Pragmatic password pointers

It’s 2019 and we’re still having a problem with passwords.

The Disney+ hack shows why you need to up your password game – Wired UK
Although it is still being called a ‘hack’, it wasn’t Disney’s servers that were compromised but its customers: the attackers replayed usernames and passwords that those customers had reused from other, already-breached sites.

“What hackers do is they have a huge list of previously stolen username and password combinations and they use hacking tools to automatically check those username and password combinations against the target website,” says Andrew Martin, CEO of DynaRisk, a cybersecurity company. “They throw hundreds of millions of account details at them, and they see what sticks.”
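
The pattern Martin describes has a recognisable shape in a login log, and that shape is what makes it detectable: one source address tries many different usernames, roughly once each, and almost all of them fail. The following is an added example, not code from Wired, DynaRisk or this post. It is a Python script that scores each source address in a constructed authentication log (the log format, the UTC timestamps and the thresholds are assumptions made for the illustration) and separates credential stuffing from a brute-force attack on a single account and from an ordinary user who mistyped once.

```python
"""Separating credential stuffing from brute force in an auth log.

Credential stuffing replays stolen username/password pairs, so one source
tries MANY distinct usernames about once each and most attempts fail.
The handful that succeed are the "what sticks" accounts: users who reused
a password that was in the stolen list. Those accounts need a forced reset,
not just a block on the source address.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Assumed log format, constructed for this example (not a real product's):
#   "<ISO-8601 timestamp, UTC> ip=<source address> user=<login> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample traffic (RFC 5737 documentation addresses):
# 203.0.113.5 walks a stolen list (stuffing), 198.51.100.7 hammers one
# account (brute force), 192.0.2.9 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2019-11-20T10:00:01 ip=203.0.113.5 user=alice result=fail
2019-11-20T10:00:02 ip=203.0.113.5 user=bob result=fail
2019-11-20T10:00:02 ip=203.0.113.5 user=carol result=ok
2019-11-20T10:00:03 ip=203.0.113.5 user=dave result=fail
2019-11-20T10:00:03 ip=203.0.113.5 user=erin result=fail
2019-11-20T10:00:04 ip=203.0.113.5 user=frank result=fail
2019-11-20T10:00:04 ip=203.0.113.5 user=grace result=ok
2019-11-20T10:00:05 ip=203.0.113.5 user=heidi result=fail
2019-11-20T10:00:10 ip=198.51.100.7 user=admin result=fail
2019-11-20T10:00:11 ip=198.51.100.7 user=admin result=fail
2019-11-20T10:00:12 ip=198.51.100.7 user=admin result=fail
2019-11-20T10:00:13 ip=198.51.100.7 user=admin result=fail
2019-11-20T10:00:14 ip=198.51.100.7 user=admin result=fail
2019-11-20T10:00:15 ip=198.51.100.7 user=admin result=fail
2019-11-20T10:00:20 ip=192.0.2.9 user=ivan result=fail
2019-11-20T10:00:25 ip=192.0.2.9 user=ivan result=ok
"""


def parse(log_text):
    """Yield (timestamp, ip, user, succeeded) tuples; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
            yield ts, m["ip"], m["user"], m["result"] == "ok"


def classify_sources(log_text, window_seconds=300, min_attempts=5,
                     min_distinct_users=5, min_fail_ratio=0.6):
    """Score every (source address, time window) and return a list of reports.

    Attempts are bucketed into tumbling windows of window_seconds so that a
    burst is not diluted by averaging over the whole log. The thresholds are
    illustrative defaults; tune them to the site's normal failure rate.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        buckets[(ip, int(ts.timestamp()) // window_seconds)].append((user, ok))

    reports = []
    for (ip, bucket), events in sorted(buckets.items()):
        attempts = len(events)
        distinct = {user for user, _ in events}
        fail_ratio = sum(1 for _, ok in events if not ok) / attempts
        hits = sorted(user for user, ok in events if ok)  # the accounts that "stuck"

        if attempts >= min_attempts and fail_ratio >= min_fail_ratio:
            if len(distinct) >= min_distinct_users:
                verdict = "credential_stuffing"  # many users, about one try each
            elif len(distinct) == 1:
                verdict = "brute_force"          # one user, many tries
            else:
                verdict = "suspicious"
        else:
            verdict = "benign"

        window_start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
        reports.append({
            "ip": ip,
            "window_start": window_start.isoformat(),
            "attempts": attempts,
            "distinct_users": len(distinct),
            "fail_ratio": round(fail_ratio, 2),
            "hits": hits,
            "verdict": verdict,
        })
    return reports


if __name__ == "__main__":
    for r in classify_sources(SAMPLE_LOG):
        print(f'{r["ip"]:<14} {r["verdict"]:<20} attempts={r["attempts"]} '
              f'users={r["distinct_users"]} fail_ratio={r["fail_ratio"]} hits={r["hits"]}')
```

The useful output is not the verdict on the source address but the `hits` list: on the constructed log the stuffing source gets into `carol` and `grace`, and those are the accounts whose reused passwords were in the stolen list. Blocking the address only pauses the attack; resetting those accounts and prompting them to enable 2FA fixes the exposure.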

Here’s some essential digital literacy advice that should be a compulsory part of every school’s curriculum. And every company’s induction programme.

The ultimate guide to passwords in 2019 – Fleetsmith
Putting to rest some of the most persistent falsehoods about passwords and what it takes to come up with strong passwords and practice good password security in 2019.

The main points:

  • How long should my password be? 10 characters minimum, but make it as long as possible. Length is the most important factor in strength.
  • Does my password need special characters to be strong? Nope.
  • Does my password need numbers to be strong? Nope.
  • What about swapping letters for numbers (1337 speak)? This does nothing: cracking tools try those substitutions as standard rules.
  • How often should I change my password? Only when you think it has been compromised. Never force users to rotate passwords; that actually lowers security.
  • Can I use the same password on multiple sites? Absolutely not. Every service should have its own unique password, so that you don’t have to change all of them when (not if) one of them gets breached.
  • How can I remember my password? Don’t try to remember your passwords; use a password manager. If you won’t, write them down. If you need a long password you can memorise, use the diceware method. But never reuse a password.
  • What about two-factor authentication? Always turn on 2FA if it’s offered, and use the strongest method available: a text message is weaker than an authenticator app, which is weaker than hardware-based authentication. Never give a service your phone number if you can help it.
  • What about password recovery questions? Don’t give honest answers to these. For maximum security, generate a random secondary password for each question and store it in your password manager.
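
To put numbers behind the first four points and the diceware advice, here is an added example (not from the Fleetsmith guide or this post): a small Python module that computes the entropy of a random password from its length and alphabet size, reverses the usual 1337-speak substitutions the way a cracker’s rule set does, and performs the diceware lookup and passphrase generation. The twelve-word list in it is a constructed stand-in for the real 7776-word Diceware list; the passphrase entropy figures assume that real list size.

```python
"""Length beats character classes: entropy arithmetic plus a diceware helper.

A password drawn uniformly at random from an alphabet of N symbols, L symbols
long, has L * log2(N) bits of entropy. Swapping 'a' for '@' in a dictionary
word adds almost nothing, because crackers apply those substitutions as
standard mangling rules and try the leet form right after the plain one.
"""
import math
import secrets

# Inverse of the common 1337 substitutions. This is the direction a cracking
# rule set walks, which is why the substitutions buy no real entropy.
# ("1" is mapped to "i" here; in practice a cracker tries both "i" and "l".)
LEET_TO_PLAIN = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for the real Diceware list (7776 words, one per
# five-dice roll). Only the size matters for entropy; these words are
# illustrative and far too few for real use.
DEMO_WORDLIST = ["apple", "brick", "cloud", "delta", "ember", "flint",
                 "grove", "honey", "ivory", "jumbo", "kayak", "lemon"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries, one per five-dice roll


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words, wordlist_size=DICEWARE_LIST_SIZE):
    """Entropy of n words chosen uniformly from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def undo_leet(candidate):
    """Normalise a 1337-speak password back to the dictionary word a cracker
    would start from. If this returns a plain word, the substitutions added
    nothing that a rule-based attack would not try anyway."""
    return candidate.lower().translate(LEET_TO_PLAIN)


def dice_rolls_to_index(rolls):
    """Map five die rolls such as "31426" to a 0-based index into a
    7776-word list by reading the digits as a base-6 number. This is the
    offline lookup step of the diceware method."""
    if len(rolls) != 5 or any(ch not in "123456" for ch in rolls):
        raise ValueError("need exactly five digits in the range 1-6")
    index = 0
    for ch in rolls:
        index = index * 6 + (int(ch) - 1)
    return index


def diceware_passphrase(n_words, wordlist=DEMO_WORDLIST, choose=secrets.choice):
    """Build an n-word passphrase, choosing each word with a cryptographically
    secure RNG. `choose` is injectable so tests can make it deterministic."""
    if n_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return " ".join(choose(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"10 lowercase letters : {entropy_bits(10, 26):.1f} bits")
    print(f"10 printable ASCII   : {entropy_bits(10, 95):.1f} bits")
    print(f"16 lowercase letters : {entropy_bits(16, 26):.1f} bits")
    print(f"6 diceware words     : {passphrase_entropy_bits(6):.1f} bits")
    print(f"P@55w0rd normalises to {undo_leet('P@55w0rd')!r}")
    print(f"rolls 31426 select list entry {dice_rolls_to_index('31426')}")
    print(f"sample passphrase: {diceware_passphrase(6)}")
```

The arithmetic is the whole argument for the first point: sixteen random lowercase letters (about 75 bits) beat ten characters drawn from all 95 printable ASCII symbols (about 66 bits), and six diceware words from the real list (about 78 bits) beat both while being far easier to memorise. Note that these figures hold only for passwords chosen uniformly at random; `undo_leet` shows why a mangled dictionary word is not in that category.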

Via Khoi Vinh, who goes on to examine the poor user experience of passwords across platforms and products that almost encourages carelessness.

Passwords are a design problem – Subtraction.com
Create six different accounts at six different web sites and you’ll very likely encounter six different approaches to encouraging and enforcing password strength and security, some egregiously lax and others excessively restrictive. That inconsistency alone undermines much of the vigilance that otherwise responsible users might bring to password creation.

Author: Terry Madeley

I enjoy reading about art and design, culture, data, education, technology and the web. I'm confused by a lot of it, to be honest.

3 thoughts on “Pragmatic password pointers”

  1. I must admit my pet hate to be sites that place length restrictions on passwords. Most of mine are between 20 and 40 characters. Why do some sites restrict to 20? It makes me wonder whether the passwords are stored in plain text in a 20-character field in a database.

