
Passwords:

How to Tame the !@#$%^&* Things!


NOTE: this document is meant to help fellow computer tutors and
trainers of the Community Living Campaign. You may want to adapt
parts of it as a handout, but I have written it in a more conversational
style to share amongst ourselves. — Rob McB

I think probably all of us get many questions about passwords–I know I do. More than
about any other topic. Below are notes I use when presenting on this, whether for a class or
one-on-one. They are only prep notes, not a class outline. For one thing, you can usually
expect a new “breaking story” in the news about a new security breach at a big company
on any given week that you might be presenting.

Security and Privacy


First, let’s make clear that security and privacy are not the same thing.

Security is protecting financial and related information that could cost you or cause serious
trouble if shared publicly. For example: bank accounts, credit cards, social security, and so
forth.

Privacy refers to information that may be embarrassing if shared, but not likely to lead to
fraud or damage like the security issues above. For example: comments in an online
discussion, posts on Facebook or Twitter, rash responses to offensive posts in the
Comments below a news article.

Big Security Fails


While you might have breaking news of yet another giant data breach to serve as a hook
for your class, you can’t go wrong by mentioning “The 18 biggest data breaches of the 21st
century”. The article is from 2018 but when you show that billions of accounts have been
compromised from Yahoo, Marriott, Equifax, JP Morgan Chase, Home Depot, Target,
Anthem, eBay, Sony and others including security firms, it perks people up.

Passwords
A strong password is perhaps the single best protection a person can use, although it’s
never a guarantee of security. On the other hand, forgetting or losing passwords is one of
the most common headaches plaguing our online experience. The loss of a single Bitcoin
(cryptocurrency) password cost account holders $190 million in February 2019. Yes, that’s
right, $190,000,000. Bitcoin and its imitators make security their main concern, and
consequently there are no ways for administrators or anyone else to reset a lost password.
All gone.

So yes, you want strong passwords for accounts that require security, but you also want
ways to recover them. More on that below. However, not all accounts require high security.
For example, an account to register your new printer with HP is not worth a moment of a
hacker’s time to break into, so high security is unnecessary. Take a minute to list all the
accounts you have with passwords and think about how many require great security. Most
of us will be surprised (shocked?) at how many accounts we accumulate (75?).

Making strong passwords is easy and familiar by now to most of us: use more characters
rather than less, and use a combination of upper and lower case letters, numbers, and
special characters. A great way to start checking password strength is to type your
password into the Password Meter at www.passwordmeter.com.
But that test is not perfect; it rates the expletive in the title of these notes, !@#$%^&*, as
“Strong”. But it’s not, even though it is widely used. Neither is QWERTY or 1qaz2wsx. All of
those are common keyboard sequences, and those should be avoided as much as
common words or phrases like “mypassword” or “LetMeIn” (which are also among the most
common passwords).
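
Why a meter that only counts length and character types misses these, as an added example that is not part of the original notes: a composition-only estimate gives !@#$%^&* the same score as a random string of symbols, while a keyboard-sequence and common-password screen catches it. The function names are hypothetical, a US QWERTY layout is assumed, pool_bits is a generic estimate and not the Password Meter site's scoring, and the common list holds only the two passwords named above.

```python
import math
import string

# US QWERTY rows plus the diagonal key columns (layout assumed for this example).
LINES = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
         "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]
# Shifted symbol -> the key it is typed on.
SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))
# Only the two common passwords the notes name; a real blocklist is far longer.
COMMON = {"mypassword", "letmein"}

def pool_bits(password):
    """Composition-only estimate: length * log2(size of the character pool used)."""
    pool = sum(size for size, used in (
        (26, any(c.islower() for c in password)),
        (26, any(c.isupper() for c in password)),
        (10, any(c.isdigit() for c in password)),
        (len(string.punctuation), any(c in string.punctuation for c in password)),
    ) if used)
    return len(password) * math.log2(pool) if pool else 0.0

def _adjacent(a, b):
    """True if keys a and b sit next to each other on any row or column."""
    return any(a in line and b in line and abs(line.index(a) - line.index(b)) == 1
               for line in LINES)

def walk_chars(password, min_run=4):
    """Count characters that belong to keyboard walks of at least min_run keys."""
    keys = [SHIFTED.get(c, c.lower()) for c in password]
    covered, run = 0, 1
    for prev, cur in zip(keys, keys[1:] + [None]):
        if cur is not None and _adjacent(prev, cur):
            run += 1
        else:
            covered += run if run >= min_run else 0
            run = 1
    return covered

def screen(password):
    """Return the reasons to reject a password regardless of its composition."""
    reasons = []
    if password.lower() in COMMON:
        reasons.append("common password")
    if password and walk_chars(password) >= len(password) / 2:
        reasons.append("keyboard sequence")
    return reasons
```

Run against the passwords in these notes, screen() flags !@#$%^&*, QWERTY and 1qaz2wsx as keyboard sequences and mypassword and LetMeIn as common passwords.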

Password managers
These apps can generate very strong passwords–typically something like “96Pg8V:!Tb2+”.
Password manager apps include LastPass, MyKi, LogMeOnce, Encryptr, and others (some
free, some not). A password like “96Pg8V:!Tb2+” is fine if you can always access the
password manager (which has it stored for automatic entry). Not so fine if you are
sometimes in situations where you can’t access the password manager.

So, strong passwords that are easy to remember require another approach, most
commonly a longish phrase with personal meaning that can incorporate numbers and
special characters. For example, CLC@1663MissionSt is long enough and complex
enough that it would take 93 trillion years for cracking software to break it. Plenty strong
enough for a bank account. You just want to be sure to not use the same password on
multiple accounts, so that if a password is stolen (via an inside job, etc.), that won’t affect
additional accounts.

Remembering and sharing passwords.


Remembering passwords is a worthy goal, but it’s impossible to meet in all circumstances–
concussion, anyone? So to avoid losing your version of $190 million, make sure to write
down your username and password for each account you don’t want to lose. In multiple
places, though not a sticky note on your computer.

Share your passwords! Yes, this contradicts the most common kernel of advice about
security, but think about it. If you’re in the hospital on pain meds but you need to pay your
bills, wouldn’t it be nice to have a family member or friend (or social worker or lawyer, etc.)
be able to help you out? In my experience of 30 years of computer help, I’ve not found
anyone who has lost money from a data breach, but many folks who have had serious
problems from forgetting passwords.

Your online legacy: the afterlife of accounts and passwords


Our Internet presence does not disappear when we pass on from the physical world. You
may not care, of course, but if you or your family do care, you’ll have to make plans ahead
of time. Don’t forget that your “digital assets” as they are known include photos and videos
as well as the accounts themselves. The easiest way to save and/or delete your digital
assets is to share a list of all your online accounts, usernames and passwords with the
same person(s) you trust with your will and last instructions. That’s because the Internet
companies have generally not allowed anyone to close an account except the account
holder. When my mother passed, Yahoo would not close her account even when I
presented them with her death certificate and my certification as her executor.

This has now become such a widespread issue that you can now incorporate the relevant
instructions in your will, either in the body of the will whenever you might redo it, or more
practically as a codicil (a kind of appendix). You can search law websites for appropriate
language. One good guide is the article “Assist your parents' to take control of their digital
legacy: Protect your parents' internet identity after they're gone” by the elder law firm Gray
& Feldman. Recently a few states have addressed the problem in part by passing a version
of the “Uniform Fiduciary Access to Digital Assets Act” which grants access to digital assets
to trustees, executors, administrators, agents under a power of attorney, and guardians.
However, such legal recourse is partial and cumbersome unless everyone involved is well
prepared.

Privacy, credit card fraud, and identity theft are, of course, related topics, but it’s best to
deal with them separately. KK has posted on Basecamp an excellent article, “Hands off my
data! 15 default privacy settings you should change right now” on privacy settings for
Facebook, Google, Amazon, Microsoft and Apple. (On Basecamp, go to Computers &
Access › Docs & Files › Online Safety & Security).
