Why you don't need 27 different passwords

From Wendy Zamora of MalwareBytes

Passwords. The bane of modern existence. To celebrate this nuisance,
the holiday gods have given us World Password Day, where thousands of
people come together online and pledge to improve their password habits.
How many of those pledges do you think stick? According to the 2017
Verizon Data Breach Investigation Report, not many. A little over 50
percent of all breaches in the last year leveraged either stolen or
weak passwords.

While May 4th is also Star Wars Day (May the 4th Be with You)...while
we all wouldn't mind having a lovable droid guard our passwords as
loyally as R2D2 guarded the blueprints for the Death Star, the reality
is we've got to do the guarding ourselves. And that has become
burdensome enough to send Yoda himself over to the Dark Side.

Current state of affairs

According to a poll by Intel Security, the average person has 27
discrete online logins. From social media accounts to banking to online shopping to utilities, credentials-which usually include a username and password-are required for each. And if people are practicing good password hygiene, they're engaging in the following recommended practices:

DO: Use a different password for each account.

DO: Use a long password. In fact, the longer, the better.

DO: Use special characters, numbers, and capital letters.

DO: Change your passwords every couple of months.

DO NOT: Write down your password, whether that's on a piece of paper or
stored electronically.

DO NOT: Share passwords via text, email, or chat.

DO NOT: Use easily identifiable information, such as a birthday or a

child's name.

DO NOT: Use an incredibly generic password such as 12345. (That's the combination an idiot would use on his luggage.)

All of this, for 27 different logins, is simply unmanageable. In fact,
the Intel study found that 37 percent of its respondents forgot a
password at least once a week. And people are so sick of juggling dozens
of different passwords, that 20 percent said they would give up ESPN if
it meant never having to remember another one. Six percent said they'd
give up pizza. PIZZA.

This level of discontent and security fatigue means that very likely, most users are falling back on bad habits: writing passwords down in a notebook
or a Google sheet, for example, or using the same password across multiple logins. (A study by the National Institute of Standards and Technology confirms this: 91% of its respondents admitted to reusing passwords.)

So this is why we say: stop it. Stop the bad habits, yes, but stop the
"good" ones, too. Having 27 different passwords that are lengthy and full
of characters and numbers and need to be changed every few months and
can't be written down-you'd need the memory of an eidetic elephant to keep
up. Online services will only multiply, so what should you do?

It's very simple. Get a password manager.

Password manager 101

For those who might not be familiar, password managers assist in
generating, storing, and retrieving passwords from an encrypted database.
They typically require that users create and remember one master password
to rule them all. One master password to find them. One master password to bring them all, and in the darkness bind them.

One master password to stand at the precipice and shout gallantly, "YOU
SHALL NOT PASS!"

Sorry, it couldn't be helped. As we were saying. Generally, most password managers work the same way. You'll be asked to create a strong master
password during setup (and here's where you'll use those password best practices, such as generating a long passphrase with numbers and capitals
that steers away from guessable personal info). From there, you'll add
your other credentials to the password manager either manually or through tools that can automatically find and upload passwords for you.

While most password managers have similar setups, they secure passwords
in different ways. Web-based password managers store your passwords
encrypted in the cloud. Some are built into browsers, such as Safari,
Firefox, and Chrome.

Others may store your passwords locally in an encrypted file on your
computer, tablet, or phone.

In addition, some password managers have features that help you audit
your credentials, allowing you to weed out duplicate login info and
remove sites you don't use, or alerting you to breaches that have happened
to the companies you log into. Many have customizations that allow
increased security, such as regional lockout and two-factor authentication (which we highly recommend taking advantage of).

But aren't I just asking to be hacked by storing everything in one place?

While some folks might be wary of using a single point of access for all
their sites, remember that password managers still use your individual passwords to log in to your accounts. Those passwords are locked in an encrypted database, which is way more secure than a post-it on your
office desk or a faulty memory.

Ask yourself this: is it safer to store all your money in one bank, or to
hide it in piles underneath several mattresses?

As for fear of password managers being breached-sure, it's possible. In
fact, it's already happened, as was the case in 2015 when LastPass was breached. However, even though cybercriminals got their hands on some
email addresses, they were unable to crack master passwords. This is
because master passwords are protected with military-grade security,
hidden behind thousands of rounds of hashing, or algorithms that convert strings of text into longer strings of text.

So far, no reputable password manager has leaked consumer master
passwords (that we know of).

So which password manager should I use?

The following password managers come highly recommended by our staff and
tech reviewers from The New York Times, Lifehacker, and PCMag:

1Password
LastPass
Dashlane
Sticky Password

If you don't trust third-party apps with all of your personal information,
you can try an open-source password manager such as KeePassX, though it requires a fair bit of technical know-how to set up.

I am absolutely opposed to a password manager. What else can I do?

While we stand by our recommendation to use password managers, we
understand the urge to reject placing all your trust in the hands of
another company. So here are a few alternate methods for choosing more
secure passwords than the random hodgepodge you're likely working with
now.

Split up your online services into major groups, such as bills, entertainment, shopping, and social media. Assign a single password to
each group according to a theme. For example, you could choose movies as
your theme and assign quotes from one movie to one group, or character
names from a second movie to the second group. Rotate these passwords
every 90 days by incrementally adding a number or changing a character.
This requires a lot more effort but is still preferable to using the
same password across all accounts or having to reset forgotten passwords
every week.

Choose one semi-difficult password for all accounts but insert a
naming convention in the middle of the password to denote which account
you are signing into. For example, if your password is L3tme1npleaz,
your Gmail password could be L3tme1nGMAILpleaz. Your Amazon password
could be L3tme1nAMAZONpleaz, and so on and so forth.

When possible, choose a service that has two-factor authentication
over one that does not. More than 150 applications currently implement two-factor authentication. You can check them out here.

Passwords don't have to rule your life. You can lock them up behind a
password manager and worry about remembering a single, slightly complex
phrase instead of 27. You can relax knowing how well guarded your
passwords are. And you can go ahead and burn that secret list of
passwords you keep in your address book even though you're not supposed
to.

Do you have a favorite password manager? Or a method for creating and remembering unique passwords? Let us know in the comments below.
--- SBBSecho 3.20-Win32
* Origin: The Thunderbolt BBS - Little Rock, Arkansas (454:1/33)