Kitz Forum

Computer Software => Security => Topic started by: jelv on January 31, 2020, 10:19:50 AM

Title: Advice on passwords from Which
Post by: jelv on January 31, 2020, 10:19:50 AM
https://www.which.co.uk/news/2020/01/how-secure-is-my-password-which-computing-editor-explains-the-dos-and-donts/?utm_medium=Email

For once, some sensible advice from Which.
Title: Re: Advice on passwords from Which
Post by: 4candles on January 31, 2020, 01:44:51 PM
Aye - credit where it's due.
Title: Re: Advice on passwords from Which
Post by: Chrysalis on February 01, 2020, 06:54:03 PM
Thumbs up from me for this tidbit.

I did wonder if they would advise regularly changing passwords, and surprisingly they do not.

Quote
Should I change my passwords periodically and if so, how often?
No. That used to be the advice, but we now know that people tend to cycle increasingly weak passwords if they’re forced to change them regularly. Best practice now is to have a strong password and only change it if you think it’s been compromised in some way.
Title: Re: Advice on passwords from Which
Post by: sevenlayermuddle on February 01, 2020, 10:12:09 PM
I agree with some of what they say. 

But they don’t really address a specific issue which is, the more passwords you have, the harder they’ll be to remember.   One solution to this is... avoid creating password protected services in the first place.   

If an online merchant from whom you are purchasing won’t let you check out as ‘guest’, buy from a different merchant.   

If BBC won’t let you use iPlayer without an account, don’t use iPlayer.

And don’t subscribe to Which?,  as that’ll mean yet another password.  ::)
Title: Re: Advice on passwords from Which
Post by: Weaver on February 02, 2020, 12:04:05 AM
I find the create strong password function in newer releases of Safari very valuable - it means that the cost of maintaining many strong passwords is reduced greatly.
Title: Re: Advice on passwords from Which
Post by: jelv on February 02, 2020, 09:42:07 AM
Quote
But they don’t really address a specific issue which is, the more passwords you have, the harder they’ll be to remember.

I have well over 200 different passwords - some only used once or twice. But remembering them is not an issue - because I don't try to! As Which recommend I use a password manager (Keepass (https://keepass.info/)) so I only have to remember one password.
Title: Re: Advice on passwords from Which
Post by: sevenlayermuddle on February 02, 2020, 10:44:40 AM
Quote
I have well over 200 different passwords - some only used once or twice. But remembering them is not an issue - because I don't try to! As Which recommend I use a password manager (Keepass (https://keepass.info/)) so I only have to remember one password.

Problems with password managers include

A) That they are a single point of failure if compromised.   For example, I do use Apple’s iCloud keychain, which is super easy and really really secure.    But if my iCloud account were ever compromised, every single one of these accounts would effectively be hacked, in one foul swoop.

B) That the really really good machine-generated passwords it generates are impossible to remember.   So if I want to log in to such an account but I don’t have my iPhone or other signed in iCloud device to hand, I’m stuffed.

So yes, password managers help to cope with masses of passwords. But a better solution is still to simply avoid using services that require password protected accounts. I use strong passwords for banking, mail, etc. But for an occasional purchase from an online retailer, I just check out as guest - or if they won’t let me, I find a different retailer.


Title: Re: Advice on passwords from Which
Post by: Weaver on February 02, 2020, 08:18:00 PM
I hear 7lm. The convenience of having stored delivery addresses and stored credit card info is so great for me that I couldn’t live without it. I hate all the hassle of filling the forms in and so for example Amazon is my ideal with 1-click ordering and zero grief. I always create an account at every shop I use. I give bogus personal details for all the unnecessary things though, stuff that they have no right demanding. For example the password-reset questions have bogus ridiculous answers to them. The answers are unpredictable and are stored by me in case ever needed for actual password recoveries. It’s far more secure to always give bogus personal info though anyway. People have been ripped off and their identities stolen by evil family members; I seem to recall a woman whose evil sister had taken out bank loans or mortgages in her sister’s name.
Title: Re: Advice on passwords from Which
Post by: Chrysalis on February 02, 2020, 10:37:05 PM
Quote
I agree with some of what they say.

But they don’t really address a specific issue which is, the more passwords you have, the harder they’ll be to remember.   One solution to this is... avoid creating password protected services in the first place.   

If an online merchant from whom you are purchasing won’t let you check out as ‘guest’, buy from a different merchant.   

If BBC won’t let you use iPlayer without an account, don’t use iPlayer.

And don’t subscribe to Which?,  as that’ll mean yet another password.  ::)

The idea is you don't remember them all; if they are easy enough to remember, then they may well be too weak. Use a password manager.
Title: Re: Advice on passwords from Which
Post by: sevenlayermuddle on February 02, 2020, 11:14:40 PM
Quote
The idea is you don't remember them all; if they are easy enough to remember, then they may well be too weak. Use a password manager.

You did notice reply #6 above?
Title: Re: Advice on passwords from Which
Post by: sevenlayermuddle on February 03, 2020, 12:20:06 AM
I noticed that when completing the dreaded tax return, login via HMRC’s Government Gateway nags me to set up and remember (but keep secret) a ‘recovery word’, to help regain access to my account if I forget my password.

So far I have ignored the nagging.   Their logic fascinates me.   They are acknowledging that people have imperfect memories and may forget passwords, and that’s fair enough.   Yet they are dealing with this fact, that people may forget things, by asking them to remember an additional thing. :D
Title: Re: Advice on passwords from Which
Post by: Chrysalis on February 03, 2020, 04:35:19 AM
Quote
You did notice reply #6 above?

Never said it was perfect, but for sure the lesser evil.

Note though I don't use "online" password managers.

Those memorable phrases are probably a weak link, e.g. mother's maiden name is commonly used, all family members will know the answer to that one, so would possibly be able to get access to accounts.