Thinking outside the password box

There is a lot of conflicting advice about passwords all over the internet, often complicated by so-called cybersecurity agencies charged by governments to keep their citizens safe who put out mixed messages. Much of the advice is contradictory and even troubling in the sense that it will suggest three or four measures everyday users should take that are mutually exclusive or worse still not secure at all.

So, I asked a proper computer security expert, Adam Stewart, to give me the best advice to protect your data and logins.

“You will, no doubt, have seen advice on passwords, such as: set something complex, use three random words, use a password manager, don’t write them down, do write them down, use a different one for each site, use a special one for email, ‘…and mathematically I think you will find that…’, the list goes on,” he told Sciencebase, and I’ve had to agree, yes, the advice provides complicated mixed messages that many people will find very confusing.

“The problem is,” he adds, “no advice fits all situations. You may come up with a perfectly acceptable password approach for you, but it will not work with all websites and apps in all situations.”

So, I asked, how do we everyday users get around that problem?

“I would say a better approach is to “think outside the password box”. By that, he means we should all think about how we can protect our computers, tablets, and smartphones and the files and logins we keep on them.

Here are the three basic things you should do, according to Stewart:

For protection – if available enable two-factor authentication (2FA) or multi-factor authentication (MFA). Once enabled, this requires you to use a a second device such as your phone or tablet to confirm it’s you logging in.

For detection – many websites and apps these days have the ability to warn you when they are accessed and show from which device, enable this function if it is available, if you get an alert that somebody has logged in and it wasn’t you, change your password immediately.

For response – make sure you keep a backup of your files on an external hard drive or on another device, and/or in the cloud. But make sure that cloud site is secure with 2FA and a different password to any of your normal passwords.

We still have to fill in that password box though and Stewart suggests that we should all use a password manager if we can. A password manager can make strong passwords for you and you only need to remember the one strong password for the manager itself. A password of at least 16 characters is strongest just don’t make it “passwordpassword”.

Oh and one more related word of advice from Stewart, no tech giant will ever call you on the phone about your computer or phone or anything else. Microsoft, Google, Facebook, Twitter, Amazon etc,  will never call you, for any reason, those companies with their billions of users and customers, simply do not work like that. If you get a call claiming to be from any one of those corporations, just politely (or impolitely) decline their invitation to connect to their system and hang up.