Safer Internet: Offline: Passwords Intro

Summary

• Passwords are now covered in a separate 3-session OLLI course: P@s$w0rdz
• As an introduction, each section below includes highlights copied from P@s$w0rdz --
  each Heading links to the corresponding detailed P@s$w0rdz section for the latest information.
• A later section Browse: Protect Passwords originally covered advanced password issues;
  it now provides only an updated list of Reference articles about Passwords

Weak Passwords? Stronger Passwords

• "Passwords are like underwear:... you don't let people see it, you should change it very often, and you shouldn't share it with strangers." ~Chris Pirillo (note: frequent changing no longer generally recommended, at least for passwords)
• "The 25 Most Popular Passwords of 2018 Will Make You Feel Like a Security Genius:...
  1. 123456; 2. password; 3. 123456789; 4. 12345678; 5. 12345; 6. 111111; 7. 1234567;
  8. sunshine; 9. qwerty; 10. iloveyou; 11. princess; 12. admin; 13. welcome; 14. 666666;
  15. abc123; 16. football; 17. 123123; 18. monkey; 19. 654321; 20. !@#$%^&*; 21. charlie
  22. aa123456; 23. donald; 24. password1; 25. qwerty123" ~from 5 million passwords that have leaked online in the last year
• During a recent password audit, an OLLI student was found using the following password:
        "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"
  When asked why such a long password, the student replied...
        "I was told that it had to be at least 8 characters long and include at least one capital."
• "Don't use 'beef stew' as a computer password... It's not stroganoff."
• Crossword (by Steve) with weak passwords theme
• Unique: don't reuse passwords on multiple sites; don't login to 3rd-party sites using Google or Facebook credentials (SSO)
• Uncommon, Unpredictable: avoid common words phrases, patterns, etc.; sharing
• Unchanging: change only if they're weak, reused or compromised
• Long: the longer the stronger: 20-64 characters
• Memorable / Typable: you should only need to remember 2+ passwords:
  
• one for each device: random 8+ digits passcode/PIN for phone;
  random 4+ word passphrase for desktop/laptop, e.g., correct horse battery staple
  -- we'll discuss how/where to change these under Accounts
• 1 primary password for a password manager, which can generate/store/fill-in everything else
• -- or, Complex / Pastable: normal upper/lowercase, digits, symbols, e.g.,
  5iFt*b>Qyk[xpjrz@QoC2exanclhLvQ10izlX8hwxK6i=vwix14dwWVznQkvHrWh
• Reinforced: passwords-alone are often not secure enough;
  leverage other forms of authentication, if avail.: e.g., 'secret' answers, usernames, 2-Factor Authentication (2FA)
• Unknown: other sections of this course will discuss other Privacy & Security practices to keep passwords private

Generate Memorable / Complex Passwords

• Three types of passwords:
• 1. phone PIN/passcode -- memorable & typable; 8+ digits; optional: alphanumeric
• 2. computer/tablet passcode; password manager; some online accounts
  -- memorable and/or typable; 4+ word phrases; optional: customize w/ digits, puncutation
• 3. most online accounts -- complex & pastable: 20-64 complex character sequences
• Possible random password generators:
• Your imagination -- not so random, really!
• Diceware: roll die 5 times to select a word from a list of 7776 (6⁵) words in some language;
  repeat 4+ times to generate a random phrase; e.g., "correct horse battery staple"
  -- famous XKCD:cartoon
• Diceware-like functionality in macOS and 1Password -- "Memorable"
• OS: e.g., macOS: System Preferences > Users & Groups > Password > Change Password > "key icon": Password Assistant : Numbers Only; Memorable; Random
• a password manager, e.g., 1Password > Generate Password: PIN, Memorable, Random
• Misc. web sites: quality varies; not so private if site logs trial passwords!

Test Password Strength

• Different web sites can rate the same password differently: Poor, Good, Excellent.
• For more reliable, consistent result use one of these testers:
• OS: e.g., macOS Password Assistant; only up to 31-characters
• a password manager, e.g., 1Password, works for longer sequences
• recommended online tester: zxcvbn
  -- zxcvbn also directly embedded in P@s$w0rdz:Testing
• optional: disconnect network after loading page to prevent possible password logging (not necessary for zxcvbn).
• below demo heading, enter password/passphrase into input field
• goal for important accounts: entropy value: 75+ -- with crack time: centuries; explanation provided.

Store Passwords Securely

• paper: ok for accounts if well-hidden? good for backup in Safety Deposit Box.
• human memory: good for 2+ strong passwords -- for devices, password file/manager
• browser autofill: avoid -- possible exception: if all Apple devices via iCloud?
• "Single Sign-On" -- avoid entering Google, Facebook, Twitter credentials on 3rd party sites
• computer file: fine if strongly encrypted, e.g., Excel doc via 7-Zip or Keka (AES-256); more manual step;s
• Password Manager (PM): best. features: strong encryption (AES-256); sync/share between devices & family members;
  generate random passwords; autofill login credentials, organize/update passwords; credit cards; 2FA support; ...
  downsides: learning curve, possible cost
• recommended PMs: 1Password, LastPass, Dashlane

Updating Passwords

• Only change passwords if they're weak, reused or compromised -- or site insists on it.
• Check if any of your accounts have been hacked ('pwned')
• Plan an upgrade strategy for many passwords -- to avoid overload / procrastination.
• Use password manager, e.g., 1Password "WatchTower", to proactively identify Reused; Weak; Compromised; Vulnerable passwords.

Security Questions / Secret Answers

• "I don't have a bank account because...I don't know my mother's maiden name." ~Paula Poundstone
• Some sites use so-called 'secret answers' to questions as a pseudo-authentication factor besides a password.
• However, an answer isn't secret if hackers can find it in public records, from breaches from other sites,
  or on social media sites -- don't post such personal details widely, or participate in 'fun' quizzes that reveal this info!
• Instead, supply untrue, opposite, misspelled, foreign language, or unpredictable answers -- even random phrases.
• If you're using a password manager, no need to remember these -- just store; then later, copy & paste

Recovery; User Names

• Include email address and possibly phone # in account information, to facilitate account access and possible recovery , e.g., password reset.
• For a primary email account, specify a secondary email address to receive notices about suspicious activity.
• Most sites require an email address as a 'username';
  if so, provide a 'permanent' email address (rather than an ISP email address), or an email alias;
  if not, provide a unique username (not email) that marketers and hackers can't use to easily correlate your information.

Biometrics

• You still need a strong passcode -- not only for initial setup and after updates / restarts,
  but also if you want to grant access to someone you trust or if you injure your finger, face...
• A fingerprint or facescan is fairly reliable, and fairly secure (though subject to spoofing).
• Biometrics can be a convenient shortcut to avoid entering device passcode too frequently, but use apprpriate timeouts.
• Be extra cautious if using with important applications / sites, e.g., password manager
• Legally you can be compelled to provide a fingerprint or facescan -- it's considered public;
  a password/passcode is considered private ("self-incrimination"), but courts or border crossing agents may try to compel you anyway.

2-Factor Authentication (2FA)

• Although unique user names & random secret answers provide minor additional protection,
  for especially important accounts, e.g., financial, email, use a different second "authentication factor" (2FA)
  -- in addition to a strong password.
• Generally, a good 2nd factor is a temporary code, provided via SMS (texting); issues: spoofing, service access
• Best 2FA is a TOTP (Time-based One Time Passcode) provided via an "authenticator app" or physical token
• Once set up, both the site and app generate -- in sync -- the same, new random code, which changes frequently.
• Examples of authenticator apps: 1Password (built-in), Authy, Google Authenticator, Microsoft Authenticator