A Password World
A Password World: a reader asks…
I am constantly losing the password to some website or another, or my email account, or some other online entity. I don’t like the idea of putting all my passwords in some password manager app (fear of it getting hacked), and it’s just so much work to keep writing them down on pieces of paper that get lost. Isn’t there a simpler, easier way? But I don’t want to get hacked…
Tough question. You want the benefits of using online resources in the digital world, but you don’t want to have to manage proving to the digital world that you are you. Welcome to our current state of affairs. There is a glimmer of hope coming, where all our access to the digital world will be authorized by something we are or have: a fingerprint, facial recognition, or some other biological or physical factor we use to prove our identity to someplace on the internet – aka “passwordless authentication”.
We started down this digital identity path with the simple username & password combo, which is still widely used today. It is inherently weak, as evidenced by all the hacking and scamming victims racked up every day. Over the last few years we layered on top of that two-factor authentication, which adds another step in the process of proving your identity. That too has inherent weaknesses. Over the last year or so, we’ve started moving toward this passwordless authentication future, with companies like Apple, Microsoft, Google and others offering this new type of authentication to actually replace the username/password (and two-factor authentication) method.
But it’s slow going. Part of what’s slowing this down is that each company wants to be “the method” used for everything, and our competitive business culture is very much against that. So you have Apple’s Passkey, Microsoft’s Authenticator app, and Google’s passkeys all vying to be your digital identity authenticator for the internet. Other companies are also fielding their own passwordless authentication services, and of course, no one service or app handles all your needs. Plus, passwordless authentication is very slowly rolling out and is insanely complicated to set up correctly. Likely most of the online organizations you deal with don’t yet support passwordless authentication, and rely on the tried and true username and password combo, sometimes with two-factor authentication on top of that.
So at this point in the development of the digital age, the answer to your question is no, there’s no easier, simpler way for you to prove your identity across the internet. Assuming you have a smartphone, I’d suggest you get started moving (partially) into the new passwordless future, while using something else to manage the vast majority of online destinations where you still need to use strong and unique passwords, along with two-factor authentication where available.
Working on the latter item first, I’d recommend you get over the distrust of password management apps. Yes, many or most have been hacked, but their very business model means that even they can’t decrypt your password ‘vault’ completely, so your login credentials are safe. Everyone you talk to who uses something will suggest to you what they use, and the various reviews online all have differing recommendations. If you don’t want to have to parse out all the plusses and minuses, you could simply take any one of these leading apps (and the last non-tech option):
- 1Password Individual (highest on my recommended list)
- Apple iCloud Keychain (for iPhone/Mac users)
- Bitwarden Premium
- Dashlane Premium
- LastPass Premium (now lowest on my recommended list)
- Physical ‘little black book’ of passwords (don’t lose it!)
This is just a partial alphabetical list, you can google “best password managers” and get links to these and more. I don’t recommend the free versions of any of these (except a trial of the paid version, or Apple’s which is part of your iCloud account). If you want to protect more than just your own digital life, they all offer family or team subscriptions. If you’re stuck at “too many choices”, I happen to use LastPass right now, but am transitioning to 1Password (I’m bothered by how badly LastPass handled their last hacking incident). Of course, if all you use are Apple devices (iPhone, iPad, Mac), then you’re likely already using Apple’s iCloud Keychain and there’s really no reason to switch to something else.
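The claim above that a breached vendor still can’t read your vault rests on one design: the vault is encrypted on your device with a key stretched from your master password, and the server only ever receives a separate login secret and an opaque blob. The sketch below is an added illustration, not any product’s code; the iteration count, labels, and the HMAC-based stand-in for AES-GCM are assumptions made so it runs with the Python standard library alone. It also shows the one residual risk a breach leaves: a guessable master password.

```python
import hashlib, hmac, os

# Assumed client-side work factor (not from the post); products pick their own.
ITERATIONS = 600_000

def derive_keys(master_password: str, email: str, iterations: int = ITERATIONS):
    """Client side: stretch the master password into two unrelated secrets.
    vault_key never leaves the device; auth_key is the only thing sent at login."""
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    # Domain separation: the login secret cannot be turned back into the vault key.
    auth_key = hmac.new(vault_key, b"login-authentication", "sha256").digest()
    return vault_key, auth_key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32))]  # ceil(length / 32) blocks
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for AES-GCM using only the standard library: HMAC-SHA256 counter-mode
    keystream, then an HMAC tag over nonce||ciphertext (encrypt-then-MAC)."""
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()

def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_enroll(auth_key: bytes, blob: bytes) -> dict:
    """Server side: keeps only a salted hash of the login secret and the opaque blob."""
    salt = os.urandom(16)
    return {"salt": salt, "auth_hash": hashlib.pbkdf2_hmac("sha256", auth_key, salt, 1),
            "vault_blob": blob}

def server_login(record: dict, presented_auth_key: bytes) -> bool:
    return hmac.compare_digest(record["auth_hash"], hashlib.pbkdf2_hmac("sha256", presented_auth_key, record["salt"], 1))

def master_is_guessable(record: dict, email: str, guesses, iterations: int = ITERATIONS) -> bool:
    """The residual risk after a server breach: every guess costs `iterations` PBKDF2
    rounds, so a weak master password is the one thing that undoes the design."""
    return any(server_login(record, derive_keys(g, email, iterations)[1]) for g in guesses)
```

Nothing in the server record (salt, login hash, blob) is the vault key, so a database dump alone yields ciphertext; the attacker’s only path is guessing the master password at full PBKDF2 cost per guess, which is why the master password, not the vendor’s breach history, decides whether your credentials stay safe.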
Notice that I don’t recommend using the password manager built into your web browser (Edge, Chrome, Firefox, etc.). My opinion is there are too many security risks associated with doing that, and too many restrictions on use. They are very convenient, but that convenience isn’t worth it in my opinion.
In addition to having a method of storing your digital credentials for proving your identity online, you’ll want to implement two-factor authentication wherever it’s offered. For that you can use the less-secure method of the entity texting you a code to enter, or the more-secure method of using an app. For the latter, there are many options (and more every day as companies jump into the space). Assuming you use a smartphone (iPhone or Android), I’d suggest you use the one that goes with your password manager of choice, if available. If they don’t have an authenticator app, you can use Microsoft Authenticator, Google Authenticator, or Authy. Apple’s keychain also has an authentication capability. Use an authenticator app for any online entity that supports two-factor authentication.
Once you’ve gotten that all set up, you can take a look at moving towards the passwordless future. If you have an iPhone, you’re ready to do this for everything Apple, and for any entity that supports the Apple Passkey method of passwordless authentication. Apple explains how to set up and use this with your iPhone in this support document, part of the iPhone User Guide. The built-in Apple iCloud keychain can not only store your login credentials (username/password) but also create Passkeys for the online entities that support it.
If you’re a big Microsoft 365 user, then you can add the Microsoft Authenticator app to your smartphone and remove your password from your Microsoft account. Microsoft’s support document tells you how to do this. Oh, and don’t think you can use the Apple Passkey for your Microsoft account; you have to use Microsoft’s.
If you’re a big Google user, then you can add Google Passkeys (read about how to do this on this Google Support document). Again, this method has limitations, works best in an all-Google environment, and is device-specific (meaning you have to set up a passkey on each device you use to access the digital entity). For those of us with smartphones and computers, this can be a hassle.
If the above sounds like a big mess, it is. You can of course choose not to try out this future until it matures. At some point, you’ll be forced to by the big players who’ve signed onto the FIDO Alliance (Apple, Alphabet, Microsoft & Google), as they replace the old username/password and two-factor authentication methods (with their inherent security vulnerabilities).
Does this mean you won’t be hacked? No. Hackers and scammers are constantly finding new ways to get past your online security. Most common methods include impersonating an authority or business, or using psychology to get you to trust the scammer and do things you wouldn’t ordinarily do, such as sending bitcoin or buying gift cards and giving them to the scammer. Don’t think you’ll fall for that? We are all susceptible regardless of our education or intelligence, so the best option is to not engage – don’t give the scammer a chance to talk you into something, you’re not as immune as you think you are.
This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount, or by mailing a check/cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!