Passwords are important - they identify us
We use passwords to try to ascertain identity. So what are their pros and cons, and what should you do about it?
Did you know they are being replaced? Check out my article on Passkeys top find out what that means for you.
With passwords, you share something private
The idea behind a password is that it's something only you and the other party (e.g. your bank) knows, so you can say "I'm Elliot", which is a start, but then follow up with something others don't know "and my password is LetMeIn".
So your passwords mustn't be lost
So the security of a password comes down to others not knowing it. There's a few weaknesses there - you may not keep your passwords securely, you may use passwords that others can easily guess, you may have your passwords taken from you, your notepad (why were they there?) or your computer. But you're not necessarily the weakest link - you're trusting every website you visit to keep your passwords safe, and that isn't always the case - good encryption can be difficult to implement. Even with all your measures in place, others can just keep trying passwords for you until they strike it lucky. Fraudsters and the nosey can automate this, and use a computer to just keep trying passwords night and day until they get in.
Passwords are easy to use, and they're easy to lose
The benefit of them is that they're easy to understand, but there are so many disadvantages:
- If you use the same password on more than one website, then the weakest website will eventually be hacked and fraudsters will have your password for all websites
- You have to remember them - and your memory is bad. So you simplify them, which makes them more guessable and easy to find through automation
- They are easily discovered and remembered by others
- You're relying on the counterparty, e.g. your bank, to store your password - the key to your identity - securely. The vast majority of password leaks are via badly built or guarded websites.
Passwords are easy to guess
Maybe you don't think KittKat15 will be guessed by someone else, but it will be by a computer, as the following graph by Hive Systems shows. This is for 2023. It gets worse every year as computers get faster. The conclusion from this is to use long sentences for your passwords (when you have to) or let your password manager make up long strings for you. Short phrases with a number and punctuation will be guessed within a few hours, if not instantly by a computer.
You can & should be protecting against this
There are mitigations to these things, and you should be doing all of them.
- You should change passwords regularly (to protect against others having found it).
- You should create new passwords for each website you visit (to protect against losing them all when the weakest is compromised).
- Use long, random strings or sentences (to make it harder to guess, and harder to automate).
- To protect against others guessing your password, use Multi-Factor Authentication (MFA or 2FA) features.
Multi-factor Authentication (MFA) or Two-Factor Authentication (2FA) helps to ensure that the person entering a password is you. It does this by trying to work out if you have something with you that only you would have - by sending a code to your phone, or by your phone or dongle creating a predictable, unguessable 6-digit number that you share. This extra factor, what you have, is in addition to what you know - your password. Intercepting an SMS is easy, so the second option is better when possible.
None of these options are perfect, and unfortunately that's why you need good habits around passwords.
Use a password manager to do all this for you
All of this is simplified by using a password manager, which you absolutely should be doing in 2023.
Anyway. That's where we are today, and why people started looking at something new. Passwords were good for a period, but not suitable where we are today, with so much at stake with our digital lives and the connectedness and processing power available. If you want to see what's next, we talked about Passkeys recently.
So what's a password manager?
In short, this is the software on your phone or computer that looks after all your passwords for you. It might be built into your browser, or into the operating system of your device. A few well known ones are Apple Keychain, Microsoft Hello, Google Password Manager, 1Password, LastPass, DashLane, PassBolt, and BitWarden.
In addition to helping you to store your passwords in a secure way, they will offer new, long and complex ones when you need them, and syncronise them to your devices. They also help to create a new password for each website, and will often let you store encrypted notes and recovery keys. Keychain also builds in support for verification codes for MFA, which is separate for Google and Microsoft, amongst others.
ps. Do not share your passwords
Your password is your identity, it is your fingerprint and your signature. Do not share it with anyone, family, authorities or nice old ladies who offer you chocolate. If people need access, log them in, share a guest account, or use the features provided to otherwise grant other people access using appropriate sharing tools. Just not by sharing your identity. There are so many reasons for this: do not share your password.
You can share accounts without sharing passwords and identities
When both you and your family want to share access to the gas bill, or netflix, you should not be sharing passwords. Identification is about working out who you are (and only you are you). You don't want to share an identity; you want identities to share accounts.
In other words - to share an account, you should keep separate logins where it is possible, but allow both those logins access to an account (e.g. energy supplier). Most modern websites have allowed this for a while, and may accomplish it in many ways. For example, when you allow a device to share Netflix, it can be added by putting in a one-time pin rather than using someone else's credentials; and your utility supplier will often allow multiple logins/identies to be added to one utility account.
Finally, for almost all websites and jurisdictions, when you use someone else's password, you are breaking contract at best, and often committing fraud.