Password Problems Revisited

To take our discussion of vanishing passwords one step farther, some recent service calls for clients who’ve been hacked – some multiple times – have provided still more reasons to move on to newer technologies.

We are getting numerous calls from clients to help them set up Dashlane, including one client who has been hacked seven times. We tried to get them to use Dashlane or Password Keeper. Now, they’re ready to do it the right way. They’re ready to move beyond the annoyance of having to remember or look up passwords for security and type them into a website. For now, Dashlane or another password manager can resolve the issue for most people who are fearful of trading passwords for newer password-less technologies.

As we’ve noted, people set up passwords that are easy to remember or type. There’s generally enough repeatability that a code cracker can solve the puzzle you’ve tried to create. That happened with our client, whose bank account was hacked. As we were setting up Dashlane and downloading emails, we noticed the client had been getting alerts that the password had been changed. They had not made those changes. It took a phone call to resolve that issue, and it took Dashlane to ward off the hackers.

We should note here that there are a couple of important side lessons to learn from this experience. The first is on you: Call the company – and don’t necessarily use the phone number in the email; get one from their website. The second is on the companies: Make it easier to get a human on the phone when somebody has a security issue. We went through five layers of voice prompts before talking to a person.

Once the “alert” issue was resolved, we were able to fully install Dashlane. The process does take time. Installing any password manager requires you to pay attention to details and maybe some repetition. For financially sensitive accounts, you may want to generate another round of new random-pattern passwords as an extra layer of security. A password management program should allow you to print a copy of your database with all of your passwords – just in case there’s a mistake or if you decide to stop using the program. It should also work across all of your devices: computers, phones, tablets, etc. If you are one of the growing number of people who use an infotainment system in your car like a computer, you might want to change sensitive passwords frequently – as often as once a week.

Again, you only need to remember your master password for the password manager, and that can be a tremendous time saver, especially if you need to access a website from a mobile device.

But again, we believe you should use password-less technologies. They’re more secure, and they are easier to use than many perceive. For example, many Windows 10 computers have Windows Hello, and you can use that to add a fingerprint reader. The reader itself is about the size of a wireless mouse device and plugs into a USB port. Similarly, many mobile devices can use your fingerprint to verify you are the owner and user. If your computer or device has this capability, we strongly urge you to use it.

Many computers and devices also have built-in cameras that can be used for biometrics, and some advanced security measures use locations and usage patterns in place of passwords. As a backup, all of these measures have provisions for a PIN or a password if the biometric program can’t be used or if you don’t want to use it.

We can help you set up a password manager or – better still – go password-less. Call us – 973-433-6676 – or email us to get answers to your questions or to set up an appointment to manage your online security.

Generated Passwords Resolve Two Issues

During the recent holidays, I decided to get around to that one project I’d been meaning to do: change all my passwords. I have 241 unique passwords, and even though my password manager at the time gave them strong scores, I just wasn’t happy with the whole situation. So, I dived into a project for the generations.

As you should expect, I’ve read all the security alerts and everything I could find out about layers of security at the websites I visit for personal matters and those I use to serve clients. Each site is different, and that includes the two-factor authentication steps. It should give you comfort to know that using website passwords can be as complex as nuclear-launch codes – though it’s not comforting to think that any code can be cracked.

Randomly generated passwords that are frequently changed offer the best protection against cracking, which is why nuclear-launch codes always change – and why codes for keyless-entry systems for homes, cars and garages are essentially one-time codes designed to thwart anyone with a code scanner who sits near your car or home. Some password managers can change random passwords automatically when a website requires. No matter which one you use, you’ll need to have a master password – and that’s the only password you’ll need to remember.

Changing all of your passwords is not a task for the faint-of-heart. You’ll need to have a password manager program, such as Dashlane, LastPass or 1Password, and you’ll need to pay attention to details. I happen to like Dashlane for two of its features: random password generation and its integration with all browsers and operating systems. I consider those features to be critical.

When you use a password manager to generate random passwords, you need to pay attention to the requirements of each website. Some websites require the use of symbols, but many of them restrict you to certain symbols. Some require upper- and lower-case letters, and some require numerals. Many websites specify a certain number of characters in a password, such as 8 to 12 or 12 to 16. Just be mindful of all requirements when you set up the random password generator for each website.

One of the steps I took – and something highly recommended for financial websites – was to create a randomly generated password, log in to the site to make sure it worked, and then change it almost immediately. Each randomly generated password should be impossible to remember because it should lack any kind of pattern. For example, there doesn’t appear to be anything meaningful to me in FdXKCX9ZKsw. When a website requires you to change the password, you should have a password manager that does this automatically. Dashlane and LastPass do this, but they handle the process differently.

If you want to change your password manager, you can download all of your passwords so that you can re-enter them in your new password manager.

You should also know that your master password resides locally on your computer or mobile device. If you change computers, phones or tablets, you’ll need to re-enter your master password manually, not all your passwords – and it’s probably a good idea to do so to protect your data.

There are two keys to making a password manager and randomly generated passwords work. One is to make sure that the password manager itself is the latest version available and that you install all updates. Remember, as we’ve said so many times before, updates almost always include security patches and bug fixes.

The other key is to have a strong master password – really a passphrase. An effective passphrase should be something long – 20 to 30 characters – that you can remember and that doesn’t contain any information about you that’s available in public records. It should include upper- and lower-case letters, at least one number and at least one special character. Even if you change it every two or three months, it’s the only one you need to remember.

We can help you evaluate password managers and help you with the installation process. We think passwords have to become extinct as other security measures take hold, but for now, passwords are deeply ingrained in our online lives. Call us – 973-433-6676 – or email us for password manager help.