Pa88w0rds!

The struggle is real

Today’s world revolves around passwords. You have a password for everything, from your hydro, to your bank, to your social media, to your TWU email. We do whatever we can to avoid typing in that password every time we want access to something.

Nowadays, our computer or phone remembers the password for us, so we don’t have to. We all love the “remember me” check box. But is that safe?

Or we use the same password for everything, so we don’t have to think and our fingers automatically move with muscle memory to type the same keys every time. What’s the big deal? Do you really need to be concerned about being hacked? What if I don’t have anything to steal anyways?

And there are so many conflicting opinions about password length and complexity. What is two-factor authentication about anyways? Do I really need to change my password every 6 months?

Let’s attempt to break down the struggle into manageable pieces and we can talk about the threat of a compromised account.

Remember Me?

We’ve all seen the window that pops up after entering your credentials on a website: “Would you like to save this password?” Or the check box after your password, to “Remember me”.

Is it safe to “remember” your password? Officially TWIT would say that it’s not a good idea to save your passwords in your browser, because you are not controlling how that password is saved. Where is it saved anyways?

There are a few different ways your device can “remember” your password. The most common is your browser doing the remembering for you.

Chrome, for example, does encrypt the passwords it saves; however, the Chrome password database on your computer can be decrypted, so malware that gets in and reaches that database would expose every password stored in it.

Another way to “remember” a password is through your operating system (Windows, Apple). Windows calls this your Credential Manager; Apple calls this your Keychain. Using either of these methods can be secure. But…

How often do you lock your computer so no one has access to it when you step away? How complex is your Windows or Apple password for logging into your computer? How many times have you used the same password for other accounts?

Without going into a lot of detail and technical speak, TWIT would recommend a dedicated and proven password manager for saving passwords. That way you know it’s secure and you know where your passwords are being saved. We’ll talk more about this at the end of the post.

You should still lock your computer every time you walk away from it.

Windows: Windows key + L

Apple: Control + Shift + Eject

Mobile device: set a password and lock screen

Hackers –> Spear Phishing

Hacking is a real threat. It happens every day and it happens at TWU. Check out our blog post on spear phishing for some insight. You need to be aware of the threat and the two best ways to defend yourself:

  • Watch and read what you click
  • Use a unique complex password for your login

If a hacker can guess your password because it’s not complex, you’re opening yourself up to having your account compromised. You may think that you have nothing to steal, but an identity is worth stealing: it can be used to fool other people, and if you are using the same password elsewhere it gives access to your other accounts as well.

You don’t want to be hacked. We are in a day and age where almost everyone knows somebody that has been hacked or their credit card has been compromised or their Facebook account was hijacked. If you ask any of them if they would like to go through that again, there would be a resounding no!

When it comes to TWU, if your account is hacked you’re opening up the rest of the University to be vulnerable. There is a real risk to the data that we hold (e.g. student records, financial data and research) being compromised if your account is hacked.

Multiple accounts

The thing with having so many accounts online is ensuring that these accounts have DIFFERENT passwords to access them. If one account was compromised not all of them would follow. Of course this poses the problem of memorizing so many different passwords. Again, we will talk about password managers or software that uses a master password to keep your list of passwords secure and encrypted on your device.

Multi-factor

You may have heard of multi-factor authentication. This is the answer to the problem that any password can be guessed over time. With multi-factor you have two (or more) steps of authentication, and these steps can have varying degrees of complexity or security.

You may have seen or heard of the option to get a text message every time you enter your password for your Google account, for example. You enter your password, then enter a code that is texted to your device, so someone would have to know your password and have your device in hand. The code also has a time limit before it expires.

Now someone could have your device if it was stolen, so again multi-factor is not literally impossible to compromise, but it is much more secure. A lot of web-based accounts offer multi-factor authentication now. At TWU we will soon have the option of adding multi-factor authentication to our accounts.
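To show what the “code texted to your device” step looks like from the server’s side, here is a small Python example. It is added for this post and is not TWU’s or TWIT’s system; the five-minute window and five-guess limit are assumptions. It covers the properties the text relies on: the code is random, it expires, it tolerates only a few wrong tries, and it works exactly once. How the code reaches the device (SMS, an authenticator app) is outside the snippet.

```python
# Added example, not TWIT's system: the server side of the "code texted to
# your device" step. The code is random, expires after a short window, allows
# only a few wrong tries and works exactly once. Delivery is out of scope.
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed 5-minute validity window
MAX_ATTEMPTS = 5         # assumed limit on wrong guesses per issued code


class SecondFactor:
    """Issues and checks one-time codes. Only used after the password passed."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> [code, expires_at, wrong_attempts]

    def issue(self, user):
        """Create a fresh 6-digit code for this user, replacing any older one."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # uniform over 000000..999999
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code   # a real deployment sends this to the device, never echoes it

    def verify(self, user, submitted):
        """Return True once for the right code inside its window, else False."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # stale or being guessed: force a re-issue
            return False
        entry[2] += 1
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]      # single use: a captured code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    mfa = SecondFactor()
    user = "student@example.edu"       # constructed sample user
    code = mfa.issue(user)
    print("code delivered out of band:", code)
    wrong = "000000" if code != "000000" else "111111"
    print("wrong code accepted?", mfa.verify(user, wrong))
    print("right code accepted?", mfa.verify(user, code))
    print("replay accepted?", mfa.verify(user, code))
```

The important design points are the ones an attacker would otherwise lean on: without the expiry a code intercepted today would still work next week, without the single-use rule a code seen once could be replayed, and without the attempt limit a six-digit code is only a million guesses away.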

Complexity

Password complexity makes a big difference in how vulnerable your account is. And complexity doesn’t have to mean a bunch of crazy characters and numbers that are incredibly difficult to memorize.

Complexity can just mean a LONGER string of characters. The more characters there are in your password, the more possibilities a hacker needs to guess through. And the more variety in your characters (numbers, capitals, symbols), the more possibilities there are to guess.
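To put numbers on that, here is a short Python script, added for this post (not a TWIT tool), that computes how many guesses a password of a given length and character set can require. The character-set sizes are the usual counts for a US keyboard and the guessing rate of ten billion per second is an assumed figure for an offline attack on a fast hash; real rates depend on how the site stores passwords. It also checks the post’s claim that length matters more than exotic characters.

```python
# Added example, not TWIT's tool: how length and character variety change the
# number of guesses an attacker has to make. The guessing rate is an assumption.
import math

# Usual character-set sizes on a US keyboard (assumption for the table).
CHARSETS = {
    "lowercase only": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(length, alphabet_size):
    """How many distinct passwords of exactly this length exist."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy when every character is picked uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case years to try every password at a fixed guessing rate.

    Real rates depend on how the site hashes passwords and on the attacker's
    hardware, so treat the result as an order of magnitude, not a promise.
    """
    return search_space(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def longer_beats_wider(short_len, wide_size, long_len, narrow_size):
    """True when the longer password over the smaller alphabet has more possibilities.

    e.g. 12 lowercase letters (26**12) versus 8 characters from all 95 (95**8).
    """
    return search_space(long_len, narrow_size) > search_space(short_len, wide_size)


def strength_table(lengths=(8, 12, 16, 20), guesses_per_second=1e10):
    """Rows of (length, charset name, bits, worst-case years) for comparison."""
    rows = []
    for length in lengths:
        for name, size in CHARSETS.items():
            rows.append((length, name, round(entropy_bits(length, size), 1),
                         years_to_exhaust(length, size, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # 1e10 guesses/second: assumed rate for an offline attack on a fast hash.
    for length, name, bits, years in strength_table():
        print(f"{length:2d} chars, {name:<30} {bits:6.1f} bits  {years:>12.3g} years")
    print("12 lowercase letters beat 8 of anything:", longer_beats_wider(8, 95, 12, 26))
```

Note that the table assumes every character is chosen at random; a dictionary word with a digit on the end is far weaker than its length suggests, because the attacker guesses words first, not letters.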

TWIT recommends having a strategy for your passwords. You may think that’s too geeky for you to think about, but hear us out. When you have to sign up for a new HR online payroll system, what password are you going to choose? Are you going to re-use that old reliable password that you also use for your email and your bank?

If you have a strategy, a way to create a new password on the spot, you will be prepared to keep your data and identity secure. Here are a couple of examples:

  1. A few words with numbers and symbols thrown in like:
    !ocean*LAKE=33
  2. Use a phrase that you can remember, like:
    I like to play volleyball on the beach in the summer! = Iltpvotbits!
  3. One of the most secure, is to use a password generator.
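Two of these strategies are easy to show in code. The Python below is added for this post and is not TWIT’s password generator: the first function turns a sentence into its initials the way the volleyball example does, and the second draws random characters from the operating system’s secure random source, which is what a proper generator does. The eight-word list for the passphrase variant is a constructed stand-in; a real generator uses a list of thousands of words, because the size of the list is what sets the strength.

```python
# Added example, not TWIT's tool: two of the strategies above in code, the
# "phrase initials" trick and a random generator, plus a passphrase variant.
import secrets
import string


def initials_from_phrase(phrase):
    """First letter of each word, keeping any punctuation that ends the phrase.

    The post's own example: "I like to play volleyball on the beach in the
    summer!" -> "Iltpvotbits!". The sentence is memorable to you but the
    result is not in any list of common passwords.
    """
    initials = "".join(word[0] for word in phrase.split())
    trailing = ""
    for ch in reversed(phrase.rstrip()):
        if ch.isalnum():
            break
        trailing = ch + trailing
    return initials + trailing


# Letters, digits and the printable symbols: 94 possibilities per character.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets), never random.random()."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed eight-word list for the demo only; a real passphrase generator
# draws from thousands of words, since the word count sets the strength.
WORDLIST = ("ocean", "lake", "maple", "kayak", "glacier", "cedar", "prairie", "summit")


def generate_passphrase(words=4, separator="-", wordlist=WORDLIST):
    """Random words joined with a separator, e.g. 'cedar-lake-summit-maple'."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(initials_from_phrase("I like to play volleyball on the beach in the summer!"))
    print(generate_password())
    print(generate_passphrase())
```

The generator deliberately refuses lengths under twelve; with a password manager filling it in for you, there is no reason not to ask for twenty or more.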

At TWIT we use a password generator to help us when we are resetting passwords for customers. There is no exact number or degree of complexity that we can tell you is complex enough. There are many recommendations, but there is no exact answer. Any password, no matter how complex, can be deciphered with time. Your goal is to make it take years to decipher!

With a well integrated password manager, you don’t even need to know your passwords, because the manager (authenticated by a master password) enters them for you, or you can copy and paste. This way you can have an incredibly long password that is far more complex than anything you could memorize.

Password Keepers

Now right off the bat I know some of you are going to say that putting all your passwords in a file is just asking for trouble. But how secure is your situation right now? With a password keeper or manager, the power is put into your hands rather than somebody else’s: you can have a secure master password, you decide how secure you want to be, and you can even add multi-factor authentication. That beats leaving it to chance with all your passwords the same, a little black book under your mattress, or a sticky note under your keyboard.

Here at TWIT we use a password keeper that is secured and encrypted. I personally use a password keeper on my device too, mainly because I have so many personal accounts and so many different passwords that it’s impossible for me to remember them all. Some of you may say it’s inconvenient to have to look up your password every time, and there is some truth to that. However, how many of us have a phone that we are on a million times a day anyways?

There are password keepers that can integrate into your browser as well, which skips a memorization step: you don’t even have to look up the password. The manager recognizes that the page is asking for credentials and just asks for your master password to fill in the blanks. So now you’re only remembering your ultra-secure master password rather than 17 other passwords.

There are many apps available for password managing or keeping. We can list a few of the top ones, but this is not a review site; this is a recommendation on due diligence for your own security and the security of the University.

LastPass

KeePass

Dashlane

1Password

Password Safe

In closing, I think the point has been made: take your accounts and passwords seriously. Come up with a strategy for your passwords so you are ready the next time you need to create an account. Personally, I couldn’t survive without a password manager. Professionally, it keeps my colleagues and University data records safe.

For more fun reading on passwords:

Schneier on Security

How Big is Your Haystack?

Educause: Password Managers

The world’s most common passwords

Image credit: http://www.information-age.com
