Please stop using ‘12345’ as your password

Every year SplashData surveys the most common passwords and you know that the results are scary. I think it’s even scarier how they do it: they chart the passwords as revealed by leaked accounts and hacked systems, by all the many, many security breaches that are reported every year. There is always enough data to make the survey statistically significant, which means even if you haven’t had your password cracked, you probably use one of these and you are going to be hacked.

Here’s the top ten for 2014 from the most common to the least:

123456
password
12345
12345678
qwerty
123456789
1234
baseball
dragon
football

Dragon? What’s going on there? Anyway, the list continues so if you’re feeling smug, stop now. Unless your passwords are things like 17e£**jjli99Nn like my bank account’s one.
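
The list above is exactly what a service can screen new passwords against, and dressing a common word up with look-alike digits or a number on the end does not get it past that screen. The sketch below is an added example, not code from SplashData or from any password manager; the `screen` function and its substitution table are illustrative assumptions, and the deny-list is only the ten entries quoted here.

```python
# Added example: screen a candidate password against the 2014 top ten above,
# including "dressed up" variants. Names and substitution table are assumptions.
import re

TOP_TEN_2014 = [
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
]
DENY = set(TOP_TEN_2014)

# Common look-alike substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _strip_suffix(text):
    """Drop a trailing run of digits/punctuation, e.g. 'dragon2014!' -> 'dragon'."""
    return re.sub(r"[^a-z]+$", "", text)


def candidates(password):
    """Canonical forms a screening check should compare against the deny-list."""
    raw = password.lower()
    stripped = _strip_suffix(raw)
    # Strip before decoding, so a trailing '1' or '!' is not turned into a letter.
    return {raw, stripped, raw.translate(LEET), stripped.translate(LEET)}


def screen(password):
    """Return the deny-listed password this one reduces to, or None if it passes."""
    hits = candidates(password) & DENY
    # Walk the list in rank order so the reported match is deterministic.
    for common in TOP_TEN_2014:
        if common in hits:
            return common
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["Dr4g0n!", "P@ssw0rd1", "f00tba11", "123456",
                   "plum-harbour-ticket-91"]:
        print(f"{sample!r:28} -> {screen(sample)}")
```

A real deployment would run the same normalisation against a far larger list of breached passwords than these ten.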

Despite the scary list, by the way, SplashData does try to reassure you a bit. A bit:

“The bad news from my research is that this year’s most commonly used passwords are pretty consistent with prior years,” Burnett said. “The good news is that it appears that more people are moving away from using these passwords. In 2014, the top 25 passwords represented about 2.2% of passwords exposed. While still frightening, that’s the lowest percentage of people using the most common passwords I have seen in recent studies.”

“123456” Maintains the Top Spot on SplashData’s Annual “Worst Passwords” List

Read the full piece and then make me personally very happy by getting and using an app like 1Password. If I’ve met you, I’ve told you about this. I’m not as evangelical about this specific app as I am about, say, OmniFocus for To Do tasks, but I am telling you that you must get an app like it. Must. Seriously.

PS. I was kidding about my bank account password. You knew that. But I had to say it. I really, really had to say it.

The password is dead – ish

There’s a new move to get rid of the password. I think I’d rather miss them but it is a bit 11th Century, isn’t it? Halt! Who goes there? Are you fr1n3d or f03?

We have already reduced them a lot with apps like 1Password – you just remember one password, it remembers all the rest securely and also creates very strong new ones when you want – and then there are tools like Touch ID on iPhones. I don’t have an iPhone with this but I’ve used them and it is nothing short of spookily handy to be able to pick a phone up and have it already know it’s you.

Still, back to the news. Passwords are under threat and it’s about time too:

Passwords are a pain. They’re incredibly important for the security of our data, and yet they’re hard to remember and keep track of. Plus, it seems like we constantly have to change them as the result of some new hack or security breach. But the password’s days may be numbered: the FIDO Alliance—a non-profit composed of heavyweights like Microsoft, Google, VISA, MasterCard, PayPal, and more—has published its final specification for a system to kill the password, hopefully for good.
The specification is a bit technical, but what it boils down to is fewer passwords, hopefully. FIDO offers two options: a password-less login method, and a two-factor login method. In the former case, when you register with a new service, app, or site that uses FIDO’s technology, you choose how you want to authenticate that account (just as you would currently specify a username and password). But instead of a password, that method can be a PIN or a biometric factor—such as a fingerprint, a spoken passphrase, or facial recognition.

The Death Of The Password Starts Today (Maybe) – Dan Moran, Popular Science (10 December 2014)

Read the full piece. And while we wait for all this to happen, get yourself secure with 1Password. I’ve used 1Password 17 times this morning.

Keep 1Password 4 around after you upgrade

I’m waiting to hear back from the makers Agilebits and will update this as I can. But my copy of 1Password 5 is lacking five passwords – that I know of. It happens that I created five this week as part of a particular job so I both know they were in 1Password 4 and I needed them today for that work.

Not a sign of them in 1Password 5 or, where I first went for them, the mini 1Password in my Mac’s menu bar.

But they are all still there in 1Password 4.

Now, Agilebits doesn’t recommend you having two versions of 1Password and if they tell me that’s my problem, I’ll believe them. Except, I’d dragged 1Password 4 to the wastebasket.

It is a fluke that I hadn’t emptied it. And if I had, I’d have lost those passwords.

With the previous Dropbox bug that Agilebits had eventually copped to, that makes nine passwords I’ve lost – that I’ve found out about.

More when Agilebits responds.

An English professor on the dying art of the password

First passwords went from the “Open Sesame!” kind of literature to stuff we type to log on to things, then they went from actual words to incoherent symbols in an attempt to be more secure, now they don’t seem to even be all that secure.

News this week that Russian hackers have stolen 1.2 billion passwords makes me want to throw up my hands in resignation and change all my passwords back to “password.”

As a professional wordsmith (English professor and writer), it saddens me that these “words” we’re supposed to “pass” when we log onto our email and bank accounts even remotely share the same categorical denomination as the words that actually embody value for humanity: Words like “April is the cruelest month” or “The answer is blowin’ in the wind.” Today’s passwords aren’t words. I demand a new term for them.

The Lost Art of Passwords: What We Lost When Hackers Conquered the Internet – Randy Malamud, Salon (9 August 2014)

As a professional wordsmith, I twitch at the ugly repetition of the word ‘lost’ in that headline but I don’t write an article about it. And I just use 1Password to get around most of Randy’s problems. Still, Malamud’s full piece is part entertaining rant and part collection of password gems such as my new favourite from the Marx Brothers:

Did I say this already? Buy 1Password right now

I definitely urged this in the latest edition of The Blank Screen email newsletter – do sign up for your free copy – and if I’ve met you on the street in the last few days I’ve undoubtedly pressed you on the issue. But I don’t think I’ve said it here and I must.

Buy 1Password for iOS now.

As in now. Please rush.

Well, you can take a little bit of time because it’s on sale and will be for at least a short while: it’s not one of those instant on, instant off sales. And as ever with things I recommend on sale, it is more than worth its full price so if you miss the discount, shrug it off.

So you know, the sale price goes thisaway: 1Password for iPhone is briefly £6.99 UK or $9.99 US (instead of £9.99 UK or $17.99 US). Check the maker’s website, though, because there are many options if you’re using more than one device: 1Password official site.

It’s a password manager – creates great passwords for you and then, this is the key part, both remembers them all and pops them into websites for you – and it’s also especially good at holding all your credit card details and, again, popping them into websites when you say Go. It’s also very cross-platform: I use it daily on Mac, iPhone and iPad but there is also a PC, Windows and Android version. They all play nicely, too, so if you’re a PC user with an iPhone or a Mac user with an Android phone, you’re fine. Possibly schizophrenic, but fine.

If you are on a PC or Android, my reason to urge you to buy 1Password is solely that it is so very good. Indispensable. I went from wondering why anyone would want such a thing to having it on my iPhone’s front screen and using it literally every day. Literally literally: there’s a thing I have to do every single day and I do it through 1Password because it’s so much quicker.

But.

If you’re on an iOS device, there is an extra delightful urgency to all this. Buy 1Password for iPhone or iPad on sale today and you will get the next version for free. The next version will be a significant upgrade but it won’t cost existing users anything and you will be an existing user.

I am an existing user, I am a now very long-standing existing user, and I’m excited by this – I don’t use the word lightly, I actually am excited – because of what’s coming in the next version.

The next 1Password will be the first or at most among the very first apps to use Apple’s new Extensions feature that lets one app use another. I told you that I do this thing every day: it’s using a website that I have to log in to and on my iPhone, I have to remember to go to it via 1Password in order to have the password app pop my details in. If I’ve just gone there via Safari, I either nip back and forth to 1Password, copying out my secure details and pasting them in to Safari – or I quit it all and start the job again in 1Password.

From the next version and Apple’s iOS 8, I will be able to just call up 1Password right from within Safari and have it do my doings for me. If I have the new 1Password, iOS 8 and a newer iPhone than I currently have, I’ll be able to tap my thumb in order to get it to enter secure details for me.

I’d say that if I were you, I’d buy 1Password now. But if I really were you, you’d already have it.

Passwords. My mind to your mind…

I’m afraid I tend to miss most news stories about passwords because I’ve long relied on 1Password and it’s given me no trouble. But I see that passwords are a concern for most people and I do recognise how feeble it is that our 21st-century lives are held together by words we incant. Or at least type. This may not last, though.

We do already have the Touch ID home button on Apple’s iPhones where it is your thumb print, verified, that unlocks the phone. Samsung has a similar thing, though that is a bit of a redundant sentence as if Apple does it, so does Samsung. A bit.

But there’s more this time:

…what if you could prove your identity without doing anything at all? That’s the idea behind Biocatch, a startup that’s observing people’s online behaviors and creating a unique signature for each account holder.
“Essentially, it’s a way to authenticate your mind by observing what you do and how you do it,” says Uri Rivner, Biocatch’s co-founder and vice president of cyber strategy.

To create its biometric “cognitive signature,” BioCatch analyzes as many as 450 physical parameters that describe a customer’s interaction with a computer, web browser, and mobile device.

For example, on a mobile device, it can use sensors like the accelerometer and gyroscope to measure whether someone has a hand tremor or, say, the level of pressure an individual typically applies when clicking a button. On a computer, it measures a person’s hand-eye coordination in using a mouse and precise ticks in how it’s dragged, as well as other browser habits like whether a person always opens new tabs or uses the keyboard to scroll or always corrects typos with a backspace.

No one of these factors by itself will identify any given individual, but by piling on hundreds of tests, within a few seconds of using the account, its algorithms can issue a score on the likelihood that the person logging on is the account holder (or one of several account users).

Forget Passwords: This Startup Wants to Authenticate Your Mind – Jessica Leber, Fast Company (24 July 2014)

You can do some serious damage in a few seconds. I’m just saying. Read more.
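
The “piling on hundreds of tests” idea in the quoted piece can be shown with a small score-fusion sketch. This is an added example and not BioCatch’s algorithm: it assumes each parameter is an independent, standardised measurement scored with a Gaussian log-likelihood ratio, and the profile and both sessions are constructed.

```python
# Added example: fusing many weak behavioural signals into one score.
# Not BioCatch's method; the Gaussian naive-Bayes model and all data are assumptions.
import math

N_PARAMS = 450          # the article's "as many as 450" parameters
DEVIATION = 0.2         # owner's habit differs from the population by 0.2 sd
# Constructed measurement noise (in sd units), repeated across parameters.
NOISE = [0.9, 0.9, -1.2, -1.2, 0.3, 0.3]


def owner_profile():
    """Owner's habitual value per parameter, as a z-score against the population."""
    return [DEVIATION if i % 2 == 0 else -DEVIATION for i in range(N_PARAMS)]


def owner_session(profile):
    """Constructed session from the account holder: habit plus noise."""
    return [m + NOISE[i % len(NOISE)] for i, m in enumerate(profile)]


def stranger_session():
    """Constructed session from someone who behaves like the average user."""
    return [NOISE[i % len(NOISE)] for i in range(N_PARAMS)]


def log_likelihood_ratio(x, owner_mean):
    """log p(x | owner) - log p(x | population) for unit-variance Gaussians."""
    return (x * x - (x - owner_mean) ** 2) / 2.0


def owner_probability(session, profile, n_used, prior=0.5):
    """Probability the session is the owner's, using the first n_used parameters."""
    log_odds = math.log(prior / (1.0 - prior))
    for x, m in zip(session[:n_used], profile[:n_used]):
        log_odds += log_likelihood_ratio(x, m)
    return 1.0 / (1.0 + math.exp(-log_odds))


def demo():
    """Scores for both sessions after 1, 60 and all 450 parameters."""
    profile = owner_profile()
    sessions = {"owner": owner_session(profile), "stranger": stranger_session()}
    return {who: {n: round(owner_probability(s, profile, n), 4) for n in (1, 60, 450)}
            for who, s in sessions.items()}


if __name__ == "__main__":
    for who, scores in demo().items():
        print(who, scores)
```

On a single parameter the two sessions score almost the same; only the accumulated evidence across all of them pulls the owner and the stranger apart.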

Create strong passwords

Lifehacker has an interesting article called Four Methods to Create a Secure Password You’ll Actually Use and I’d like you to read it, but I’m also amused how old-fashioned the whole idea seems to me.

Because I use 1Password. I can barely remember any of my very many passwords, not because they are all very strong ones but because I don’t need to. They’re all in 1Password and right there, securely, when I need them.

But if you don’t use 1Password or any equivalents, check out Lifehacker’s article because you need stronger passwords than you’ve got now. You do.

Is this safe? Using passwords as positive reinforcement

I honestly thought that this was just me – and I thought I couldn’t tell you because writing it here would mean I was putting online a Very Big Clue to one of my key passwords. That last bit may yet be true and I may yet regret it if I’m not circumspect enough, but it isn’t just me and it is useful. Just be wary of this: take it as a thought experiment rather than a recommendation. But:

You can set a password that helps you mentally

My example. A couple of years ago now, I had an important project on and it was many things from exciting to fun but with a dollop of queasiness in the middle because it was so big. Literally big: not as in important, though it was, but physically heavy and prolonged lifting. The kind of thing that you think you’ll start tomorrow, it’ll be fine.

I changed one of the passwords I use every day to be approximately a word from this project. I wasn’t entirely daft, I didn’t use a single plain word, I dressed it up with 3s instead of Es, that kind of thing. But during the life of that project, I reckon I typed that password six or seven hundred times. And each time, every single each time, it kept the project in my head.

The project is long done now and I’ve changed the password. I don’t have anything on at the moment that particularly makes me want to do this password trick again. But friend-of-the-site Daniel Hardy just sent me a link to this article on Medium, How a Password Changed My Life. Its writer, Mauricio Estrella, was going through a divorce, and not going through it all that well, when he got into work in a hurry and his computer wouldn’t let him on until he’d changed his password.

I was furious that morning. Tuesday, 9:40 a.m. – It was so hot that my torso was already sweaty even though I just got to work. I was late. I was still wearing my helmet. I think I forgot breakfast. Something tastes like cigarette in my mouth. I need to get shit done before my 10 a.m. meeting and all I have in front of me is a huge waste of my time.

So there it was… This input field with a pulsating cursor, waiting for me to type a password that I’ll have to re-enter for the next 30 days. Many times during the day. Then, letting all the frustration go, I remembered a tip I heard from my former boss.

I’m gonna use a password to change my life.

It was obvious that I couldn’t focus on getting things done with my current lifestyle and mood. Of course, there were clear indicators of what I needed to do – or what I had to achieve – in order to regain control of my life, but we often don’t pay attention to these clues.

My password became the indicator. My password reminded me that I shouldn’t let myself be victim of my recent break up, and that I’m strong enough to do something about it.

My password became: “Forgive@h3r”

How a Password Changed My Life – Mauricio Estrella, Medium (15 May 2014)

Now, he doesn’t and I don’t want to get into the details of his divorce. It’s true what you’re thinking, there are two sides to this, but I think divorce is such an overwhelming thing that when you’re going through it, the sheer scale means you can only handle there being one side. Your side. So whether his ex would agree or not, for him “forgive her” was central to his coping and recovery.

In my mind, I wrote “Forgive her” every day, for one month.

That simple action changed the way I looked at my ex wife. That constant reminder that I should forgive her, led me to accept the way things happened at the end of my marriage, and embrace a new way of dealing with the depression that I was drowning into.

He’s okay now and one hopes his ex is too. But having used this password as positive reinforcement, he now uses other passwords to do similar things. He used it to stop smoking (“I shit you not”) and to motivate himself into things.

Read the full piece over on Medium for exactly what he did and exactly what his passwords were for them.

Tips For Crafting A Strong Password That Really Pops

From Clickhole, The Onion’s version of those Buzzfeed sites that we keep getting friends sending us links about. I realise I’m sending you a link to this site which is a parody of people sending links, but.

Crafting a smart, snappy password that engages the reader right from the first character is tricky, especially if you’re unfamiliar with the form. And make no mistake: The best way to start writing truly great passwords is through years of diligent practice. You’re not going to sit down at a keyboard and just produce an all-time classic password like “let$g3titstart3d” on your first day.

Still, anyone can benefit from these tried-and-true tips as he or she stares down the blank input field and prepares to compose a strong, succinct password.

1. Avoid clichés: These include “password,” “123,” and “letmein.” Such trite expressions have no place in a serious password, unless the author makes it very clear they are intended ironically.

2. Keep it short and sweet: Say what you have to say as concisely as possible. It’s nearly always correct to abandon the strained clunkiness of something like “90sbulls4everJordan23” in favor of the classy simplicity of “23.”

Tips For Crafting A Strong Password That Really Pops – Clickhole (27 June 2014)

There is much more.

Windows sees big 1Password update

If you think that headline is contorted, it is. It was just about the best I could think of without making ‘1Password’ be the first word. I can’t begin a sentence with a number like that. Usually I will spell out the number or I will recast the whole sentence to avoid it.

There was no spelling out this time: 1Password is the name of the product I’m recommending.

Well, I’ve often – even regularly – recommended 1Password on iOS and Macs. I’ve recommended it on Android at least once. But I confess I haven’t paid any attention to the Windows version. That’s because I just assumed that if it weren’t identical to the Mac one then it was because it had some extra features I’d see on the Mac someday.

But it turns out that Mac came first. Because today, Agile Bits announced 1Password 4 for Windows.

Sorry, Windows users, I just thought you had all this already. But you do now:

After months of beta testing, a small lake’s worth of coffee, and a possibly illegal number of pizzas, 1Password 4 for Windows is here.

This is a huge release for us, as it brings many of our latest features to Windows and a cleaner, more intuitive interface. Windows users can enjoy Favorites, Multiple Vaults, Wi-Fi Sync, and Security Audit, as well as our new, free 1Password Watchtower service that warns you when a Login’s site has been compromised and helps you decide when it’s safe to update your passwords.

All together, this release includes 374 new features, improvements, and fixes spread over 85 betas. You can comb through the full beta release notes, learn more in our documentation, or check out our feature overview down below the gallery.

1Password 4 for Windows is here – David Chartier, Agile Bits blog (17 June 2014)

That gallery and more is in the original piece over on the 1Password makers’ blog.