Password Shorts
Password Shorts: a reader asks…
Hey Coach, I’m unhappy. My work won’t let me use ‘unauthorized’ programs like LastPass on my company-issued smartphone and computer, and they make me change passwords every 90 days. Can you give me some ammo to get them to change their stupid policy and let me get in the 21st century with password management? At this point I’m writing down the passwords on a piece of paper I keep in my wallet.
Corporate America (and the world) is still pretty behind the times when it comes to computer and online security. That’s because they don’t realize that instituting good password creation policies (making them impossible to remember) and stringent password change policies (making you change them often) results in a normal human response (writing the darn things down) which negates the intended effects of the policies. So let me give you this set of arguments that explain how it’s very risky to keep employees from using 21st century tools to deal with 21st century problems like password management.
Hackers are moving big-time into big data. That means that for every person, a database of records exists and is being fleshed out. Everything known about you online is in that database, including a lot that you probably don’t realize. Hackers scan social media, public records, and every corner of the internet for snippets of information about you – and dump that into a data file somewhere. There’s a brisk black-market trade for that information going on out of sight of most of us, and your information is bought and sold. The fact is that personal privacy no longer exists, and most of the information about you that you would consider private really isn’t. Your dog’s name, mother-in-law’s birthday, favorite foods and places, and pretty much anything you’ve said or shared over social media or email (which for the most part flies across the internet unencrypted) is being cataloged into a profile of you. And yes, hackers are doing this to all of us – modern automated bots and scripts handle the heavy lifting, and the hacker just builds and refines those tools (and sells them to other hackers).
Short of using 2-factor authentication, good password practices involve these requirements:
- using enough characters: any password under 9 characters can now be broken quickly by brute force (trying every possible combination of letters, numbers and other characters). Commonly available processing power really is that powerful. Current thinking is that 13 characters is the absolute minimum for any password, and I’m betting that within 2 years even 15 characters won’t be enough. So I’m suggesting to everyone that any password they use should now be 15-21 characters long.
- using enough variety of characters: passwords that only use letters, or only use numbers are trivial to crack. Somewhat harder are those that use both – but that’s still pretty easy for master crackers. You really need to use both upper and lower-case letters, numbers and other type-able characters (just look on your keyboard for characters you can type using the Shift key) – these are all needed to make a good password.
- being unguessable: using words from pretty much any language makes for an easily guessable password, even if you swap a character for a number, add numbers, or string several words together. Hackers use ‘dictionary’ attacks, which try every word in a list along with all the common substitutions and combinations of them. My old standby recommendation (to use a mnemonic, as in this tip) is still OK.
- being unique: using the same password in more than one online place reflects being out of touch with the current reality. The chance that any online entity will be hacked and your password scooped up is 100%, and with that information added to your hacker’s profile of you, they will of course try out that same password elsewhere. So you can never use the same password twice, without risking every online account that uses it.
The kicker is that you have to follow all four of these guidelines for good password practice. Neglect even one of them and you risk everything. Hackers are working diligently to refine their algorithms, malware, scripts and bots to get past every attempt by you or your company to protect their or your data.
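As an added illustration of the four requirements above (not code from the original column), here is a small Python checker that tests a candidate password for length, character variety, dictionary words (after undoing the usual letter-for-number swaps) and reuse, plus a generator that produces a random 15-21 character password from all four character classes. The wordlist and the set of previously used passwords are constructed sample data; a real check would load a large leaked-password corpus.

```python
import math
import secrets
import string

# The column's recommended range: 15-21 characters.
MIN_LENGTH = 15
MAX_LENGTH = 21

# Constructed, deliberately tiny wordlist standing in for the dictionaries a
# cracker would use (hypothetical sample data, not from the original page).
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Letter-for-digit/symbol swaps that dictionary attacks routinely undo.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# The four character classes a password should draw from.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def character_classes(pw):
    """Return the set of character classes actually present in pw."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in pw)}


def contains_dictionary_word(pw):
    """True if a wordlist entry survives once common substitutions are reversed."""
    normalised = pw.lower().translate(LEET_MAP)
    letters_only = "".join(c for c in normalised if c.isalpha())
    return any(word in letters_only for word in DICTIONARY)


def evaluate(pw, used_before=frozenset()):
    """Map each of the four requirements to True (met) or False (not met)."""
    return {
        "long_enough": len(pw) >= MIN_LENGTH,
        "varied": len(character_classes(pw)) == len(CHARSETS),
        "unguessable": not contains_dictionary_word(pw),
        "unique": pw not in used_before,
    }


def is_acceptable(pw, used_before=frozenset()):
    """All four requirements must hold; neglecting one fails the check."""
    return all(evaluate(pw, used_before).values())


def entropy_bits(pw):
    """Rough keyspace estimate: length * log2(alphabet size) for the classes present."""
    size = sum(len(CHARSETS[c]) for c in character_classes(pw))
    return len(pw) * math.log2(size) if size else 0.0


def generate(length=20, used_before=frozenset()):
    """Generate a random password from all four classes that passes every check."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    alphabet = "".join(CHARSETS.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # A random draw can, rarely, miss a class or contain a word; just redraw.
        if is_acceptable(candidate, used_before):
            return candidate


if __name__ == "__main__":
    for sample in ("Dr4g0n2024!", "xK9#vQ2$mL7&wP4!zR", generate()):
        print(f"{sample!r:30} {evaluate(sample)}  ~{entropy_bits(sample):.0f} bits")
```

The `entropy_bits` figure is the number the brute-force argument turns on: every extra character multiplies the search space by the alphabet size, which is why length matters more than any single clever substitution.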
There is no way a human can manage the above password requirements unaided. At best you could commit perhaps one password to memory, but most people need some type of memory aid, like the aforementioned mnemonic, to remember a password without writing it down. The fourth requirement, uniqueness, is the real kicker: you probably have anywhere from a half-dozen to hundreds of online destinations that require a password: your email account, your bank, your credit card company, each shopping site you visit, and so on. Some plucky netizens keep their passwords in a spreadsheet, which works but is a lot of work to maintain.
Fortunately, we now have powerful, purpose-built password managers like LastPass or 1Password that can manage all this mess for us. By the way, LastPass gets its name from being the last password you’ll have to memorize, and even that’s now less of an issue if your smartphone and web browser can remember it for you. But I recommend you come up with a really long password (perhaps using a mnemonic) to secure your password manager account, and memorize that. Don’t let your web browser remember it for you. If your smartphone has a fingerprint sensor, you could secure access to the app using that, or just depend on the smartphone’s main passcode to keep anyone who stole your phone from getting into your password manager. You should also turn on 2-factor authentication to further protect your password manager. That can be as simple as the app sending you a text message with a code you need to gain access, as well as the password.
My message to the corporate world is: wake up and smell the coffee! Forbidding an employee from using a good password manager is just plain stupid. You are inviting hackers to crack into your company and steal everything. So stop. Now.
This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount, or by mailing a check/cash to PosiTek.net LLC, 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!