Passwords: An update
It’s a topic you’ve seen here before. Time and again. Of course, it’s still pertinent since we keep using them. Passwords are a bane of the tech world. Unless you can invent a simple way to authenticate yourself with any service, they’re going to stick around for a while. That doesn’t mean we need to despise them, though. In the past, we have discussed the problems on both ends, from policies that lead to creating awful passwords, to people insisting on using “love”, “*dogname*”, and “!23456”.
Grab your favorite password and…throw it in the trash (sadly, even “CorrectHorseBatteryStaple“). Because we’re back.
Like the question of eggs being healthy or your worst nightmare, passwords see a wide variety of advice as the years go on. Some of it is due to a long period of terrible advice (which we discussed before, and, I’ll admit, my own suggestions evolved, too). Thankfully, this is changing…slowly. The other part is based upon processing speed increases; it’s easier than ever to parse billions of possibilities (using databases of common passwords from leaks combined with dictionary analysis). So what’s the current solution?
It’s lurking in plain sight, on all your devices. The best password is one you never create. Every modern platform supports strong password suggestions. Then, they save these passwords in a secured database, so you don’t have to put a note in your drawer (it’s ok, you’re not alone). Depending on the system, there might be a master password, or, it can combine with biometrics. Make this be your big, strong password, then never use it. Rely on the fingerprint scanner, FaceID, or other verification system.
On iOS (that’s iPhone and iPad), the next version will have automatic strong (Apple calls them complex) password creation and storing. That means, when a site asks to create a password, your phone already filled in a really good one. Then it saves it so you never even bother thinking of something. To log back in, your phone just asks for verification through TouchID or FaceID (depending on device). This is new; auto-fill now has security, too. Yes, you still have to create a unique username. Sorry, MarioKartKing is taken.
There’s another side of this revisit: Updating your password. I know, I know, I spoke strongly against this practice in the past. My position is unchanged. If you change your password, make it for a good reason. A brilliant website called haveIbeenpwned.com checks your e-mail address or usernames to see if they were included in any breaches. If so, it shows which and to what degree. Then, you know it’s time to update those passwords (and anywhere else you shared those credentials). That password auto-suggest is looking mighty nice right now.
Here’s the bottom line: With password managers so prevalent and easy to use, there’s no excuse to still create your own passwords. It’s putting you (and the data within) at unnecessary risk. It also saves time. When I read of a breach on a service I use, I just go in, update that password, and get back to my life. Since it won’t be shared with any other system, I don’t care what someone does with the information. Granted, if passwords were stored in a way someone could access them, I’d be questioning the utility of said service, given their poor security practices.
Bottom line of the bottom line: Complex, random strings of characters, stored in a quality password manager, is the best way to ensure your personal (or corporate) information remains only in the hands you want.
Resources (A non-exhaustive list of password managers)
OS Based:
SmartLock for Passwords (Android/Chrome)
iCloud Keychain (Apple devices)
3rd Party:
Firefox Sync
LastPass
1Password
