Best practice for preparing your kids and yourself to manage passwords and other secrets in the family.
I came across an infographic the other day that explained how to talk to your kids about the dangers of the Internet. Taking that a little further, I’ve thought about what you should do in the family to protect yourself and your loved ones from annoyances that could have been avoided with a little more care. Before I begin, I must make it clear that I’m not a security expert. What follows is based on everyday experience rather than expert advice. If you take just one piece of advice from here, you’d be better off than you were before reading this post. Let’s look at the issues one by one.
If you use passwords for websites and services that you can memorise, you’re reckless – unless, of course, you have a photographic memory. Unfortunately, with today’s computing capacities, you don’t need to be anyone special for your passwords to be worth cracking. All you need to know is that passwords shorter than ten characters are totally outdated. Even passwords of 20 characters protect you only if the people who want your data don’t want to spend too much time cracking your account. It’s not just about password length any more: to make your password safe, you should use a variety of characters (and two-step verification – see below).
What does this mean in practice?
- Creating your own password (this can be memorised):
- If you want to create your own password, start by linking two or three words together. You can mix languages or use nonsensical words. For example: brown apple flower
- Add capitals and lowercase letters, numbers and special characters (a space is also a special character). For example: browN:Apple flower
- Then add a character that’s not normally used in writing, and you’re done. For example: browN:$Apple flower
- Using a password generator (these passwords can’t be memorised): there are software tools that generate random series of characters for you.
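As an added illustration (not part of the original post), the script below puts numbers on the two approaches above: it scores the post’s own example phrases under the brute-force model the post describes, and also under a wordlist model, which is how a phrase built from dictionary words is actually attacked. The vocabulary size (50,000 words), the one-bit credit per extra character class, and the guess rate (10 billion per second, an offline attack on a leaked hash) are assumptions chosen for the example.

```python
import math
import re
import secrets
import string

# Character classes for the brute-force model (a space counts as a special character, as the post says).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation + " ")

def charset_size(password: str) -> int:
    """Size of the smallest union of character classes that covers every character in the password."""
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    if any(all(ch not in cls for cls in CLASSES) for ch in password):
        size += 100  # assumption: a character outside ASCII widens the alphabet by roughly this much
    return size

def bruteforce_bits(password: str) -> float:
    """Bits of work if the attacker tries every string over the covering charset (the post's model)."""
    return len(password) * math.log2(charset_size(password))

def wordlist_bits(password: str, vocabulary: int = 50_000) -> float:
    """Bits of work if the attacker guesses dictionary-word combinations instead (assumed vocabulary).
    Capitalising a word or inserting a symbol is a predictable tweak, so each extra class earns 1 bit."""
    words = max(1, len(re.findall(r"[A-Za-z]+", password)))
    extra = sum(1 for cls in (string.ascii_uppercase, string.digits, string.punctuation)
                if any(ch in cls for ch in password))
    return words * math.log2(vocabulary) + extra

def crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the password when half the space is searched at an assumed guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)

def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, the kind a password manager's generator produces."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for pw in ("brown apple flower", "browN:$Apple flower"):
        b, w = bruteforce_bits(pw), wordlist_bits(pw)
        print(f"{pw!r}: brute-force {b:.0f} bits ({crack_years(b):.1e} years), "
              f"wordlist {w:.0f} bits ({crack_years(w):.1e} years)")
    gen = generate_password()
    print(f"{gen!r}: brute-force {bruteforce_bits(gen):.0f} bits "
          f"({crack_years(bruteforce_bits(gen)):.1e} years)")
```

The gap between the two models is the point: a three-word phrase looks like 100+ bits to a brute-forcer but only around 47 bits to a wordlist attack, which is why a generated password from a manager is the safer default for anything you do not need to memorise.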
Now you have at least one password that appears safe; let’s call it the Master password. This should be the one you actually memorise. If you have one such password, you don’t need to remember the rest. You’ll use the Master password to encrypt all your other passwords.
Use password manager software to store your passwords
A good password manager today must meet at least the following requirements:
- it encrypts data locally. This means that no service provider should have your Master password – once something’s stored online, it may be cracked.
- it stores the data in the cloud. This doesn’t contradict the point above because your data are already encrypted with a Master password. This means that your passwords are backed up and their storage is location independent.
- it should be usable on more than one device. In addition to your computer, your cell phone is used for many things.
- it should support sharing passwords within a safe group. This is useful for families as well as companies.
- it shouldn’t be expensive.
I’m going to show you two solutions, one free, one paid.
- The Keepass software is free, and it stores data locally on the computer. But if you upload the encrypted password database to Google Drive, you’ll be able to access the passwords on your cell phone. A drawback of this software is that you can only share passwords with your family members by using separate password database files for yourself and for your family. Another drawback is the overly simplistic mobile interface, which makes it a bit difficult to use. But it’s safe and free of charge. You can make it work with the browsers on your computer, but setting that up requires some computer expertise.
- 1Password is a monthly subscription-based service, but it meets all the requirements of a password management solution. A particularly likeable feature is that 1Password works with your cell phone’s browser, so it automatically fills in the login information on the selected websites. (That is, once it has been unlocked with the Master password.)
That’s the theory. And then you have the practice.
In spite of the well-thought-out principle above, humans are LAZY. Even I don’t store the passwords for all services and websites. How do I decide when to be lazy and when to be security-conscious? This depends on the kind of data stored about us and which of it I find sensitive:
- scenario 1: I want to try a service: I’m just looking, so I don’t give out my real email address but an anonymous one registered for this purpose. This has a short but suitably complex, tried and tested password. If I decide to use the service for real, I’ll re-register with my real email address and a safe password. This solution involves NO password storage.
- scenario 2: I order something from a shop I don’t use often: I don’t register but check out as a guest (this doesn’t save bank card data). I’ll survive having to type in my personal information twice a year. This solution involves NO password storage.
- scenario 3: I often order something from the shop but it doesn’t reveal much about me, and the store doesn’t save bank card data: I register with my real email address but use the short password mentioned above. In this case, identity theft is not a real risk at the shop, since you give out your address in many places anyway. This solution involves NO password storage.
- scenario 4: I often order something from a shop and it’s important that it remains a secret, or the shop stores bank card data: This DOES involve password generation and password storage.
- scenario 5: using an online service: This DOES involve password generation and password storage.
- Facebook: This DOES involve password generation and password storage. But I create my password so that it can be memorised if I want it to be.
- Email: This DOES involve password generation and password storage. But I create my password so that it can be memorised if I want it to be.
Logging in with Facebook or Google
Recently, many websites and services have started to allow you to log in with your Facebook or Google account. To me, this convenient option belongs in the same category as the scenarios above marked as involving password generation and password storage. But it’s important to know what you are allowing the websites/services to access. Let me give you an example that made me think twice about this the other day. I wanted to use a function of the IFTTT service that sends a notification to your phone if you get a certain email. But for this I was not only asked to authorise Google login; IFTTT also wanted access to the email itself. I didn’t want this, so I had to find another solution. I’d like to stress here that you really need to think hard when a website/app/service asks for access to your most valuable user data, that is, your email and Facebook profile.
Always, always lock everything
To sum up what you’ve learnt here so far: you need to remember one password, and then you’ll be able to see all of your other passwords on your computer and cell phone. And if you need to give a family member access to some of them, you can do that, too.
Unfortunately, every chain is only as strong as its weakest link. Your weakest links include your computer (maybe more than one), your cell phone and your tablet. If any of these get into the wrong hands, your passwords may be revealed.
- Most devices assume that whoever enters the Master password is you. This is all fine, but only if the password database automatically locks after, say, three minutes, or once the device is locked. A typical workplace scenario is that you pop out for a coffee for just two minutes and leave the computer unlocked. DON’T do this! Learn the two-key keyboard shortcut that locks the computer and use it whenever you get up and leave. You should get used to using it; it’s not a problem if you “automatically” use it even at home.
- Likewise, lock your phone when you put it away. Try to avoid using your fingerprint instead of a password on your cell phone. In my opinion, a fingerprint is enough to protect your phone data, but not your precious passwords. Just think about a night out when you don’t remember everything the next day – you shouldn’t give anyone a chance to abuse the situation and your fingerprint. (My suggestion is that if you do use your fingerprint to unlock your phone, the alternative shouldn’t be a PIN code but a suitably strong password you came up with.)
- So you have to type in the Master password on the phone. When you do this, cover up the phone screen with your other hand. Modern cameras can see the screen from a distance of several metres.
To sum up what’s been discussed so far, you can say that only you have access to your stored passwords. All in all, you must remember two passwords: the Master password, and a password that allows you to unlock your phone or computer without your fingerprint.
The 12+1 commandments
Interestingly enough, kids are faster than adults to understand the issues described above. They don’t have bad habits set in yet. In summary, here are the steps to follow:
1) Have a Master password, the “boss” of everything.
2) Have a password for the devices you log in to with your fingerprint.
3) Always lock the devices, just like you lock the door when you leave home.
4) In addition to your regular email address (which contains your name), have at least one extra email address. You can forward the messages you get there to your real email address.
5) Use password manager software to save all your secret information. Only you can see it.
6) Learn your Facebook and email password by heart.
7) In addition to Facebook and your email, there is other important personal data that should be protected. The best way to protect it is so-called two-step verification. This means that, for example, you receive a text message or generate a code in an app to verify your identity when you log in. So if an unauthorised person learns your password somehow, he/she won’t be able to log in with it, because you get a notification on your phone and because your phone is needed to verify your identity.
8) Check the privacy settings of every service you use. If there’s something you don’t understand, look it up online or ask someone in the know, but don’t just leave it at that.
There are a few other things I’d recommend doing:
9) Use a virus scanner.
10) Install updates.
11) Don’t click on any email attachment if you don’t know the person who sent it or if you’re unsure whether you know him/her.
12) Use your browser’s HTTPS setting. Today, any website worth visiting must be able to handle it.
12+1) If any of your passwords has potentially been exposed, take the time to change it, even if it’s the Master password.
As an afterword to those who made it to this point, or to those who doubt that any of this is useful, I’d like to recommend a scary-amusing lesson on the topic: watch the episode “Shut Up and Dance” in the third season of the series Black Mirror. https://en.wikipedia.org/wiki/Shut_Up_and_Dance_(Black_Mirror)