Do you have problems creating and remembering passwords?

There’s no doubt that the single biggest issue that my computer support clients ask for my help and advice with is passwords. In almost all cases, I cannot help retrieve lost passwords. All I can do is guide the client through the process of changing the password when it has been forgotten.

As we all know, this is not necessarily easy as you may be asked seemingly ridiculous questions to prove you are who you say you are. I’ve never had a pet, or a favourite film, or a favourite teacher, or any of those other things they ask, so I tend to make them up when I’m creating accounts and they insist I create answers to “security questions”. The trick, of course, is to WRITE THESE FAKE ANSWERS DOWN so that they can be checked if they’re ever needed.

To go back to the beginning of the process, I often see my clients getting a bit frustrated and flustered when creating passwords. Nowadays, most places that ask you to create a password insist that it conforms to something like this:

  • Minimum eight characters (a “character” is any typeable letter, number or symbol)
  • At least one upper case (capital) letter and one lower case (small) letter
  • At least one number (the digits 0-9)
  • At least one special character (eg any of !”£$%^&*()<>{}[]~#@’:;?/|\`)

So, a “legitimate” password might be “Charlie-99”. Another might be “27Tomatoes?”

The reasons for this complexity are very simple:

  • To prevent someone guessing your password
  • To prevent a computer program from trying all the possibilities until it “cracks” your password (or, more precisely, to make it unfeasible to crack your password by this “brute force” method by making it take a ridiculously long time for the program to hit on the right combination)

The reason that password requirements become more stringent as time goes on is quite simple. As computers become faster and more powerful, they are able to “crack” passwords of a given complexity with brute force attacks more and more quickly. And just so that your passwords remain adequate for a while to come, I recommend that you make them at least 12 characters long (and not the minimum of eight characters that is currently often stipulated).

Think of one of the passwords you use and then create a fake one of the same complexity. So, for instance, if your password is “Spain-2012”, you could create (for this test) a fake password of “Italy:1984”. This has the same number of upper and lower case letters, numbers, and special symbols.

Now open a web browser and go to this website – https://howsecureismypassword.net/

Where it says “ENTER PASSWORD”, type in the fake password you’ve just created. The website will then tell you just how long it would probably take a computer to “break” your fake password with a brute force attack. If your password had simply been “italy1984” it would probably take a computer about 42 minutes to crack it. That’s well within the bounds of possibility for someone with the right software who is determined to get into your account. Simply increasing the complexity by making the password “Italy:1984” increases the likely time to crack it to ten years!
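An added example (not from the original post or from the website it mentions): a Python check of the four rules listed earlier, plus a rough count of how many candidates a brute-force search would have to try for a given password. The character-class sizes and the guess rate are assumptions, so the times it prints will not match the website's figures.

```python
# Added example: the post's four complexity rules plus a brute-force keyspace estimate.
import string

# Assumed class sizes for printable ASCII; anything that is not an ASCII
# letter or digit (including the post's "£") is counted as "special".
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}

# Assumption for illustration only; real attack rates vary enormously.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def char_class(ch):
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "special"


def classes_used(password):
    return {char_class(ch) for ch in password}


def policy_failures(password, min_length=8):
    """List which of the post's rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    used = classes_used(password)
    for name in ("upper", "lower", "digit", "special"):
        if name not in used:
            failures.append(f"no {name} character")
    return failures


def keyspace(password):
    """Candidates an exhaustive search over the classes actually used must cover."""
    alphabet = sum(CLASS_SIZES[name] for name in classes_used(password))
    return alphabet ** len(password)


def worst_case_years(password, rate=ASSUMED_GUESSES_PER_SECOND):
    return keyspace(password) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("italy1984", "Italy:1984", "Charlie-99", "27Tomatoes?"):
        print(pw, policy_failures(pw), keyspace(pw), f"{worst_case_years(pw):.3g} years")
```

The count only models trying every combination; passwords built from a word plus a year are usually guessed far sooner by dictionary-based tools, which this estimate does not model.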

OK, so I hope I’ve convinced you that passwords need to be increasingly long and complicated to do their job. How on earth are you going to remember them? Please, please, please do not use the same password for several accounts. Suppose a website where you use a particular password gets hacked and your username and password for that site are stolen. If you use that same combination of username and password for other accounts then you are wide open to having those accounts accessed as easily by someone else as if you had accessed the accounts yourself. This is made even more likely by the fact the “username” is usually your email address, so that is very likely to be the same for many accounts.

There are four ways that I know of that you can record passwords:

1) Remember them

That way insanity lies. I really do not advise this. Seriously. I am often with clients when they create a password and I gently advise them to write it down. “Oh no, I’ll remember that”, they retort. Well, you’ve got more brain-space than I have, then. Can you really remember which of the following you might have used:

Fotheringay-1973
1974fotheringay
Fotheringay_1975

There are 36 variations of the above three passwords that don’t use any different naming methodology or characters – eg fotheringay1973, Fotheringay:1973 etcetera almost ad nauseam.

2) Use a method that will allow you to work out what your password must be for a particular site – eg “Tesco-2016”, “Amazon-2016”

This might seem very clever, but the easier it is for you to remember the method, the easier it would be for someone else to work it out – for all your passwords. Maybe not as brilliant an idea as it seemed at first.

3) Use a password manager

This is computer software that stores (and might also create) passwords for you. This is great as long as you always have access to that (password-protected) program and all the data it is holding. If you’ve only got it installed on one computer, if it’s not backed up, and if that computer has a catastrophic hard drive failure, then you are right royally stuffed (technical term). So, if you are thinking of using such a program then you need to make sure that you’ve got yourself covered against the computer/device being unavailable, the program becoming corrupt, your data file becoming corrupt, or the software publisher not maintaining it such that it eventually becomes unusable.

4) Write them down

Yes, I know. Someone could steal them. Well, I put it to you that if you are burgled then the bad guy is looking to nick your TV to sell so that he can buy crack, rather than looking to steal your passwords. If you really believe that someone is likely to want to steal your little book of passwords and that they’re going to look in your sock drawer for it, then I suggest that either (a) you have something so desirable – and known – to the bad guys that you really should seek some professional security advice or (b) you are paranoid.

Over the years, I’ve seen just how much grief lost passwords can cause. I’ve never heard of any of my clients suffering any grief through having their sock drawer rifled through.

I’ve covered this topic many times in these blog posts. To see previous entries, just go to any web page at www.davidleonard.london and type “password” (without the quotes) into the “search” box

Following on from last week’s blog, how do you go about saving usernames and passwords for websites, and how do you go about seeing what has been saved in your browser?

All of the following instructions are for the latest version of the browser (as at 29/10/2015) when viewed on a Windows 10 PC. The exception is, of course, the Safari instructions. All instructions are for desktop/laptop machines.

Firefox v41.0.2

  • Click on the Menu button at the top right of the Firefox window (three horizontal lines representing, I suppose, a menu)
  • Click on the cog wheel (with “Options” written underneath)
  • Click on the padlock (representing Security) on the left sidebar
  • From here, you can tick or untick the box next to “Remember passwords for sites” and you can see the passwords you have saved by clicking on “Saved Passwords” and then clicking on “Show Passwords”

Note that, in Firefox, you can set a master password that grants/denies access to the saved passwords, but if you do set one Firefox asks you to enter it every time you open the browser – a bit of a pain.

Chrome v46.0.2490.71

  • Click on the Menu button at the top right of the Chrome window (three horizontal lines representing, I suppose, a menu)
  • Click on the “Settings” option
  • Scroll down to “advanced settings” and click on it
  • Scroll down to the section entitled “Passwords and forms”
  • Click in the box next to “Offer to save your web passwords”
  • To see your passwords, click on “Manage passwords”. Initially the passwords are represented by bullet points. Click on a password entry and then click the “show” button to see the password. You then need to enter the Windows password for the user that is logged in. This is the password for the Microsoft account of the logged-in user. I have no idea how Google Chrome is able to read your Microsoft password and I don’t know what happens if you are on a version of Windows that didn’t require a password for the user. Certainly, Windows 10 would not let me create another Windows user without supplying both an email address for that person and a password with which to log on.

Internet Explorer v11.0

  • To save passwords, just click on “Yes” when Internet Explorer offers to store a password that you have just typed in
  • To view saved passwords, carry out the following instructions:
    • Go to the Windows Control Panel
    • Click to open the Credential Manager
    • Click on “Web Credentials”
    • Click on the entry that is of interest and then click on “show”
    • You will then need to enter the password of the currently logged-on Windows user.

Note: the above instructions for all three browsers are for Windows 10. I haven’t had time to check on previous versions of Windows.

Safari (on a Mac) v9.0.1

  • Click on the “Safari” menu option
  • Click on “Preferences”
  • Click on the “Passwords” tab
  • To see a password, click the box next to “show passwords for selected websites” and select the required site by clicking on its entry. You will need to enter the administrator’s password for the logged-in user.

I’m often asked by my computer support clients whether it is a good idea to let browsers save the logon credentials for websites.

From the point of view of security, there are two types of threat to consider:

  • Anyone who has access to your computer might be able to use and/or steal your passwords. Only you can assess whether household members (or office colleagues, for that matter) pose a threat to your privacy and security.
  • The browser software could be hacked to reveal your passwords. I don’t, personally, know of anyone who has had this happen to them, but I have read several times on the internet that there is malware out there that can do it.

So, I can’t actually answer the question for you. I think it comes down to something we do all the time without even thinking about it – balance risk against convenience. If we wish to cross the road and we are on a quiet country lane then we are unlikely to walk 100 yards to the nearest pedestrian crossing. We might be prepared to walk much further than that for a safe crossing if it’s the Euston Road we are trying to negotiate.

I’d like to suggest a few questions that you might ask yourself to give you an idea of whether it is a good idea for you to save passwords in your browser:

  • Do you think that online banking is too risky? If so, I think your caution will probably extend to never letting browsers store passwords. Personally, I trust online banking and would hate to do without it but if I was cautious enough not to trust online banking then I certainly wouldn’t trust my browser to keep my secrets safe.
  • Would the consequences of someone finding a particular username and password combination be catastrophic? If so, it probably wouldn’t be wise to commit that specific password to your browser.
  • Do you tend (despite advice to the contrary) to use and re-use the same password(s) over and over again? If so, you must bear in mind the risk that discovery of one of your passwords could give someone access to other accounts. Committing even one username/password combination to your browser could expose many other accounts to being hacked.
  • Do you have children in the household? In my experience, households with children suffer far more from malware attacks than households without. I’m not blaming the children. I think it’s probably because the nasty scrotes that write malware know that children have less mature judgement than adults, less fear, a greater propensity to be led by others into visiting specific (dangerous) websites, a greater propensity to share online content (including malware) with each other, and so on. If your risk of catching ANY malware is increased, then it probably follows that the risk of catching malware that can find your passwords is increased.
  • Do you think that usernames and passwords give you a huge amount of grief in your online life? I know some people who seem to be able to remember an enormous number of combinations of usernames and passwords, whereas others can’t even remember their own phone number. If passwords give you a huge amount of grief then it might well be worth reducing the burden somewhat by getting your browser to remember some of the less important username/password combinations.

Quite often, when I have (annoyingly) answered the original question with “it depends….”, the client will then ask “what do YOU do about saving passwords online?”. The answer is that I use some software called LastPass to remember most of my online passwords, but I also record all my usernames/passwords somewhere else as well. I don’t use LastPass to remember the most important financial combinations. If you asked me to rationalise why I do what I do, I can’t. What I can say is that I think I balance risk against convenience in a way that seems to suit me. And when I see my clients struggling to find specific passwords, I often think that they would probably be better off by committing at least some of them to their browser for safe-keeping.

© 2011-2015 David Leonard