The madness of Passwords

I don’t pretend to be a computer expert but I am now being driven mad by demands for my ‘password’ from companies with whom I have done business for years. I have noted that these have developed since the Facebook scandal some months ago about ‘account security’.
I have further noted that all these demands carry the necessary (compulsory) agreement that my details will be made available to third parties ‘in the interests of providing me with a more specific internet experience’ or weasel words to that effect.

Now I am not a fool, and know there is nothing for nothing in this world, BUT far from offering even the same experience as before, I now get a WORSE experience than before, including a frustrating non contact with my own account. Biggest offender by far for me has been Amazon, and their subsidiary CreateSpace through whom I have published many books. Now they won’t let me access my own account without my password, which they don’t accept and now tell me they will send a code which never arrives!
Awesome Books is another demanding my password when I wish to order a book which I have ordered and paid for through PayPal. I have pointed out that if I go to a bookshop I do not have to provide a password to purchase an item, and there is no advantage in having a password anyway as I can order separately and quicker as a ‘guest’. Anyway their products never get delivered either for some reason.

I now have a list of passwords of which more than 50% are no longer accepted. Am I alone in this?

2 Likes

Consider a password product such as LastPass.

2 Likes

Years ago my father arrived at work to be met with the ‘you must change your password’ message. Not being the most patient of men he entered the new password ‘bastard’ only to be met with: This password is already taken.

2 Likes

Up-vote for Mat - though I prefer Keypass.

https://xkcd.com/936/ is worth a look too!

2 Likes

More like didn’t meet the password check rules - which is fair enough as it is a terribly weak password.

I do however have a special place reserved in hell for sites which have rules on password length, mix of characters etc and then reject a password without telling you why or even bothering to publish the rules a password must meet to be deemed acceptable.

1 Like
1 Like

Well as my dad is 88 this was in the years before complicated passwords. At least 30 years ago.
Up until I left the NHS hospital where I worked as a lab technician almost 3 years ago I had a colleague who just changed her password by one character every 3 months. Some of the younger lads would try to guess other staff’s passwords, often with great success, and it was usually passwords belonging to senior members of staff!

2 Likes

At work I have, in addition to my Windows user password, passwords to several different systems and outside agencies. All with their own rules and, importantly, their own expiry interval so it is difficult to impossible to have the same password across all systems. It is not surprising that some staff have one password and a “generation” number on the end.

3 Likes

It’s supposed to be all about ‘security’ though isn’t it? Can’t think that these would confound a codebreaker or a hacker for more than about five minutes.
But the ones that really drive me crazy are the ones that send me an email and then ask (order) me to prove who I am when I reply!!!

1 Like

Let me throw my 2 cents in considering that I spent a good deal of time in my career in the IT security field.

1: Passwords are, unfortunately, an ugly fact of life. Personally I recommend (and prefer) what is referred to as a pass phrase - in other words, an entire sentence of sorts. Ideally something you can remember; the XKCD comic that was linked pretty much explains it all.

2: Get yourself a good password manager (or have good memory); most password managers out there are available on multiple devices so it’s easy to share. Alternatively, if you use Chrome, let Chrome do it.

3: On important accounts, think about enabling 2 factor authentication. The ideal type is one where you have to use an Authenticator app on your mobile that generates 6 digit time based codes (also known as TOTP - Time based One-Time Password) - you have to punch that in after logging in.

4: Register your email on https://haveibeenpwned.com/ and be informed if it appears in any data breaches. On that note, also run your passwords through Have I Been Pwned: Pwned Passwords - if they show up, change them. Everywhere.

There’s a literal ton more I could write about this but I’ll just keep it 2-centish for now :slight_smile:

4 Likes

Nothing is free, so what’s the catch?

I don’t like password managers personally and all this will fade away as biometrics take over, so for now I’m happy with two factor for one’s few sensitive accounts, banking etc., and any old guff for the myriad of others that don’t really matter. Already HSBC telephone banking uses one’s voice print for example and Applepay uses face recognition. It’s all going to get easier IMO.

Problem with biometrics is that it’s not foolproof either. Regarding password managers, you could always write them down in a little black book - yes, everyone will scream about oh-my-god don’t write down passwords, but it’s not inherently bad. Leaving them where anyone can see them, that’s the problem :wink:

Also the reason I suggested a password manager (that I forgot to put in my post) is that ideally you use a different password for every account, re-using passwords is bad™ because generally speaking if any combination of username/email + password gets leaked, people will start seeing what other services they could access with that set of credentials. Using a different password for everything makes sure that a leak on one side doesn’t lead to grief on the other :slight_smile:

A few side notes: Applepay’s face recognition can be fooled by a picture of your face - which would be relatively easy to obtain. Voice print recognition is also not a silver bullet - it has to allow for enough variation to work when you have a cold, this means that someone who sounds a lot like you can probably fool it as well. I know it’s a contrived example and ridiculously far-fetched, but the point remains that biometric security is good, but they’re not foolproof.

1 Like
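On checking whether a password has already leaked, as recommended earlier in the thread with Pwned Passwords: an added example, not part of any post here, of that service's range lookup, in which only the first five hex characters of the password's SHA-1 leave your machine and the match is done locally. The leaked list, its counts and the `fake_range` stand-in are constructed so the block runs offline; `fetch_live` shows the real endpoint and is not called.

```python
import hashlib
import urllib.request

def split_hash(password: str):
    """SHA-1 the password and split it into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in breaches (0 = not found).

    fetch_range(prefix) must return the range response body: one
    'SUFFIX:COUNT' line per leaked hash that starts with that prefix.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:          # comparison happens locally
            return int(count)
    return 0

def fetch_live(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (needs network)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample data: made-up counts, not real breach statistics.
LEAKED = {"password123": 1200, "letmein": 300}
SENT = []                                        # everything "sent" to the service

def fake_range(prefix: str) -> str:
    """Offline stand-in for the service, answering from LEAKED."""
    SENT.append(prefix)
    lines = ["0" * 35 + ":1"]                    # unrelated padding entry
    for pw, n in LEAKED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("password123", "Gnarly-constructed-phrase-7"):
        print(pw, "->", breach_count(pw, fake_range))
    print("data that left the machine:", SENT)
```
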

Can’t particularly see one John though nothing is 100% safe, and it’s probably better than writing them down in a book. Might even try one myself.

Not sure what you mean by that.

It’s fairly easy to come up with a password which is a) memorable and b) secure.

The most secure would be a totally random string of characters - probably at least 10, say hy*eD%2@Bq - but you aren’t going to remember that. This is what some of the password managers do however - they generate and remember the passwords for you.

You can go the whole xkcd thing but that tends to produce overlong strings (and some systems disallow passwords over a certain length, or truncate the text) so just using two dictionary words glued together with some special chars or numerals is OK for all but the most sensitive needs. Make it amusing for easier recall.

For example - Gnarly£womBat32! or Sneaky*sauSage65.

Not much can protect you from bulk downloads from insecure systems which store passwords in plain text (should never happen but does) or sites which use a weak cryptographic hash to encode them (but this can be mitigated by having a decently long password) - not even completely random passwords will do that.

About five or six years ago Chris, when my password spreadsheet started to get a bit long, I bought 1Password, which had excellent reviews. It works across platforms so you have all your passwords on all your devices all the time but I got a bit scared of having really impenetrable, random passwords for all my accounts generated by the app and then forgetting the master password. I might look at trying it selectively because the spreadsheet is ridiculously long now.

True, nothing is foolproof. I password protect my password spreadsheet as did my late wife. When she passed away suddenly I couldn’t figure out which of her favourite passwords she’d used to encrypt it. I downloaded a free bit of software that ran for a few days and finally came up with the answer, which was the one I should have thought of in the first place :roll_eyes:

Ours are all written down and with long passwords with random characters it has become apparent that we don’t always write them down correctly…irritating when you need to log on to something.

I’ve been really happy with Keeper for some time now.

I have a massive problem with Amazon too and trying to get a password reset…so much so that I’ve given up trying to order from them…x :slight_smile:

This really makes me laugh…x :smiley:

5 Likes