Passwords

Let’s see. Experts say everyone should have a unique password for every website.

Which you should change on a regular basis.

PG just counted the number of passwords he has for websites beginning with the letter “A”.

There were 104 Letter A sites.

No, PG is not going to count the number of passwords for sites beginning with something other than the letter “A”.

Why not just memorize a unique password (and sometimes a unique user ID as well) for each site PG visits?

Of course, there are 26 letters in the alphabet. If website names beginning with the other letters of the alphabet were also that numerous (they’re not, but this is PG’s hypothetical), that would mean that PG had to remember 2,704 different passwords, containing both letters and numbers, with various minimum character counts required by more than one site.

When Mrs. PG asks him to go to the grocery store to pick up a few things, she usually provides PG with a written shopping list.

PG is almost always happy to help, but if Mrs. PG gave him a grocery list that contained 2,704 different items to pick up, even if she gave him a list, he might have to draw a line. Or put his foot down. Or something else.

If Mrs. PG asked PG to memorize a grocery list containing 2,704 items to pick up (including every flavor of yogurt and every type of soup), PG’s mind would turn to mush.

Fortunately for PG, although he’s not aware of any grocery list software, he has used a password manager for a very long time.

The Best Password Managers to Secure Your Digital Life

From Wired:

Password managers are the vegetables of the internet. We know they’re good for us, but most of us are happier snacking on the password equivalent of junk food. For seven years running, that’s been “123456” and “password”—the two most commonly used passwords on the web. The problem is, most of us don’t know what makes a good password and aren’t able to remember hundreds of them anyway.

The safest (if craziest) way to store your passwords is to memorize them all. (Make sure they are long, strong, and secure!) Just kidding. That might work for Memory Grand Master Ed Cooke, but most of us are not capable of such fantastic feats. We need to offload that work to password managers, which offer secure vaults that can stand in for our memory.

A password manager offers convenience and, more importantly, helps you create better passwords, which makes your online existence less vulnerable to password-based attacks. 

. . . .

Why Not Use Your Browser?

Most web browsers offer at least a rudimentary password manager. (This is where your passwords are stored when Google Chrome or Mozilla Firefox ask if you’d like to save a password.) This is better than reusing the same password everywhere, but browser-based password managers are limited. In recent years Google has improved the password manager built into Chrome, and it’s better than the rest, but it’s still not as full-featured, or widely-supported as a dedicated password manager like those below.

The reason security experts recommend you use a dedicated password manager comes down to focus. Web browsers have other priorities that haven’t left much time for improving their password manager. For instance, most of them won’t generate strong passwords for you, leaving you right back at “123456.” Dedicated password managers have a singular goal and have been adding helpful features for years. Ideally, this leads to better security.

WIRED readers have also asked about Apple’s MacOS password manager, which syncs through iCloud and has some nice integrations with Apple’s Safari web browser. There’s nothing wrong with Apple’s system. In fact, I have used Keychain Access on Macs in the past, and it works great. It doesn’t have some of the nice extras you get with dedicated services, but it handles securing your passwords and syncing them between Apple devices. The main problem is that if you have any non-Apple devices, you won’t be able to sync your passwords to them, since Apple doesn’t make apps for other platforms. All in on Apple? Then this is a viable, free, built-in option worth considering.

Apple Passkeys and the “Death of the Password”

A concerted effort to get rid of the password began roughly two days after the password was invented. Passwords are a pain—you’ll get no argument here—but we don’t see them going away in the foreseeable future. The latest effort to get rid of the password comes from the FIDO Alliance, an industry group aimed at standardizing authentication methods online. 

It’s still early days, but Apple has implemented the FIDO protocols in what the company calls passkeys. Passkeys are a lot like passwords but are generated and managed by your device. You don’t need to do anything. Apple will store them in iCloud’s Keychain so they’re synced across devices, and they work in Apple’s Safari web browser. Passkeys are now available in iOS 16 and macOS Ventura, but there are some limitations. Websites and services need to support the FIDO Alliance’s protocols, which, at the moment, most don’t. We expect that to change rapidly though. Since Apple is using the work of the FIDO Alliance behind the scenes, passkeys will eventually also function with Google, Microsoft, Meta, and Amazon’s systems.

You might be wondering if passkeys are different from passwords. They really aren’t. They’re generated key pairs instead of passwords. If you are familiar with GPG keys, they’re somewhat similar in that there’s a public and private key; the site has a public key and verifies your identity by requesting the private key from your device. While passkeys aren’t a radical departure, they’re still an improvement by virtue of being pre-installed for people who aren’t going to read this article and immediately sign up to use one of the services below. If millions of people suddenly stop using 12345678 as a password, that’s a win for security. 

Should you use them? If you’re all in on Apple devices, then jump in wherever they’re supported. Support outside the Apple ecosystem will come with time. Dashlane, one of our picks below, has already announced it will support passkeys so you can manage both legacy passwords and passkeys in a single service. Expect other existing services to follow suit. 

If you use a variety of devices, you might want to hold off on adopting passkeys. While there is a workaround for other devices, it involves QR codes and looks a bit cumbersome. We expect Android, Windows, and other platforms to begin rolling out their own support for FIDO Alliance protocols in the future, at which point we’ll start testing and figure out the best way to navigate the passwordless future.

Link to the rest at Wired

The OP continues by discussing a variety of different password managers (some free) that you can utilize to store (and usually create) a password that nobody else is likely to guess or use. You’re a unique human; you need several thousand unique passwords. Get used to it.

(Digression: PG wants to get a t-shirt that says FIDO Alliance.)

2 thoughts on “Passwords”

  1. Belt & suspenders, buddy — belt & suspenders.

    In addition to my password manager, I have a master text file (long-password-protected) with all the passwords (and some tips on usage & accounts where appropriate) for all my access sites. Sometimes I have to do research there for complex sites (“which link?”) or for more-than-one-account situations, and it’s a rescue if ever I have a problem with the password manager itself.

    I use LastPass, which is an excellent password manager. I started with inadequate passwords at the dawn of internet time and am gradually replacing them as I’m prodded to, but the problem with proactively changing them isn’t just the quantity, it’s the time it takes on the target sites to go through the process there, which must be an order of magnitude longer than it takes to change them on the password manager itself.

  2. Trusting Wired on computer security is just about as reasonable as trusting Bernie Madoff with your investment portfolio.

    The key problem with passwords is that people think of them as single units — as words. So long as one doesn’t use particularly obvious sources (the Bible and Shakespeare are out) or sources directly connected to the user, passphrases (preserving capitalization, or not; substituting “special characters” for spaces, or not; partial leetspeech to add numerals and complexity — even mixing languages, or not) are vastly more secure and virtually never too short to be easily cracked… nor too long for an “authorized person” to recover. Like your executor getting into your password file so she can keep the mortgage payments current in probate (how I wish that was a hypothetical example).
