12 User-ID / Password Management
Websites where you have an account typically require a minimum of 2 pieces of information for you to log into your account: a user-ID (user identification) and a password.
Your user-ID is often your email address, other times it is the account number or card number associated with the account.
Your password is something you create, and should be something difficult for others to guess, so it should not be based on any information someone could find out about you on Facebook, LinkedIn, or other social media websites. For example, your birthday, your spouse’s name, your pet’s name, your favourite sports team, etc. would all be POOR choices for a password.
Hacked User-IDs & Passwords Databases
There are many publicly accessible databases on the web listing user-IDs and passwords that have been hacked. Hackers may publish these databases for a variety of reasons, some of which include:
- to illustrate how weak the security was on the company’s computer systems that was hacked;
- a ransom was demanded to keep the hack secret, and it wasn’t paid;
- the database was on the dark web, and it was moved to the public web so that users would be aware that their login credentials have been compromised.
There is a service called “Have I Been Pwned?” which allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
The creators of this web site use the word “pwnd”, which is used by people who play video games. When one player completely annihilates another, the loser is said to have been PWND (i.e., owned, beaten, defeated).
For Apple devices, there is a new feature built into iOS 14 (and later versions) that monitors your passwords and notifies you if they are too weak, if you are reusing them, or if they show up in known data leaks. To access this feature, go to “Settings” then “Passwords”, then “Security Recommendations”.
Dangers of Password Reuse
“Bad actors” and hackers look at the email addresses and passwords that have been dumped online after being stolen from one website and then check to see whether the same credentials will work on another website. This obviously is a security issue if your reused user-ID and password are being used at a financial institution or any website where you have a credit card on file.
Also, in a disturbing example of what else can happen, “bad actors” reused hacked login credentials to gain access to a family’s webcam (which had a built-in intercom) in their 3 year old daughter’s bedroom, and played the soundtrack from a porn film over intercom.
Weak Passwords
Any of the following can contribute to having a weak password, i.e. one that is easily guessed or can be easily cracked using password cracking software:
- Too short. Any password less than 8 characters is generally considered too short.
- Default Password. Some devices (e.g. wireless routers, webcams) come with a factory default password that is the same on every device shipped from the factory. On wireless routers, it was common to see the word “admin” used for both the user-ID and password. This password is meant to be changed by the person who buys the device, but very often it is not, so the factory default password would allow access.
- Common. Words in the dictionary, proper names, words based on the username.
- Hacked User-IDs & Passwords Databases. Analyzing hacked databases yields commonly used passwords. The United Kingdom’s National Cyber Security Centre compiled a list of the most commonly used passwords in 2019, from 100 million passwords leaked in data breaches that year.
| Rank | Password |
|---|---|
| 1 | 123456 |
| 2 | 123456789 |
| 3 | qwerty |
| 4 | password |
| 5 | 1111111 |
| 6 | 12345678 |
| 7 | abc123 |
| 8 | 1234567 |
| 9 | password1 |
| 10 | 12345 |
The number 1 in the above list, “123456” was used as a password approximately 2.5 million times.
Choosing Strong Passwords
To ensure a strong password, consider the following:
- length (the longer the better);
- a mix of letters (upper and lower case), numbers, and symbols,
- no ties to your personal information,
- no repeating letters or numbers, and
- (ideally) no dictionary words.
You can use the “How Secure Is My Password” tool at security.org to check the strength of your passwords.
Using a Password Manager
Managing passwords is a dilemma. Web security professionals will encourage you to have a different password for every web site you log into; however, how do you remember all these different passwords without writing them all down (which would also not be recommended unless this information was encrypted or hidden).
Password managers are meant to solve this problem. You only need to remember one password (the one to access the password manager), and the password manager takes care of creating unique and complex passwords that would be difficult to crack, and filling in the appropriate password for all the websites that you have accounts with.
The one caution about using a password manager is that if someone gains access to your password manager app, then they have access to all of your login credentials for every website the password manager is used for.
Not Using a Password Manager
If you are uncomfortable using a password manager, perhaps because all your passwords will be accessible through it, and you are not prepared to create unique passwords for all the different websites you log into, then consider having at least a few different passwords, rather than using the same password on every web site. At a minimum, have different passwords for:
- Email. Access to your email account is arguably the most important password you have, and this should be a strong password, and this password should not be used anywhere else. The reason for this is that your email account is potentially very powerful, as most other websites give you the option to reset a forgotten password by emailing yourself a link that can be used to change the password and access the account. So if someone gains control of your email account, then potentially they have the ability to reset passwords and take control of all your other accounts.
- Financial Transactions. For any web site you use that involves your money (i.e. your bank), you want a strong password to keep bad actors out. Also, if you have a credit card on file with a particular merchant’s website (i.e. your money is involved), ensure you have an appropriately strong password.
- Everything Else. For all those other web sites that deliver your news and other services that you don’t pay for, then a hacked password (while inconvenient) at least won’t end up costing you any money. If you are going to reuse passwords, do it where it could cause the least damage.
Browsers – Saved Passwords
Most modern web browsers (Chrome, Firefox, Safari, Edge, etc.) allow the browser to remember passwords. If you want to see if your computer’s browser is saving passwords and which passwords it has saved, typically you would go into the browser menu (three dots or three lines near the top right corner of the browser window, and then either look for a “Passwords” menu choice or a “Settings” menu choice (and then look for the “Passwords” choice). If you need assistance locating the passwords menu choice for your specific browser, just search the Internet for “how to view passwords in …” and put your browser name after the word “in”.
If you are looking on your smartphone or tablet, typically the “Passwords” are in the operating system “Settings” rather than in the browser.
Try it now, look at the saved passwords on your device. Since you can look at your passwords, then someone who has stolen your computer (or obtained remote access to it) could potentially do the same.
You will want to weigh the risks of someone accessing your browser passwords versus the convenience of using browser passwords when deciding if you want to use this feature.
Also, take into consideration whether your device has been set up to ask you for a password or passcode after a certain period of inactivity. If you are using saved passwords in your browser, your device should definitely have this auto-lock feature turned on.
Biometrics
Biometrics such as fingerprint recognition and facial recognition are now available as options to unlock later model smartphones and other devices.
Some apps on your smartphone offer the ability to log into the app (e.g. a bank) by using biometrics (e.g. your fingerprint). Be aware of what is happening here, you are not actually logging into your bank using your fingerprint, what you are doing is using your fingerprint to authorize the smartphone to send your bank password to the bank app, which will then log into your bank account. So if you have a weak password on your bank account, using biometrics doesn’t make that password any stronger.
Two Factor Authentication
With two factor authentication you need to authenticate two things to be able to log into an account, your username and password is one of these authentications, the second authentication factor is typically a single use 4 to 6 digit code. This code typically could be sent to you either by:
- A text message sent to your mobile phone;
- An automated voice phone call to either your landline or your mobile phone;
- An email to your email address on file.
Note, each time you log in you will get a unique 4 to 6 digit code, so you need to always use the most recent code that is sent to you. Additionally, these codes usually expire after a short period of time, so if you step away from your device before you finish logging in, you will likely need to request a new code when you return to your device.
Media Attributions
- https://haveibeenpwned.com/ by Troy Hunt has been designated to the public domain
- “Solutions for Society Biometrics – Creative Commons | Flickr” by NEC Corporation of America is licensed under a CC BY 2.0 licence.
- “2 factor authentication login screen of Commons app” by Misaochan is licensed under a CC BY-SA 4.0 licence.