.
- Create passwords as strong as possible (or at least, more than required).
- Store, sync and access most of your passwords via an encrypted 'password manager' (PM) -- most commonly, an application (like 1Password); Apple-only users could use the barebones, built-in iCloud Keychain; the budget-minded could copy/paste from an encrypted file.
- Ideally, you need to remember only 2+ strong passwords: one for PM, one for (each) device.
- World Password Day (May 5th): create strong passwords; use a different password for each account; get a password manager; turn on multi-factor authentication; Betty White videos; security quiz.
What is a "Strong" Password?
- Unique -- don't reuse
- Uncommon -- don't choose anything on the published worst-password lists (top 25, 100, 500).
- Typically, 15+ characters long -- long phrases, and/or including mixed case, digits, punctuation.
- Main (device & PM) passwords should be memorable -- and not too inconvenient to enter on your device.
- For a phone/tablet, make the passcode longer than the minimum 4 digits, e.g., 8+ digits.
- Strong passwords usually don't need to be changed (unless they've been compromised).
- If a site requires answers to security questions, provide answers that no one can look up or easily guess -- or lie; create your own questions if possible.
- If a site allows only a short, weak password, consider creating an unusual username -- together they'll be stronger.
- We'll look at multi-factor methods later, e.g., using codes from mobile phone.
How to Generate a Password
- To avoid predictability, consider creating a random password.
- Use the "password generator" in your Password Manager (e.g., pronounceable passwords), or the macOS Password Assistant: System Preferences > Users & Groups > Password > Change Password > "lock": Password Assistant : Memorable
- Be cautious about online password generators: is the page served over HTTPS? does the site log the passwords it generates?
- Manually generate a multi-word passphrase, e.g., Diceware (English word list).
- Roll a die 5 times; the five digits select one word from a list of 7776 (6^5) words in a language.
- Generate 4+ words; customize to increase strength even more.
- Other passwords (stored in your PM) can be long, random, complex, e.g., 64 characters of gibberish -- since you don't have to remember or type them.
How to Test Password Strength
- Test the strength ("entropy") of your current passwords and new candidates.
- Entropy is roughly a function of:
- the size of the character set (# of possibilities): 0-9, A-Z, a-z, punctuation, or the dictionary list
- raised to the power of the length of the password (number of characters / words)
- decreased by rules, such as common recognizable patterns, e.g., 12345, pet names, common phrases, keyboard sequences, etc. -- and cracked password lists
- Higher entropy means less predictable, i.e., more attempts / time to guess or crack by brute force
- General recommendation: passwords should have 'high' entropy, 75 bits or more -- thousands of "centuries" to crack; though time estimates are unreliable due to hackers sharing known password lists, and increases in processing power.
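A worked version of the entropy rule above, applied to the Diceware and random-character figures in these notes (added example, not from the original notes; it assumes a 95-character printable-ASCII alphabet for "gibberish" passwords and a constructed guess rate of 10^10 per second):

```python
import math
import secrets

# Standard Diceware list size: five six-sided dice give 6**5 = 7776 indices.
DICEWARE_WORDS = 6 ** 5
# Assumed alphabet for random "gibberish": digits, letters, punctuation, space.
PRINTABLE_ASCII = 95


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly from `alphabet_size` choices.

    This is log2(alphabet_size ** length). It only holds for truly random choices;
    phrases with recognizable patterns are worth far less than this figure.
    """
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, alphabet_size: int = DICEWARE_WORDS) -> int:
    """Smallest number of random words (or characters) that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def roll_diceware_index(roll=lambda: secrets.randbelow(6) + 1) -> str:
    """Roll a die five times; the digits form the key (e.g. '43215') that selects
    one word from a Diceware list. `secrets` is used instead of `random` so the
    rolls are unpredictable; `roll` is injectable for testing."""
    return "".join(str(roll()) for _ in range(5))


def years_to_bruteforce(bits: float, guesses_per_second: float) -> float:
    """Expected years to search half the keyspace at the given (assumed) guess rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for words in (4, 5, 6):
        print(f"{words} Diceware words: {entropy_bits(DICEWARE_WORDS, words):.1f} bits")
    print("Diceware words needed for 75 bits:", words_needed(75))
    print(f"8-digit PIN: {entropy_bits(10, 8):.1f} bits")
    print(f"64 random printable chars: {entropy_bits(PRINTABLE_ASCII, 64):.0f} bits")
    print(f"75 bits at 1e10 guesses/s: {years_to_bruteforce(75, 1e10):,.0f} years")
    print("dice key for next word:", roll_diceware_index())
```

Six Diceware words are the first count that clears the 75-bit recommendation; an 8-digit PIN is only ~27 bits, which is why it relies on the device's attempt limit rather than on entropy.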
- Different sites can evaluate same password differently; Poor/Good/Strong labels or 'strength gauge' are crude.
- Similar caveats (to generation) for online password testers; disable network after loading if you're paranoid.
- My favorite checker: zxcvbn: numerical score with explanation; zxcvbn can be run locally (no network).
- Short 'random' phrases, e.g., correcthorsebatterystaple, score only 45 (via Diceware).
- Increase strength: more words, punctuation, misspellings, invented words, other languages.
- Include 'unusual' chars: ¡ ¿ ™ £ ¢ ∞ § ¶ • -- check availability / compatibility for cross-platform use, e.g., when opening the password manager on another device.
- macOS: System Preferences > Keyboard > Keyboard > Show keyboard, emoji, and symbol viewers in menu bar > Show Keyboard Viewer
- Keyboard Viewer: view / select a key; or on the physical keyboard, press the appropriate key combos, e.g., Option-
- iOS: Settings > General > Keyboard > Character Preview (iOS 10: always on?)
- iOS keyboard: hold down a key to see the possibilities
- Weaker passwords, e.g., 8-digit phone PINs, might be adequate if device limits login attempts or can auto-erase.
- 64 random characters, e.g., generated by a Password Manager, typically have entropy of ~346 bits (trillions of centuries).
How to Store Passwords
- Human memory should be fine for several strong passwords: one for the PM, one for (each) device -- but be sure to back them up elsewhere, e.g., in a safety deposit box.
- Paper or a file might be ok if it's truly hidden and/or coded
- Recommendation: use a password manager app, such as 1Password
- PM encrypts passwords on your device; shares (sync / backup) between devices / cloud
- PM navigates to correct site; PM automatically fills-in userid and password -- usually
- PM recognizes password changes, and automatically updates -- usually
- PM organizes sites like bookmarks / favorites -- usually searchable
- PM integrates with your browser (and maybe system & other apps via icon menu)
- PM can store other related info, e.g., unusual answers to security questions
- 1Password and password security (AshMUG): Peter DeGroot presentation, 9/8/2015; video; links; how-tos.
- Later section: Browsing: Passwords, discusses passwords, password managers (e.g., 1Password, Dashlane, LastPass), and related issues in more detail, along with reviews and articles.