Your Passwords Need Protection

After posting my blog Worst Author's top 7 things to protect yourself on the internet, I talked to several people and realized that many of them have more basic questions. Most of the people I talked to don't have a technical degree. They are simply users of the technology.

Why do you need passwords?

Every website wants you to register. Many use that login to know you and market their products. How often have you registered on a website and you get emails from them with the greatest information or deal?

The second important reason to register is to protect your privacy. If you apply for a great job and anyone with your email can access the information, reject a job offer, and change your address, your privacy is at risk.

Real World

Let's put this into physical world terms - old school.

If the physical world were like the online world today, your experience would be much more complex. You would go to your closest store down the street and have to register. Before you could see any deals or specials, or ask a question, you would have to register and then log in. Now you go to the store next door for coffee and have to register to order anything. Now you go to the bookstore and must register with them. They all have an app they want you to download. That would suck. But we all accept it online.

To repeat: passwords for websites are not bad. Protecting your privacy and not letting anyone access your account, credit cards, etc. is good.

The title 'Your Passwords Need Protection' is trying to make you think about why you need a password and why they need protection.

Password requirements are different on each site

Today every website and every app wants a unique password, and each has its own minimum requirements for that password. Most websites today also have an application (app) - there is an app for that.

Requirements from popular sites:

Facebook:

Passwords must contain at least one character from 3 of the following:

  • Lower case characters (a-z)
  • Upper case characters (A-Z)
  • Digits (0-9)
  • Special characters, including punctuation marks and symbols.

Twitter:

Use a strong password that you don't use on other websites. Your password should be at least 10 characters long and use a mix of uppercase, lowercase, numbers, and symbols. Use passphrases, not passwords. Do not use common dictionary words or phrases - these are predictable and easy to compromise.

Apple:

Apple requires that you use a strong password for your Apple ID—eight or more characters, including upper and lowercase letters and at least one number. Never share your Apple ID password, verification codes, or account security details with anyone. Don't use your Apple ID password with other online accounts.

The list goes on. They are all different. The worst part is when special characters don't work on some sites but do work on others. Now your random password has to be generated knowing which characters each site will not accept.
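To show how one and the same password passes some of the policies quoted above and fails others, here is an added example (not from the original post) that encodes the three published rules plus a hypothetical fourth site that rejects most punctuation; the site names, the allowed-symbol set and the sample passwords are all assumptions made for the illustration.

```python
"""Check a candidate password against the three policies quoted above
plus one hypothetical site with a restricted symbol set."""


def char_classes(pw: str) -> dict:
    """Report which of the four character classes appear in pw."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),  # punctuation, space, etc.
    }


def facebook_ok(pw: str) -> bool:
    # At least one character from 3 of the 4 classes; no length stated on the page.
    return sum(char_classes(pw).values()) >= 3


def twitter_ok(pw: str) -> bool:
    # At least 10 characters and a mix of all four classes.
    return len(pw) >= 10 and all(char_classes(pw).values())


def apple_ok(pw: str) -> bool:
    # Eight or more characters, upper and lower case letters, at least one number.
    cls = char_classes(pw)
    return len(pw) >= 8 and cls["lower"] and cls["upper"] and cls["digit"]


def strict_site_ok(pw: str, allowed_symbols: str = "!@#$") -> bool:
    # Hypothetical site: 8+ chars, 3 of 4 classes, and ONLY these symbols allowed.
    # This is the "special characters don't work on some sites" case.
    symbols = [c for c in pw if not c.isalnum()]
    return (len(pw) >= 8
            and sum(char_classes(pw).values()) >= 3
            and all(c in allowed_symbols for c in symbols))


def check_all(pw: str) -> dict:
    """One password, four verdicts: the same string is fine for some sites, rejected by others."""
    return {"facebook": facebook_ok(pw), "twitter": twitter_ok(pw),
            "apple": apple_ok(pw), "strict_site": strict_site_ok(pw)}


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("password", "Sunshine1", "Abc1!", "Tr0ub4dor&3"):
        print(f"{sample!r:16} -> {check_all(sample)}")
```

Running it shows that "Tr0ub4dor&3" satisfies all three published policies yet the hypothetical strict site rejects it because of the "&", which is exactly the mismatch the paragraph complains about.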

Let's go a little deeper into why you need a password.

But how do you remember all those passwords? There are two options that people use. First, they ignore the request for a unique password and use the same password everywhere. This is not safe, because if a bad person gets your password they have access to all your accounts. Second, people create different passwords and then store them or write them down. This is where the real blog begins.

If you have a file with all your websites and passwords, how secure is that file? Are you using your phone? Today your phone is a device I can take from you, hold up to your face to unlock, and then get all your passwords. Are the passwords on your computer? The device that unlocks with your face, or with a four-digit PIN? So you are protecting your (minimum 8 characters with punctuation) passwords with a four-digit PIN? If I get or guess your PIN, I have access to everything.

The computer idea also includes your browser. There is no password to open your browser and start accessing your bank or stock broker account. Your stored password just gets populated. Very convenient and dangerous.

Your phone has a lock screen; biometrics such as your fingerprint or face are hard to hack but easy to bypass. I just hold the phone up to your face and it unlocks. The apps all assume that if you opened the phone from the lock screen, it is you doing your normal stuff. All the convenient apps that just go straight into your account are not secure.

What do you do? Today you don't have much choice. The websites will require you to register. They need your details. You will download those apps, register, and get the convenience. If you are like most people, you rely on browser password storage or app password storage.

If you are required to log in, you say you forgot your password and force a reset. This lets the browser or app update the stored password, and you are good again, for a while.

More sophisticated users are using two-factor authentication (2FA). This could be a text to your phone, or a special application (yes, another app) that provides a changing number to log in. If it is a text to your phone - the phone that was taken from you - the bad guy will now change your password. If you use an authenticator app for 2FA, it will at least slow them down.

You can tell your phone (Apple or Android) to require the login password instead of biometrics. This happens automatically when you reboot, but you can do it at any time. It does require you to remember to do this and to remember how to engage the function.

My recommendations:

  1. Don't use the same password everywhere. Use good passwords.
  2. Because you are using different passwords, get an app to help. Yes, another app. I use KeePass on my phone and laptop. It requires a password to open the database. This password needs to be good.
  3. Let your browser store the information, but clear the information every X weeks. It will add some frustration but helps keep your information out of the bad guy's hands.
  4. Use guest logins, and buy with guest checkout, especially on websites you probably won't visit often. They may complain about providing support, but you will have a receipt in your email. If they complain, give them a bad review.
  5. Give feedback about the ever-different password requirements: eight or ten characters, and which punctuation (special symbols) is allowed.

Remember, the websites don't care if you are hacked. If you follow one website's rules to make a password and are hacked at another site, it is your problem.