October 4, 2020

Passwords.

There’s a video on YouTube of a married couple demonstrating email to the BBC viewing public. The video was shot in 1984, and the couple was using one of the many 8-bit computers on the market at the time. They connected to a local online service to retrieve their email and, as plain as day, when prompted for their password, they typed “1234”. As the 80s wore on, folks realized their online account passwords carried a certain amount of importance, so they upgraded from “1234” to “password”. In the mid 1990s they may have been using “Password”, and geeks were probably using things like “P@ssw0rd”.

Our online presence, and more importantly our dependence on online services, has come a long way in the ensuing 25 years, and our entire lives are now online. Our passwords need to evolve accordingly.

A trick I’ve used for years is having a complicated “password base” and then appending different characters to that base depending on the application. For example, for Yahoo I may have the password “P@ssw0rd!Yaho” while for Google I’d use “P@ssw0rd!Goog”. It’s not the most secure approach, because if someone figures out your method they can probably start getting into your other accounts. However, it’s a solid step in the right direction, the goal being to have a different password for every online account.

I now know only one password. It’s a complicated password composed of random alphanumeric characters and symbols, and it’s quite long at 24 characters. What does this password do? It unlocks my Password Manager account.

With many users now relying primarily on mobile devices for their computing needs, both iOS (Apple) and Android (Google) users have a mostly secure way of maintaining their passwords: the built-in password manager. There are also plenty of third-party options available: 1Password, Bitwarden, LastPass, etc. All of these password managers work on the same principle: you unlock the “password vault” with the one password you need to know, and then the password manager creates a password for each of your accounts and automatically fills in the incredibly complex password it has stored whenever it is called upon.

My experience with this is mainly around the functionality built into iOS. With Apple’s integrated ecosystem, my passwords are in sync across my iPhone, iPads, and my Mac. Depending on the device, I unlock the vault with my Apple ID password, FaceID or TouchID. Then, when I’m prompted for a password, the device says “Hey! I have the credentials for this account!” and offers to populate the data for you. You don’t need to know the password; Apple is handling that for you.

1Password, Bitwarden, and the other third-party offerings basically do the same thing, and they even include the biometric protection of FaceID and TouchID. You just need to take the extra step of selecting your third-party password manager as the default handler on your iPhone and/or iPad. The advantage of the third-party management software is that you can get plugins for anything: Firefox, Google Chrome, Windows, Linux, it doesn’t matter. Now your passwords are synchronized across multiple devices and multiple operating systems. For those not all in on one platform (Apple devices only, for example), this approach makes sense.

Google and Apple also go one step further: they let you know when you’ve used the same password across multiple accounts, and they also monitor whether that password may have been compromised. In these instances, they give you rather easy-to-understand options to change the affected accounts so that your information stays safe.
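To make the two ideas above concrete (a manager that generates a random password per account, and a check that flags reused or known-compromised passwords), here is a small added example in Python. It is not code from Apple, Google, Bitwarden or any other product mentioned here; the vault, the account names and the “breach list” are all constructed for the demonstration, and the hashed-prefix lookup is a local stand-in for how a real breach-lookup service would be queried.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Character set a manager draws from: upper, lower, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24):
    """Build a random password with the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_reused(vault):
    """Map each password that appears under more than one account to those accounts."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form breach-lookup indexes typically use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked_passwords):
    """Index leaked passwords by the first 5 hex chars of their SHA-1.

    Hypothetical local stand-in for a breach-lookup service: only the 5-char
    prefix would ever leave the device, and the full match is done locally.
    """
    index = defaultdict(set)
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def find_compromised(vault, index):
    """Return the accounts whose password hash appears in the breach index."""
    hits = []
    for account, password in vault.items():
        digest = sha1_hex(password)
        if digest[5:] in index.get(digest[:5], set()):
            hits.append(account)
    return sorted(hits)


def audit(vault, index):
    """Run both checks and propose a fresh generated password for each flagged account."""
    reused = find_reused(vault)
    compromised = find_compromised(vault, index)
    flagged = sorted({a for accts in reused.values() for a in accts} | set(compromised))
    return {
        "reused": reused,
        "compromised": compromised,
        "suggested": {account: generate_password() for account in flagged},
    }


# Constructed sample vault: one reused weak password, one pattern password,
# one manager-generated password. Account names are made up.
SAMPLE_VAULT = {
    "yahoo": "baseball0517",
    "google": "baseball0517",
    "bank": "P@ssw0rd!Bank",
    "github": generate_password(),
}

# Constructed stand-in for a corpus of passwords seen in breaches.
SAMPLE_BREACH_INDEX = build_breach_index(["1234", "password", "baseball0517"])


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT, SAMPLE_BREACH_INDEX)
    for password, accounts in report["reused"].items():
        print(f"reused across {accounts}")
    print(f"compromised: {report['compromised']}")
    for account, new_password in report["suggested"].items():
        print(f"{account}: replace with {new_password}")
```

The point of the prefix-indexed lookup is that the check does not require sending the password, or even its full hash, anywhere; that is the property a manager’s “this password has been compromised” warning relies on. Note that the pattern-based “P@ssw0rd!Bank” entry passes both checks here, which is exactly why the checks are a complement to, not a replacement for, letting the manager generate every password.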

If you’re still using passwords like “baseball0517” to protect your online data, you really need to catch up with the times and start using a password manager, even if it’s the one that’s built into your operating system. One password for all accounts is pretty much the same as going on vacation with the front door unlocked and a sign on the front lawn that says “Come in and browse!”.

Over the next couple of weeks I’m probably going to write up some tutorials on managing passwords safely and share these on Medium. I’m a big advocate of online safety, so if you have any questions about this sort of thing, feel free to reach out in the comments on this blog post.

In the meantime, here’s some starter information from Apple and Google. Some of the third-party password managers I’ve used in the past are 1Password, Bitwarden, and Dashlane, with Bitwarden being my favorite right now.

Happy security!

For the dorks in the crowd, here’s the “E-mail” video from 1984: