How can we best combine the need for an unhackable password with the ability to remember it? The experts offer some advice.
Password security will be the leading problem in the technology world in 2024. So says cybersecurity expert David Shipley, CEO and co-founder of Beauceron Security Inc., which is based in Fredericton., N.B.
“When it comes to passwords, we need to make them as secure, but also as usable as possible,” says Shipley, who clearly finds this problem challenging. “Those two things are counter-influencing magnetic poles.”
It’s a problem at least as old as computers. As Shipley says, we need passwords to keep our data secure, but we also need to be able to remember them to make the convenience of computing appealing.
And, Shipley says, the advice from the U.S. National Institute of Standards and Technology to come up with passwords that are complicated, use uppercase and lowercase letters, numbers and special characters has kind of backfired.
“What happened was — and the researchers who created [the protocol] acknowledged this a few years back — that people couldn’t remember these passwords, so they just started using the same password and adding a couple of different characters at the end. The problem [with that solution] is that even an old laptop running easily accessible hacking software can crack those passwords relatively easily.”
‘I’m a small fish’
The other serious part of the problem, says Terry Cutler, CEO of Cyology Labs and founder of the free cybersecurity app called Fraudster, is that lay people tell themselves they’re unimportant in the larger scheme of things and that hackers would have no use for them.
“A lot of folks, especially seniors, believe that ‘Hey, I’m a small fish; no one’s going to want to hack me,” Cutler says. “So they feel they’re not a target, but they don’t realize that because they don’t have the time, money or resources to deal with cybersecurity, it makes them a No. 1 target.”
Shipley agrees, and adds that criminal hackers are, by nature, highly intelligent, but also lazy, so they’ll go for targets of opportunity.
“That’s why they’re criminals and not productive members of society,” he says.
Too many passwords
The average person, Cutler adds, has about 50 different passwords rolling around in their head — everything from pins for an ATM machine, to alarm codes for their house and email passwords. And those passwords become increasingly hard to remember, especially as people are asked to change them frequently.
“They end up using passwords such as George123 that can be broken in moments,” Cutler says. “And they don’t realize that when they become part of a phishing attack, or if they get hacked, or if a database they’re registered on gets hacked [this even happened with Revenue Canada], they become susceptible to all kinds of other phishing attacks and frauds.”
He says we might receive an email that says, “Hey, [your name]: You don’t know me, but your password is this” — and it’s your real password. The hackers might then tell their victims that they have installed spyware on their computers and they have them on video and it scares them into fulfilling the hackers’ nefarious demands.
The password puzzle
Many of us have received those emails and immediately changed our passwords, which is the right thing to do, Cutler says, but how do we come up with one that’s hack-proof?
His advice is to make sure the password is between 16 and 25 characters that has a mixture of capital and lower-case letters. So he advises to come up with a simple phrase, such as: “I had a great day at work 2024!” and remove the spaces and capitalize each word.
“That password alone will take 10 years to break,” he says. “But since we’re here to up our game, if you replace all the letter Os with a zero and replace all the letter As with the @ sign, that password will take 39 years to break.”
For clarity, that password would be: IH@dAGre@tD@y@tW0rk2024!
But since we’re trying to be really proactive here, he also suggests enabling two-step verification where we receive an email or a text message with a code to enter to show it’s really us. That system is effective, Cutler says, but it’s also important to activate port protection with your mobile phone provider. Port protection restricts the ability to move your number to a different provider.
Cutler knows of a case where hackers got access to an old ignored Hotmail account which included all of the victim’s passwords and with that information, they were able to “port” the victim’s phone number and plan from Rogers to Bell, thereby eliminating her access to her phone, and allowing them to get all of the two-step verification texts that were being sent to her number. In the end, they managed to log into her bank account, drain it and also make some purchases on Amazon and eBay.
Many providers will have port protection, but it’s worth checking to make sure yours is activated. There is a small convenience price to pay for port protection, which is that if you decide to change carriers, you will have to go to your new carrier in person to make that change.
Packaging your passwords
Whenever there’s a problem to be solved, entrepreneurs come up with a product that does just that and that’s why we’ve seen plenty of password-keeping apps on the market. Cutler makes the point that the password manager is only as good as the company that sells it. If that company gets hacked, all of your passwords are in that one place and they are no longer secure either.
But these are handy apps and some are better than others. Shipley calls the Apple iCloud Keychain a “good, elegant password manager solution,” because when you sign up for a new service, it will offer you a randomly generated password. If it notices your passwords have been breached, it will give you a warning that your chosen password isn’t a strong one, and should be changed.
And for non-Mac users, Shipley suggests the Canadian company — 1Password — or Dashlane. These apps sync passwords across all of your devices. The likelihood of these apps getting hacked is lower than the likelihood of a person with poor passwords getting hacked, so it’s a decent risk to take.
Shipley also agrees with multi-factor authentication and suggests Google Authenticator and Microsoft Authenticator are both good apps for this purpose. “Multifactor authentication can cut down your risk of digital lock-picking or brute-force hacking by 99.9 per cent, according to Microsoft, and that was from a survey of billions of different attacks,” Shipley says. “It’s not perfect, but I like those odds much better than [those of] bad password hygiene.”
Keepass is the app that Kris Constable, global security expert and founder of PrivaSecTech, likes because it’s opensource. While lay people wouldn’t see this, he says there are no hidden back doors or secret things happening “under the hood” in this technology so it’s his preference. Constable does say Keepass requires some training to use while Apple is much more user-friendly.
Passkeys for the future
Constable says there’s a new security trend of randomly assigned passwords.
“You’ve probably seen it in email sometimes, you’ll log into a site and instead of a password, they send you an email with a six-digit code and you use it,” Constable says.
That’s the intro version of a passkey. Now there’s a physical fob available from Google, and each time you use it, there’s a new randomly assigned password.
“If your password is compromised, you care now, but in the future, it will all be randomly assigned and you won’t,” he says. Until the fobs are standard issue, we have the above advice to stay as organized and safe as we possibly can.