john torrison president
   

The Club PUBlication  01/30/2023


​Tending to your online security is a hassle. But if you make one small improvement, you can declare victory.
By SHIRA OVIDE • Washington Post
​• Star Tribune illustration


The whole system of online passwords is dumb and unsafe.

Demanding that you create a unique, complicated password on hundreds of digital accounts is error-prone and annoying. Most of the advice you hear about passwords — including from technology journalists — is unrealistic, scolding and sometimes outdated.

Here are some tips for upgrading your password practices, including if you are dealing with a recent breach of a password vault called LastPass. Tending to your online security is a hassle. But if you make one small improvement, you can declare victory.

Also, keep this long-term mission in mind: Passwords must die.

There is hope. Just in the past few months, more websites and apps have started to let you ditch your password. Instead, your phone, fingerprint or face is proof that you are you.

Technologists have been promising a passwordless future for a long time. This won't happen soon. But internet security is broken beyond repair. We need to move past the password.

In the meantime, you are a security star if you take just one of these steps:
​
Use longer password phrases
To create the best password, try to make it at least 16 characters. The more characters, the more time hackers need to guess your password.

Security experts recommend using memorable phrases as passwords, with a twist. If you like nursery rhymes, try the password, "L1ttleMi$sMuffetSatOnATuffet," with a number and symbol replacing a couple of letters. Or mush together four words into nonsense like "TumblerElbowMerinoWoodpecker."

Not every online account lets you set up passphrases like that, because of requirements derived from obsolete government security guidelines.

You know you are not supposed to create easy-to-guess passwords like "RedSox04" or reuse your passwords on multiple sites. But no human can invent and remember hundreds of complex passwords.

Try to prioritize by creating strong passwords or passphrases for your most important accounts such as email, financial accounts and password managers.
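
An added example, not part of the original article: one way to build the four-word kind of passphrase described above and estimate how hard it is to guess. The word list, function names and figures are assumptions for illustration, and the estimate holds only when the words are picked at random rather than chosen by a person.

```python
import math
import secrets

# Constructed 16-word sample list (assumption, for demonstration only).
# A real diceware-style list has 7,776 words (five dice rolls per word);
# the size of the list is where most of the strength comes from.
SAMPLE_WORDS = [
    "tumbler", "elbow", "merino", "woodpecker", "lantern", "gravel",
    "pickle", "orbit", "saddle", "marble", "thistle", "canyon",
    "velvet", "harbor", "biscuit", "meadow",
]

_rng = secrets.SystemRandom()  # OS-backed CSPRNG, not the `random` module


def make_passphrase(words, count=4):
    """Join `count` words picked uniformly at random, each capitalised."""
    return "".join(_rng.choice(words).capitalize() for _ in range(count))


def passphrase_bits(list_size, count):
    """Entropy in bits when each word is an independent uniform pick."""
    return count * math.log2(list_size)


def random_chars_bits(alphabet_size, length):
    """Entropy in bits of `length` characters picked uniformly at random."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("sample:", make_passphrase(SAMPLE_WORDS))
    print("4 words, 16-word list  : %.1f bits" % passphrase_bits(16, 4))
    print("4 words, 7776-word list: %.1f bits" % passphrase_bits(7776, 4))
    print("16 random printable    : %.1f bits" % random_chars_bits(94, 16))
    print("words for 80 bits      :", words_needed(7776, 80))
```

Each extra bit doubles the number of guesses an attacker needs, so four words from a 7,776-word list (about 52 bits) is far stronger than four words from the tiny sample list (16 bits), even though both are longer than 16 characters.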
​
Try two-step authentication
Needing a password plus a second step to log into an account — such as a code that is texted to you — protects you much better than logging in with just a password.

If you can manage it, add two-step authentication to your essential accounts like email, social media and your bank accounts.

This is common online security advice that most people don't take. Don't blame yourself. It takes work and not all online accounts let you use two-step authentication.

Using a dedicated app for one-time codes like Authy, Microsoft Authenticator or Google Authenticator is more secure than receiving codes by text. But don't get too hung up on those details.

Use a password manager
(Note: I have been using 1Password for several years and highly recommend it.)
Services such as 1Password and Dashlane generate strong passwords on each of your accounts, store them in a digital lock box and fill them in automatically when you are on websites and apps.

You create a single password to your password vault, and these services save the rest.
​
Password managers aren't foolproof. But they are a smart investment in your online security.

Of course, password managers aren't necessarily cheap. Dashlane, for example, costs about $65 a year. But it's easy to use and worth the peace of mind. Plus, there's a little delight in typing in passwords and credit card numbers automatically.

A caveat about LastPass
LastPass, one of the better-known password-management services, recently disclosed that hackers stole copies of usernames and passwords.

LastPass told customers that they are probably safe because essential information including passwords was scrambled. That makes it harder for crooks to make sense of what they stole.

But Chester Wisniewski, an internet security researcher with the firm Sophos, said he has been alarmed about years of red flags with LastPass. He recommended that users consider switching to an alternative.

Wisniewski said he feels confident in password managers 1Password, Bitwarden and Dashlane.

However, Wisniewski also said that LastPass might still be a good option for you. An alternative like using your child's name as your password is far less secure.

Desired future: No passwords
Here's where things start to get promising.

Some companies, including Microsoft, Best Buy and PayPal, have started to give you the option of accessing your account with no password.

This isn't totally novel. Some apps let you log in with just your fingerprint or face scan — but it mostly works on your phone. You still have a password somewhere.
​
Now imagine you use your phone or another device, finger or face scan as the sole way you log in everywhere.

For example, you can delete your password from a Microsoft account and ask to log in without a password. Then when you tap on Skype on an Android phone or use Outlook email on your computer, you will be prompted to confirm a two-digit number you can see in the Microsoft Authenticator app on your phone. (Just unlock the Authenticator app with your fingerprint.) That's it.

Microsoft said nearly half a million people have removed the password from their accounts and opted to log in without a password.

This password-less system, which the technology industry is calling "passkeys," is now baked into Android phones, iPhones, personal computers and major web browsers.

It's worth rooting for passkeys to kill the password system for good, although this will take many years.

Hackers also can't steal passwords or trick you into giving them away if there are no passwords at all.

Even better, it's simpler to access your accounts with just your device, finger or face.

If your accounts give you the option of the password-less log in called passkeys, try it.

Everyone can benefit from a small security improvement or two, and it's never too late to start.
