
Computer security for people who don’t know computers

Harold Pollack, author of the personal finance index card, offers up an index card approach to computer security:

I have an issue with this. It's not that any of it is wrong per se, just that it's too complicated. Like it or not, the vast majority of computer users either can't or won't follow all these rules. They probably don't even understand most of them. As with so many things, you're stuck with a dilemma: should you write something that's correct but that no one will read, or something that's EZ to read but not entirely accurate?

It's a problem. For example, here's my version of Harold's card:

  • Never click on a link in an email. Period.
  • Get OneDrive (Microsoft) or iCloud (Apple). They will automatically keep your data backed up in the cloud.
  • Use Avira password manager. It's free and simple. And never share your passwords with anyone. Not your mother, not your husband, not your best friend. Not anyone. Ever.
  • Write down your username and password for all your important sites (i.e., the ones you use most often) on a small sheet of paper. Fold it up and put it in your wallet.
  • Never buy anything from somebody who calls you on the phone. No exceptions.
  • If anything even remotely suspicious pops up, press No or Cancel. Then call a computer buddy who knows about this stuff and ask for advice.

This is not the way I do things. If you're computer literate, it's probably not the way you do things either. But it's about a thousand percent better than most people's security, and it's easy enough that they might actually do it. Maybe.

73 thoughts on “Computer security for people who don’t know computers”

  1. cld

    Well, I wouldn't keep anything in my wallet.

    Though you might try writing it on the wall in urine, or similar, so it can only be seen with a black light.

          1. cld

            You are a landlord who customarily enters peoples' residences when they are not there and searches around with a black light?

    2. wvmcl2

      I dunno. If my wallet were stolen, I would know about it pretty quick and probably be able to react before they could do much damage.

      One trick I like to use is to have an extension on all my passwords that is always the same but that I never write down. Then if I have to look up a password, I just remember to always add the extension that is not written down. This would presumably make my written down passwords useless to a thief.

      The ideal place to keep a password list is, of course, a bank safety deposit box.

      1. HokieAnnie

        UGH. No. I had the darndest time getting access to my parents' safety deposit box when my dad was seriously ill this past summer. My mom was on the bank records so she could have accessed it but she had let her driver's license expire because she does not drive anymore and she would have had to go in person to the DMV at age 92 to get an official ID card after digging out her birth certificate and change of name paperwork from the 1950s. Oh heck no thought we were toast. Then finally I realized she had a passport that was recently expired, so I downloaded the form for her to renew that and once it finally arrived in September we could go to the bank, empty out the box and close out the account at that bank.

        So think twice about the safety deposit box or make sure you have enough family members allowed to get to the box so it's not as much a hassle as we had.

  2. Dana Decker

    I am constantly annoyed with sites that insist your password include special characters and a mix of upper and lower case letters.

    You know what makes a password good? If it's long.

    Instead of hard-to-type and hard-to-remember

    4gnO3(I(Y&8t*

    Do something like this:

    silver9gold9iron9water9gold

    The latter is 28 characters long and easy to remember (and write down somewhere). Better, in my opinion, than those which take a common expression, like "Mary had a little lamb", and use only the 1st letters (Mhall) which strikes me as unnecessarily complex.

    A 28 letter password is very hard to crack with brute strength. Yes, there are password cracking rules that can be tried in an attempt to match your password's structure, e.g.

    word number word number word number word number word

    And it does reduce the number of possibilities, making it easier to dictionary/brute-strength crack, but nobody is doing that, certainly not for the average person's account. Also, the number of rules a cracker would have to try is enormous. Just make your structure more complicated than

    word number same-word

    somewhat related
    https://www.relativity.com/blog/passwords-101-how-theyre-hacked-and-why-longer-is-better/

    1. iamr4man

      Lately, I’ve received dozens of text messages informing me that my Amazon, Apple, Visa, etc., account has been compromised and locked with a link that indicated it will lead me to information about what to do. I’ve had times when I thought it was possible and even contacted my vendor to make sure everything was ok. Of course I’ve never clicked the link. Of course all were scams.
      I have to believe that those scams are working on a lot of people.

      1. lawnorder

        I've received maybe a thousand notifications that my Pay Pal account has been locked. I don't have a Pay Pal account. Lately, it seems everybody and his dog wants to give me a gift card.

    2. golack

      ahhh. but you'll need a special character too 😉
      Of course you should not use the same password for different sites, and I had tried using a system similar to yours--only to get fouled up by different password requirements on different sites, or changing requirements on a given site. Some sites require frequent updates and can not be similar to past passwords--so system gets dumped.

      1. memyselfandi

        Except for those sites that don't allow special characters. Places need to put their rules on the login page so that there is some hope you can remember the password.

  3. Zephyr

    For most people who already use Gmail it is easiest to just use the free Google stuff like Drive, Docs, etc. And Google is good about nagging you to make things more secure. Even the password manager in Chrome is OK for most people if you use its suggested long random passwords. Chromebooks are more secure too, and if one fails for some reason you don't lose everything because it is all in the cloud. Make sure your main Google password is long and not something obvious. The biggest dangers most people face are phishing emails and malicious links. Gmail's filters are by far the best at detecting those. I rarely see anything but legit emails in my Inbox.

  4. different_name

    Completely, 100% agree, Kevin's list is far superior. (Sorry, Harold. You still rock.)

    But the thing is, the people writing these (and probably all of us reading this) remember life before personal computers were common, put aside smart phones. Kids These Days mostly learn personal opsec by messing with each other growing up. These lists are of us oldsters.

    1. Zephyr

      In my experience being older than every other employee, young people are terrible about security. Short, guessable passwords, click on every link, open every social media message, etc. They just aren't afraid of this stuff like most oldsters. They look at being hacked as a normal part of life.

  5. Austin

    Use Avira password manager. It's free and simple. Never share your passwords with anyone. Not your mother, not your husband, not your best friend. Not anyone. Ever.

    I assume nobody in Kevin’s family has ever gotten memory or consciousness illnesses before. But this is terrible advice. *One* person in your life should know your passwords, because when you’re suddenly unable to function on your own, they’re going to need access to your bank, utility bills, etc to carry on until the courts declare you invalid or you can convince service providers to not immediately shut off the power or whatever. I ran into this with my mom and it was a godsend that she trusted me with some of her passwords.

    1. Zephyr

      I agree with this unless you want to make life miserable for the loved ones you leave behind who end up having to clean up after you.

    2. HokieAnnie

      I was going to say this but you already have. I'm dealing with caring for my elderly parents as they have finally reached the tipping point where they cannot manage on their own, they had to move into assisted living and my sibling and I are taking over finances. It's highly messy but less than it could have been because my parents were obsessive about writing down passwords and keeping paper records for better or worse.

      You absolutely must determine people you trust who will have access to your accounts if you get sick or die and provide them with the passwords and info.

      1. iamr4man

        On this subject, it’s also a good idea to have all of your important documents in a place available to your loved ones. Power of attorney documents should be in place. If your loved one is a veteran who receives a pension there is an added benefit called “Aid and Attendance” that provides additional money for caregivers. Getting it is a very complex procedure and it’s best to know about it now and have the documents you will need to apply, such as military discharge documents, available.

    3. DFPaul

      Funny that you mention this; a 72 year old neighbor and friend of mine had a very minor stroke a few weeks back and it knocked out his ability to get into his (android) phone, a major pain given how much stuff is done on phone apps these days, not to mention text messaging etc.

      In trying to help him recover his access to things he said to me at one point “I wish I could remember my password”, meaning he uses one and only one password for everything.

      A disaster waiting to happen if you ask me.

    4. memyselfandi

      You're of course missing that the two sentences are mutually contradictory. Not sure that I want to enable some company to loot my bank accounts.

    5. Chondrite23

      For most people the biggest danger of passwords is losing one and then not being able to have access to your documents, photos, etc. It is unlikely that Tom Cruise will drop in through a skylight to get your book to rob you of a few hundred dollars in your checking account.

      You should use a password manager. For those of us with iPhones and iPads Apple does this for free and it is built in and works well.

      Still, I suggest writing the really important ones in a small booklet and keeping that secure. If you can trust a relative tell them about this so that in case you have a stroke or similar you can still access your documents.

      I also suggest using some sort of backup. iCloud or Google is OK. I use Backblaze. It keeps a copy of everything on all your disks. Even if your house is flooded or burns down you still have your photos, etc.

  6. NealB

    Google Drive for storage. Bitwarden + small fee works on your computer, tablet, and phone for passwords, and will generate strong new passwords when you need them. And too bad if it's too complicated, learn how 2FA works--lots of sites require them. Soon, they'll all require 2FA so keep your phone charged to be able to quickly ack your logins.

    1. kaleberg

      2FA is a terrible idea. Who wants to be locked out of their accounts because their phone is lost or broken? Besides, the security is terrible. For less than $10 you can intercept anyone's SMS messages. What if two people need to share an account? Do you have to go to one of those business services so both of you get all the text messages?

      2FA doesn't improve security, and it makes things less robust and harder to use.

      1. NealB

        2FA just sends to your phone or email a code that you enter as you're trying to login to a site that you've already authenticated to with a password, so someone that intercepted the 2nd factor authorization sent via SMS wouldn't be able to use it without also having your user name and password. 2FA increases security for the obvious reason that only you have your phone (or email account, presumably) to get the 2nd factor code, which also only applies for the session you're using to log on. Not sure what you mean about it being "less robust." And harder to use is better, especially for certain uses (online banking, e.g.). Anyway, it's going to be ubiquitous, so get used to it.

  7. mathemsg

    "Fold it up and put it in your wallet." NOPE NOPE NOPE. I ran an Enterprise IT reseller and support co....DO NOT Fold it up and put it in your wallet. Put it with your Will and other end-of-life-documents in a secure space (e.g. safe) so those that carry out your Will have access. By all means use password manager, Google, 1Password, etc. Lastpass used to be my go-to until they were hacked.

    1. Zephyr

      Yes, use a password manager so you don't reuse passwords and the ones generated will be random. Make them long too. Then the only password you need to remember is for your password manager, and it is a good idea to write it down and hide it somewhere you can access even when traveling. If in your wallet just leave off some critical chunk of it that is easy for you to remember once you see the rest of it.

      1. Zephyr

        Most passwords should be in a password manager so you don't have to remember them, but you can't lose track of the password that lets you into the password manager! I have been told that more than 50% of IT work is helping people get into accounts because they forgot the password.

  8. MindGame

    I am not familiar with the Avira password service, but I tend to be skeptical about such cloud-based solutions given the data breaches with other password services. Since I'm a bit of a geek, I recommend the open-source program KeePass, which doesn't look as fancy as the commercial ones, but it's powerful and gives you complete control of the encrypted data file it uses. I've been using it for roughly 20 years and have never had any security issues.

    1. emh1969

      Agree 100%. Been using Keepass for about a decade. Don't understand why people would want their passwords on the cloud.

      1. Steve_OH

        Don't understand why people would want their passwords on the cloud.

        Auto-sync of credentials across multiple devices.

    2. Zephyr

      The problem with KeePass and other apps not in the cloud is that your local computers and storage are vastly more risky places to store stuff. Fire, flood, hurricane, theft, or simple and frequent equipment breakdowns are common. My office building was hit by lightning that took out piles of computers and power supplies. A huge tree fell on my house that would have demolished any computer under it.

      1. MindGame

        Oh, I sync my data file alright, to not only give me a backup but also access across devices. The difference is that I control the file, which is an insignificant target compared to an entire online store of passwords.

  9. cephalopod

    My coworker got an email about computer security, containing grammar and spelling errors. She reported it as spam. Turns out, our IT department just sucks at writing.

  10. KayInMD

    I have an exception to your 'don't share your password with anyone, ever' rule. Share your password to your password vault with SOMEONE. Otherwise, when you die, no one will be able to get in to ANY of your accounts. This was a real problem when my sister died suddenly in 2014. In fact, her Facebook is still active.

    ETA - and I see that LOTS of folks have already addressed this.

  11. KayInMD

    For a long time, in the last century, I had a list of 'Doctors' and their 'phone #s' in my physical phone book which were really accounts and pin numbers. Of course, now I neither have a physical phone book nor very many of those kinds of accounts, so I use a password vault whose password is a fairly long sentence string I keep hidden in a paragraph in a text doc in Google Docs.

      1. skeptonomist

        Most of the things that require passwords will not kill you if someone else gets in. Password security is for money things and other really personal data.

    1. MindGame

      I truly always use my password manager to generate a unique password for every single application I use. Never a repeat.

    2. kaleberg

      Most of the passwords one has are relatively harmless if lost. For a while, it seemed half the internet required a password just to look at anything beyond a home page. There's no reason to waste brain space with a unique, complex password.

  12. kahner

    any reasonably effective set of rules for computer security is going to be as complicated as that set. and your own list is, in my opinion, worse than complicated, it's not at all practical for people to adhere to.

    Never click on a link in an email. Period.
    -No way. I get valid links in email for work constantly. If I refused to ever click on them I couldn't function in my job. It's complicated but in reality you have to use judgement.

    Get OneDrive (Microsoft) or iCloud (Apple). They will automatically keep your data backed up in the cloud.
    -onedrive is not a very dependable backup and susceptible to lots of attacks like ransomware. better than nothing, but still pretty bad

    Use Avira password manager. It's free and simple. And never share your passwords with anyone. Not your mother, not your husband, not your best friend. Not anyone. Ever.
    - again, no one will do this. people share passwords all the time, and this advice has to include caveats about WHAT passwords you should and should not share. it's more complex, but it's also realistic when accounting for real world behavior.

    Write down your username and password for all your important sites (i.e., the ones you use most often) on a small sheet of paper. Fold it up and put it in your wallet.
    - DO NOT KEEP PASSWORDS IN YOUR WALLET. I agree you should write them down somewhere, but that somewhere shouldn't be on your person. Hide it somewhere secure and take it out only when needed.

    If anything even remotely suspicious pops up, press No or Cancel. Then call a computer buddy who knows about this stuff and ask for advice.
    - the average person has no idea what should be considered "suspicious". and pray for the sanity of the computer buddies of the world who have to field calls from their friends and family every time one of them thinks something is suspicious. this is, again, totally unrealistic for the vast majority of people who don't have a truly computer security savvy resource at their beck and call.

  13. golack

    Just a reminder--Windows will now encrypt your hard drive. But that is not the case in older systems.
    Hard drive fails? Just boot to a stick and copy the files over to a portable drive. Works most (not all) of the time. Great if your hard drive failed and you don't have a current backup. But a bit of a pain if they are encrypted.
    IF not encrypted, then can be a big problem if you just throw away your "dead" PC.

    So create a recovery USB drive and save it in a safe space.

    1. Zephyr

      That is why storing everything in the cloud is vastly safer for most people, as long as they use decent security practices. Moved my father to a Chromebook and cut my IT support time down by 99% and he stopped losing all his stuff when his computer crashed.

  14. DaBunny

    Re-password re-use. I use the same password for sites I don't care about that force me to create a login. I want to grab tool X or read review Y. I don't much care if someone else can do the same in my name. So I use the same throwaway password that's already been leaked zillions of times.

    Re password sharing: Why shouldn't my wife and I share passwords? As many have pointed out, what happens if I get hit by a truck? Or more prosaically, what if she needs to pay our medical bills and needs to look at our records. Sure, theoretically our insurer and providers let us see each others info, if we've filled out forms in triplicate and those forms have expired...as they do every 30 seconds or so. Much easier for her to log in as me or vice versa, using our shared password manager. Why is this a safety issue?

  15. D_Ohrk_E1

    The Future: Within the decade passwords will be anachronisms for the nascent portion of the digital age. Even now, Google, Microsoft, Apple, and others are working to get rid of the password -- https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html

    The problem you fail to see is that even if you do everything right, your password will be stolen. Every other company has been hacked and had their database of user passwords accessed.

    Authenticate at the device, not at a centralized point. Imagine how much harder it is to harvest millions of accounts if there is no centralized point of authentication using a database of passwords.

    https://fidoalliance.org/passkeys/

    For Now: The traditional 2FA -- as in text/email/phone call -- security system is significantly weaker than using a dedicated authentication tool like the Android built-in Google Authenticator or Microsoft Authenticator for your phone. Search YouTube to see how it works. If you're a high-risk individual, your only real option is to use a separate authentication device.

    1. kaleberg

      Yes, but passkeys introduce another failure point. If they require a physical object like your phone, PC or a specialized device, then that device can be lost. They are also much less convenient since they cannot be used by two people at two different locations.

  16. memyselfandi

    "If anything even remotely suspicious pops up, press No or Cancel. Then call a computer buddy who knows about this stuff and ask for advice."
    This is of course how Russian intelligence successfully hacked Podesta. He got a suspicious-looking email supposedly from his IT specialist. He called him up and the idiot told him it was from him and to go ahead and click on the link. It was in fact spyware from the Russians.

  17. Jim Carey

    "Like it or not, the vast majority of computer users either can't or won't follow all these rules."

    The simple and universal rule for "the vast majority of computer users" that is being followed by the rest:

    Don’t ignore things I know I shouldn't ignore.

  18. pjcamp1905

    I don't trust free corporate security solutions. You can't be a business without a way to make money. If you're lucky, it's ads, but those are super obnoxious and annoying. If you're not lucky, your data is being harvested and sold. And even if none of that is true, it remains a question how they make money and how many corners they are willing to cut to increase profits.

    I use KeePass on all my devices. It produces a data file with military grade encryption, which I then store on Google Drive for all the devices to use. So there is never any unencrypted data exposed to anyone but me. It is free and open source, so anyone who wants can look at it and see if there is anything suspicious going on.

    By no means should you ever use a password storage service. LastPass just showed you why. Part of why my data is safe is that it isn't worth the effort of breaking military grade encryption just to get one nabob's data. But millions of people in LastPass? That is a tempting target, especially when, as seems the case, they decided to skimp on security to increase margins.

    I'm particularly irked by the universal recommendation to choose only complicated, preferably random character, passwords and then remember them, don't write them down. The era of dictionary attacks is so far behind it isn't even in the rear view mirror anymore. All attacks these days are some form of brute force, and the best protection from that is length. A couple stanzas from a pop song is more secure than 10 random characters.
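
Added example, not part of any comment or of the original post: a rough size-of-search-space estimate for the length-versus-structure question raised in Dana Decker's and pjcamp1905's comments, using the two sample passwords from Dana Decker's comment. The 7776-word dictionary size, the tiny `SAMPLE_WORDS` set, and the rule that a repeated token costs the attacker nothing are assumptions of this sketch.

```python
import math
import re

# Constructed stand-in for an attacker's word list: membership is tested against
# this tiny sample, but cost is charged as if the full list had DICT_SIZE entries.
SAMPLE_WORDS = {"silver", "gold", "iron", "water", "mary", "little", "lamb"}
DICT_SIZE = 7776   # assumption: words come from a Diceware-sized list (6**5)

PASSPHRASE = "silver9gold9iron9water9gold"   # sample from the comment thread
RANDOM_PW = "4gnO3(I(Y&8t*"                  # sample from the comment thread


def charset_size(text: str) -> int:
    """Alphabet a character-by-character search must cover for this text."""
    size = 0
    if re.search(r"[a-z]", text):
        size += 26
    if re.search(r"[A-Z]", text):
        size += 26
    if re.search(r"[0-9]", text):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", text):
        size += 32   # printable ASCII punctuation
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the search space when every position is tried independently."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def structured_bits(pw: str):
    """log2 of the search space for an attacker whose rule already matches the
    shape 'word, separator, word, ...'. Returns None when the password is not
    built from dictionary words. A token that repeats an earlier one adds no
    cost, because the rule itself encodes the repetition (a lower bound)."""
    bits, seen = 0.0, set()
    for tok in re.findall(r"[A-Za-z]+|[^A-Za-z]+", pw):
        if tok.isalpha():
            if tok.lower() not in SAMPLE_WORDS:
                return None          # random letters: no dictionary shortcut
            cost = math.log2(DICT_SIZE)
        else:
            cost = len(tok) * math.log2(charset_size(tok))
        if tok not in seen:
            bits += cost
            seen.add(tok)
    return bits


def effective_bits(pw: str) -> float:
    """The attacker uses whichever model is cheaper."""
    s = structured_bits(pw)
    b = brute_force_bits(pw)
    return b if s is None else min(s, b)


def words_needed(target_bits: float) -> int:
    """Independently chosen random words needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(DICT_SIZE))


if __name__ == "__main__":
    for pw in (PASSPHRASE, RANDOM_PW):
        print(f"{pw!r}: brute force {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
    print("random words to match the 13-character password:",
          words_needed(brute_force_bits(RANDOM_PW)))
```

Under these assumptions the long passphrase is strong only against character-by-character search; its strength against a structure-aware guesser comes from how many words were chosen independently, not from the character count.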

  19. illilillili

    Google provides more free storage than Apple. I sync all my photos to Google Photos and sync my laptop to Google Drive.
