All you need is Word or Excel (other word processing and spreadsheet programs are available!)

In my last blog post, I found another reason for not re-using passwords.

However, the problem a lot of my IT support clients complain of is that they just can’t keep track of multiple passwords and that that is a reason for re-using the same one or two. The complete solution is probably to use a password manager such as LastPass or Safe in Cloud, but this seems to be overkill for a lot of people and just seems to make the situation even more complicated. And one thing we do know about computer software is that if it is too complicated or difficult to use then people will not use it.

What we need, therefore, is something simple, readily to hand, and quick enough to use that it is not a horrendous chore to keep up to date.

To begin with, what is the data that we need to keep? My recommendation is that, every time you need to create a new account and password, you record the following information:

  • Today’s date – you may think that is superfluous, but it may help you decide which of two passwords is correct if you’ve written it down in two different places. Also, if you get locked out of your Google account, for instance, one of the questions they ask during the process of convincing them that it is, indeed, your account, is the date that you created the account.
  • The username on the account – this is probably, but not necessarily, an email address. And most of us have several of those. If you are having trouble getting into an account and you might have used one of three email accounts as the username and one of three passwords that you habitually re-use (!), then there are already nine combinations that you might have to try. Add the complexity of “was the first letter a capital?” and “did I add 99 at the end of the password?” and you are very quickly into the realms of thousands of possible combinations. Just write the username down as soon as an account is created and avoid all that grief.
  • The password – natch.
  • Other information – such as the web address of where you actually get into the account. Note that both Excel and Word will automatically create clickable links to web addresses that they find in any worksheet/document.

Whether you use a word processing document or a spreadsheet is just a matter of choice and I’ll leave the formatting of the document/worksheet to you. Personally I would use Excel and place one username/password combination on each row.

Now for the important point – you are strongly advised to password-protect your document/worksheet. This is how that’s done in Office 2016 (which is the same as Office 365):

The process is exactly the same in Word as in Excel except that Word refers to “documents” and Excel refers to “worksheets”:

  • Click on the “File” menu (top left of Word or Excel window)
  • Click on the box with “Protect Document” (or “Workbook”) written in
  • Click on “Encrypt with password”
  • Type your new password in the box provided and then click on “OK”
  • Type the same password again (to ensure that you typed the password as you intended)
  • Save your document/workbook by clicking on “Save” in the left sidebar

Of course, you could use other word processing or spreadsheet programs for this, but I do recommend that you use one in which you can password-protect your document/worksheet.

Are the days of the post-it note numbered? As far as passwords are concerned, they certainly should be.

Yes, I know I’m always banging on about passwords

The simple fact is that this issue causes more problems than any other for my IT support clients. Therefore, I can’t resist telling you about something that happened a few weeks ago that offers yet another reason why you really shouldn’t use passwords more than once.

I received a phone call from a client saying that she’d just had a nasty email from someone saying that they had managed to access her Mac and, to prove it, they told her the password to get into her Mac. The email said they had stolen contact information, personal files, etc. I won’t describe what they said they were going to do next, but the bottom line was that they wanted about £3000 not to go ahead and do it.

Luckily, my client is a level-headed person who knew that a lot of what they said couldn’t be true. However, she was still – quite rightly – concerned about the accessing of her computer and asked me what to do. Since I was completely tied up with another client at the time I couldn’t give it detailed thought at that moment, so I advised her to contact the police and her bank and that I’d get back to her later.

The police said that it was a scam (ie, there was no real threat – they were just trying to “con” money out of her as opposed to extorting it). However, the police didn’t tell her how it was done.

When I got a chance to look at the email itself later on, it seemed to me that absolutely everything in the email – except one fact – could be explained by saying that this was just a scam (that they were bluffing, lying, and hadn’t managed to get into her computer at all). The one inconvenient fact that didn’t fit this explanation was that they knew the Administrator’s password for her Mac. If they knew that, then there was a possibility that they could have accessed her Mac. That was why I had advised her to contact the police and her bank.

And then it struck me that the email address they used wasn’t her normal one, so maybe that was a clue. Maybe the combination of that email address and password had been used by her in another context and that that combination had become known to the bad person.

So, I checked to see if she had been “pwned”. This is when data is stolen in a data breach. You can check to see if your email address has been involved in a data breach by visiting “Have I Been Pwned?”. Sure enough, her email address and LinkedIn password had been stolen many years before in that organisation’s huge loss of data. Wikipedia says of that data breach:

The social networking website LinkedIn was hacked on June 5, 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals. Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident.

My client did seem to remember being told of that data breach and undoubtedly did as LinkedIn suggested and changed her password. I asked her if she knew what the old password was and she couldn’t remember. Crucially, though, she said that it COULD have been the same password that she is now using (or was using until a few weeks ago!) as the administrator’s password on her Mac. What is almost certain is that her email address, together with that password, are up for sale on the Dark Net.

So, we concluded that what had probably happened is that the putative blackmailer bought her email address and LinkedIn password (probably on the Dark Net) and then just emailed her, assuming that the password for her LinkedIn account was the same as the password for her Mac. And he was right, so the scam worked (up to a point – but he certainly didn’t get any money from her). He managed to mis-direct us into thinking that he’d gained access to her computer when, in fact, he hadn’t.

This scam can only work if people re-use passwords and if they don’t keep a record of what passwords they used, when, and for what. Had my client not re-used passwords, and had she kept such records, she would have been able to tell that the password he claimed was her Mac’s password, was, in fact, an old password stolen in a data breach and not related to her Mac at all. The whole thing would then have been immediately obvious as a scam.

I rest my case (for now).
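How the record recommended earlier on this page (date, username, password, where it is used) settles a case like this one, as an added example that is not part of the original post. It assumes the worksheet has been exported as CSV with the column names shown; all rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: the worksheet saved as CSV, one account per row.
# Column names, addresses and passwords are made up for this example.
SAMPLE_CSV = """date,username,password,where
2012-03-01,jane@example.org,Spain-2012,https://www.linkedin.example/login
2015-06-10,jane,Spain-2012,Mac administrator account
2016-01-20,jane@example.com,27Tomatoes?,https://shop.example/account
2017-09-05,jane@example.com,Fotheringay_1975,https://bank.example/logon
"""


def load_records(csv_text):
    """Parse the exported worksheet into a list of dicts, oldest first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return sorted(rows, key=lambda r: r["date"])   # ISO dates sort as text


def reused_passwords(records):
    """Map each password that appears on more than one row to its accounts."""
    by_password = defaultdict(list)
    for rec in records:
        by_password[rec["password"]].append(rec["where"])
    return {pw: places for pw, places in by_password.items() if len(places) > 1}


def where_used(records, claimed_password):
    """Every (date, account) on record for a password someone quotes at you."""
    return [(r["date"], r["where"]) for r in records
            if r["password"] == claimed_password]


def exposed_by_breach(records, breached_site):
    """Other accounts sharing a password with the breached one.

    breached_site is matched as a case-insensitive substring of the
    "where" column, e.g. the site name from a breach notification.
    """
    needle = breached_site.lower()
    leaked = {r["password"] for r in records if needle in r["where"].lower()}
    return [r["where"] for r in records
            if r["password"] in leaked and needle not in r["where"].lower()]


if __name__ == "__main__":
    records = load_records(SAMPLE_CSV)
    print("Re-used:", reused_passwords(records))
    print("Quoted password seen on:", where_used(records, "Spain-2012"))
    print("Change these after the breach:", exposed_by_breach(records, "linkedin"))
```

A password quoted in a threatening email that turns up against an old, breached account in `where_used` points to a leaked credential rather than access to the computer, and `exposed_by_breach` lists what still needs changing.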

Do you get hassled by your browser offering to save passwords?

All major browsers can be configured to save the username and password of your account at the website you have just accessed. That’s all very well if:

  • You don’t use a password manager (such as LastPass) to handle this for you and
  • You trust the browser to keep the information safe

If either of these conditions is untrue then you may prefer your browser to stop being so eager to help. Detailed below are the instructions for configuring the current versions of the major browsers.

One browser will quite happily display all your passwords without asking for any credentials at all. So, anyone accessing your computer can easily see these passwords. And which one is it? Firefox – see below.

Firefox

  • Click on Menu option (three horizontal bars at top right)
  • Click on “Options”
  • Click on “Security”
  • Untick “Remember login for sites”
  • Close the “options” tab (or the entire browser)

Note that, before closing Options, you can click on “Saved Logins” and then “Show Passwords” to display all the passwords you’ve asked Firefox to save for you. I can’t imagine why they make this so insecure.

Chrome

  • Click on Menu option (three dots at top right)
  • Click on “Settings”
  • Scroll down to “Advanced” and click on it
  • Scroll down further and, under the “passwords and forms” section, click the arrow to the right of “manage passwords” and slide the blue switch left to the “off” position
  • Close the “Settings” tab (or the entire browser)

Note that, a bit further down, there is a section called “Saved Passwords”. If you click the 3 dots to the right of a saved password then you can click on details. In the popup window, you can then click on the “eye” symbol to see the password. It will then ask you for your Windows password. This is the password you use to log on as a Windows user. It won’t accept a pin (even if that’s your normal logon method). I haven’t tested what happens if you sign on to your computer as a local user with no password.

Safari (on a Mac)

  • Click on the “Safari” menu option
  • Click on “Preferences”
  • Click on the “passwords” tab
  • Untick “Autofill user names and passwords”
  • Close the passwords window

Internet Explorer

  • Click on the Settings “cog wheel”
  • Click on “Internet Options”
  • Click on the “Content” tab
  • Click on “Settings” in the AutoComplete section
  • Untick “User names and passwords on forms”
  • Click on “OK” on each of the two open boxes

Note that there is an option “Manage Passwords”. Clicking on this (in Windows 10, anyway) will open Windows “Web Credentials”. You will need to supply your Windows user password to access the stored passwords.

Edge

  • Click on menu (3 horizontal dots)
  • Click on “Settings”
  • Scroll down and click on “View advanced settings”
  • Scroll down and slide the switch leftwards that is next to “offer to save passwords”
  • Click somewhere to the left of the “Settings” menu to close it

Do you have problems creating and remembering passwords?

There’s no doubt that the single biggest issue that my computer support clients ask for my help and advice with is passwords. In almost all cases, I cannot help retrieve lost passwords. All I can do is guide the client through the process of changing the password when it has been forgotten.

As we all know, this is not necessarily easy as you may be asked seemingly ridiculous questions to prove you are who you say you are. I’ve never had a pet, or a favourite film, or a favourite teacher, or any of those other things they ask, so I tend to make them up when I’m creating accounts and they insist I create answers to “security questions”. The trick, of course, is to WRITE THESE FAKE ANSWERS DOWN so that they can be checked if they’re ever needed.

To go back to the beginning of the process, I often see my clients getting a bit frustrated and flustered when creating passwords. Nowadays, most places that ask you to create a password insist that it conforms to something like this:

  • Minimum eight characters (a “character” is any typeable letter, number or symbol)
  • At least one upper case (capital) letter and one lower case (small) letter
  • At least one number (the digits 0-9)
  • At least one special character (eg any of !”£$%^&*()<>{}[]~#@’:;?/|\`)

So, a “legitimate” password might be “Charlie-99”. Another might be “27Tomatoes?”

The reasons for this complexity are very simple:

  • To prevent someone guessing your password
  • To prevent a computer program from trying all the possibilities until it “cracks” your password (or, more precisely, to make it unfeasible to crack your password by this “brute force” method by making it take a ridiculously long time for the program to hit on the right combination)

The reason that password requirements become more stringent as time goes on is quite simple. As computers become faster and more powerful, they are able to “crack” passwords of a given complexity with brute force attacks more and more quickly. And just so that your passwords remain adequate for a while to come, I recommend that you make them at least 12 characters long (and not the minimum of eight characters that is currently often stipulated).

Think of one of the passwords you use and then create a fake one of the same complexity. So, for instance, if your password is “Spain-2012”, you could create (for this test) a fake password of “Italy:1984”. This has the same number of upper and lower case letters, numbers, and special symbols.

Now open a web browser and go to this website – https://howsecureismypassword.net/

Where it says “ENTER PASSWORD”, type in the fake password you’ve just created. The website will then tell you just how long it would probably take a computer to “break” your fake password with a brute force attack. If your password had simply been “italy1984” it would probably take a computer about 42 minutes to crack it. That’s well within the bounds of possibility for someone with the right software who is determined to get into your account. Simply increasing the complexity by making the password “Italy:1984” increases the likely time to crack it to ten years!
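The arithmetic behind estimates like these, as an added example (not part of the original post, and not the website's own algorithm): the number of candidates is the alphabet size raised to the password length, divided by a guess rate. The rate of 4e10 guesses per second and the count of 33 special characters are assumptions, so the figure for “Italy:1984” differs from the site's.

```python
import string

# Assumption: attacker guess rate, picked so that "italy1984" comes out near
# the 42 minutes quoted above. It is not a figure published by the website.
GUESSES_PER_SECOND = 4e10

# Size of each character class an exhaustive search has to cover.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),      # 26
    "upper": len(string.ascii_uppercase),      # 26
    "digit": len(string.digits),               # 10
    "special": len(string.punctuation) + 1,    # 32 ASCII symbols + space (assumption)
}


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("special")   # anything else, including non-ASCII such as £
    return used


def meets_policy(password, min_length=8):
    """The typical rule listed above: length plus all four character classes."""
    return len(password) >= min_length and classes_used(password) == set(CLASS_SIZES)


def keyspace(password):
    """Number of candidates of this length over the classes the password uses."""
    alphabet = sum(CLASS_SIZES[name] for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate is tried before the right one is found."""
    return keyspace(password) / rate


def humanise(seconds):
    """Turn a duration in seconds into the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(passwords, min_length=8):
    """One row per password: (password, passes policy, estimated time)."""
    return [(p, meets_policy(p, min_length), humanise(seconds_to_exhaust(p)))
            for p in passwords]


if __name__ == "__main__":
    # Passwords taken from the examples in this post, plus one 12-character one.
    for row in report(["italy1984", "Italy:1984", "27Tomatoes?", "Italy:1984xy"]):
        print(row)
```

This models exhaustive search only. A password built from a dictionary word plus a year is found far sooner by guessing that tries common patterns first, so treat these times as upper bounds.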

OK, so I hope I’ve convinced you that passwords need to be increasingly long and complicated to do their job. How on earth are you going to remember them? Please, please, please do not use the same password for several accounts. Suppose a website where you use a particular password gets hacked and your username and password for that site are stolen. If you use that same combination of username and password for other accounts then you are wide open to having those accounts accessed as easily by someone else as if you had accessed the accounts yourself. This is made even more likely by the fact the “username” is usually your email address, so that is very likely to be the same for many accounts.

There are four ways that I know of that you can record passwords:

1) Remember them

That way insanity lies. I really do not advise this. Seriously. I am often with clients when they create a password and I gently advise them to write it down. “Oh no, I’ll remember that”, they retort. Well, you’ve got more brain-space than I have, then. Can you really remember which of the following you might have used:

Fotheringay-1973
1974fotheringay
Fotheringay_1975

There are 36 variations of the above three passwords that don’t use any different naming methodology or characters – eg fotheringay1973, Fotheringay:1973 etcetera almost ad nauseam

2) Use a method that will allow you to work out what your password must be for a particular site – eg “Tesco-2016”, “Amazon-2016”

This might seem very clever, but the easier it is for you to remember the method, the easier it would be for someone else to work it out – for all your passwords. Maybe not as brilliant an idea as it seemed at first.

3) Use a password manager

This is computer software that stores (and might also create) passwords for you. This is great as long as you always have access to that (password-protected) program and all the data it is holding. If you’ve only got it installed on one computer, if it’s not backed up, and if that computer has a catastrophic hard drive failure, then you are right royally stuffed (technical term). So, if you are thinking of using such a program then you need to make sure that you’ve got yourself covered against the computer/device being unavailable, the program becoming corrupt, your data file becoming corrupt, the software publisher not maintaining it such that it eventually becomes unusable.

4) Write them down

Yes, I know. Someone could steal them. Well, I put it to you that if you are burgled then the bad guy is looking to nick your TV to sell so that he can buy crack, rather than looking to steal your passwords. If you really believe that someone is likely to want to steal your little book of passwords and that they’re going to look in your sock drawer for it, then I suggest that either (a) you have something so desirable – and known – to the bad guys that you really should seek some professional security advice or (b) you are paranoid.

Over the years, I’ve seen just how much grief lost passwords can cause. I’ve never heard of any of my clients suffering any grief through having their sock drawer rifled through.

I’ve covered this topic many times in these blog posts. To see previous entries, just go to any web page at www.davidleonard.london and type “password” (without the quotes) into the “search” box

Following on from last week’s blog, how do you go about saving usernames and passwords for websites, and how do you go about seeing what has been saved in your browser?

All of the following instructions are for the latest version of the browser (as at 29/10/2015) when viewed on a Windows 10 PC. The exception is, of course, the Safari instructions. All instructions are for desktop/laptop machines.

Firefox v41.0.2

  • Click on the Menu button at the top right of the Firefox window (three horizontal lines representing, I suppose, a menu)
  • Click on the cog wheel (with “Options” written underneath)
  • Click on the padlock (representing Security) on the left sidebar
  • From here, you can tick or untick the box next to “Remember passwords for sites” and you can see the passwords you have saved by clicking on “Saved Passwords” and then clicking on “Show Passwords”

Note that, in Firefox, you can set a master password that grants/denies access to the saved passwords, but if you do set one Firefox asks you to enter it every time you open the browser – a bit of a pain.

Chrome v46.0.2490.71

  • Click on the Menu button at the top right of the Chrome window (three horizontal lines representing, I suppose, a menu)
  • Click on the “Settings” option
  • Scroll down to “advanced settings” and click on it
  • Scroll down to the section entitled “Passwords and forms”
  • Click in the box next to “Offer to save your web passwords”
  • To see your passwords, click on “Manage passwords”. Initially the passwords are represented by bullet points. Click on a password entry and then click the “show” button to see the password. You then need to enter the Windows password for the user that is logged in. This is the password for the Microsoft account of the logged-in user. I have no idea how Google Chrome is able to read your Microsoft password and I don’t know what happens if you are on a version of Windows that didn’t require a password for the user. Certainly, Windows 10 would not let me create another Windows user without supplying both an email address for that person and a password with which to log on.

Internet Explorer v11.0

  • To save passwords, just click on “Yes” when Internet Explorer offers to store a password that you have just typed in
  • To view saved passwords, carry out the following instructions:
    • Go to the windows Control Panel
    • Click to open the Credential Manager
    • Click on “Web Credentials”
    • Click on the entry that is of interest and then click on “show”
    • You will then need to enter the password of the currently logged-on Windows user.

Note: the above instructions for all three browsers are for Windows 10. I haven’t had time to check on previous versions of Windows.

Safari (on a Mac) v9.0.1

  • Click on the “Safari” menu option
  • Click on “Preferences”
  • Click on the “Passwords” tab
  • To see a password, click the box next to “show passwords for selected websites” and select the required site by clicking on its entry. You will need to enter the administrator’s password for the logged-in user.

I’m often asked by my computer support clients whether it is a good idea to let browsers save the logon credentials for websites

From the point of view of security, there are two types of threat to consider:

  • Anyone who has access to your computer might be able to use and/or steal your passwords. Only you can assess whether household members (or office colleagues, for that matter) pose a threat to your privacy and security.
  • The browser software could be hacked to reveal your passwords. I don’t, personally, know of anyone who has had this happen to them, but I have read several times on the internet that there is malware out there that can do it.

So, I can’t actually answer the question for you. I think it comes down to something we do all the time without even thinking about it – balance risk against convenience. If we wish to cross the road and we are on a quiet country lane then we are unlikely to walk 100 yards to the nearest pedestrian crossing. We might be prepared to walk much further than that for a safe crossing if it’s the Euston Road we are trying to negotiate.

I’d like to suggest a few questions that you might ask yourself to give you an idea of whether it is a good idea for you to save passwords in your browser:

  • Do you think that online banking is too risky? If so, I think your caution will probably extend to never letting browsers store passwords. Personally, I trust online banking and would hate to do without it but if I was cautious enough not to trust online banking then I certainly wouldn’t trust my browser to keep my secrets safe.
  • Would the consequences of someone finding a particular username and password combination be catastrophic? If so, it probably wouldn’t be wise to commit that specific password to your browser.
  • Do you tend (despite advice to the contrary) to use and re-use the same password(s) over and over again? If so, you must bear in mind the risk that discovery of one of your passwords could give someone access to other accounts. Committing even one username/password combination to your browser could expose many other accounts to being hacked.
  • Do you have children in the household? In my experience, households with children suffer far more from malware attacks than households without. I’m not blaming the children. I think it’s probably because the nasty scrotes that write malware know that children have less mature judgement than adults, less fear, a greater propensity to be led by others into visiting specific (dangerous) websites, a greater propensity to share online content (including malware) with each other, and so on. If your risk of catching ANY malware is increased, then it probably follows that the risk of catching malware that can find your passwords is increased.
  • Do you think that usernames and passwords give you a huge amount of grief in your online life? I know some people who seem to be able to remember an enormous number of combinations of usernames and passwords, whereas others can’t even remember their own phone number. If passwords give you a huge amount of grief then it might well be worth reducing the burden somewhat by getting your browser to remember some of the less important username/password combinations.

Quite often, when I have (annoyingly) answered the original question with “it depends….”, the client will then ask “what do YOU do about saving passwords online?”. The answer is that I use some software called LastPass to remember most of my online passwords, but I also record all my usernames/passwords somewhere else as well. I don’t use LastPass to remember the most important financial combinations. If you asked me to rationalise why I do what I do, I can’t. What I can say is that I think I balance risk against convenience in a way that seems to suit me. And when I see my clients struggling to find specific passwords, I often think that they would probably be better off by committing at least some of them to their browser for safe-keeping.

© 2011-2018 David Leonard