Windows Help & Advice – May 2019


The perfect password


The days of securing your online accounts with short, easily guessable passwords are long gone, but what constitutes the perfect password? Is it using random characters, the password length, or a combination of both? Let’s start with characters. Typing nick as your password is clearly weaker than l3G because nick is easily guessable, particularly if it’s your first name.

But guess what? A longer – but memorable – passphrase such as ILoveTheFourthOfJuly is potentially stronger than l3G because while the passphrase might be guessable, it’s more resistant to brute-force attacks, which just run through every possible combination of characters to try to arrive at the correct password. Shorter passwords are therefore easier (and quicker) to crack, as there are far fewer possible combinations.
That said, passphrases are vulnerable as they tend to be reused – if not by you, by others. If a password is exposed because a site’s usernames and passwords are compromised, those passwords can be used before employing the brute-force method, rendering the password useless for everyone – not just those who originally used it.
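As an added illustration (not from the magazine), this Python puts numbers on the two points above: the brute-force search space grows with length far faster than with extra character classes, but a password that already sits in a breach list is tried first, so its length no longer helps. The breach list, the assumed rate of 10^10 guesses per second and the generated-password helper are constructed assumptions for the example.

```python
import secrets
import string

# Constructed stand-in for a leaked-password list (in practice you would use a
# real breach corpus); the entries here are made up for the example.
BREACHED = {"password", "123456", "nick", "ILoveTheFourthOfJuly"}

# Character classes an attacker assumes in full once one member is present.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the alphabet covering every character class the password uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses to exhaust every combination of that alphabet and length."""
    return alphabet_size(password) ** len(password)


def crack_time_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Estimated cracking time; a leaked password is tried before any brute force.

    The guess rate is an assumption standing in for a fast offline cracking rig.
    """
    if password in BREACHED:
        return 0.0
    return brute_force_guesses(password) / guesses_per_second


def generate_password(length: int = 20) -> str:
    """What a password manager does: a long, uniformly random password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    year = 365 * 24 * 3600
    for pw in ("nick", "l3G", "ILoveTheFourthOfJuly", generate_password()):
        t = crack_time_seconds(pw)
        print(f"{pw:24} alphabet={alphabet_size(pw):3} "
              f"guesses={brute_force_guesses(pw):.2e} years={t / year:.2e}")
```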
That’s why password managers are essential. They enable you to generate long, random passwords that are impossible to remember or guess, and tie up brute-force attacks for months or even years. By that point, the site in question should be aware it’s under attack, and take counter-measures.

It’s different for your password manager’s master password; you must remember that. The trick is to use a system to create a long alphanumeric password (with symbols) that only you can remember. For example, !Eye’Luv#The$4h%OF^July. Pair it with 2FA and a cryptic password reminder (in case you need a subtle prompt), and your passwords will be as secure as they can be.

and paste it into the new password fields, before updating your password. If you’re lucky, your password manager detects the change and offers to update your password automatically. If not, log out and back in, pasting the new password over the old one in the login box. In most cases, your password manager detects the change and offers to update it; if not, open your password vault, click Edit next to the account, and paste in the new password.
Most password managers record your password history – this will be of use going forward should your password change not be registered, and you’re forced to revert to the earlier password to log back in. As you go through your accounts, you’ll probably come across some that are effectively dormant or no longer required. Rather than update a password you no longer use, consider deleting the account completely.
If you’ve been using a password manager for months, most of your logins will have been recorded. Now is the time to use the manager to identify and update weak and compromised passwords. 1Password offers its Watchtower reports in its Windows app, as well as online; LastPass and Bitwarden users must log on to their vaults through the web. If you’re using LastPass, you should choose Security Challenge on the left – click Show My Score, re-enter your master password, then go through the results. LastPass’s Chrome extension even supports updating your passwords in batches to save time. And if you’re using Bitwarden Premium, you’ll find a selection of reports highlighting problems under Tools.

Emergency actions
The above is all well and good, but what happens if you get locked out of an account? If you receive such a warning by email, don’t rush to click any links in it, as they might redirect you to a facsimile of the genuine website, capturing any details you enter to hack your account. Most browsers and good security suites spot obvious scams a mile off, but check manually anyway.
Visit the site in question by typing its address into your browser. Verify the address is genuine by checking the URL in your browser’s address bar, and by clicking the lock next to it. If you’ve been redirected, this indicates your PC’s security may have been compromised – read up on previous articles on how to disinfect your PC. If you have access to a second PC you trust and know is clean, use it to secure your accounts before investigating the possible infection on your main PC.
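The address-bar check above, written out as an added Python example (not part of the article): the host must be exactly the domain you meant to visit or one of its subdomains, and the page must be served over HTTPS (the lock). The expected domain and the sample addresses in the comments are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder: the domain you expect for the service you meant to
# visit. Replace it with the real domain you typed into the address bar.
EXPECTED_DOMAIN = "mybank.example"


def address_bar_host(url: str) -> Optional[str]:
    """Host the browser actually connects to, or None if there is no HTTPS lock.

    urlsplit understands the user@host form, so text before an '@' is treated
    as a username rather than mistaken for the host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_genuine(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only for the expected domain itself or one of its subdomains.

    A plain substring test would also accept a host that merely contains the
    expected name (e.g. mybank.example.attacker.test), which is the mistake a
    facsimile site relies on; comparing the domain suffix avoids it.
    """
    host = address_bar_host(url)
    if host is None:
        return False
    return host == expected or host.endswith("." + expected)
```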
If you’re happy the site is genuine, log in, change your password, and look for options to add 2FA. If you find yourself locked out, start by trying a simple password reset – most services offer this. Enter your account email address, and an email will wing its way to that account. If you’re happy the request is genuine, this is the one time you do click the link in the email, but double-check you’re on the right site. Again, after updating your password, enable 2FA if it’s offered.
If you haven’t requested a password reset, this might indicate that someone has got access to your email account. All web-based accounts worth their salt support 2FA, so if you have enabled this, you should be fine; otherwise update your password, and activate it.
If you’ve been locked out of your email account, you’re relying on one of two things: that you set up a secondary email you can use as a recovery address to reset your password, or that you can prove who you are using other means. Google, Microsoft, Apple, and other

Check a site is genuine before you log in.
