Passwords have been in the news a lot lately, mostly due to various breaches at an assortment of online service providers.
I want to briefly touch on four topics:
- Best practices: what makes a good password
- Storage strategies: how to securely keep track of it all
- Two-factor authentication: protection against breaches
- The possible death of the password as an security identifier
Become a Patron of Ask Leo! and go ad-free!
The definition of “good password” has changed
It used to be that eight random characters was considered a secure password. That’s no longer true; 12 characters is the minimum. I use 20 characters when possible.
Random characters are considered best. But — and this is often not well understood — length is more important than complexity.
Increasing the length, even by just a character or two, exponentially increases the time needed to crack a password. While the password “password” is horrid, “1234 password 1234” isn’t that bad, being many orders of magnitude more difficult to crack (or guess).
Just as important as using strong passwords is that you never, ever, use the same password for more than one purpose. When passwords are discovered, hackers absolutely try them across the various services they’re attempting to hack into.
Use technology to remember and enable
With completely random characters as the gold standard, this leaves us with lots of unique, long passwords that are impossible to remember.
For 99% of all users, password vaults are the solution. Tools like LastPass, Roboform, 1Password, KeePass, and others collect, retain, and often enter your login credentials for you. They all strongly encrypt your collection of passwords and require that you authenticate with a master password in order to gain access.
The biggest objection I hear is, “What if the vault provider gets hacked — doesn’t the hacker now have access to all of your accounts?” The answer is simply, strongly, and emphatically NO.
LastPass, for example, stores your passwords as extremely well-encrypted data that even they do not have access to. Your data is only decrypted on your device(s), and only when you provide the correct passphrase. In the case of some of the other vaults, by default the encrypted database isn’t kept online at all, and must be accessible to you, often in the form of a USB thumbdrive you carry with you.
There is always risk for any solution you choose, but the risk of someone gaining access to your vault pales in comparison to the risks associated with using weak passwords or re-using passwords across multiple sites. Put another way, password vaults allow you to give every account its own unique, long, strong password that you don’t have to remember (or type, in most cases).
Protection against breaches
Even if I were to tell you my banking ID and password, you would still not be able to log in to my account. That’s because of something called “two-factor authentication”.
When I log in to that account for the first time on a new computer (or after clearing cookies) my bank sends me a text message with a code I must enter. That proves I am in possession of my second factor: my mobile phone.
Another approach uses an application that displays a cryptographically synchronized number associated with your account that changes every 30 seconds. Entering the number proves that you are in possession of the device running that application. There are also hardware devices such as the YubiKey. It’s is a USB device that, when inserted, provides cryptographically synchronized information, proving you’re in possession of the key.
If long and strong passwords are the gold standard, two-factor authentication is the platinum standard. Even if your passwords are discovered, hackers still can’t get in. I can’t recommend it highly enough for accounts that support it.
The (slow) death of the password?
We’ve gone from one factor (a password, or something you know) to two (adding proof of something you have). Now we’re seeing some services drop back to using only that second factor.
This could be the first step in the death of the password.
One example is accounts where you log in by providing only your email address. They then send an email with a link that, when clicked, logs you in. Your ability to access your email account and click that link proves you are who you say you are.
More recently, some providers are pairing up with apps on mobile devices. For instance, I recently logged into my Microsoft account on my PC by providing only my email address, at which point a notification popped up on my phone via a Microsoft app installed there. Authorizing that notification with a single tap completed the login on my PC.
My ability to respond to that notification on that device proved it was in my possession of it, and that I must be who I said I was.
I expect more progress in this arena. Password-based log-in is, after all, upwards of half-a-century old technology.
But until then, long, strong, and unique is the order of the day.
And use a password vault to make all that possible.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Download (right-click, Save-As) (Duration: 6:27 — 3.0MB)
Subscribe: Apple Podcasts | RSS
32 comments on “The State of Passwords in 2019”
I have considered going to a password vault. Something that I have wondered about is how Lastpass works on the same account across several devices; phone, tablet and laptop. Another concern has to do with two factor authentication when you live or travel out of the country. A lot of accounts accept only US cell numbers. And this includes major banks.
Well, I can say it does work — well — across multiple devices. I have it on multiple computers, as well as on my (android) phone. Quite helpful.
Lastpass has many two-factor options that don’t require phone access. As for other service’s two-factor, I agree it can be a concern, but many also have additional backup alternatives that can be used, if they’ve been put into place before leaving.
When I am abroad (I usually am), I always have my telephone number from my home country active for this purpose. My bank sends an sms message when necessary.
problem with two factor for me is most of them only work
with a mobile device. if you only have a landline you`re SOL.
they demand a cell phone number. marketing ploy? Hmmmm
Hardly. More like inertia. Make sure to check the offering carefully. Many actually do offer multiple two-factor methods, and some even include landline. Often these other methods are difficult to find, as they really prefer the simplicity of SMS when it’s used.
Leo, I migrated to LassPass couple years ago now. There was a learning curve, at least for myself and there are still aspects I have difficulty with. So I quickly learned to just use what I needed and what was relevant to me and worked. It has made my day to day internet activity much easier and less stressful. I also have an Android phone and it sync’s very well with the LastPass app. However, it is quite difficult to log into many of the sites I use without copy/past UID and password into the fields. LP is open and I’m logged in but it will not populate the site, For instance Amazon, PayPall and my Credit Union to name a few. What am I missing? When I go to the LP website looking for answers I just get more confused. At a young 69 I feel quite silly asking for help, I should be good at this stuff by now!
You’re not missing anything. Lastpass’s job (and in fact the job of any password vault) is to try and figure out how every website takes passwords. While there are a few semi-standard ways, there are many that are not and they have to figure it out, often without the help of the site designer. What’s worse is that websites keep changing, so what worked for Lastpass one week may not work once the site is updated. What’s even worse is that some sites specifically disallow or try to break password vaults due to some inaccurate belief that what they’re doing instead is more secure.
I have to copy/paste from Lastpass often. It’s not you. It’s that Lastpass is always playing a game of “catch up” trying to figure out how each site wants the password entered.
I am from a VERy old school of computer use. I have found it very difficult using a cell phone. May be I am using the wrong phone or carrier. So—I am not cell phone literate. I have been lucky so far as I have not had scamming issues. I know I have been lucky but I am VERY careful where I go on the internet.
My question is there is are there other options to password security? I do have a landline and when I seldom use my cell phone the reception is very bad, usually only one line of reception.
I know I am very behind but I would appreciate any and all suggestions
Yes I am a senior, over 80.
There are sometimes other options, but exactly what’s available depends on the service you’re talking about. Some have more, some have only passwords. It’s always evolving.
I am not the best person on a computer but I have a password on everything all different and I have Lastpass should I have sent them all my passwords or do they add and make a list as I use them. I do not have “two-factor authentication”. I am not sure of how to do it correctly, do you have to use a phone #?
Pretty dumb aren’t I?
Hoping for some answers.
I do have Lastpass collect my passwords as I login to sites, so that the next time I visit that site Lastpass can do it for me (or at least offer to). Two factor depends on the specific site — it’s different for each. Check with the important sites you use, like your bank or maybe your primary email, and follow their instructions for setting up two-factor.
I don’t have have mobile access at my home, as is the case for probably millions of people. Sometimes, such as an update, etc, a text number is required to continue. Unless there is a voice text by land line option, I am out of luck untill I can get to a location with cell service. Microsoft is one such site. Although I am aware there are ways to have SMS calls to a computer, I haven’t been able to get that working yet. It appears that those of us who live outside of high population areas are just not inportant enough to be served. I don’t expect you to have a solution that I can use. I am just venting.
Crystal-clear explanation of app-based 2FA, of a quality I’ve never read before :
“An application that displays a cryptographically synchronized number associated with your account that changes every 30 seconds.”
Disagreeing categorically :
“One example is accounts where you log in by providing only your email address. They then send an email with a link that, when clicked, logs you in.”
Whaaat ? This is absolutely rotten security. If your email account was hacked, you’re toast.
About the disappearance of passwords :
A FIDO 2 hardware key theoretically allows passwordless, single-factor strong authentication. It just needs to be implemented by websites.
And finally a question :
Are there any cloud-based password managers that allow easy, safe local backup of the password database ? I trust the way Kee Pass allows me to keep control on the backups of my passwords. Just leaving that to some cloud service makes me nervous.
You can backup Lastpass: https://askleo.com/how-do-i-back-up-lastpass/
I’m sure most have approaches (though it’s one reason I left Roboform — no easy export at the time.)
Another option is to make a printout of all your passwords and periodically update it. Needless to say, you should keep it in a safe place. But should you become disabled a spouse, family member or friend can at least access any essential information. If you use LastPass this is accessible under “Account Options”, “Advanced”.
Hi, here in the UK I recently logged into my online tax account. They have a new system, “My voice is my password “ I had to repeat the phrase several times and apparently that’s it. Do you have any views on it? I assume if the stuffy old tax department thinks it’s fine then it is! Certainly cuts out all those problems you’re talking about.
I’m … skeptical. For many reasons actually. One of them being that I’ve rarely considered (any) government a leading edge when it comes to new, innovative, and truly secure solutions.
One feature of the username – password access method is that it works on any internet connection, even awful ones, using a single piece of hardware. That makes it a pretty reliable method, even if less secure.
Methods using multiple access methods depend on having (usually) a second device and/or a second connection. A common one – 2-factor – requires both a phone AND access from the provider’s website through a voice/SMS connection. The latter is not always the available. with more pieces that can fail, 2-facto and other multiple access security methods are less reliable overall.
I very recently was locked out of my bank accounts due to 2-factor authentication while traveling in not-even-close-to-third-world Holland. As a precaution, I had contacted the bank, turned off 2-factor, and tested to be sure it was turned off – all before leaving USA. Once in Holland, the bank would not process 2-factor authentication over my own cell phone using a locally procured SIM card. They did not provide any alternate method to verify who I was. The bank explained that they stopped allowing 2-factor to be turned off. To authorize my phone in Holland, I had to return to USA (or my phone had to return to USA) and verify the Holland SIM card as being an access method I authorized. They did (after I returned to USA and proved who I was using my cell phone with my USA SIM card) acknowledge the difficulty, apologize and reverse the fees they had charged as a result of refusing me access to my accounts over the 2 weeks. This was a large Canadian based bank, so you’d think they would have the foreign travel thing worked out.
The lesson is that as systems get more sophisticated, they get less reliable, so be sure to have fall backs. I now deal with 2 banks (a definite inconvenience) that have different 2 factor authentication systems and procedures. Hopefully one will work in the future.
Does anyone still offer prepaid travelers checks?
Two factor itself does not require a second connection. For example google authenticator is an app that runs on your phone, which can be completely offline, and still works. Similarly many services allow you to pre-print a set of security codes that can be taken along. Again, no connection, or even device, required. It all boils down to the types of two-factor supported by the service you’re using.
I used to use my name as my user ID, but eventually decided that that user ID could work as part of a two-part password, assuming that the host system would reject a login attempt with a correct password if the user ID were incorrect. With that in mind, I have switched my user IDs to a long, easily remembered, ID specific to each account. I use a unique beginning (say, QQ#9), an account identifier (CapitalOne) and a unique padded ending (quickbrownfox). That way I can always remember my user ID even if I do not have access to my password list. For instance, QQ#9WellsFargoquickbrownfox. I do the same with my passwords, so that they are all long but easily remembered. This last one might be RR$8WellsFargonowisthetime2019. I have added one more item, a random sequence for each password so that even if someone were to come into possession of the plaintext version of one of my passwords he would not be able to crib it into another one (as he could with the above example). However, I have not been able to find any information on the vulnerability of user IDs. Is it worth the effort to essentially encrypt one’s user ID?
Burton B Haviland…
Instead of using your actual cell phone number, you can get a free Google Voice phone number and use that number for SMS messages to your computer from websites. I’ve been doing this for years and it works great. You can login to Google Voice on your computer or phone to see the SMS messages you receive. It’s pretty simple to set up too.
One thing I really like is that I can keep my actual cell phone number private from these websites. Bonus!
I have found that using RoboForm on my mobile is spotty at best. For commonly-used used sites I have been relying on easily remembered password sentences. Are these long strings, with no spaces, easily hacked or is this good?
How about a made-up word combined with an old phone number?
Those all sounds fine. Length matters most.
I use 24 character passwords which would be really hard to remember and I guess I’m too “Old school” and because I suffer from “CRS” syndrome, I have a hard-copy file folder that lists all the names, logins, passwords and security questions of all companies that I do business with. I keep it locked up in my desk at home. The desk was made in 1937 from solid walnut. There are just my spouse and me that live in our home and after 31 years can probably trust one another! LOL
I have 2 bank accounts in Germany. Originally, they sent out T.A.N. (Transaction authorization number) lists with 100 one-time passwords which they would ask for when you made a transfer or other transaction. About a year ago, one switched over to SMS as a second factor. Last week my other bank switched to a TANtoGo smartphone app which I prefer because I can use it no matter which country I’m in. It seem, they can’t trust people to keep their TAN lists secure. I used to scan and OCR it and encrypt the list.
What about auto fill passwords on iPhone?
What about it? What’s your question?
Do you consider the auto fill option on an iPhone a good option for keeping passwords. I think that it is similar to a password vault and since it was not mentioned in your article was wondering if – in your opinion- it is a good option for keeping passwords.
I’m not terribly well versed in the iPhone/iPad universe, but my experience, and the opinions of others, would lead me to say that yes, the iPhone vault is likely very safe.
A simple way to create an extremely secure password that most people can remember is create a sentence similar to the following.
June 24 Sharon and Bob bought 6 pounds of Apples at 3 % discount for $5.00 and 7 pounds of Grapes at 8% discount for $9.00 at Gracies Market
Resulting Password > J2S&Bb6poA@3%d4$5&7poG@8%d4$9@GM
Or = J2S& Bb6p oA@3 %d4$ 5&7p oG@8 %d4$ 9@GM (32 characters)
The sentence can be much shorter. However as Leo states longer is better.
Personally I believe all of the following are too risky to use the internet. Banking online is too risky and i also would never have an account access to Social Security, utility bills or any personal bills like credit cards or hospital / medical bills. Anyone of them if hacked has all your total identification information.
contained in their records. I use an unlisted telephone and “Never” give any company my Cell Phone number.
Passwords are fine. However, another way around good passwords, the security questions as a backup if you do not remember your password.
Favorite Pet: Fido
Favorite Color: blue
Favorite car: Ford
These are simple and in a conversation may be revealed as was the case for a family member.
Since I use a password manager, the following would be what you might find for me:
Favorite Pet: rogqndari
Favorite Color: wkwuwxvjt
Favorite car: uwtacohez
The password manager is used to generate random characters. Obviously, I cannot remember and the response cannot be tricked out in a conversation. My belief is that the security software only wants characters that can be matched to the requested input.
I use 2-part passwords, in the form ‘AB’. ‘A’ is a phrase known only to me, which I use in every password, and which is all I have to memorize. ‘B’ is another phrase that is unique to each password, and which can reference the site/service that password is for, e.g. ‘bank’ for my bank password,which would therefore be ‘Abank’. I have all the ‘B’s written down, for convenience, but not ‘A’. Therefore, even if a hacker gains possession of my ‘B’ list, it is of no use to him.
I agree that 2-factor authentication is good, and should be use more often.
I am not in favour of biometric IDs, i.e. face, fingerprint, retina print or voice. I a password is compromised, you can easily change the password. If your biometric ID is compromised, you can’t change your body!