
Geek Speak… Password Managers

Issue 33.17

About 25% of the service calls I respond to include a problem with passwords. Either the client has forgotten one or more of them, or a password has gotten corrupted or might have been stolen and needs to be reset. The problem is, if you don’t know the password, you can’t get into the account to reset it.

Most banks, email clients and other secure institutions have two-step reset procedures that require you to have your cell phone number on file with them. You ask for a password reset, they text or call you and give you a code number and a web address. You go to the page suggested, type in the characters they send you, and you can then type in a new password. It is a somewhat complicated process, but it is probably necessary to keep other people from using the same process to get your password changed to one they can use and you cannot.

Current standards for passwords have changed in ways most of us would not have predicted. The Wall Street Journal recently published an article that reported the following: “Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of …(an) 8 page primer that advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers – and to change them regularly.”

His suggestions, made mostly from common sense, have been widely adopted by sites that desire security – even to the point of limiting the number of characters you can use to his suggestion that passwords should be from 6-12 characters long. Mr. Burr now says that he got it mostly wrong.

After 15 years of experience and further investigation, he now says that long phrases make better passwords: they are harder to hack or discover, as long as they are not obvious to others, and they are easy to remember. Phrases like “wewenttoveniceitalyin2014” are better than “P0+@to3” (in place of potatoe) and are easier to remember. The main improvement is in the number of characters. People usually use machines to try to crack your password, and the higher the number of characters, the more difficult it is for those machines to discover it, regardless of numbers, capitals, symbols, etc. He also said that evidence suggests that you do not need to change your password every 90 days, but that you should use different passwords for different sites, and that it is good to change them if you have any indication that someone is trying to hack the site or has already done so.
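The length-versus-complexity point can be put in numbers. The following is an added illustration, not part of the column or of the NIST guidance: it sizes the space a character-by-character guesser must search for the two passwords above, then re-sizes the phrase for a guesser that tries whole words. The guess rate, dictionary size and year range are assumptions.

```python
import math
import string

# Character classes an exhaustive guesser must cover (ASCII only).
POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]
GUESSES_PER_SECOND = 1e10  # assumed attacker speed, for illustration only


def pool_size(password):
    """Alphabet size implied by the character classes present."""
    return sum(len(p) for p in POOLS if any(c in p for c in password))


def brute_force_bits(password):
    """log2 of the candidates of this length over that alphabet."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0


def word_attack_bits(word_count, dictionary_size=10_000, extra_choices=100):
    """Search space when whole words are guessed instead of characters.

    dictionary_size and extra_choices (a year within one century) are
    assumptions; a grammatical sentence is weaker than random words.
    """
    return word_count * math.log2(dictionary_size) + math.log2(extra_choices)


def average_years(bits):
    """Expected search time: half the space at the assumed guess rate."""
    return 2 ** (bits - 1) / GUESSES_PER_SECOND / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("wewenttoveniceitalyin2014", "P0+@to3"):
        bits = brute_force_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, alphabet {pool_size(pw)}, "
              f"{bits:.0f} bits, ~{average_years(bits):.2g} years on average")
    # The phrase is six common words plus a year, so a word-level guesser
    # faces fewer candidates than the character-level figure suggests.
    print(f"phrase under word-level guessing: {word_attack_bits(6):.0f} bits")
```

Even under the word-level model the phrase stays well ahead of the seven-character password, but the gap is smaller than the character count alone implies, which is why the phrase should not be obvious to others.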

That still leaves us with the difficulty of remembering all those different passwords. Some people keep a notebook in their drawer with all their passwords listed (including all the passwords that they had previously for a given site, which can create much confusion). Others will put a document on their computer that has that information in it. Both can be stolen if someone is in your home or gets access to your computer.

This has given rise to password manager programs. With one of these, you remember one good password and the program automatically sets up or retrieves passwords for each site you enter. I have tried one that got the best reviews from PC Magazine and found it easy to use and effective. It is called LastPass, but there are many others that deserve your consideration. You can check the reviews at this link: https://www.pcmag.com/article2/0,2817,2407168,00.asp

Remember, it is good to use care in selecting and saving passwords, and remember to protect your data, documents, pictures and your computer, phone and tablet by always backing up anything important.

Shaun McCausland has worked in the computer industry for over 34 years, 27 years of it locally with Bits ‘N’ Bytes and Musicomp, and currently works as a computer consultant. If you have questions you can reach him at 435-668-7118 or mccausland.shaun54@gmail.com.
