Passkeys Not There…Yet

Passkeys hold a lot of promise in eliminating passwords. They rely on an electronic handshake to allow your device to access a secure website, and many password managers claim to link to passkeys. They’re getting there, but they’re not there yet.

A major hurdle right now is that not all websites recognize the passkeys from password managers. Sometimes, recognition depends on the device. Since most of us have fairly new cell phones, our phones usually have the ability to work with facial recognition, which is a form of a passkey. Older devices may not have the ability to work with this type of technology.

We suspect the move to newer computers – especially as Microsoft ends support for Windows 11 – and the need for better security will speed the drive to make more devices capable of using passkeys.

Why are passkeys secure? They eliminate the need to enter usernames and passwords, both of which are stored on the website you’re trying to access. We know the problems with usernames and passwords: they can be stolen by hackers from the website or your device, they can be forgotten, and we can make them less effective by using simple passwords multiple times so we don’t forget them.

Passkey information is stored on the website and in your device. They are not the same info; they rely on the handshake – sort of like two spies who each know what they need to hear in a phrase. On your device, the most common passkey information is a biometric (facial recognition or fingerprint) or a PIN (personal identification number). Because they are device specific, the system relies on you having your device when you log into the website.

When you combine a passkey with some form of 2FA (two factor authentication), you’re using an access method that has proven reliably secure up to now. Many of the leading password manager programs, such as Dashlane, 1 Password and Bitwarden, can create and store passkeys for you, and both Apple and Android can store their passkeys locally and access them using the keychain app on mobile devices.

Even if you can’t use the passkey with your password manager, you’re still ahead. Remember, with a password manager, you only need to remember a single master password. You can let the password manager generate a long, complex password for each website. That password should be immune from guesses based on any of your personal information.

More websites, too, are using passkeys instead of the username/password duo. As the websites use them more, you will have easier access to more websites, but that comes with a caution. The websites will need to tighten their security, too, to prevent more sophisticated hijackers from getting info from their sites. One of their hacks is to hijack cookies. You can help prevent that by not clicking on “Accept” when the cookie dialog box pops up. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window.

To expand the conversation about the internet and security, you can apply the same security measures to any device in your office or home that uses the internet or a Wi-Fi network. Printer manufacturers such as HP have created anti-hacking steps, such as entering a PIN, to gain access to the information stored in a printer.

We can help you install and configure password managers and set up effective passkeys and other security measures. Call us – 973-433-6676 – or email us to talk about it.

Password Sharing

Yes, we should guard our passwords like gold bars in Fort Knox. But at the same time, it’s prudent for individuals to ensure trusted people have access to their accounts. We discussed it before, but it’s worth doing it again, especially when it can prevent more heartache with the death of a loved one or a catastrophic event.

Password problems crop up all the time for both commercial and individual clients. They can be annoying, especially when spouses or kids constantly forget passwords, sending you on a hunt. They can be disruptive, especially when an employee leaves and you need to change passwords for accounts they used for your business. They can be downright heart-rending, especially when you need to handle the affairs of family members or friends who have become incapacitated or have passed away.

That last group of problems takes on particular urgency because you’re out there alone. There’s nobody to help you know what to look for and where to find it – especially while you’re working in a highly emotional atmosphere.

All these problems are avoidable, with or without technological solutions.

Unfortunately, we learned about the non-tech side of it when our friend committed suicide. In his deep depression, he knew his family would be devastated. Yet he had the presence to leave detailed information about what his survivors would need to close his affairs and carry on with their lives. It probably made things easier, though nobody involved could know how much while dealing with their grief.

Because we depend on website access to manage just about every aspect of our personal and professional lives, a trusted person or small group of people must have complete information for all usernames and passwords. The info can be on a list that’s printed out or written in a notebook and stored in a safe place. Most of you probably have a fireproof storage box or a safe for important documents such as birth certificates or passports anyway. There’s nothing wrong with hard copies.

However, we can’t emphasize strongly enough that you can set up a password manager with a family-and-friends feature that solves just about all password and web-based account access problems. You only need to remember one strong master password to access all your websites. We like Dashlane for its reliability and ease of use, but it’s not the only one. And regardless of whether it’s for personal/family use or business, certain principles still apply.

Here’s what to look for:

  1. The ability to work across multiple devices and platforms. Everyone depends on being able to use computers, phones, tablets, and even smart watches seamlessly. Many people use Windows, Apple, and Android systems individually and in corporate networks. Your password manager must be able to work on all devices and platforms.
  2. Facial recognition. We believe this is the most efficient biometric for speed and security, especially when you’re on the go and using a mobile device. In some cases, you don’t even need your master password. That’s a great convenience.
  3. The ability to share passwords with a family-and-friends capability or a corporate plan. Whether it’s another annoying request from a family member or a critical request from a business associate who needs instant access, you can find the password they need and give it to them. It can also make it much easier to oversee the affairs of loved ones when necessary.

We look forward to the day when biometrics or some other technology will eliminate the need for passwords. When that day comes, all of our information will be more secure, and easier to access our websites and online accounts. Until that day comes, a password manager is your best bet to handle everyday online life and emergencies.

We can help you select the password manager that best meets your needs, and we can help you configure an individual plan or a multi-user plan. Call us – 973-433-6676 – or email us to discuss your needs or for configuration help.

Old Security Habits Never Die; They Should

We still seem to see the same bad security habits we’ve always seen. Now, they involve PINs as well as passwords. Here are some bad habits you need to break.

The first bad habit has to do with keeping track of passwords and PINs (Personal Identification Numbers). We’ve discussed passwords ad nauseam, and the problems we find with them are they’re either forgotten, left in places where anyone can see them, used repeatedly, or made so simple that they’re easy to crack.

If you habitually run across any of these problems, you need to seriously think about how you can make your password system stronger. Some of the suggestions we’ve offered include making your passwords long and using a system that lets you vary one or two keystrokes or a word or phrase to keep them different. The system helps you remember your passwords – or at least the ones you use the most or ones you need while away from your computer. In creating your passwords, you’re better off using a longer password instead of a shorter complex one. Longer passwords make it more difficult for hacking software to figure it out.

A related issue is those security questions. Don’t give real answers that involve information in public records. Somebody can easily see where you’ve lived, where you went to school, etc. They can probably find out what your first car was.

PINs are meant to solve most of the issues, but they can run into that “forgetful” problem, too. An additional problem with PINs is that when you change devices, you need to reset the PIN. Again, that can be a real problem if you don’t remember the PIN you used.

Some people use their browser or a feature on their phones to save passwords. The danger there is that those passwords can be easily stolen, especially if you happen to visit a “phishing website,” one that has the look and feel of a legitimate website. When we feel rushed or stressed about things going on in life, we’re more susceptible to clicking one of those links or making a typing mistake. The owners of “phishing websites” typically have website domains related to common typing mistakes – although some companies have those sites, too, to make sure you can reach them. The old habit to break here is to take a deep breath when you’re online to make sure click on a legitimate link or type a domain name correctly.

Rather than use a browser or phone password saver, we recommend you a password manager. Dashlane and Last Pass are two that are well known, but using any manager gives you stronger protection. You’ll need to set aside time to get your password manager properly configured and to enter all the passwords you want to protect. The process includes setting up a master password that gives you access to the electronic vault where all your passwords are stored. The key to success is never, ever forgetting that password or giving it to anyone except one or two trusted people.

Credit card numbers can be hacked, too. A couple of our clients had their numbers stolen, and although they changed passwords, they still wondered what else might be broken in their system.

We can help you with security breaches. We take the time to look closely at your system to see how each change you might make – changing passwords or adding a password manager – will affect you. Our analogy here is to the new kitchen that we’re getting. As we change the room and add things like electrical outlets or lighting fixtures, we have to open holes in our walls and ceiling, and we don’t know what’s there until we get them open. It’s the same with your tech system. Without looking at everything, we can’t tell how one change will affect your system.

Call us – 973-433-6676 – or email us to discuss your needs and do the appropriate patching, including installing and configuring a password manager.

Password123 and Other Common-Sense Anomalies

We continue to be amazed at the utter lack of common sense some people have when choosing strong passwords. Even if you satisfy all the algorithms for an allegedly strong password (upper- and lower-case letters, numerals and special characters), you may leave hints that make all too easy to crack it. Here are some factors to be aware of.

We believe the most important thing anyone has to understand is that nobody – absolutely nobody – is not on the internet. Obviously, you’re an online regular if you’re reading this, but even somebody who has never owned a computer or has paid for everything only in cash has an online profile. Birth certificates, census reports and immigration records from over 100 years ago are available online. Have you ever seen a security question (not one you’ve chosen and answered falsely) that asks about an old, old address of yours or a sibling?

Based on all the available information about you, it defies my logical definition of common sense to know why an attorney uses lawyer123 – or even lawyer123! – as a password. If you promote your profession or business on a website and somebody wants to crack your personal info, they’ll likely try using your profession – with 1234 and a special character.

Use common sense as well as technology’s tools to both make your life convenient and more secure. You can start with a password manager, such as Dashlane, which requires you to know only one really strong, difficult-to-crack password. You use that password to use the password manager, and the program generates random passwords that have no connection to you, your hometown or your first pet.

When you use a GPS system to go someplace, are you always aware of your surroundings in case something just doesn’t look or feel right? Common sense should tell you that you might not be in the right neighborhood or that the system’s algorithms are telling you to make a left turn where you can’t or to go the wrong way on a one-way street. Technology is an imperfect tool. It’s up to you to make sure you have the latest version of your technological tool, which we hope will have fewer imperfections.

Common sense will be society’s best defense in combating the way technology can spread disinformation and misinformation. This is not a political statement. Disinformation and misinformation have been used since before the printing press, but today’s technology makes it much easier to create and distribute words and images. There is no technological tool for critical thinking.

However, we can help you with the tools that can help you enhance your online security and your life. Call us – 973-433-6676 – or email us with any questions you have about better living through technology. It makes sense to be up to date.

Generated Passwords Resolve Two Issues

During the recent holidays, I decided to get around to that one project I’d been meaning to do: change all my passwords. I have 241 unique passwords, and even though my password manager at the time gave them strong scores, I just wasn’t happy with the whole situation. So, I dived into a project for the generations.

As you should expect, I’ve read all the security alerts and everything I could find out about layers of security at the websites I visit for personal matters and those I use to serve clients. Each site is different, and that includes the two-factor authentication steps. It should give you comfort to know that using website passwords can be as complex as nuclear-launch codes – though it’s not comforting to think that any code can be cracked.

Randomly generated passwords that are frequently changed offer the best protection against cracking, which is why nuclear-launch codes always change – and why codes for keyless-entry systems for homes, cars and garages are essentially one-time codes designed to thwart anyone with a code scanner who sits near your car or home. Some password managers can change random passwords automatically when a website requires. No matter which one you use, you’ll need to have a master password – and that’s the only password you’ll need to remember.

Changing all of your passwords is not a task for the faint-of-heart. You’ll need to have a password manager program, such as Dashlane, LastPass or 1Password, and you’ll need to pay attention to details. I happen to like Dashlane for two of its features: random password generation and its integration with all browsers and operating systems. I consider those features to be critical.

When you use a password manager to generate random passwords, you need to pay attention to the requirements of each website. Some websites require the use of symbols, but many of them restrict you to certain symbols. Some require upper- and lower-case letters, and some require numerals. Many websites specify a certain number of characters in a password, such as 8 to 12 or 12 to 16. Just be mindful of all requirements when you set up the random password generator for each website.

One of the steps I took – and something highly recommended for financial websites – was to create a randomly generated password, log in to the site to make sure it worked, and then change it almost immediately. Each randomly generated password should be impossible to remember because it should lack any kind of pattern. For example, there doesn’t appear to be anything meaningful to me in FdXKCX9ZKsw. When a website requires you to change the password, you should have a password manager that does this automatically. Dashlane and LastPass do this, but they handle the process differently.

If you want to change your password manager, you can download all of your passwords so that you can re-enter them in your new password manager.

You should also know that your master password resides locally on your computer or mobile device. If you change computers, phones or tablets, you’ll need to re-enter your master password manually, not all your passwords – and it’s probably a good idea to do so to protect your data.

There are two keys to making a password manager and randomly generated passwords work. One is to make sure that the password manager itself is the latest version available and that you install all updates. Remember, as we’ve said so many times before, updates almost always include security patches and bug fixes.

The other key is to have a strong master password – really a passphrase. An effective passphrase should be something long – 20 to 30 characters – that you can remember and that doesn’t contain any information about you that’s available in public records. It should include upper- and lower-case letters, at least one number and at least one special character. Even if you change it every two or three months, it’s the only one you need to remember.

We can help you evaluate password managers and help you with the installation process. We think passwords have to become extinct as other security measures take hold, but for now, passwords are deeply ingrained in our online lives. Call us – 973-433-6676 – or email us for password manager help.