passwords
Differences
passwords [2019/08/08 19:21] – neil | passwords [2021/07/06 09:26] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
=====Passwords===== | =====Passwords===== | ||
+ | |||
====Key points: ==== | ====Key points: ==== | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
+ | * [[passwords# | ||
====Use a unique email address, and a unique password, for every site and service ==== | ====Use a unique email address, and a unique password, for every site and service ==== | ||
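Review bot: every new entry in the key-points list is a `[[passwords#...]]` section link, but the anchor part of each is cut off in this view, so the targets cannot be checked here; before merging, confirm that each anchor matches a heading on the rendered page, bearing in mind that DokuWiki derives section anchors from the heading text with punctuation and surrounding spaces dropped (so `====Key points: ====` does not yield an anchor containing the colon), and that an anchor typed to match the visible title may silently point nowhere.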
Line 48: | Line 58: | ||
====Use a strong password ==== | ====Use a strong password ==== | ||
+ | |||
+ | Every password you use needs to be hard to guess. Some guidance suggests taking a word and mixing in letters and symbols, but the [[https:// | ||
+ | |||
+ | For example: | ||
+ | |||
+ | snickdrawing-nesslerization-devilwood | ||
+ | | ||
+ | If you use a password manager, you do not need to remember the password, and you can probably cut-and-paste it into the site or service, meaning it does not matter how long it is, or if it contains a complicated spelling. | ||
+ | |||
+ | ====For mobile devices with a PIN, use a non-obvious PIN === | ||
+ | |||
+ | If you have a mobile device with a PIN rathe than a password, do not use an obvious PIN. | ||
+ | |||
+ | Avoid: | ||
+ | * your birthday | ||
+ | * your child' | ||
+ | * your wedding day | ||
+ | * number patterns (e.g 000000, 123456, 134679) | ||
====Use a password manager==== | ====Use a password manager==== | ||
- | A password manager is a piece of software which you use to store your passwords, and unique logins, so that you do not have to worry about remembering them. | + | A password manager is a piece of software which you use to store your passwords, and unique logins, so that you do not have to worry about remembering them. You store all your passwords in it, and secure it with one master password. |
+ | Â | ||
+ | When you need to log into a website or service, you unlock your password manager with your master password, and then either cut-and-paste your login from it, or else use a browser plugin so that your details are pasted in automatically. | ||
It may seem counterintuitive to write down all your passwords in one piece of software, but the [[https:// | It may seem counterintuitive to write down all your passwords in one piece of software, but the [[https:// | ||
- | There are a number of different options to choose from. | + | There are a number of different options to choose from, depending on what features you want:Â |
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
- | My preference | + | === If your password manager |
+ | Â | ||
+ | If you are going to store all your passwords in the [[cloud|cloud]], make sure that the security the provider is offering matches the risk. | ||
+ | Â | ||
+ | ===If you lose your master password, you will be locked out ===Â | ||
+ | Â | ||
+ | Be aware that, if you lose your master password, you are likely to be locked out of all your passwords. If you are concerned about that, you could store a copy of your master password somewhere secure, but you'd need to be very confident about the security of that storage location: if someone gets your master password, and access to your password manager, they could get all your passwords. | ||
====Do not change your passwords without reason ==== | ====Do not change your passwords without reason ==== | ||
- | Advice used to be to change your passwords frequently. | + | Advice used to be to that you should |
+ | Â | ||
+ | This is no longer considered good practice. | ||
+ | Â | ||
+ | >" | ||
====Change your password if you think it is compromised ==== | ====Change your password if you think it is compromised ==== | ||
- | Check your | + | If you think your password to an online account has been compromised, |
- | https:// | + | Sites should tell you if they have been compromised, |
- | ====PINs on devices==== | + | The website [[https:// |
+ | Â | ||
+ | This is trickier to do if you use an unique address for every account but, if you've done that and also used a unique password, the fact that one has been compromised does not expose you to much risk. | ||
+ | Â | ||
+ | ====Consider if biometric security is right for you====Â | ||
+ | Â | ||
+ | ===Fingerprint / face recognition / biometric unlock===Â | ||
+ | Â | ||
+ | Fingerprint or facial recognition unlocking can be convenient, fast, and not something which can be detected by just looking over your shoulder as you enter it into the phone. Â | ||
+ | Â | ||
+ | Before using facial recognition, | ||
- | ====Fingerprint / face recognition / biometric unlock==== | ||
In some jurisdictions, | In some jurisdictions, | ||
- | Convenient, fast, and not something which can be detected by just looking over your shoulder as you enter it into the phone. | + | Depending on the outcome of your [[threat_modelling|threat modelling]], |
- | ====Swipe patterns==== | + | ===You cannot change your face or fingerprints ===Â |
+ | Â | ||
+ | You should use a different username and password for every account or service you use. | ||
+ | Â | ||
+ | Clearly, you cannot do this for biometrics (well, not beyond 10, in the case of most people, when it comes to finger/ | ||
+ | Â | ||
+ | Moreover, you cannot realistically change your face, if an insecure storage of biometric credentials is compromised. | ||
+ | Â | ||
+ | Â | ||
+ | ===Disable them in higher-risk situations ===Â | ||
+ | Â | ||
+ | You might also decide to use these unlock mechanisms most of the time, but disable them for certain activities (e.g. for travelling across borders). | ||
+ | Â | ||
+ | If you have an iPhone with biometric unlock enabled, if you press your device' | ||
+ | Â | ||
+ | ===Swipe patterns=== | ||
Even with the Android swipe pattern unlock mechanism, it is pretty easy to watch someone do a basic pattern once and replicate it — so you need to go for something pretty complicated, | Even with the Android swipe pattern unlock mechanism, it is pretty easy to watch someone do a basic pattern once and replicate it — so you need to go for something pretty complicated, | ||
- | Obviously defeated | + | Swiping may also leave a greasy mark on your screen, which someone could use to determine the pattern you are using. |
+ | Â | ||
+ | In addition, a swipe pattern could be readily compromised if you are observed | ||
====Wherever possible, set up two-factor authentication ==== | ====Wherever possible, set up two-factor authentication ==== | ||
See [[two-factor_authentication|two-factor authentication]]. | See [[two-factor_authentication|two-factor authentication]]. | ||
+ | |||
+ | ====Limit the locations from which you can log in ==== | ||
+ | |||
+ | If you can feasibly do so, restrict logins so that you can only log in from certain networks or IP address ranges. | ||
+ | |||
+ | If, for example, you always connect via a [[virtual_private_networks|VPN]], | ||
+ | |||
+ | Someone who is not connected via the same network should not be able to log in, even if they know your username and password. If, however, the attacker is someone within your organisation, | ||
+ | |||
+ | If you do this, you need to accept that risk that, if you cannot connect to your VPN, or if your VPN endpoint' |
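Review bot: the heading added for the PIN advice has mismatched markers, `====For mobile devices with a PIN, use a non-obvious PIN ===` (four `=` opening, three closing), so it will not render at the same level as the sibling `====` headings; make both sides `====`. The same hunk introduces several typos that should be fixed before the page goes live: `rathe than a password`, `e.g 000000`, `Advice used to be to that you should`, `an unique address`, and `accept that risk that`. Many of the "blank" lines in the new text are not empty but contain `Â` (a mis-encoded non-breaking space); replace them with genuinely empty lines so paragraph breaks render correctly and the stray characters do not end up in the page source.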
passwords.1565292077.txt.gz · Last modified: 2021/07/06 09:26 (external edit)