The State of Passwords in 2019

Passwords have been in the news a lot lately, mostly due to various breaches at an assortment of online service providers.

I want to briefly touch on four topics:

  • Best practices: what makes a good password
  • Storage strategies: how to securely keep track of it all
  • Two-factor authentication: protection against breaches
  • The possible death of the password as a security identifier

Is Changing My Password Enough?

I regularly hear from people who’ve had their email or other online account compromised, are able to recover access to it, and change their password, only to have the account stolen again almost immediately.

The problem is simple, but the solution is a bit of work.

First, you have to realize that while someone else has access to your account, they have access to everything related to that account.

As a result, changing your password just isn’t enough. You need to do more.

Do I Need a New Email Address if Mine’s Involved in a Breach?

My email address was in one of the breaches we keep hearing about. Is that address still safe to use? Should I get a new email address?

There’s no need to get a new address just because your email account was part of a breach — as long as you can still log in to your account.

There are steps you should take, but that’s not one of them.

If you can’t log in to your email account any more, though, you may have no other choice.

Password Checkup: A Recommended Chrome Browser Extension

Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.

A service like Have I Been Pwned? is a great start, particularly its Pwned Passwords feature, which lets you know if your account, or a password you use, has been discovered in a breach. You can get notifications when your email address turns up in a breach, but when it comes to passwords, it’s still a manual process.

That’s where Password Checkup comes in.

Why ANY Two-Factor Is Better than No Two-Factor at All

This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:

  • An exploit kit was published allowing a phishing attack to hijack a two-factor secured login.
  • Various media declared, “Two-factor has been hacked!”

Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”

No. Just … no. That’s a seriously mistaken conclusion.

I’m re-visiting this topic yet again because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.

How Can I Use a Password Manager for My Security Questions?

How do password managers handle random security questions? I’ve never seen this mentioned in any of the articles that I have read. Am I still going to have to maintain a readily available list of security question answers?

Not surprisingly, password managers are all about passwords. More specifically, they’re about automatically saving and entering your username and password when you need to log in. When it comes to security questions, often also referred to as “secret questions” — well, that’s just not their job.

But that doesn’t mean they can’t help.

I’ve Lost All My Passwords, What Do I Do?

Do you have a general technique for creating new passwords for every single site that needs them? Yes, I did the unthinkable, I lost my LastPass account and have to start over. This is a reminder of the old saying, “When you have dug yourself into a deep hole, stop digging.” Unfortunately, I was stupid enough to keep digging. I hope you can spare some advice for someone who seems to get more stupid with age. There may be others on your list that have the same problem.

The technique is simple.

The problem is that the technique is time-consuming and ponderous.

Let’s review that technique, and what you can do to avoid this situation in the future.

How Do Websites Store Passwords Securely?

In reading your excellent article, “How Can a Hacker Try All Possible Passwords If Systems Block the Login Attempts?” I still don’t understand. Even if a hacker has stolen the user database of logins and hashes, how can they duplicate the method of hash creation used by any particular website? I would think different websites would use different hash creation formulas.

You would think.

That’s what makes it so frustrating when these attacks end up being successful.

The problem is that security is often an afterthought. In fact, it’s often not thought of in any deep sense until after a successful attack.

The good news is, there’s something simple you can do about it.

How Do I Back Up LastPass?

I’ve long recommended password managers like Roboform and LastPass to keep track of passwords for all online accounts. Besides offering an incredible level of convenience, these tools give you a greater level of security by making it practical to use truly long and complex passwords and generate different ones for every site.

But, as with all things relating to security, there are risks.

For example, what happens if you forget your LastPass master password? Master passwords cannot be recovered. While there are a couple of options that might regain access to your password vault, the worst-case scenario is that you lose the vault  — and everything in it — forever.

Not to keep beating the same old drum, but the best solution is very simple.

Back up.

Enable Two-Factor Authentication in LastPass

Two-factor (or multi-factor) authentication is one of the most reliable ways to secure an account from being hacked. With two-factor authentication enabled, hackers can’t log in to your account, even if they know the password.

LastPass is a utility used to store and remember your login credentials. Using a tool like LastPass makes you more secure by creating long, complex passwords you don’t need to remember, because LastPass remembers them for you.

The most common concern about password vaults is this: what if someone, somehow, gets the master password to your LastPass vault? While extremely unlikely, the cost of failure is pretty high: that person would have access to every account stored in your LastPass vault.

That’s why I recommend adding two-factor authentication to your LastPass account.

Why Do Password-strength Meters Give Different Results?

There are some websites that determine how strong a password is. I tried to compare two of them. [One said that my 20-character example] password can be hacked in 16 billion years. [Another] says the same password can be hacked in 3 seconds. What a joke it is. In your opinion, what site might be a reliable password checker?

From a purely algorithmic, or mathematical, perspective, cracking passwords is a fascinating problem.

From a user’s perspective, however, it’s not that fascinating at all. In fact, it’s downright frustrating. One of the best examples of that frustration is the scenario you outline: one site’s “great” password might be considered horribly insecure by another.

What’s a user to do?

My recommendation? Create strong passwords that don’t need a password-strength meter at all.

Why Can’t I Just Use One Password Everywhere?

Can you use the same password for everything you need one for? Having a lot of different ones is really hard to remember, to the point that I have had to write each one down.

Yes, you can use the same password everywhere, but I really, really, don’t recommend it. The general consensus is that it significantly increases the risk of your accounts being compromised.

There are several approaches to password management that don’t require using one password everywhere, and also don’t require you to remember dozens, if not hundreds, of different passwords.

Why SMS Two-Factor Is Better than No Two-Factor at All

In recent weeks, there have been reports of flaws in the SMS (text messaging) protocols that allow attackers to essentially hijack SMS two-factor authentication for accounts they’ve targeted.

This is causing many people to avoid two-factor authentication altogether when SMS is the only option available.

I believe that’s a serious mistake. SMS-based two-factor authentication is still better than no two-factor authentication at all.

Are Password Managers Safe?

Recently I tried to use RoboForm for an account at a large financial institution, but I couldn’t get it to work. In response to my inquiry, this institution said they do not permit logging in using credentials that are stored in software, because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use tools like RoboForm?

Some believe using password managers represents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.

Not-so-technically, I strongly believe they are seriously misguided.

Using a password manager is significantly safer than the alternatives.

Two-Factor Authentication Keeps the Hackers Out

We rely on passwords to protect our online world. At the same time, hackers seem to be getting better at deciphering them.

In response, security folks created something called “two-factor” or “multi-factor” authentication.

It’s something I strongly suggest you understand and consider using.

Two-factor authentication relies on two different types of information, both of which must be correct in order to confirm your identity.

Why Is It So Important to Use a Different Password on Every Site?

I keep hearing that I’m supposed to use a different password on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password, why isn’t that enough?

The hacks of several online services have brought this issue to light once again.

I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.

And yes, you must devise a way to manage them all.

Let me run down an example scenario that’s causing all of this emphasis on multiple different passwords.

Possible LastPass Phishing Vulnerability

News broke over the weekend about an approach to a phishing attack that could fool you into giving a hacker your LastPass credentials, even bypassing two-factor authentication. It’s not yet been seen in the wild, but code has been made available, so I’d expect it to start appearing.

Quick bottom line

If you get a message from LastPass that your session has timed out and you need to log in again, don’t. Instead, I recommend you close your browser, re-open your browser, and log in using the LastPass icon on the browser’s menu bar.

How Long Should a Password Be?

For a long time, the common thinking was that the best, most practical passwords consisted of a random combination of upper and lower-case letters, numbers, and a special character or two. If so composed, password length needed to be only eight characters.

Randomness remains important, but as it turns out, size matters more.

A password today should have a minimum of 12 characters, and ideally, 16 or even more.

How do I change my LastPass master password?

As I write this, the folks at LastPass recently announced that they saw unexplained traffic on their network and could potentially have seen some of their internal data compromised. It’s important to note that no user accounts have been hacked, and no unencrypted user account information has been compromised.

However, to err on the side of caution, they are recommending that we all change our master passwords.

Here’s how you do that.

Is a Periodic Password Change a Good Thing?

I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.

Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.

Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.

Do you have a view on how to build such a good routine?

As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available – at least not in a convenient form.

But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.

I disagree.

The Easily-avoidable Risk of Two-factor Authentication

I’m a very strong believer in using two-factor authentication for important online accounts. For example, I rely heavily on Gmail and I have it protected using Google’s two-factor authentication option. Even if they somehow got my password, a hacker still wouldn’t be able to get in.

Two-factor authentication (often referred to as multi-factor authentication, 2FA, or MFA) adds the requirement of “something you have” to “something you know” in order to log in to an online service.

You’re already familiar with something you know: that’s a password. Something you have might be a mobile phone capable of receiving a text message, an authenticator application running on a mobile device, a dedicated key fob, or even a specialized USB device. Two-factor authentication simply means that you provide not only a password, but you must also prove that you have the second factor in your possession. If you don’t, you can’t log in even if you know the password.

Neither can hackers – and that’s the point.

Failing to prepare for loss of that second factor, however, is an easily overlooked, yet easily avoidable risk of two-factor authentication. The risk? Losing access to that important account … forever.

How do I disable remembered passwords in my browser?

Please describe how you disable the “remember password” feature in browsers. And how to clear previously remembered passwords, as well.

That was a comment posted on my article How Safe Is it to Let My Browser Save My Passwords?, where I essentially discouraged the use of browsers’ built-in password-saving features in favor of utilities like LastPass.

Fair enough. Let me show you how in Internet Explorer, Firefox and Google Chrome.

How Safe Is it to Let My Browser Save My Passwords?

I’ve got a quick question concerning saved usernames/passwords in browsers. Whenever you visit a website and need to log in, you’ll be asked (depending on your browser settings) if you’d like to “save” the username/password information to make future logins easier. If you choose to do so, is this username/password information made visible to anyone who has compromised your computer when you access the website in the future? Since the fields are already filled in for you, you don’t actually need to type in anything.

The short answer is yes – if you’re not careful, anyone who walks up to your computer can access those websites as you, or perhaps even walk away with a copy of all your usernames and passwords.

There are actually several important issues around letting your browser – or any utility for that matter – save your passwords. Particularly when we advocate using multiple complex and different passwords for different sites, it’s not only important to use these types of features to keep it all straight, but to use them properly so as not to expose yourself to security issues should your machine ever be compromised.

I’ll review how these features work, and how to use them safely.

Why Is It Important to Have Different Passwords on Different Accounts?

Is it safe to have the same password for all of my email accounts? If one has an account in Yahoo! mail, Gmail, rediff mail, etc., and sets the same password for all of them, will it be easier for a hacker or phisher to find out about it?

Using different passwords is much safer than using one password everywhere. In fact I’ll say it’s critical these days.

Why?

Because hackers know that most people don’t take the trouble to set that up.

And they know that we typically have more than one account.

Why Can’t Online Services Tell Me What My Password Is?

Why can’t an online service like Gmail or Hotmail or any of the others, just tell me what my password is rather than forcing me to reset it all the time? I mean, they have to know what it is anyway so that they can check that I’ve entered it in correctly. Right?

Believe it or not, online services don’t necessarily know your password.

Some services actually can tell you your password, and that’s a really, really bad thing. Among other things, it calls into question that service’s understanding of security.

Why are sites making it difficult for password managers?

Following your advice, I use a password manager so I can use long, secure passwords and simply copy-paste into websites. Recently, however, it seems more sites use a technology that prevents this. The temptation now is to use shorter passwords, making them less secure so copying and typing them is easier. Why are sites doing this?

I haven’t seen a site that actually prevents pasting a password in the Password field, but I definitely have seen sites that either intentionally or unintentionally make password managers more difficult to use.

It’s backwards thinking, if you ask me.

Is a Long Password of Repeating Characters Good or Not?

In a recent newsletter, you answered someone’s question about passwords. I didn’t understand your answer. Could you clarify with an outright, direct, plain, clear answer? The person was asking about passwords, an idea he had, and would it just be safer to use repeating letters as passwords? I couldn’t understand if you were saying it was good and safer as it was harder to hack with hacking software or just the opposite. I don’t understand the explanation about how hacking software works and I don’t need to. Just the answer to that question about a series of same letters would be sufficient enough for me to know what would be good to do or not to do.

As direct, plain, and clear as I can be, the answer is no, you should not use a password that is a single repeating character.

In my defense, the answer really isn’t that simple or that easy. It actually does require a little bit of thought. The problem is that it’s a very complex topic. And there aren’t always simple yes-or-no answers.

What If a Password is Limited to only 8 Characters?

I installed a new, supposedly very good Buffalo WZR-D 1800H router. It will not accept more than 8 characters for a router password. Because of your articles and others, it doesn’t seem as secure as it should be. Is there any way to add more characters to the password? It just stops accepting characters after the 8th entry.

Unfortunately, the answer to the question you ask is no.

If a device or a website or anything that requests a password is limiting you to only 8 characters, then there is really nothing you can do to somehow increase that limit. It’s a hard-coded limitation of the software involved.

The real question then becomes: what do you do instead?

And that, in turn, depends on your application.

How Do I Create a Windows 7 Password Reset Disk, and Why Would I Want To?

Since the day that password protection was invented, users (and the people that help them) have been dealing with the “lost password problem.” You know how it goes; you or someone you know can’t log in to their account because they can’t recall their password.

Take it from me, it happens. A lot.

For a long time – at least since Windows XP and probably before – Windows has included the ability to create a password reset disk that you can use in cases where you’ve forgotten your Windows login password.

There are a few prerequisites to using this tool. The most important one is you must create the disk before you actually need it.

What’s a Good Password?

I told my friend my password, and she said it was a really bad one. What does it mean to have a “bad” password? And what’s a “good” one, then?

You told someone else your password? Yikes! I’ve seen more accounts get stolen by that one simple act than by any other single cause. I sure hope you know what you’re doing – most people that have told a friend their password have come to regret it.

So what’s a bad password? One that someone could easily guess.

A good password? One that’s hard to guess, of course.

The problem is that people are way better guessers than you think. And it gets worse if the guesser starts using a computer to do the “guessing” for them.