
We're stuck with passwords: Here's how to make them work better for you

Because no matter how many times they tell you that passwords are passe, you're still going to be using them for the rest of your life.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

I hate passwords. You hate passwords. We all hate passwords. So what? We still have to use them, so we might as well make the best of them.

[Image: "Password Strength" cartoon by Randall Munroe, who got it exactly right.]
Sure, we know that most passwords can be broken now with tools such as Hashcat. We've been told for ages now that "Passwords are useless, outdated and a security risk." And, yes, security breaches like Heartbleed just underline how vulnerable passwords really are. Never mind, of course, that way too many of you are still using "password," "123456," and "abc123" not just as the password for one site, but for all your sites.

Here's the truth. Biometrics, EMV smart chips, two-factor authentication, and Fast IDentity Online (FIDO), which you'll soon see in Windows 10, are all great, but they won't displace passwords any time this decade.

Since we're going to be stuck with passwords for at least another five years -- and frankly it won't surprise me if we're still using them in fifty years -- we might as well make the best of it. Here's how.

First, a note to every business on the Internet. Would you please (Please!) tell us what your password policy is before we enter a password? There is nothing so annoying as a site that fails to tell you its password rules up front. It's only after you enter the password that they show the error message insisting that the password must have a number and mixed case, be between 14 and 19 characters, and include a food emoji! Enough already!

This is awful user design, and I can't think of a single site off the top of my head that doesn't make this mistake. So, to every web designer out there, would you pretty please with sugar on top tell us what your password rules are?

OK, now that I've got that out of my system, let's get on with what you can do with passwords.

You're going to hate this, but you can't keep using the same blasted password for every site. So, what can you do, besides the classic dummy mistake of putting all your passwords on the yellow sticky note on your display? Easy, use a password management program.

Some Web browsers, such as Firefox and Google Chrome, include password managers. I prefer to use standalone managers.

If you want to keep your passwords on your device, I recommend the following programs. First, for Windows PCs, Macs, Android, and iOS there's Siber Systems' RoboForm. It works well, and I know people who've used it for almost a decade and it's never failed them.

Would you prefer a password manager as part of a security suite? In that case, I like Kaspersky Password Manager. I can also finally say good things again about Norton Security, specifically the latest version, Norton Security 2015. It no longer comes in a confusing mish-mash of editions, and it runs, dare I say it, reasonably quickly. Its one problem is that the password management feature is only available in the Windows software. The Mac version doesn't include it.

My personal favorite, though, is LastPass. Yes, it does store your passwords in the cloud rather than on a local PC. On the other hand, I can run LastPass on pretty much any operating system out there. Besides the usual Mac and Windows, I can run it on Linux, Solaris, and BSD, as well as both mainstream mobile operating systems, Android and iOS, and less common ones: Firefox OS, Windows Phone, and even Windows Surface RT. When you use as many devices and operating systems as I do, having a one-size-fits-all program is a blessing.

So what passwords should you use? Well, besides forgetting about "abcdefgh" and the like, the easiest way to get secure passwords that won't fry your brain cells is to use passphrases instead of passwords.

Instead of working your nerves into a frenzy trying to memorize what the cat wrote when he jumped on the keyboard, "dfu9sdf8," use an easy-to-remember but nonsensical phrase instead. For example, "FatCats$Trot...", "Steelers?Win!Cowboys?Lose!" or "Volt!Amp!Tesla!Edison?" are easy to recall and no one's likely to stumble over them.

Besides, if you use a password manager, you don't have to remember it. The program will take care of that for you. Or, if you do want to keep them in mind, but have a memory like a sieve, you can always write a hint, like "moving felines," "the one about football," or "electric chant" that will trigger your brain cells, but will be meaningless to anyone else.
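The Munroe cartoon above and the passphrase advice here both come down to arithmetic: how many guesses an attacker has to make. The following Python script is an added example, not code from the article, that puts numbers on that comparison. It estimates the entropy of a uniformly random character password versus a passphrase built from randomly chosen words, shows how many words are needed to reach a target strength, and generates such a passphrase. The sample wordlist, the Diceware-sized list of 7776 words used in the estimates, and the guessing rate are all assumptions labelled in the code; a hand-picked phrase like "Steelers?Win!Cowboys?Lose!" is not uniformly random, so these figures apply to generated phrases, not to one you made up.

```python
import math
import secrets

# Constructed sample wordlist for the generator below. A real generator would
# draw from a list of several thousand words; the estimates use the 7776-word
# Diceware list size as an assumed reference point.
SAMPLE_WORDS = [
    "fat", "cats", "trot", "volt", "amp", "tesla", "edison",
    "steelers", "cowboys", "win", "lose", "moving", "felines", "chant",
]
DICEWARE_SIZE = 7776        # assumed wordlist size for the estimates
ALPHANUMERIC = 62           # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95        # every printable ASCII character
ASSUMED_GUESSES_PER_SEC = 1e9   # assumed offline cracking rate for a fast hash


def random_chars_entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of `word_count` words drawn uniformly from a list of `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Average time to guess: an attacker needs half the keyspace on average."""
    return (2 ** entropy_bits / 2) / guesses_per_second


def generate_passphrase(word_count, wordlist=SAMPLE_WORDS, separator="-"):
    """Pick words with the OS CSPRNG, never with random.choice()."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def compare(char_length, word_count):
    """Side-by-side entropy of a random character password and a random passphrase."""
    return {
        "random_chars_bits": random_chars_entropy_bits(char_length, PRINTABLE_ASCII),
        "passphrase_bits": passphrase_entropy_bits(word_count, DICEWARE_SIZE),
    }


if __name__ == "__main__":
    # "dfu9sdf8"-style: 8 random alphanumerics, versus 4 random Diceware words.
    for label, bits in (("8 random alphanumerics", random_chars_entropy_bits(8, ALPHANUMERIC)),
                        ("8 random printable chars", random_chars_entropy_bits(8, PRINTABLE_ASCII)),
                        ("4 random Diceware words", passphrase_entropy_bits(4, DICEWARE_SIZE)),
                        ("6 random Diceware words", passphrase_entropy_bits(6, DICEWARE_SIZE))):
        seconds = expected_crack_seconds(bits, ASSUMED_GUESSES_PER_SEC)
        print(f"{label:28s} {bits:6.1f} bits  ~{seconds / 86400:12.1f} days at {ASSUMED_GUESSES_PER_SEC:.0e} guesses/s")
    print("words for 80 bits:", words_needed(80, DICEWARE_SIZE))
    print("sample passphrase:", generate_passphrase(4))
```

The takeaway matches the cartoon: four random words from a large list already beat eight random alphanumerics, and adding a word costs the attacker far more than adding a character while costing you almost nothing to remember. The crack-time column depends entirely on the assumed guessing rate, which for a slow, salted hash is orders of magnitude lower than for an unsalted MD5 dump.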

Finally, many popular websites now support two-factor authentication. These include Facebook, Google, and Twitter. Operating systems, such as Red Hat Enterprise Linux 7.1 and Windows 10, are also adding two-factor authentication. While the exact details of how two-factor authentication is implemented vary, the idea is always to back up your user ID and password with another method of authentication. Typically, in 2015, that's a phone call or text message.
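To show what "backing up your password with another method" looks like on the server side, here is an added Python example (not code from the article or from any of the services it names). Step one checks the password against a salted PBKDF2 hash; only then is a short-lived, single-use numeric code issued for delivery by text message or voice call (the delivery itself is outside the code). Step two verifies the code with a constant-time comparison, enforces an expiry, and discards the code after a fixed number of wrong guesses. The server secret, the user record, the iteration count, and the injectable clock are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # typical length of a code sent by SMS or read out by a voice call
CODE_TTL_SECONDS = 300   # assumed validity window: a code is good for five minutes
MAX_ATTEMPTS = 5         # assumed limit on wrong guesses before the code is discarded
PBKDF2_ROUNDS = 100_000  # assumed work factor for the password hash


def hash_password(password, salt=None):
    """First factor: store a salted PBKDF2 hash, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, stored_hash):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored_hash, candidate)   # constant-time compare


class OneTimeCodeStore:
    """Second factor: short-lived, single-use numeric codes delivered out of band."""

    def __init__(self, server_secret, now=time.time):
        self._secret = server_secret   # constructed; a real deployment keeps this in a KMS/HSM
        self._now = now                # injectable clock so expiry can be tested
        self._pending = {}             # user_id -> {"mac", "expires_at", "attempts_left"}

    def _mac(self, user_id, code):
        # Store an HMAC of the code, not the code, so a database read does not reveal it.
        return hmac.new(self._secret, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id):
        """Generate a fresh code; the caller hands it to the SMS/voice gateway and must not log it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = {
            "mac": self._mac(user_id, code),
            "expires_at": self._now() + CODE_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False                       # nothing outstanding, or already used/locked
        if self._now() > entry["expires_at"]:
            del self._pending[user_id]
            return False                       # expired: the user must request a new code
        entry["attempts_left"] -= 1
        ok = hmac.compare_digest(entry["mac"], self._mac(user_id, submitted))
        if ok or entry["attempts_left"] <= 0:
            del self._pending[user_id]         # single use, or too many wrong guesses
        return ok


def begin_login(users, store, user_id, password):
    """Step one: check the password; only on success issue a code for delivery."""
    record = users.get(user_id)
    if record is None or not verify_password(password, record["salt"], record["hash"]):
        return None
    return store.issue(user_id)


def finish_login(store, user_id, submitted_code):
    """Step two: the code typed in from the phone completes the login."""
    return store.verify(user_id, submitted_code)


if __name__ == "__main__":
    salt, digest = hash_password("Volt!Amp!Tesla!Edison?")     # constructed user
    users = {"alice": {"salt": salt, "hash": digest}}
    store = OneTimeCodeStore(b"constructed-server-secret")
    code = begin_login(users, store, "alice", "Volt!Amp!Tesla!Edison?")
    print("code handed to the SMS gateway:", code)
    print("login completed:", finish_login(store, "alice", code))
```

Two design points worth noting: the password check happens before any code is sent, so an attacker cannot make the server text a victim's phone just by typing a username, and the attempt counter means a six-digit code cannot be brute-forced within its five-minute window. Issuance itself should also be rate-limited per user and per source address, which the example leaves out.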

Is this perfect? No. But, in a world that's going to insist on us using passwords, when you use these methods, you and your data will be much safer.
