The Biggest Mistake People Make Online

The threat from criminals online continues to grow. It’s not just “hackers” but actual criminal activity, backed by organized crime, and perhaps even some governments. They want your passwords, especially for bank and other financial accounts, so they can drain them for you, and they use some pretty tricky and often sophisticated means to get them, either from you, or from sites they break into.

First Defense

Thus it’s imperative that you have good passwords. What makes a password good? Long and complex, and unique. Long and complex makes it harder to crack; unique means that if a password is compromised, it can’t be used to get into other accounts too. (How many of you have the same login and password at more than one financial site?! Or, much worse, have the same login/password at financial sites and other sites that might be less protective of your information? Yikes, is that a financial disaster waiting to happen!)

How long? Eight characters is nowhere near enough. Security experts now recommend a bare minimum of 12 characters …but 16 is better. I have my password generator set to 20 …and then often add more to what it comes up with, especially if it’s for an important site, like my bank.

How complex? Not just upper and lower case, and a digit or two. The more other characters allowed the better, such as ! @ # $ % ^ & * ( ) | \ / = ~ { [ ] } . Yes, really.

Best Part: That’s Easy

Secure your passwordsThe problem is, such passwords are very hard to remember, and type. But software comes to the rescue: there is software that “remembers” all of your passwords so you don’t have to, and enters them when necessary — after checking to ensure that you’re really at your bank’s site, not one that just looks like your bank’s site with a quick glance.

Then, you only have to remember one password: the one to unlock the software that holds your passwords for you. The good news is, such programs are pretty easy to use: 80-year-olds who can use banking sites can certainly use this software easily; no mad tech skillz required.

Is that safe? Yes: your passwords are encrypted on your hard drive using the password you choose. If done right, they’re also backed up elsewhere, such as the software company’s servers. Even there, they’re well secured.

If you want more assurance than that, consider that Wired magazine notes that 73 percent of computer security professionals use password vault software, while only 24 percent of “non-experts” do.

Frankly, I’m surprised it’s that high. I use LastPass*, which is free for most uses (thus: no excuses!) If you want to have secure access to your passwords on your smartphone too, they ask for a mere $12/year for that. But again, on your computer, it’s completely free. A small price to pay for a wall around your bank accounts to protect you from organized crime.

Needless to say, I have no association with LastPass, and am not making anything by recommending them. I’m simply a satisfied user (and yes, I [used to** pay the $12/year!) There are others that are probably just as good (and others which probably aren’t as good). But use something.

Do not be frightened by the “but LastPass has been hacked!” scare tactic. They discovered hackers trying to get passwords in their systems, and not only announced it, but went on to say what they were doing about it. There have been no reports of any passwords being compromised. Not one. Even those worried about the theoretical danger could thwart the risk by simply changing their LastPass password, which re-encrypts all of their passwords. Whoopie.

The bottom line is, good passwords are important, and password vault software makes them practical.

Does This Risk Scare You?

Well, it should. The risk is real. Hoping for the best won’t work: that’s what the criminals want. The best defense is knowledge, and now you know an important component: how easy it is to have good passwords. Not doing it is the biggest mistake people make online.

*Update: The company that created LastPass sold out to the company that created LogMeIn …which then started raising the price, just like they did for LogMeIn. I have since switched to Bitwarden.

Additional Reading:

– – –

Bad link? Broken image? Other problem on this page? Use the Help button lower right, and thanks.

This page is an example of my style of “Thought-Provoking Entertainment”. This is True is an email newsletter that uses “weird news” as a vehicle to explore the human condition in an entertaining way. If that sounds good, click here to open a subscribe form.

To really support This is True, you’re invited to sign up for a subscription to the much-expanded “Premium” edition:

One Year Upgrade
Comments

(More upgrade options here.)

Q: Why would I want to pay more than the minimum rate?

A: To support the publication to help it thrive and stay online: this kind of support means less future need for price increases (and smaller increases when they do happen), which enables more people to upgrade. This option was requested by existing Premium subscribers.

 

27 Comments on “The Biggest Mistake People Make Online

  1. All very true — and yet i find it nothing short of shocking how many sites, including online stores that expect you to trust them with personally identifying information and credit card numbers, have password rules that force you to use weak passwords. I came across one recently that paid lip service to strength by requiring at least one each upper-case and lower-case letter and one number, but allowed a MAXIMUM of eight characters and no non-alphanumeric characters allowed. Hey, look, it’s 1988 all over again!

    Needless to say, I abandoned my cart and left.

    That’s not just incompetence, it’s a shocking level of incompetence. Wow. -rc

    Reply
  2. Password Safe, at passwordsafe.sourceforge.net for PC and Google Play Store for Android, is free on both PC and Android. It offers fields for a lot of other information that may be necessary, e.g. your answers to supplementary challenges (e.g.“Who was your favorite teacher in elementary school?”) Because it uses the same file format on both systems, SyncMe Wireless, which is free on Google Play Store, will automatically propagate any change you make on either system to the other. Nothing ever goes over the Internet except (obviously) login info when you use it. I’m not saying these are the best available because I haven’t tried many alternatives, but they work well for me.

    Take care that your master password is stored in only two places: your biological memory, and a piece of paper in your safety deposit box where your executor (and no one else) will find it.

    Reply
  3. However, Randall Munroe’s example is in the list. As are all the quotes from all the movies (I didn’t expect that; so much for NeverSayNeverAgain or even ItHasAPowerWhenItsThere).

    One thing that I do to keep the memorization down but the passwords unique is to prefix the password with the entity; eg, for a bank, it could be “Wachovia annoyinglargepassword!”, and for pepboys it becomes “Pepboys annoyinglargepassword!” this has another advantage that if you’re using Swype to memorize “annoyinglargepassword!” if someone steals your phone or breaks into Swype, they can see “annoyinglargepassword!” in the custom dictionary, but they won’t be able to see the other half. You still should change it, but that technique bought some time (unfortunately, you have to update the passwords everywhere!)…

    And since they’re separated with a space, it becomes Swype-the-name, then Swype-the-password, so it’s 2 motions no matter how long “annoyinglargepassword” gets (not so easy for the Apple users).

    Reply
  4. I use Universal Password Manager (UPM) which is free and will generate the passwords for you, if you wish. k4aVty0J is one it just generated. It is available for most systems — except iOS, which means it cannot sync with iPad or iPhone. But it does work with my Mac and the Android phone. I use Dropbox to keep the archive of passwords which of course need one master password to descramble.

    Just one word of caution. Avoid passwords which use the lower case l or or upper case I. Depending on the font used for the website it can be tricky. Cut and Paste usually works but some sites refuse to accept Command+V as a way of entering your password.

    Your example password is inadequate: 8 characters is simply not enough, and ideally it should also have some non-alphanumeric characters too. -rc

    Reply
  5. +1 for Lastpass, over 300 unique passwords in my vault with an average length of 25 chars.

    They’re not just keeping your passwords, they’re keeping them safe. The security check is a great tool to know the state of your vault, strength of passwords, which accounts are compromised. And 2 factor authentication makes it a very tough vault to crack.

    I’m also baffled sometimes by password restrictions on certain sites, like my bank only allowing a 10char password (thankfully with 2 factor auth).

    With two-factor authentication, hackers can’t get into accounts even if they have your login and password. The subject is explained here. -rc

    Reply
  6. Personally, I always recommend KeePass: it’s completely offline, available for all platforms and absolutely free.

    Besides the usual password to get in, it also supports key files and you can link it to your user account (on Windows) or a combination of three.

    Reply
  7. Possibly a stupid question:

    Years ago I started maintaining separate passwords for each site along with long & complicated ones for financially important sites. I saved them in a text file that is available on only one thumb drive that always stays at home. Is LastPass so much better than that?

    Thanks for this and thanks for This is True! I always enjoy it.

    Not a dumb question. And yes, LastPass (or something like it) is better. Thumb drives deteriorate over time. If you’ve been using the same one for “years,” you’re lucky it hasn’t lost data yet. If you lose it, you not only lose every password, but risk others finding it. LastPass would 1) keep you more secure, because the passwords are stored encrypted, 2) keep you backed up, so your passwords are available even if what they’re stored on crashes (or is stolen), and 3) be more convenient, since you don’t have to mount storage, open a file, find the password, copy it, go to your browser, paste it, and log in. Plus, 4) did you notice the missing step here? It’s critical: are you really on the right site? Is it really your bank and not a spoofed site? It’s easy to fool humans into thinking so; much harder to fool software. -rc

    Reply
  8. Of course, every advantage has its disadvantage, and the other way around. Using a password manager leads to some questions, like:

    – do you trust the developer?
    – do you trust the cloud provider where you put your password database?
    – how secure is your master password? For the ordinary user that will usually be a simple one in order to remember it. If someone discovers this, all your passwords will be known.

    Some voices even say, that it is better to write your passwords down on a piece of paper and hide it somewhere in your house in an inconspicuous place, like a book or some useless stuff in the attic (and a copy in a bank safe, of course). They state that burglars want your electronic equipment and money, not a book or something similar. And the other way around: hackers use the internet and most probably won’t burgle your house.

    And most people will not need their important (bank) passwords to be mobile (of course: there are always exceptions).

    I haven’t made a decision yet and continue to use Keepass, but I would urge everyone to use common sense and not to follow every electronic/mobile/internet fling that develops. ‘Easy to have’ does not equal ‘secure’. Think about your own need to have all passwords everywhere in the world.

    Trusting the developer is indeed important; a good track record is vital. And yes, a good master password is also needed — mine is longer than the recommended 16 characters and has a good mix of upper/lower case, digits, and special characters. It’s reasonably easy to remember and type, even though I typically only have to type it once a day. -rc

    Reply
  9. The non-alphanumeric characters don’t matter to password crackers. It’s the length of the password that really puts the crackers out of reach, because the number of permutations grows so much. Think about it: for a software program trying to brute force its way, what is the difference between letter ‘a’ and ‘%’? There isn’t and sophisticated password crackers do not use dictionary attacks, so the characters do not matter.

    The verysimplebutverylongpassword recommendation is the key to secure passwords that can withstand available computing power, even taking into account the resources of the three-lettered federal agencies.

    You’ll note that the first attribute that I discussed was “long and complex,” and long is the most important …which is why it came first. There is indeed no difference to software between “a” and “%” — they’re both just characters. The point is “complex”. Four characters that are all lower case (26 possibilities each) is so easy to crack, a human can do it if necessary; there are fewer than a half-million combinations. Eight letters of upper and lower case (52 possibilities in each) sounds a lot better: that gives you around 53 trillion combinations …but a computer can crack that number in a few minutes. Simply adding in the 10 digits kicks the number out to 218 trillion. Still not good enough: a reasonably fast computer checking 100 billion passwords/second can go through that list in just 37 minutes. But add in the possibility of special characters and the time it takes jumps to 18.6 hours. Even that doesn’t sound very impressive, but that’s a huge jump. But still, it shows the weakness of 8 characters. Jump it to 12 characters (again with special characters) and it now takes that same computer 1,740 centuries! Even if you use a supercomputer, that drops to 1,740 years. But take out special characters — just use the 26 lower case plus 25 upper case letters, plus the 10 digits — and you’re now vulnerable: the time to exhaustively check them all on a supercomputer drops to just 1.74 years. And that’s current technology; those times will certainly drop. Bottom line: length is critical, but complexity is also extremely important. (Timing source) -rc

    Reply
  10. I am surprised that no one (including some magazines that discuss password “safes”) has mentioned RoboForm. There was a free edition, don’t know if it still is because I use RoboForm everywhere and that costs 10 to 20 dollars per year. I use that because it syncs with everything I have. iPhone, iPad, PC and though I don’t use them, Android devices also.

    It does basically everything that has already been mentioned. It allows very long generated passwords with all the character in it. You can limit how many numeric digits you want and other characters as well.

    I have been using RoboForm since before it was RoboForm. Back in the ’90’s it was Gator or something like that. Was good then, it’s wonderful now.

    Yes, I have used a couple of the others mentioned, always went back to RoboForm.

    I used RoboForm for several years, but as I recall, at some point it wasn’t working right (switch from XP to Win 7?) and, to fix it, they were going to make me buy it again. That didn’t set well with me, so I switched. Companies spend a lot of money to acquire customers, then treat them badly. It’s why I left LogMeIn, too, more recently: there are other options, and they were treating me very badly indeed. -rc

    October 2015 Update: Figures! So who decides to buy Lastpass? LogMeIn! I’ve updated the text to say that I bailed to Bitwarden. -rc

    Reply
  11. +1 for Keepass.

    I need a Password Vault that is good for my private passwords, sharing them across a desktop, laptop, Android phone and tablet — all for free.

    But I also own and run an IT support company, and we use Keepass to store Customer passwords and other private/confidential information. Each customer is setup with their own Keepass database, which is shared to the support engineers responsible for that customer. To open a Keepass database, we use two factor authentication — a password, and also a ‘key file’, usually a Customer related document. Keepass includes a good password generator, that can be set for character set, complexity options and length — so we can automatically define the password parameters used by all engineers.

    I shudder when I think of the spreadsheets we used to use to store customer passwords back when I started over 20 years ago, and the low quality passwords we used to use.

    Reply
  12. I’ve been using RoboForm forever; never had a problem on my tablet or my PC. I tend to use song lyrics (typically, the nth line of the nth verse), poetry, or personal history NOT found on-line, but I’m leaning toward randomly generated passwords for places I can get to with my RoboForm. Oh, and I HATE sites that prescribe the characters to use; much prefer sites with decent password security heuristics.

    Reply
  13. The biggest mistake people make online: Not subscribing to This is True.

    That’s only the second-biggest mistake. 😉 -rc

    Reply
  14. There are other “online mistakes”, however. How about a Facebook Status along the lines of “I’ll be out of town, from my house at 124 Elm Street, here in Boring, OR, for the next 5 days”.

    On the Clip show, that brought that up, they caught the Perps. It turned out that the house was “burgled” by (among others) a Facebook Friend!!! [Or, at least FORMER friend. Isn’t that grounds for an “unfriend”?]

    A commenter on that show suggested a better Status: “I’m at home, cleaning my guns.”

    Reply
  15. Like Ronald (Deep River, Ontario, Canada), I too use sourceforge.net’s PasswordSafe product. Have been for many years. I personally prefer it over any other password manager since it was designed by renowned security technologist Bruce Schneier.

    What is bothersome for me though, is the prevalence of sites that do not allow you to PASTE your password from your clipboard into the password field on their web pages! This is a real problem!

    PayPal for example, allows you to paste your password when you login to their web site, but does NOT allow you to paste a new password into their “Change Your Password” web page! (WTF?!)

    Forgive my mini-rant, Randy, but there are far too many uneducated, ill-informed web page creators out there who think they know about security but really don’t.

    It’s incredibly frustrating.

    But yeah, using a good password manager is a must for anyone who is serious about security. It scares me when so many when otherwise intelligent people tell me they use the same completely insecure password for most all of their web sites.

    (sigh!) I guess there’s not much else we can do about it but to continue trying to educate the public about it.

    P.S.: Funny (but all too true!) YouTube video about password security: https://www.youtube.com/watch?v=opRMrEfAIiI

    Yes, the issue of not being able to paste passwords into some sites (which often screws up the ability of password vaults to work) is well covered in the third “Additional Reading” link — the inspiration for this page. -rc

    Reply
  16. I have loved Roboform for years. It does auto fill-in, creates new passwords, etc. It was originally free but now has an annual fee. At this point I have hundreds of passwords held under the one entry password. Is it really worth the effort to change just to save $1 a week?

    I sure hope it’s not that much! It was not a pain at all for me to switch to LastPass and, later, Bitwarden. More importantly, I’m happy with these solutions. Increased security, cheap, easy. What more does anyone want?! -rc

    Reply
  17. I’m not sure that using mixed case and digits and punctuation is necessary — it seems to me that it’s perfectly fine to use a monocase alphabetic password, if you’re willing to make it 40% longer to compensate for the reduced alphabet.

    Another useful constraint in selecting a password is “no substrings that match any dictionary word of four or more characters”. (Or, once again, extend the length appropriately; maybe treat each dictionary word as if it were only two letters, when counting the password length.)

    Reply
  18. https://xkpasswd.net/s/ — a password generator based on the XKCD concept. If you still don’t want to use a password storage app.

    Nice generator, but even if used, I still see a need for a secure place to store the results. -rc

    Reply
  19. While a strong password is important, there are things that are MUCH more important than the length of your password. Phishing scams are a much larger risk that most realize, and it doesn’t matter how long a password is if you are tricked into giving it away. Common password usage (which was mentioned above) is another security hole for many.

    Password “cracking” is more myth than reality. Most legitimate sites will block login or even suspend an account after a few wrong password attempts. Any cracking method that is trying to guess the password (the reason for a long and complex one) won’t work. Just make sure your password isn’t easy to guess (like “password” or “passw0rd”) or something people could figure out (pet name, street name, etc).

    Yes, the human factor is huge too — which I’ve covered in depth before. I can’t cover every point every time, which is why I have links to other reading for those who haven’t seen them before. -rc

    Reply
  20. I bought a password keeper device from a well-known gadget catalogue.

    I’m not being coy. My memory is really this bad.

    Then forgot the password for IT. Nothing I could do. I had to eventually destroy it and scatter its pieces in dumpsters around the state.

    So Here I go to find out if I can use it on Apple.

    And upgrade to Premium.

    First, you don’t need to buy password keepers from fancy catalogs; choose a well-known one that’s free (or, to support continued development, cheap). Most have Mac versions. Second, you should definitely write down the password for your password manager and keep it in a safe, safety deposit box, or other safe place. It’d be nice if your next of kin know about it, so they can help settle your affairs when the time comes (which I trust will be many years from now!) -rc

    Reply
  21. You have opened my eyes a lot with this blog Randy. Thanks, but in all the discussion, one point keeps jumping out at me — IF THE DATA IS NOT ON YOUR COMPUTER, it can not be stolen for nefarious purposes! I am somewhat of a computer “illiterate”, so I do NOT do ANY financial business on-line. Any passwords on my computer are there strictly to allow access to public sites i.e. F/B, and others that require them — so if my passwords get nabbed I don’t lose anything valuable. I have also set all my security protocols on my web browser as high as I can, and still get into sites that I normally visit — so far haven’t been hacked.

    Reply
  22. While not having your master password in the cloud helps, I still think that the security of your cloud-based service is important. Once hackers have your password vault, they can crack it offline to reveal all of your stored passwords. Now, I’d guess that Randy has a long and hard-to-guess master password but if your master password is weak, it is still relatively easy to steal all of your passwords.

    This is why I, like many of the other commenters use an offline tool and sync manually.

    Reply
  23. Speaking of “incompetence” and “shocking” in the same sentence, I moved my money away from Fidelity when I discovered you could translate your password’s characters into numbers using your phone’s keypad, and fidelity.com would happily accept the resulting number string as your password.

    Out of curiosity, I just tried it again, and sure enough, it still works. (The money is gone, but the account is still active.) Not sure what they would do with special characters, since that old password was alphanumeric, but still. Yikes!

    Wow. -rc

    Reply
  24. I use 1 Password. It will provide (you can set) up to 40 characters as a password without revealing your original password. I use a Mac. It also has a private page for the web that does not allow access to any history on what sites I have visited. The 1 Password is not free but it is highly recommended at $29.

    LastPass can be set to generate passwords up to 100 characters in length. Still free. -rc

    Reply
  25. A couple of points:

    1. Password safe has a mode that directly inserts characters into the keybuffer (rather than cut and paste.) I am, alas, a user of Lotus Notes, and its one of those apps that doesn’t allow pasting of passwords — but password safe will still suffice in ‘autotype’ mode.

    2. Trust is very important. (This was described above.) The ontogeny of a security product is important, as is the current keepers of the fork. Many reasonable security folk do like lastpass, but I don’t understand that. I’d probably require something like password safe or keepass. (“As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It’s true for cryptographic algorithms, security protocols, and security source code. For us, open source isn’t just a business model; it’s smart engineering practice. Bruce Schneier, Crypto-Gram 1999/09/15”)

    3. I consider offline storage to be important, for a couple of reasons. On the one hand, there are times when I need a password when I’m not on line. But more importantly, I want to be able to not depend upon someone Out There to Do The Right Thing. I do use a tool to synchronize my encrypted password blobs (including storing them on usb keys, my phone, etc, as well as automated OTA syncs).

    4. Munroe was almost right — the problem is that horse and battery and staple aren’t random. If you want to do it really right, use diceware or some equivalent word list and an analog source of randomness. (I used to set up VPN tunnels for a living, and carried around a penny, nickel, dime, and quarter to generated random hex strings, four bits at a time…)

    Reply
  26. I have a Yahoo account that I normally don’t use, though I sign in periodically to keep it active and check the “emergency backup mailbox”. They recently required me to change my password — and then rejected my first attempt at a new one, which was a randomly-generating string. The reason turned out to be that it contained the letter “K”, which is, according to my profile, also my complete first name.

    *Snort!* -rc

    Reply

Leave a Comment