Each week, I can guarantee that I will see several customers who are having issues with passwords on their computers. It seems to be one of the biggest frustrations of computer usage nowadays and in response to a reader’s letter in the summer edition of The Bugle, I thought I’d discuss this topic in some detail.
Most websites and online services now require users to create a password-protected account. Users are then usually advised to choose passwords that are random, strong and unique to the website, i.e. not be re-used for other website accounts. However, in reality most users choose to use the same 5 or 6 weak passwords and often still struggle to remember which passwords are used with which account.
So what makes a good password? Ideally, it is one that a computer (or person) has most difficulty guessing but also one that you can remember. A strong password is a long password, preferably at least 10 or 12 characters in length. Common advice is to use a random mix of numerals, letters or complex characters. However, this doesn’t actually deter a computer from guessing your password but it will make it much more difficult for you to remember it and type it correctly. A more memorable suggestion could be to use a phrase such as, “Todayisthe8thofJuly” or random words for example, “HouseChairPrinter23”. Obviously, this needs to be adapted to the constraints of the website, for example where you are required to use add a numeral, capital letter or limit it to 8 characters.
In an ideal word, a different password should be used on every website. In reality, for most of us this is unmanageable and usually doesn’t happen. Recognising this, Microsoft’s recent advice is to use the same password on all your low-risk sites and save two or three unique passwords for the sites containing higher risk banking or personal information. This makes them more likely to be remembered and if one of your low-risk websites gets hacked then it won’t be the end of the world. You’ll still have to change the password for that website but your important passwords won’t be compromised.
Having chosen your passwords, you still have the problem of remembering them and which one is used with which account or device. To help, you have potentially three options:- write them down, store them on your computer or store them on someone else’s computer.
Unfortunately none of these are guaranteed to be secure. Many banks will tell their customers to not write down passwords. Many other services will tell customers not to store passwords on their computer and logic would dictate that storing passwords on someone else’s computer, say using an online password manager, could also be risky.
I stand by my advice that if you can’t remember your details, then write them down in an unidentifiable book. Treat this book with respect like other important forms of security, such as keys, wallets or bank account details and store it in a sensible place, away from your computer. No more forgotten or lost passwords and useful for storing account reset information like those memorable details. Remember that a book cannot be hacked and in the unfortunate event that someone breaks into your house, they’ll be more likely looking for money, jewellery or laptops/iPods rather than a book. Also, it seems Microsoft agree, - “Despite violating long-standing password guidance, writing passwords down is, if properly done, increasingly accepted...”
If you don’t like the idea of writing passwords down, some may recommend an online Password Manager as the answer. These automatically generate and fill-in passwords on websites, freeing users from having to remember them. This sounds good in theory, but there is a potential big issue. Quite simply all your eggs will be in one basket and if there is a security breech you will have to reset all your on-line passwords. Last month the University of California, Berkeley, published a technical report entitled, “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers”. After testing 5 popular password managers, they raised a few concerns. The researchers found security risks in all the programs that they tested. They called their report a wake-up call for the developers of these programs and also expressed their opinion that many computer magazines had often over-rated the security advantages of modern password managers.
I hope this article has helped clear up a few issues.
© Peter Johnston, ByteSupport Ltd 2014.