The Time to Do the Right Thing

Be honest. How many times do you use a password for multiple websites because you need to remember it? You know that a string of 16 to 20 random characters upsets any pattern a hacker might use to steal a password for one site and maybe get into multiple places.

One of our clients recently told us how they saw the light, and it was a really gratifying conversation for me. He said: “I listened to what you said about passwords, and I did everything. Life is so much simpler now.”

It shocked me because that’s not usually what we hear. I wish more of our clients would get on the bandwagon when it comes to passwords and password managers. I can’t emphasize enough how password managers enable you to have unique, complex passwords for every website you need to access and how easy they are to use. You don’t always get to “stronger” and “simpler” as adjectives for a single concept.

What’s the “stronger” part of password managers? They generate those ideal passwords of 16 to 20 random characters that include upper and lower case letters, numbers and special characters. If everyone in your password chain – the people, companies and institutions you deal with – has a strong, generated password, that should make everyone as hack-proof as you can get. The problem is that the weakest link in the chain is the easy-to-crack password.

The “simpler” part is that you only need to remember one master password. (The hard part is making sure you have access to it in case you do forget it.) Before getting all his passwords into a password manager, our client said he would change a password by adding a number or a character because it was easier to remember. But it wasn’t simple. He would still need to remember what number or character he added to the old one, and maybe he had 50 passwords to remember – or carry around in a list.

A good password manager that can work across multiple devices can cost $50 to $100 a year. We believe that’s relatively cheap for the security you gain and the time you save from trying and retrying passwords or resetting them. The password manager becomes stronger and simpler when you combine it with facial recognition on a mobile phone.

Using a password manager and other forms of authentication will take some getting used to. But it’s worth it to take the time to do the right thing to protect your online security and your sanity.

Call us – 973-433-6676 – or email us if you need help in choosing a password manager and setting up the basics. We can also help you with other ways to authenticate your online access. See our article Pass the Key, Please.


Pass the Key, Please

If you’re sick and tired of managing passwords (see our article Take the Time to Do the Right Thing), take a new look at using passkeys and forget about the hassle. Passkeys may take some getting used to, but the security boost will be well worth the effort.

Microsoft is encouraging everyone to use a passkey when they sign up for a new account, and they’re moving away from passwords as the default for all new accounts, allowing you to ditch them altogether. Just as a related side note, when you create a Microsoft account, do not create a local passkey. It will only work on the device you used to create the account, and that will defeat the purpose of being able to sign in from anywhere on any device.

A passkey is a pair of cryptographic keys generated by your device. A public key and a private key combine to create a passkey that unlocks your account. If you remember going to your safe deposit box at the bank, you had one key in your possession, and you got a key from the bank for your visit. This is an electronic variation of the theme.

Microsoft introduced passkey support across most of its consumer apps a year ago, eliminating the need for two-factor authentication (2FA) or passwords. Now, it’s encouraging all new sign-ups to use passkeys as it removes passwords as the default. Websites are increasingly allowing you to use passkeys for secure access.

Passkeys and password managers are able to work together for the most part. Usually, the device or software generating the passkeys uses a biometric authentication tool, such as FaceID or TouchID, to authenticate your identity. If your password manager is the passkey source, you can log in with your master password. Passkeys are unique to each app or website and stored in a password manager’s vault or your device’s keychain. Passkeys can also sync across devices, making them a convenient choice.

There are some holes in the passkey strategy that you should be aware of. The websites themselves can be the source of weakness in the security chain. Security experts say criminals can easily get around a passkey by stealing users’ validated browser cookies using malware.

While that puts an onus on the websites to tighten up their operations, you can help protect yourself better. For example, don’t just accept the website’s data privacy settings when a box pops up on a website. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window. You can also turn off various marketing and targeting cookies.

Again, passkeys take time to set up, and there’s a learning curve to using them effectively. We believe it’s well worth your time to start using them. Call us – 973-433-6676 – or email us to learn more about passkeys – and how they work with password managers. We can help you select and configure passkeys and password managers together and move you up to the next level of online security.

No-Fear Password Management

Many people are scared off from installing and using a password manager because they fear making a mistake somewhere and forever losing access to websites that are linked to their well-being. The password manager companies don’t help because they use too much jargon and dance around the issues that concern customers.

One of our clients decided to take the plunge, making sure we were in the water with them until they were confident they could swim safely.

The two password issues they wanted to solve were: 1.) they needed to remember or have written access to more than 100 website accounts, and 2.) they were concerned they were reusing too many passwords or combinations of passwords for expediency (or convenience). All the descriptions from password manager sales sites claimed they were easy to use, but our client never felt comfortable with how the steps to set up and use the manager would give them easy, secure access.

In this case, we helped them set up Dashlane, which they are keeping after a 30-day trial. The process involved creating an account with Dashlane and using Microsoft Authenticator to make sure all the information they were adding would be secure. For this client, it involved using the computer to create the account and the Authenticator app on the cell phone. It also involved setting up the Dashlane extension through their web browser. On a computer, Dashlane installs as an extension of your web browser, and you can activate it at any time by clicking its icon. They installed the Dashlane app on their cell phone, where it essentially self-activates when you start the login for a website.

The first part of the setup involved creating the master password to reach their own “vault,” which is the general term for the place where you store your username and password for each site you visit. Our client created one that had upper- and lower-case letters as well as numbers and special characters. It was special enough to remember and not too laborious to type on a keyboard or mobile device. They were also prompted to create a PIN that will be used as part of an access-recovery process if it’s ever needed. They wrote the info on a piece of paper and put it in a safe place.

The rest of the setup was straightforward. We advised our client to enable Dashlane to control the storage of usernames and passwords and to disable websites, Google, Microsoft and others from storing that info. It makes Dashlane more efficient. You can save “Remember Me” information.

One other setup item that’s vital to look at is your Password Health Score. You can access it from the menu along the left side of your Dashlane screen; it has a heart rate monitor icon. It will tell you where you are reusing passwords and how many of your sites have the same password. The idea is to get to a score of 100, but you may have reasons to use the same password for some sites, such as shared sites for video streaming. You can change them during setup to use Dashlane-generated passwords, or you can change them later. Our client opted to change them later – after all their sites were put into Dashlane.

One thing our client found early on is that Dashlane-generated passwords are not accepted at all sites. It wasn’t a problem. Dashlane allows you to see the entire generated password, and you have the option to add a character. Most times, that’s all that’s needed.

The tedious part of installing Dashlane is to log in to every website you visit and allow Dashlane to save your username and password. Make sure you’re signed into Dashlane when you log into the site. Our client found it best to make sure their current saved password was working before responding to Dashlane’s request to save the login credentials. While it’s a simple process, they noted that you have to make sure Dashlane saves the email address or username you use for the website you’re saving. By default, Dashlane uses the email address you tied to Dashlane. Your login info will automatically be saved to any other devices you’re using with Dashlane.

As with all password managers, Dashlane allows you to download your login info for each website you have in its system. It’s a good idea to keep the list up to date and stored in a safe place. If you decide to stop using any password manager, you’ll need that list to reenter all your passwords manually. If you change password managers, be sure to take advantage of any capability to transfer your credentials. If not, you’ll have to reenter everything.
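A downloaded login list can also be checked for the two habits described in these articles: the same password on several sites, and an old password "changed" by adding a number or character. The following Node.js audit is an added example, not Dashlane's Password Health Score or its export format; the `exported` entries, field names and the four-letter stem threshold are constructed assumptions.

```javascript
// Added example: reuse audit over an exported login list (constructed sample data).
const crypto = require('node:crypto');

const exported = [
  { site: 'bank.test', password: 'Maple2019' },
  { site: 'mail.test', password: 'Maple2019' },
  { site: 'shop.test', password: 'Maple2019!' },
  { site: 'news.test', password: 'maple7' },
  { site: 'stream.test', password: 'q7#Vd2!xLm9@Rt4z' },
];

// Group by a short hash so the report never holds or prints a password itself.
const fingerprint = (s) => crypto.createHash('sha256').update(s).digest('hex').slice(0, 12);

// Reduce a password to its memorable base: lower-case, trailing digits/symbols removed.
const stem = (password) => password.toLowerCase().replace(/[^a-z]+$/, '');

// Collect sites under a key derived from the password; keep only groups of two or more.
function groupBy(entries, keyOf) {
  const groups = new Map();
  for (const { site, password } of entries) {
    const key = keyOf(password);
    if (key === null) continue;
    groups.set(key, [...(groups.get(key) || []), site]);
  }
  return [...groups.values()].filter((sites) => sites.length > 1);
}

function auditReuse(entries) {
  const exact = groupBy(entries, fingerprint);
  // Stems shorter than 4 letters are too weak a signal to report (assumed threshold).
  const variants = groupBy(entries, (p) => (stem(p).length >= 4 ? fingerprint(stem(p)) : null));
  const reusedSites = new Set(exact.flat());
  const uniquePercent = Math.round((100 * (entries.length - reusedSites.size)) / entries.length);
  return { exact, variants, uniquePercent };
}

console.log(auditReuse(exported));
```

In the sample, two sites share an identical password, and four sites share one base word with different endings, which is the pattern an attacker who has one of them would try first.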

Dashlane and most password managers have free versions, but they are limited to one device and a specific number of websites. Paid versions typically allow you to store login credentials for a virtually unlimited number of sites across multiple devices – and they have family plans or group plans for multiple users.

Whichever password manager you choose, you’ll upgrade your online security significantly. Call us – 973-433-6676 – or email us to learn more or have us walk you through the initial setup steps.