malling u3a computer group · passwords passwords are needed for virtually every app. or website we...

Malling U3A Computer Group

Password ManagersChris Daly – 30th April 2018

Passwords Passwords are needed for virtually every app.

or website we access via PC, Laptop orsmartphone.

Most importantly use a strong password. NEVER use the same password on more

than one App. or website. Don’t forget a password.

There is lots of advice on how to create thebest and strongest passwords.

Strong Passwords

Strong PasswordsAfter reviewing five million passwordsleaked in 2017, SplashData released a listof the most popular, and thereforedangerous, passwords currently being used.There have been some changes in whatconstitutes the worst-of-the-worstpasswords.“123456” and “password” remain as the toptwo most popular passwords, but “starwars”is a newcomer to the list..

Strong PasswordsSplashData’s top 25 worst passwords in 20171) 123456 2) password 3) 12345678 4)qwerty5) 12345 6)123456789 7) letmein 8) 12345679) football 10) iloveyou 11) admin 12) welcome13) monkey 14) login 15) abc123 16) starwars17) 123123 18) dragon 19) passw0rd 20) master21) hello 22) freedom 23) whatever24) qazwsx 25) trustno1.

Strong PasswordsAccording to the traditional advice - which is stillgood - a strong password should:Have 12 Characters, Minimum: There’s nominimum length everyone agrees on, but youshould generally go for at least 12 to 14characters in length. A longer password would beeven better.Include Numbers, Symbols, Capital Letters,and Lower-Case Letters: Use a mix of differenttypes of characters to make the password harderto crack.

Strong PasswordsNot a Dictionary Word or Combination ofDictionary Words: Stay away from obviousdictionary words and combinations of dictionarywords.

– Any word on its own is bad.– Any combination of a few words, especially if

they’re obvious, is also bad. For example,“house” is a terrible password. “Red house” isalso very bad.

Doesn’t Rely on Obvious Substitutions: Don’tuse common substitutions, either — for example,“H0use” isn’t strong just because you’ve replacedan o with a 0.

Strong PasswordsA good strong password could begenerated by randomly striking thekeyboard :-

– NBY%$((BNbuj856we54jko90 – (24characters)

How could you ever remember that ?You would have to do it for every passwordand then remember them all.

Strong PasswordsTry to mix it up – e.g.

– “BigHouse$123” fits many of therequirements.

– It’s 12 characters and includes upper-caseletters, lower-case letters, a symbol, andsome numbers.

But it’s fairly obvious.– It’s a dictionary phrase where each word is

capitalized properly.– There’s only a single symbol.– All the numbers are at the end, and they’re

in an easy order to guess.

Strong PasswordsThe most important thing to remember is that the wordsneed to be random.“cat in the hat” would be a terrible combination becauseit’s such a common phrase and the words make sensetogether.“my beautiful red house” would also be bad because thewords make grammatical and logical sense together.“correct horse battery staple” or “seashell glaringmolasses invisible” are random.The words don’t make sense together and aren’t ingrammatically correct order, which is good. It should alsobe much easier to remember than a traditional randompassword.

PasswordsHow many passwords do you have ?How do you remember them ?Have you got them all written down in alittle black book ?Is the little black book in a desk drawer ?Is it locked away in a safe ?How secure are those places ?

Password ManagersRemembering unique passwords for allthe different websites we use can bedifficult.Password managers can be very usefulfor this and other functions.

– Generating unique passwords– Storing them in encrypted form.– Testing their “strength”

Password ManagersDepending on the type of passwordmanager used

– The encrypted database is either storedlocally on the user's device or

– Stored remotely through an online file-hosting service.

Password managers typically require auser to generate and remember one"master" password to unlock and accessany information stored in their databases.

Password ManagersWhat does the NCSC (National CyberSecurity Centre, a part of GCHQ) thinkof Password managers.

“Yes. Password managers are a good thing.They give you huge advantages in a world

where there's far too many passwords foranyone to remember.” (24th Jan 2017 on NCSCwebsite blog)

Password ManagersFrom NCSC blog :-

They make it easy for you to use long, complex, uniquepasswords across different sites and services, with no memoryburdenThey are better than humans at spotting fake websites, so theycan help prevent you falling for phishing attacksThey can generate new passwords when you need them andautomatically paste them into the right placesThey can sync your passwords across all your devices, soyou’ll have them with you whether you’re on your laptop, phoneor tabletIf security is difficult, tedious, appears to add no value or getsin the way of the main task we're trying to do, then we tend tofind (insecure) ways around it. And then we end up lessprotected.

Password ManagersSome browsers (chrome, firefox etc) offerto store passwords.Do not use this systemThese are not Password Managers.

The two top free Password managers are– LastPass– 1password

Password ManagersInstalls as a browser plug-in or extension to handlepassword capture and replay.When you log in to a secure site, it offers to save credentials.When you return to that site, it offers to automatically fill inthose credentials.If you've saved multiple logins for the same site, thepassword manager offers you multiple account login options.Most also offer a browser toolbar menu of saved logins, soyou can go straight to a saved site and log in automatically.Some products detect password-change events and offer toupdate the existing record.They can fill forms.

Password ManagersBrowser Plug-in or extension (LastPass)

LastPass

LastPass – Get started


1. Click - then follow the instructions to set up LastPass

LastPass – Get startedAdd a new site automatically

LastPass – Get startedAdd a new site manually

LastPass – Add new site

LastPass – Get startedOffers to automatically fill in credentials

LastPass – Get startedMultiple logins for same site

LastPass – Get startedGenerate password

LastPass – Get startedForm Filling

Password LeaksPassword leaks are so dangerous because manypeople use the same password for multiplewebsites.If you register for a website with your emailaddress and provide the same password you usefor your email account, that email/passwordcombination may be present on a list somewhere.Crackers can then use this email/passwordcombination to gain access to your email account.

Password LeaksEven if you use a different password for youremail account, they may try the email or accountname and password combination on otherwebsites to gain access to your other accounts.For example, crackers recently compromised over11,000 gaming accounts.They didn’t use keyloggers or compromise thegame’s servers – they just tried logging in usingemail address and password combinations foundon lists of leaked passwords.Players who reused a password that had alreadybeen leaked were compromised.

Password LeaksIf you’re curious whether your email address appears onone of these leaked password lists, you can use a toolthat quickly checks for you.Head to the main Have I Been Pwned? page andsearch for a username or email address.The results tell you whether your username or emailaddress has ever appeared in a leaked database.Repeat this process to check multiple email addressesor usernames.You’ll see which leaked password dumps your emailaddress or username appears in, which in turn givesyou information about passwords that might havebeen compromised.

Password Leaks

Passwords Your email account is the centre of your

online security. Websites generally allow you to change

your password as long as you can click alink in an email.

If someone else gains access to youremail account, it can be game over foryour other accounts.

malling u3a computer group · passwords passwords are needed for virtually every app. or website we...

Documents