Another (maybe easier) way to Password

Today I googled, “how many passwords does the average user have?” and the top answer that appeared stated that a research study conducted by NordPass reports that an average person has approximately 100 passwords.

This sounds like a lot to remember, not gonna lie, but it goes further: depending on the devices you’re using and how your various accounts are set up for login, you are probably also using a combination of PINs, patterns, biometric authentication (fingerprints, facial recognition, etc.), the now-common two-factor authentication, and of course the good old trusty password. If you’re lucky, you’re using some form of password management to keep track of all those passwords.

If you’re overwhelmed, that’s okay; there is a lot to remember when logging in to all your various accounts. However, a new login technique became available this year, the passkey, which promises to defeat phishing and prevent password reuse.

Now you’re probably asking what a passkey is. According to Hoffman-Andrews’ article “What the !#@% is a Passkey?” on the Electronic Frontier Foundation website, eff.org:

The passkey is approximately 100-1400 bytes of random data, generated on your device (like your phone, laptop, or security key) for the purpose of logging in on a specific website. Once the passkey is generated, your browser registers it with the website and it gets stored somewhere safe (for instance, your password manager). From then on, you can use that passkey to log in to that website without entering a password. When you go to a website’s login page, you’ll have the option to “Sign in with a passkey.” If you choose that option, you’ll get a confirmation prompt from your password manager and will be logged in after confirmation. For all this to work, there needs to be passkey support on the website, your browser, your password manager, and usually also your operating system.

Pros

  • Each account has its own passkey, bound to the site it was registered with, which helps prevent phishing: your browser won’t offer it to a fake scam site, so you can’t be tricked into logging in there.
  • Using a passkey, you can usually skip traditional two-factor authentication, as your device’s unlock PIN, facial recognition, or fingerprint counts as the other factor.
  • If you’re always forgetting your password and having to reset it, passkeys push you into using a password manager, so forgetting your password stops being a problem.
  • You never have to come up with a new password: passkeys are generated and stored for you.

Cons

  • Not all websites support passkeys yet.
  • Syncing between Apple, Windows, and Android is tricky.
  • You still have to set up passkeys for each account.
  • If you lose your device while the password manager is unlocked, your accounts are exposed.
  • Passkeys are device specific, so you need them stored on every device you access your accounts from.
  • The workaround is to back up your passkeys through your password manager’s cloud sync and then copy them to your other devices, to carry them on a USB device, or to keep them in the high-security chips built into newer devices.

To conclude, passkeys still have room for improvement when it comes to website support and the ability to sync between platforms. However, for most purposes, using passkeys represents a significant improvement in security, helping to protect you from phishing.

“Your password” e-mail scam

My wife received this e-mail.

~~~~~~~~~~
I do know, xxx, is your password. You don’t know me and you’re probably thinking why you’re getting this e mail, right? In fact, I actually setup a malware on the adult vids (porn material) web site and guess what, you visited this website to experience fun (you know what I mean). While you were watching videos, your browser started out operating as a RDP (Remote Desktop) that has a key logger which provided me accessibility to your display screen and web camera. Immediately after that, my software obtained your complete contacts from your Messenger, FB, and email. What exactly did I do?

I created a double-screen video. 1st part displays the video you were watching (you’ve got a good taste ; )), and 2nd part displays the recording of your web camera. What should you do? Well, I believe, $2900 is a reasonable price tag for our little secret. You will make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).

BTC Address: xxxXXXxxxxxXXXXxxxxXXXXxxxxXXXXXxxxxxXXXx

(It is cAsE sensitive, so copy and paste it)

Important: You now have one day in order to make the payment. (I have a special pixel in this e mail, and now I know that you have read this email message). If I do not receive the BitCoins, I will send your video recording to all of your contacts including members of your family, co-workers, and many others. Nonetheless, if I do get paid, I’ll destroy the video immediately. If you really want evidence, reply with “Yes!” and I definitely will send out your video recording to your 9 contacts. It is a non-negotiable offer, therefore please do not waste my personal time and yours by replying to this email message.
~~~~~~~~

Just so we’re clear, the password is one that she has actually used. After some research it seems that a lot of people have received this e-mail.

If you receive a similar e-mail, don’t be fooled. The password came from a data breach. There is no video, even if you visited a porn site. DO NOT SEND BITCOIN. If you are still using this password, change it: they have your e-mail address and password, and they can get into any site where you use that same password. So start changing them now. But again, there is no video and they do not have control of your computer. DO NOT SEND THEM ANY MONEY.

How do I create a secure password?

Choosing a secure and memorable password.

Today we’re going to talk about creating a secure password that is also memorable. Passwords are your first line of defense against the bad guys.

Before we get started with creating a secure password, let’s talk about some things you shouldn’t do.

  1. Do not use “password” or “123456”. Believe it or not, these and variations of them (pass1234, password1, etc.) are still some of the most popular passwords around. They are also some of the most insecure passwords in use. Why? Because the bad guys know they are so popular. Do not use “god”, “Jesus”, “LetMeIn” or cuss words either (see number 2).
  2. Do not use words found in the dictionary. All password cracking programs have words from the dictionary in them, including slang and cuss words.
  3. Avoid using keyboard patterns like qwerty. If you’re not familiar with qwerty, it’s the first six letters from the left on the top row of the keyboard. Password crackers have become wise to this tactic.
  4. Unless you have the memory of an elephant or a good password manager (see number 4 below), you should probably avoid randomly generated passwords. While they are very secure, most people cannot remember them and will end up writing them down or putting them in a text document, which is very insecure.
  5. Do not use the same password everywhere. (Help with this is coming. See number 4 below.)

Now for something more helpful.

  1. Replace letters with numbers or symbols or even other letters. Pat could become P@+ or dogs could become d0gz.
  2. Always use numbers and/or symbols as well as letters in your password.
  3. String multiple words or number sets together to create stronger passphrases. They should not be related, but they should be memorable. For example, say your favorite sport is baseball, you love pizza, and for some reason 315 always sticks in your head. Try P1sz@B@$e8all315.
  4. Use a password manager. You just have to remember one password to get into the program. All of your other passwords are safely encrypted inside a database. There are some very good ones available for free. KeePass is my favorite. It runs in Windows and Linux, plus it runs on most smartphones. So you have access to your passwords anywhere.