2022-11-24

Passwords - yes, again

 


It's National Check Your Passwords Day today (in the Netherlands). This is an initiative of tech website Tweakers and the Public Prosecution Service, and the intranet editors asked me to dedicate an extra blog to this day. I am always open to special requests, which I then give substance to in my own way.

First let’s take a look at the initiative's website. It states the following: As an internet user you are confronted with many websites that require you to create a user account and choose a password. Many people find it difficult to come up with and remember all those different passwords. Unfortunately, this means that many Dutch people do not handle their passwords securely, for example by choosing passwords that are easy to guess, or by reusing passwords. Through the National Check your Passwords Day, we want to make people aware of this and explain that coming up with and remembering good passwords does not have to be difficult.

The password tips page, to my surprise, only contains four tips. Let's take a look at those tips. Number 1: Use a password of at least eight characters. Well, eight characters is an echo from the past, I’m afraid. Today, twelve is considered a safe minimum. Maybe they are afraid that passwords that long would be too difficult to remember? There’s an app for that; see below.

Tip #2: Never set a single word as your password. Agreed, because then your password would be in the dictionary and hackers are very good at automatically checking captured password files against a dictionary. So a password like bungalow doesn’t stand a chance. It’s just as bad as bung@l0w, by the way, because that trick is also in the hacker dictionaries.

The third tip is: use at least one word and a number combination that only you know. So something like bungalow2022? This will at least make the password longer, and length is really the most important factor. Unfortunately, the recommended number combination tends to be a year, birthday or the pin code of your bank card, which does not really make the password stronger and may even introduce a risk (yes, I mean that pin code).

But luckily they state in tip #4: don't use dates of birth, addresses or anything else that is easy to guess. I totally agree with that. This tip is mainly intended to avert targeted attacks. If an attacker has his eye on you instead of just anyone, he will use everything he can find about you for his attack. All personal information, even if it is far-fetched, is therefore taboo for use as (part of) a password.
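The checks discussed in tips 1 to 4, as an added Python sketch that is not code from the Check Your Passwords site or from this blog: it undoes common character substitutions and a trailing number before the dictionary lookup, which is why bung@l0w and bungalow2022 fare no better than bungalow. The tiny wordlist, the substitution table and the `check_password` name are assumptions made for the example.

```python
# Constructed sample wordlist; a real check would load a large dictionary.
WORDLIST = {"bungalow", "password", "welcome", "banana"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
                      "5": "s", "$": "s", "7": "t", "!": "i"})

MIN_LENGTH = 12  # the minimum this post recommends instead of eight


def check_password(password, personal=()):
    """Return the list of tips a password violates.

    `personal` holds strings tied to the user (name, street, birth year).
    An empty result only means none of these checks fired, not that the
    password is strong.
    """
    findings = []
    lowered = password.lower()

    # Tip 1: length.
    if len(password) < MIN_LENGTH:
        findings.append("too short")

    # Tips 2 and 3: split off a trailing number, undo substitutions,
    # then look up both the whole password and the remaining stem.
    stem = lowered.rstrip("0123456789")
    digits = lowered[len(stem):]
    candidates = {lowered.translate(LEET), stem.translate(LEET)}
    if candidates & WORDLIST:
        findings.append("dictionary word")

    # Tip 3 caveat: a year is the first number an attacker appends.
    if len(digits) == 4 and digits[:2] in ("19", "20"):
        findings.append("year suffix")

    # Tip 4: anything findable about the user is off limits.
    if any(p and p.lower() in lowered for p in personal):
        findings.append("personal information")

    return findings


if __name__ == "__main__":
    for pw in ("bungalow", "bung@l0w", "bungalow2022"):
        print(pw, check_password(pw))
```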

After the numbered tips on the website, there are still a few extra tips. For example, you shouldn't write your password on a post-it note. And about security questions - there are still sites that require you to provide the name of your first pet, school teacher or sweetheart, or answer similar questions - they tell you not to choose questions that others know the answer to. Let me express this a little stronger: Lie! What is your place of birth? Banana. What was your first school teacher's name? Government. Of course you have to save those lies somewhere, otherwise they are of no use.

And that brings me to the promised solution to remember all those secrets: the password manager - an app that remembers your passwords and other secret information for you, while you only have to remember the password of that app. According to research commissioned by Tweakers, only 7% of the Dutch use such an app. That’s a very low percentage. So here's a call to the other 93%: download a password manager now and start using it. See which one suits you best; the website lists only three, but there are many more (pssst: my favorite is Bitwarden). And an extra tip: password managers are also great at coming up with strong passwords.

This is a Security (b)log special. That's why there is no news from the big bad world this week.
