According to a Security Magazine poll conducted in May 2020, over 50% of users are likely using the same passwords across multiple applications, technologies, or services. In other words, it does not matter how strong your password is if one of the devices holding it has poor built-in security and gives it up with little resistance.
A better approach is to use different passwords for different technologies or services. You can choose passwords based on the importance of the data each password protects: the password for a simple smart light switch application that stores no personal data, credit card, or other payment information might be simpler than the password for a banking application. As long as the passwords are different, and one password is not a variation of another, this separation prevents a breach of one technology or service from exposing all of your credentials. The downside of this approach is convenience: it is very hard to remember a multitude of truly different passwords, and variations of the same password defeat the whole purpose.
Without going too deeply into the complexity of password attacks: if someone has one of your passwords, it is not much harder to try adding characters to it to discover variations. You can find articles on the internet saying that adding one extra special character or number to your password makes it X times stronger. This is not incorrect, but it assumes the attacker does not know any part of the password, or any other password of yours that follows the same pattern. Think of it like a puzzle: the more pieces you have in place, the more the puzzle starts to make sense. If I know that you used admin123 in a password that was leaked on the internet along with your email address, I can take that known password, add some extra characters, such as admin123$$, and programmatically try other possibilities.
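The "one password is a variation of another" problem can be checked mechanically, which is how a password manager's audit feature or a password-change policy catches a new password that is just an old one with decorations. The following Python is an added example written for this post, not code from the original or from any product named here; the substitution table, the edit-distance threshold and the sample passwords are constructed for illustration.

```python
import string
from typing import Iterable, List

# Constructed table of common character substitutions ("leet speak") that get
# undone before comparing password cores, so P@ssw0rd and password compare equal.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})
# Characters people bolt onto the ends of a reused password: "admin123!!".
AFFIX_CHARS = string.digits + string.punctuation + " "
MIN_CORE = 4  # cores shorter than this ("ab") match too much to be meaningful


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def core(password: str) -> str:
    """Lower-case, strip digits/punctuation from both ends, undo leet swaps:
    'Admin2021!!' -> 'admin', 'P@ssw0rd' -> 'password'."""
    return password.lower().strip(AFFIX_CHARS).translate(LEET_MAP)


def is_variation(candidate: str, known: str, max_edits: int = 2) -> bool:
    """True if `candidate` is a trivial mutation of an already-known password."""
    c, k = candidate.lower(), known.lower()
    # 1. Characters were only added or removed: admin123 -> admin123$$, myadmin123.
    if k in c or c in k:
        return True
    # 2. Same core with different decorations or leet swaps: admin123 -> Admin2021!
    kc = core(k)
    if len(kc) >= MIN_CORE and kc == core(c):
        return True
    # 3. A couple of characters changed: admin123 -> admim123.
    return levenshtein(c, k) <= max_edits


def find_variations(candidate: str, known_passwords: Iterable[str]) -> List[str]:
    """Every known password that `candidate` is a variation of. A password manager
    audit or a change policy would reject the candidate when this is non-empty."""
    return [k for k in known_passwords if is_variation(candidate, k)]


if __name__ == "__main__":
    # Constructed sample: one previously leaked password and a few replacements.
    leaked = ["admin123"]
    for new in ("admin123$$", "Admin2021!", "correct-horse-battery"):
        print(new, "->", find_variations(new, leaked) or "ok")
```

The check is deliberately conservative: it errs toward rejecting a candidate, because the cost of a false rejection is one more password to think up, while the cost of a missed variation is exactly the puzzle-piece attack the paragraph describes. Raise `max_edits` only if you are prepared to accept more false positives.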
Password managers are widely available and have become very popular; however, many of them store credentials in the cloud. Most claim to use strong encryption, but it is sometimes difficult to know for sure how the data is protected in motion and at rest. In motion means while the data is traveling between the user's device and the cloud storage repository; at rest means while the data is sitting in the storage repository in the cloud.
Alternatively, you could use a password management application or service that does not store credentials in the cloud. These are less common, but a few exist. One such application currently available for Android devices is BlackVault Password Manager. BlackVault offers the peace of mind that your credentials are always with you: if someone steals your device, you will know, because your device is missing.
As long as your device is secured with a strong password, or better still with the biometric security available on most mobile devices today, you do not have to worry about your credentials being stolen without your knowledge, and devices can be remotely wiped by their owner. You must still keep your device safe and secure: jailbreaking the phone and downloading applications from third-party sources other than the built-in marketplace is not a good idea.
Side note: when installing apps, watch the permissions the app requests. For example, there is no reason for a calculator app to ask for access to your contacts list or your files and pictures.
The downside of applications like BlackVault is that the data is only available on the device where the application is installed. Because there is no cloud backup, if the device is lost, or something happens to it that renders it useless, all the information on it is lost. BlackVault does allow you to export all of your account credentials into a list that can be printed and stored safely offline; you could also upload that list to something like Google Drive, but then again, if you are going to do that, you might as well use a password manager that leverages a cloud data repository automatically.
So what do you do?
Usually, the right answer is not one, but a combination of things that together give you the desired effect or outcome.
In my opinion, the right approach to password management is two-fold.
1. Use two-factor authentication whenever possible.
2. Create entirely different passwords, and use a password manager, for all the services or technologies where you cannot use two-factor authentication.
Two-factor authentication adds a third, dynamic credential to the sign-in process. This means that in addition to your username and password, you will be asked for a third piece of data to complete the authentication. This can be a code from an authenticator app such as Google Authenticator, or a time-sensitive text message sent by the service provider at the time of sign-in. Which is best, text message or authenticator app? Opinions vary, but either is better than none.
Another benefit of two-factor authentication is that you no longer have to use different passwords everywhere. It is still recommended, but with two-factor authentication enabled, the uniqueness of the password matters less.
Cheers,
J.