Today every website wants you to register, log in and have a unique password. The result is that everyone uses a program or their browser to store their passwords. That makes your passwords less secure, because I only need to hack your browser.
Why do you need passwords?
Every website wants you to have a login and password to:
- Know who you are to focus on selling their product to you.
- Protect your privacy.
You must register and provide a login and password. The websites use that login to know who you are and market their products to you. How often have you registered on a website, and you get emails from them with the greatest information or deal? That is their number one reason to know you. You don’t get the best deals if you don’t have an account.
The second important reason to register is to protect your privacy. If you apply for a great job and anyone with your email can access the information, reject a job offer, and change your address, your privacy is at risk.
How would this requirement to register at every store work for you in the real world?
You go to your favorite store down the street and have to register before you get to see any deals or specials, or ask a question. You must register and then log in to do anything. Now you go to the store next door for coffee and have to register to order anything. Now you go to the bookstore and must register with them. They all have an app they want you to download. That would suck. But we all accept it online.
Passwords for websites are not bad. Protecting your privacy and not letting anyone access your account, credit cards, etc. is a good thing.
The title ‘Your Passwords Need Protection’ is trying to make you think about why you need a password and why they need protection.
Password requirements are different on each site
Today every website wants a unique password. They have requirements for the minimum password. Most websites today also have an application (app) – there is an app for that.
Here are some password requirements for popular web sites:
Facebook:
Passwords must contain at least one character from 3 of the following:
- Lowercase characters (a-z)
- Upper case characters (A-Z)
- Digits (0-9)
- Special characters, including punctuation marks and symbols.
Twitter:
Use a strong password that you don’t use on other websites. Your password should be at least 10 characters long and use a mix of uppercase, lowercase, numbers, and symbols. Use passphrases, not passwords. Do not use common dictionary words or phrases – these are predictable and easy to compromise.
Apple:
Apple requires that you use a strong password for your Apple ID—eight or more characters, including upper and lowercase letters and at least one number. Never share your Apple ID password, verification codes, or account security details with anyone. Don’t use your Apple ID password with other online accounts.
The list goes on. They are all different. The worst part is when special characters don’t work on some sites but do work on others. Now your random password has to know what not to include.
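The three rule sets quoted above, plus a site that rejects some symbols, written as a checker and a generator. This is an added example, not code from the original post; the `picky_site` policy, its symbol list and the function names are assumptions made for illustration.

```python
import secrets
import string

# Rules as quoted on this page. No minimum length is quoted for Facebook, so 0 is
# used here. "picky_site" and its accepted symbols are constructed for the example.
POLICIES = {
    "facebook":   {"min_len": 0,  "required": set(), "min_classes": 3},
    "twitter":    {"min_len": 10, "required": {"lower", "upper", "digit", "symbol"}},
    "apple":      {"min_len": 8,  "required": {"lower", "upper", "digit"}},
    "picky_site": {"min_len": 8,  "required": {"lower", "upper", "digit", "symbol"},
                   "symbols": "!@#$"},
}

def classes_for(policy):
    """Character classes a site accepts; symbols default to all ASCII punctuation."""
    return {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": policy.get("symbols", string.punctuation),
    }

def violations(password, policy):
    """Return a list of reasons the password fails the policy (empty if it passes)."""
    classes = classes_for(policy)
    allowed = "".join(classes.values())
    present = {name for name, chars in classes.items() if any(c in chars for c in password)}
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    bad = sorted({c for c in password if c not in allowed})
    if bad:
        problems.append("characters not accepted: " + "".join(bad))
    for name in sorted(policy["required"] - present):
        problems.append(f"missing {name}")
    if len(present) < policy.get("min_classes", 0):
        problems.append(f"needs {policy['min_classes']} character classes")
    return problems

def generate(policy, length=16):
    """Draw random passwords from the site's accepted alphabet until one passes."""
    alphabet = "".join(classes_for(policy).values())
    length = max(length, policy["min_len"])
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, policy):
            return candidate
```

The same password can pass one site and fail the next, which is why a generator has to be told each site's accepted symbols rather than using one fixed alphabet.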
How do you remember all those unique passwords?
Every password needs to be different to protect you. Then if someone figures out one password, they can’t get to any other information. Your bank account is still safe.
How do we manage or remember all the passwords?
There are two options that people use. First, they ignore the request for a unique password and use the same password everywhere. This is not safe, because if a bad person (bad actor) gets your password, they have access to all your accounts. Second, people create different passwords and then put them somewhere a bad actor can access. This is where the real blog begins.
If you have a file with all your websites and passwords how secure is that file?
Is your browser storing passwords? Mine is storing passwords, which means all someone needs is the login I use on my browser and they will have all my passwords. It is very convenient and very dangerous. How strong is the account password for your browser account?
Are you using your phone? Today your phone is a device I can take from you, then hold it up to your face to unlock it and get all your passwords.
Are the passwords on your computer? The device that uses your face, or uses a four-digit PIN? So, you are protecting your (minimum 8 characters with punctuation) passwords with a four-digit PIN? If I get or guess your PIN, I have access to everything.
What do you do? Today you don’t have much choice. The websites will require you to register. They need your details. You will download those apps, register, and get the convenience. If you are like most people, you rely on browser password storage or app password storage.
If you are required to log in, you say you forgot your password and force a reset. This allows the browser or app to update, and you are good again, for a while.
More sophisticated users are using multi-factor authentication (MFA). This could be a text to your phone, or a special application (yes, another app) that provides a changing number to log in. If it is a text to your phone – the phone that was taken from you – the bad guy will now change your password. If you use an app, you can set up 2FA, which will slow them down.
You can tell your phone (Apple or Android) to require a login password. This happens when you reboot, but you can do it anytime. This would require you to remember to do this and remember how to engage this function.
My recommendations:
- Don’t use the same password everywhere. Use good passwords.
- Because you are using different passwords, get an app to help. Yes, another app. I use KeePass on my phone and laptop. It requires a password to open the database. This password needs to be good.
- Let your browser store the information but clear the information every few weeks. It will add some frustration but helps keep your information out of the bad guy’s hands.
- Use guest logins, and purchase with guest checkout, especially on websites you probably won’t visit often. They may complain about providing support. But you will have a receipt in your email. If they complain, give them a bad review.
- Give feedback about the always-different requirements for passwords: eight or ten characters, which punctuation (special symbols) is allowed.
Remember, the websites don’t care if you are hacked. If you follow the website rules to make a password and are hacked at another site, it is your problem.