- John Bell
Tech Sense: Passwords
Another Safe New Year
Another January, and it's time to change all of your passwords again. Remember to use a different password for each website, and make sure each password is at least 12 characters long with a mix of numbers, upper- and lowercase letters, and symbols. The technique described in this column a couple of years ago is still fine for generating secure passwords for most websites. It requires you to create a set of rules for building passwords. Your rules should be different from the ones I use, but here is an example:
Pick a phrase you will remember—I will use "It makes my peas taste funny" from an old nursery rhyme.
Create a rule to pick letters from this phrase—Rule: Pick the last letter of each word: "tsysey"
Create a rule to uppercase some of the letters—Rule: Uppercase every third letter: "tsYseY"
Pick a number at least 2 digits long that changes each year—Rule: Years since the attack on Pearl Harbor: 2017 - 1941 = 76
Rule: If special characters are allowed, use the symbols on the keyboard keys for the digits selected above, here "7" and "6": &^
Rule: Use the first 3 characters and the last character of the website name (without the .com)—for yahoo.com use "yaho"
Combine these to make your new password: tsYseY76&^yaho
Of course, you can mix and match rules as you please to make sure your passwords are unique.
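The rule chain above, written out as code so each rule can be checked against the column's own example. This is an added example, not code from the column; it assumes a US keyboard layout for the shifted symbols and takes the site name as the first label of the hostname.

```python
# Shifted symbol above each digit on a US keyboard (assumption: US layout).
SHIFTED = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
           "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def last_letters(phrase: str) -> str:
    """Rule 1: keep the last letter of each word ("tsysey" for the column's phrase)."""
    return "".join(word[-1] for word in phrase.split())


def uppercase_every_third(s: str) -> str:
    """Rule 2: uppercase every third character (positions 3, 6, 9, ...)."""
    return "".join(c.upper() if (i + 1) % 3 == 0 else c for i, c in enumerate(s))


def year_number(year: int, anchor: int = 1941) -> str:
    """Rule 3: years since an anchor event (the column uses Pearl Harbor, 1941)."""
    return str(year - anchor)


def symbols_for(digits: str) -> str:
    """Rule 4: the shifted symbols above the chosen digits, e.g. "76" -> "&^"."""
    return "".join(SHIFTED[d] for d in digits)


def site_token(hostname: str) -> str:
    """Rule 5: first three characters and last character of the site name, no TLD."""
    name = hostname.lower()
    if name.startswith("www."):
        name = name[4:]
    name = name.split(".")[0]
    return name[:3] + name[-1]


def build_password(phrase: str, year: int, hostname: str) -> str:
    """Combine the five rules into one site-specific password."""
    digits = year_number(year)
    return (uppercase_every_third(last_letters(phrase))
            + digits + symbols_for(digits) + site_token(hostname))


def meets_policy(password: str, min_len: int = 12) -> bool:
    """The column's minimum: 12+ characters with lower, upper, digit and symbol."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return len(password) >= min_len and all(classes)
```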
If you used Yahoo email any time in the past decade or so, you should change your passwords right away—and not just on Yahoo but on every site on which you may have used the same password as you did on Yahoo. To make matters worse, you should also change your password recovery answers on every site. The reason is that Yahoo allowed the password recovery answers to be stolen. Unfortunately, your banks and other websites probably use the same questions, such as "What road did you live on when you were growing up?", "What is your father's middle name?" and "Who was your best friend in high school?" The answers you give are probably the same for every site, so because Yahoo was compromised, it is likely that any site you use that asks the same types of questions, including your bank, has effectively been compromised as well.
As demonstrated above, using so-called "security questions" for password security is not a very good idea, but many sites stupidly insist on using them. There are two parts to this problem. The first is that the answers are often well known to close family and friends, which means they might as well be public knowledge. This is how Sarah Palin's email was hacked when she was running for vice president, although she did publish all of the answers in an autobiographical book. The second issue is that the answers tend to be the same no matter who asks the question. The approach I have taken to this issue is to use fake answers. So for that banking site, my first pet's name may be "bank snoopy," or the street I grew up on may be "bank lane." It is not a perfect solution, but it is better than providing real information, and it changes with every site.
Two Factor Authentication (2FA)
So what do "smart" organizations that want to protect their customers, and make account access and password recovery easy and secure, do? They use two factor authentication. One form of two factor authentication uses your cell phone to receive a text message. When the message arrives, you enter the 6-digit number into the web page, confirming that the holder of the cell phone is the person attempting to log in. Of course, this is more secure if your cell phone is locked and requires a PIN or unlock code to read the text message.
Google Authenticator is an example of another type of two factor authentication. This is an application on your phone that generates a number that you must enter into the login screen as you log in to a supported web application. The number is different each time you log in, and the number generator in the phone application is synchronized with the number generator on the web application. This is a good way to protect all of your Google applications.
U2F, the Open Two Factor Solution
U2F is another two factor solution that has started to gain a good footing because both the hardware and the software are open. Originally developed by Yubico and Google, these devices plug into the USB port of your computer and work with the Chrome browser. To log in to a supported site, you enter your username and password and then press the single button on the U2F USB key. This sends a one-use code to the web browser to verify that you are the user. These devices work with the Google suite of applications and can be purchased from Amazon for prices ranging from $9 to $40.
Biometrics and Other forms of 2FA
There are, of course, other forms of two factor authentication, including biometrics like face and fingerprint scanners. Fingerprint scanners have been available on laptops for a while and are now appearing on mobile phones. Laptops and phones now usually have cameras that can be used to identify a person using facial recognition. Voice recognition is also starting to be used as another authentication factor, again employing the microphones built into phones and laptops, and it is now being used as well for computing devices without a display, like the Amazon Dot and Echo.
There are also simpler but effective two factor authentication methods such as "bingo cards." An example of this (called "Perfect Paper Passwords") can be found on Steve Gibson's GRC site: https://www.grc.com/ppp.htm.
The bottom line is that if secure access to a site is important, then use two factor authentication. Most banking sites have some form of two factor support available (and shame on banks like SunTrust that do not). Google has it as a built-in option for most of its applications, including Gmail and Google Drive. Find out if the applications that are important to you make it available and, if so, use it.