Just came up with my father again.
He blames me that mother forgot her phone’s and Google password because I recommended against it being a word.
I mentioned encryption, “not necessary unless you’re doing something illegal”.
When mentioning lack of privacy with targeted advertisements, he said that he actually really likes them, because he bought a couple of things he wanted for years.
I don’t really have good arguments.


I’m going to be real. I was part way through an explanation before I deleted it. What you are dealing with sounds like a situation where you simply won’t win by using logic. To continue to labor under the presumption that a good and logical reasoning will have an effect is just going to stress you out and achieve nothing.
IT nerds help me out here, but I’ve been under the impression that the best defense against brute force attacks is a very long password, and the idea of sprinkling in special characters or numbers is outdated. Something like “iwenttothestoreandboughtabirthdaycake” is a more secure password than “$6jds_*WghP6”.
edit: Also the mantra to never write down any passwords is more of a workplace piece of advice. I personally think, and this would probably be helpful for older people, that writing down passwords in a notebook which is kept secure in their home is pretty safe. Short of a home invasion, that notebook is safe, and having it can encourage them to diversify their passwords on different accounts. So, if you are going to keep at the issue, taking an angle of using something they are more comfortable with like a paper notebook is going to be accepted more easily than trying to sell them on a password manager or something.
https://xkcd.com/936/
It doesn’t even have to be that long. 12-16 characters and it’ll be infeasible to brute-force for the foreseeable future. But unless you’re talking a high-value target like government, military, or executive suite at a company, no one bothers to brute-force anyway because there are easier ways to gain access.
The biggest issue with password security is reuse and sharing. The most secure password in the world doesn’t mean a damn thing if you use the same email/password combination across a hundred different websites, because all it takes is for just one of them to suffer a leak and now your credentials are in a dump with millions of others that can be bought for a song and a dance.
This is why it’s imperative to use 2FA for your most important accounts, because it can mean the difference between an attacker getting access and hitting an error page and trying the next poor fucker’s credentials instead.
But also, no one wants to try to remember a hundred different unique passwords so it’s also a good idea to use a password manager. Chrome and Firefox both have them built-in (note that Firefox stores passwords unencrypted on disk unless you set a master password!), but there are also services like OnePass or Bitwarden that have stronger guarantees.
While being aware that leaking passwords and reusing them is a major risk, I was just asking about the construction of the password as it relates to being attacked directly.
Absolutely. I recommended the notebook approach only because I think people of a certain mindset would be more open to it than a password manager, even if it isn’t as elegant of a solution. At the end of the day it still diversifies passwords. I’m vividly picturing my mom throwing a fit any time a doctor or other office wants her to fill out a form on a tablet instead of paper.
Is there something that would perhaps also work on Android? Also, how do you move the passwords from password manager into the fields? My problem with clipboard is that anything can read it. Of course, that means there has to be something to exfiltrate the data, but 1 problem is better than 2.
Password managers on Android (and frankly all platforms) actually try to avoid using the clipboard. They prefer the auto-fill service, which is intended for applications just like this. Unfortunately this isn’t working in all cases, but you can also set your password manager as a keyboard (temporarily), so it can directly input a selected username/password without anyone else seeing it.
Examples where I know this is the case are open source keepass options (Keepass2Android, KeepassDX). But I’d assume bitwarden and the like also work this way.
Most of those password managers are also available on android, and automatically clear the clipboard after 30 seconds.
But that’s a bit like plugging a leak when the tank’s empty. If they managed to get a tool onto your device to read the clipboard, what else is there to get? They’ll almost certainly have a key logger installed as well, if not a full backdoor.
And that’s assuming they’ll even go through the effort of installing anything and not just using ransomware to brick your device.
The first thing about security is knowing who you’re defending against, and you’re not defending against targeted attacks by nation states (if you as an individual are, you’ve already lost). Your main adversary is spray-and-pray “script kiddies”, maybe the occasional private actor.
Clearing the clipboard also makes it less likely that you’ll accidentally paste your password in a text box somewhere when you meant to tap “Copy” and missed.
As far as I know, the thing is that randomly chosen words will be more secure because there’s simply too many words. However, sentences will be more predictable. And a single word will give quick access to someone with a sufficient wordlist.
Honestly, I don’t remember what exactly my recommendation was, just that I recommended against something quite simple (common word), and that she shouldn’t tell me or anyone else what it is.
Edit: but I am not a professional, so don’t use me for advice.
The difference for random vs chosen sentences is when brute forcing a password (short of a few common or predictable sentences) the attack works by trying out combinations of different words randomly (if they’re even that advanced in the first place instead of using characters). That means any sentences you come up with, based on 3 things in the room, are so unpredictable that it doesn’t matter that they aren’t truly random.
You can also change the space characters. Use - then _ then + and repeat:
Instead of
iwentshoppingformilklastsaturday
you can use
i-went_shopping+for-milk_last+saturday.
The amount of variables is just too high for it to truly matter. Now all you need to deal with is the banking login being so poorly designed it only allows a max of 8 characters or BS like that, in which case you’ve lost before you even started.
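To put numbers on the brute-force comparison in this thread (random words vs. random characters, and the 8-character case-insensitive bank limit mentioned above), here is an added example that is not from anyone in the thread. The 7776-word list size (a diceware list), the 1e10 guesses/s cracking rate (an offline GPU rig against a fast hash) and the mini wordlist are assumptions for illustration.

```python
import math
import secrets
from itertools import cycle

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices.
    Only valid for uniformly random choices: a sentence you composed yourself
    is far more predictable than this number suggests."""
    return length * math.log2(alphabet_size)

def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR

def join_with_rotating_separators(words, separators=("-", "_", "+")) -> str:
    """Join words with separators cycling through -, _, + as the post suggests."""
    out = words[0]
    for sep, word in zip(cycle(separators), words[1:]):
        out += sep + word
    return out

def generate_passphrase(wordlist, n_words: int, rng=secrets) -> str:
    """Pick n_words uniformly at random (with replacement) from wordlist."""
    words = [rng.choice(wordlist) for _ in range(n_words)]
    return join_with_rotating_separators(words)

# Constructed comparison: (label, alphabet size, number of symbols).
POLICIES = [
    ("4 random diceware words (assumed 7776-word list)", 7776, 4),
    ("12 random printable ASCII chars", 95, 12),
    ("8 lowercase letters+digits, case-insensitive (bank limit)", 36, 8),
]

def compare_policies(guesses_per_second: float = 1e10):
    """Return (label, bits, years) per policy at an assumed offline cracking rate."""
    return [(label, entropy_bits(a, n), years_to_crack(entropy_bits(a, n), guesses_per_second))
            for label, a, n in POLICIES]

if __name__ == "__main__":
    for label, bits, years in compare_policies():
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at 1e10 guesses/s")
    # Constructed mini wordlist so this runs offline; a real list has thousands of entries.
    print(generate_passphrase(["milk", "saturday", "shopping", "went", "cake", "store"], 4))
```

Note that four words from a 7776-word list fall to an offline attack in days at the assumed rate, which is why the thread's advice to pair a decent passphrase with 2FA and no reuse matters more than the exact construction.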
And once I came across even better limitation. “Only English characters and numbers are permitted. Passwords are case-insensitive.”
OK, the last one wasn’t actually mentioned, but I just found out the case didn’t matter either.
Yikes, you just know those are stored in a file called
passwords-donotsteal.txt…
The fourth largest bank in America, Wells Fargo, has case-insensitive passwords