A Realistic View of Passwords

Nick Ioannou
4 min read · May 5, 2020

Pick a card, any card. Don’t show it to me; memorize it and associate it with a phone number you use regularly. Now pick another card. Memorize that one and associate it with another phone number. Now work your way through the entire pack, repeating the process without writing anything down. Do you think you could manage that? If you are a memory world champion, it’s pretty straightforward; for the rest of us it gets a bit more complicated. Yet that is what we are all asked to do on a regular basis.

Let me rephrase it slightly. Instead of “pick a card”, try “pick an online service or website, associate a unique password with it (one that includes a mixture of numbers and maybe symbols) and memorize it”. Now do this 30–50 times, because, believe it or not, most of us have at least 30 different online services that we use. If you do not think so, try making a list. Here are a few to get you started:
• online banking or money related (bank, PayPal)
• utility supplier (gas, electricity, water, internet, telephone)
• government related (tax, licenses)
• online services (email, social media, Apple ID, Microsoft or Google account)
• online stores (food retailers, clothing or department stores, Amazon)
• digital services (Netflix)
• fast food delivery account
• taxi or delivery services

So, asking everyone to create unique passwords, not write them down, and change them on a regular basis is, let’s face it, completely unrealistic. Which is why people use only a small set of passwords (sometimes just one) and write them down, because that is the logical thing to do. Password managers are the answer in many cases, but they are not for everyone. There are quite a few mainstream password managers with free tiers, including LastPass, Dashlane, F-Secure KEY and RoboForm, to name a few, but many people find they need the premium paid-for features, are not willing to pay the subscription, and so revert to using a small set of passwords.

Any small set of passwords inevitably leads to password reuse, which is a major problem in today’s online world, because it allows criminals to take a username and password stolen from one site and try it against many others with automated credential-stuffing scripts or bots. So perhaps writing passwords down in a physical notebook is the lesser evil, if it means you have a unique password for every account. Really bad handwriting works as an obfuscation technique, coupled with 2–3 extra characters at the end of each written password that are not actually part of it, in case your notebook falls into the wrong hands. Still, the risk of a lost notebook is minimal compared to reusing bad passwords across online services.

Also, many account compromises have come about not just because bad passwords are being used (there are plenty of top-100 lists compiled, like SplashData’s worst passwords list), but because of password reuse (i.e. the same email and password combination on more than one service). Even a good, strong password is of little use if the service behind the account is compromised, all the credentials are stolen en masse, and that password has been reused elsewhere. Two-step verification can greatly help, so long as the second step (like a one-time code sent to an email address) is not protected by the same password, which would make it pointless. Two-step verification, or two-factor authentication (2FA) as it is often called, is more secure with a mobile authenticator app like Google Authenticator, though there are others from Microsoft and LastPass. The app holds a secret that was enrolled when you scanned the QR code, and generates a fresh code from that secret and the current time, so someone not only needs to know your login credentials but also needs access to your mobile. There are also physical token devices like the YubiKey, which you just plug into your laptop or computer and touch when prompted, if you don’t like the idea of using your mobile.

You can gain some protection from the effects of a data breach by signing up for the free ‘notify me’ feature at https://haveibeenpwned.com, which emails you if one of your accounts appears in a breach, saving you the need to check regularly yourself. If you are alerted, it is best to change the password for that particular service (and anywhere else you used the same one); just make sure you do not follow any links in the email to get there, but instead visit the service manually from a bookmark or by typing the address.

Even the word ‘password’ needs reconsidering: think passphrases instead. String three unrelated words together and throw in a number or two and some capital letters. Maybe add some special characters like !”#$%&’()*@?+-: if the system supports them. Passphrases are easier to remember and, more importantly, easier to create unique combinations of for new or updated passwords. If you get stuck, play a quick game of ‘I spy with my little eye, something beginning with…?’ to pick the first two words, then pick an animal or a colour. Just avoid words that are obviously connected to you or to each other; the strength comes from the words being a surprising combination.
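As an added illustration (not the author’s code) of why three random words work, the following generator draws words with the operating system’s random source and puts a number on the end as the paragraph suggests, and the `entropy_bits` function shows how the guessing effort grows with the word count and the size of the list the words are drawn from. The 25-word list is constructed for the demo; a real word list such as the EFF long diceware list has 7776 entries, and the same formula applied with `list_size=94` gives the figure for a fully random printable-ASCII password, so the two styles can be compared directly.

```python
import math
import secrets

# Constructed word list for the demonstration only. A real list (e.g. the EFF
# long diceware list) has 7776 words; a bigger list means more entropy per word.
WORDS = [
    "anchor", "blanket", "cactus", "dolphin", "engine", "feather", "giraffe",
    "hammer", "island", "jacket", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "tunnel", "umbrella",
    "velvet", "walnut", "yogurt", "zipper",
]


def generate_passphrase(words=WORDS, count=3, digits=2, sep="-"):
    """Pick `count` words and `digits` digits using the OS CSPRNG (secrets), never
    random.random(). Capitalising every word deterministically helps memory but
    adds no entropy; the randomness is entirely in which words were chosen."""
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    parts = chosen
    if digits:
        parts = chosen + ["".join(secrets.choice("0123456789") for _ in range(digits))]
    return sep.join(parts)


def entropy_bits(count, list_size, digits=0):
    """Guessing entropy when each word is drawn uniformly from `list_size`
    candidates and each trailing digit uniformly from 0-9. With list_size=94 and
    digits=0 the same formula gives the entropy of `count` random printable
    ASCII characters, so it also describes a conventional random password."""
    return count * math.log2(list_size) + digits * math.log2(10)


if __name__ == "__main__":
    print("example:", generate_passphrase())
    print("3 words from this 25-word demo list: %.1f bits" % entropy_bits(3, len(WORDS)))
    print("3 words from a 7776-word list:       %.1f bits" % entropy_bits(3, 7776))
    print("3 words + 2 digits, 7776-word list:  %.1f bits" % entropy_bits(3, 7776, 2))
    print("4 words from a 7776-word list:       %.1f bits" % entropy_bits(4, 7776))
    print("8 random printable ASCII characters: %.1f bits" % entropy_bits(8, 94))
```

The numbers are the practical takeaway: three words from a large list are roughly 39 bits, four words are about 52 bits, which is on a par with eight completely random characters, and the four-word version is the one a person can actually remember and type. The `entropy_bits` figure only holds if the words really are chosen at random, which is why the generator uses `secrets` rather than a guessable source, and why the I-spy trick in the text should be treated as inspiration for unrelated words rather than a substitute for randomness.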

Biometrics are often hailed as the answer to passwords, but remember, you cannot easily change your fingerprints or face if the system storing them is compromised; there is no ‘update password’ option. So a realistic view of passwords is the best we can work with for now, because despite what you hear in the news, they are not going away any time soon.

Nick Ioannou

IT professional, blogger, author & public speaker on cloud/security issues, with over 20 years’ corporate experience. More resources at www.booleanlogical.com