Are you keeping &#8216;Cyber Aware&#8217;?

I certainly do not save my more sensitive passwords on browsers. Instead I rely on handwritten records on paper.

John Ward says:

I do the same, Derek, and I encrypt some of them, but in some cases I can no longer remember which codes I used to encrypt them.

Em says:

Rather than write down or encrypt a password (which someone other than you could find or potentially un-encrypt), I prefer to use a non-obvious hint.

If your password is “TitanicIceberg1912”, a simple hint could be Smith, or (in references to the movie) Winslet or Celine.

But it is better to think of a hint somewhat more remote and write that down. E.g. Smith could become “EJS” or “Rose” (Winslet’s character) or [De Dion-]”Bouton”.

-1

John Ward says:

But with my addled brain, Em, it would have to be memorable and a bit more obvious than that! Some passwords hardly get used from one year to the next so if there’s a problem I just set up a new password. I use very few sites where there are any financial transactions and those I use so frequently I don’t need to make a note of the password or remember its decryption code.

DerekP says:

During my life in the Before, when I was a volunteer computer buddy in the local library, lost passwords were a recurring problem that I helped with.

I think folk need to use whatever works for them. I have found that simple paper records work well for many, but not for those who will easily loose them.

For a lot of us, anything that depends on remembering clever and sometimes complicated tricks can be doomed to failure.

If at all possible, folk need to avoid using the same password everywhere and also they should periodically change or renew their passwords. Those of us with work accounts are usually forced to do that, e.g. every few months.

Ideally, passwords should also be easy for the user to get right, but hard for others to guess.

Many sites related to non-sensitive activities will often issue password resent emails to registered email addresses. Those are very helpful, unless you have lost access to the email account in question. So it is very import to have robust and durable email passwords.

One of the most common pitfalls that I’ve seen occurs with Android phones (or other devices). Here a Google/gmail account needs to be created to operate the device. Then years later, that password is needed in a different context, but the user has long since forgotten it. The original device (with the saved password on it) continues to function, but does not help the user recover their password for use elsewhere.

These days, loss of access to emails is not necessarily a trivial matter. If important personal data is handled by email, then loss of access can make it hard or impossible to recover that data.

Stephen Wood says:

I am very surprised at this advice. Saving passwords to the browser always is a no no. Can someone elaborate on this Which advice to convince me that it secure!
Thanks

Kate Bevan says:

Hi Em, I’ve had precisely this chat with Kate, the author of this piece – she and I liaise a lot. You’re absolutely right that saving passwords in a browser’s password manager is not as secure as using something like LastPass or Dashlane (I am a LastPass fan, for the record). Her point, though, and I absolutely agree with her on this, that saving passwords in the browser is a big improvement on just re-using the same password for every site.

The aim of this campaign from the NCSC is to help people think about simple steps they can take to improve their security, and for many people, using a browser’s password manager is a big improvement on what they’re doing now.

You are of course right to identify some of the potential risks of saving passwords in Chrome, but I’m sure you’ve heard the saying “don’t let perfect be the enemy of good”. It’s often the case that changing an old, insecure habit is what’s needed, and when you consider the risks of the imperfect solution chosen now (storing passwords in the browser) vs the really insecure old habit (reusing a small number of passwords across multiple sites), it’s clear that the changed habit has already improved their security.

I would absolutely urge everyone to consider switching to a password manager, but if that’s too daunting, then using a browser password manager is still a big improvement. If you couple that with implementing 2FA wherever possible, you’ve gone a long way to protecting your accounts.

Kate Bevan says:

Actually, the advice now is not to change passwords regularly, @derekp. There’s been a lot of research done on that and it’s found that people tend to cycle through increasingly insecure passwords because they can’t remember which one they’re using now. These days you only need to change a password if you think it’s been compromised. T

he NCSC has some useful guidance on that here https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry – these days the advice is to pick a strong password, either via the three words method Kate discusses above, or get a password manager to generate a strong one for you, and protect your account with 2FA.

And don’t get me started on companies that still force password resets … ! That’s usually because they’ve got some legacy software somewhere in the IT estate that requires it, but I think you’ll see it less and less these days.

alfa says:

All software is hackable so how safe are password managers? I will continue to keep my passwords in a box file on my desk.

I used to work for a company that forced monthly password resets and I had 3 to change every month so they went:
memorable wordjan
memorable wordfeb

A password could not be reused within 12 months and all three could be the same…🙄

Em says:

Hi Kate1 (and Kate2), Appreciate the response. We often see a Convo lead piece that doesn’t sound quite right or isn’t clear, so it is good when we can have a dialogue.

Whilst a browser password cache is better than nothing, the key message of point 3 should be Use a different password for each account. That message is lost under the headline Save your passwords in a browser:.

I actually go one step further and set up a different userid or user name for each account, so even if my password is in the wild, it is very difficult to associate that with any other account of mine. For most accounts, you would need to have a domain to do that, so you can register using a different email address. That way, I also know which accounts are not to be trusted with my details, as soon as I start to receive phishing emails. Here’s a short list of household names: adobe.com, Villeroy & Boch, BMW, Ebac, Groupon, … .

Em says:

Kate says: That’s usually because they’ve got some legacy software somewhere in the IT estate that requires it …

I’m not aware of any legacy software that forces password resets. The granddaddy of security software is IBM RACF (1976), still the de facto security software for mainframes. RACF could require passwords to be changed at any interval between 1 and 99 days, or 0 days, meaning never.

Zero (0) days was used, because it would be very dangerous for a computer operator or administrator to lose access, because the previous shift had been forced to update the password! Of course, we also checked the security logs every day to check who was using these highly-privileged log on IDs. Computer terminals didn’t “move around” in those days.

Before RACF, passwords were hard-coded. If changed at all, it was an administrative hassle to manually update them and securely send individual typewritten memos to each employee, informing them of their new password. There was no email or instant messaging in those days.

In the 1980s, computer threats were internal to the office. Employees were in the habit of sharing their userids and password with work colleagues. If a system was accessed – payroll or accounts payable were favourite targets – use of a shared password meant there was limited accountability and auditability.

As a result, passwords were where possible set to expire every 30 days or so. Anyone guilty of using another employee’s userid and password would eventually get caught out entering the expired password. They could then be traced to their computer terminal and verified against their physical presence in the building – clocking in and out was also common in those days.

So anyone that tells you today that expiring passwords every 30 days is “best practice”:

1) doesn’t know the history or rationale behind this legacy thinking and, more importantly

2) doesn’t deserve to be in charge of computer security, as they are not capable of thinking for themselves or identifying appropriate strategies to deal with new threats.

As Kate says: don’t get me started!!!

Em says:

As a short aside to IBM RACF – 1976 technology remember – it has always implemented “trap door” password encryption. This means that nowhere within RACF is your password stored in clear, i.e. no one can find out or tell you your real password. And password encryption only works one way – it cannot be de-encrypted.

How can that work?

You new or changed password is first encrypted and then stored in RACF. When you sign in, your password is again encrypted and compared with the original encrypted password. If the encrypted passwords match, you are good to go.

What does this mean for consumers?

Any website or software that can retrieve and reveal your original password, whether by email, clicking the “eye” icon, or whatever, has a serious security flaw and you must treat it with strong suspicion. Certainly, never save your credit card or other financial details there. If you can recover your own password, so can anyone else.

Em says:

Em (that’s mE) says: Any website or software that can retrieve and reveal your original password … has a serious security flaw and you must treat it with strong suspicion.

QED: All current Internet password managers, including Chrome, Dashlane and LastPass have a fundamental and insurmountable security flaw, whatever they might claim.

Whether passwords are internally stored in an encrypted form or not, password managers MUST be able to regenerate your password in clear, TO BE ABLE TO FILL IN THE PASSWORD PROMPT ON THE THIRD PARTY WEBSITE. Don’t be fooled by the fact that it is concealed by dots – your original, un-encrypted password is there just waiting to be discovered.

Paper and pencil or memory power is the only way to go for really sensitive passwords, particularly financial websites. And make sure it is complex and unique!

Maureen Hall says:

13 February 2021

Me too, in a domestic safe, installed in a cupboard.

Beryl says:

I have a bit of a dilemma. I have recently been sent a new upgraded fibre broadband router which connects and works well on most devices – except the Samsung TV. The new password is so long and varied the keyboard always cuts out before I finish typing it in. How do I keep the keyboard running long enough to install the new password, short of requesting a new smaller one from the ISP?

Ian says:

Is it possible to change the password on your router through the router’s ‘Admin’ section? I ask, because it is on mine.

Em says:

I’m assuming this is your WiFi password, so you must be able to change it on the router.

There is usually an option to connect to WiFi, if you have physical access to the router, just by pressing the WPS button. You need to select this option on your TV, then go and press the button on your router with about 30 seconds. No password required!

wavechange says:

It’s got to be the WiFi password if other devices are working fine.

Jon Stricklin-Coutinho says:

11 May 2020

You might also try connecting a physical keyboard to your TV via USB or Bluetooth @beryl – it looks like most Samsungs will recognize the device when you plug it in: https://www.samsung.com/au/support/tv-audio-video/how-to-pair-a-smart-wireless-keyboard-to-your-tv/

You can also change the password on the router: usually most routers will have their default IP address and admin login information physically on them, and you would then usually navigate to the specific WiFi network settings, then change the password there. Bear in mind, if you do that for the TV, you’ll also need to change the password on every other device.

Kate Bevan says:

Hello @beryl, as others have said, you should be able to change the password to connect to the wifi on your router. The fiddly bit is finding how to get into your router’s settings, but there should be instructions to do that with the router. It usually means opening a browser (Chrome, Firefox, Microsoft Edge) and typing in your router’s IP address (again, that should be in your instructions – it might be 192.168.0.1, or something very similar) and then typing in the admin password (note: not the wifi password; again, it should be with the router instructions).

Once you’ve managed to log in to the router, you should be able to find the wifi password fairly easily. You can change it to anything you like: pick something you’ll remember (we have advice on choosing strong passwords here https://computing.which.co.uk/hc/en-gb/articles/360000818025-How-to-create-secure-passwords) and then save the changes. You’ll need to put that new password into all your other wifi devices (tablet, laptop etc) to connect back to the wifi, but hopefully a shorter, easier to type password will be easier for your Samsung telly to recognise before the keyboard crashes.

Or, as @jon-stricklin-coutinho suggests, you might be able to plug in an ordinary keyboard to the TV via USB. Let us know how you get on!

Beryl says:

I have tried all of the above but nothing works. The other devices are in the same room as the TV and are working fine. The keyboard always requests the WiFi password but keeps cutting out before completion. This is apparently a common problem with older Samsung Smart TVs see: eu.community.samsung.com – TV Keeps Disconnecting from WiFi

Time to trade it in for a younger model perhaps 🙂

wavechange says:

Are you now on FTTP Beryl? If not I presume you could reinstate the old router if that worked.

Very frustrating.

Mick says:

l did as requested go on the government website only to have it come back as undelivered by Microsoft.
Very frustrated and I sent several messages but none of them connected and yes I did use the Email address from Which. Where to now

Jon Stricklin-Coutinho says:

It sounds like this could either be an error on the NSCS’ side, or an error with how your emails are being sent, Mick. Did you get any sort of error message on the email that was returned to you? Has this been happening with other emails you’re trying to send to other addresses, or just specifically the ones to the phishing email service above?

The NCSC note that there are cases when emails may not be delivered:

In a small number of cases, an email may not reach our service due to it already being widely recognised by spam detection services. The vast majority of reports do reach our system so please keep reporting any suspicious emails you receive.

If you continue to have problems then please contact us so we can investigate it further.

(from https://www.ncsc.gov.uk/information/report-suspicious-emails)

If you’re having an issue specifically with this email address, it may be worth contacting them using the contact form on that page to make them aware of the error.

DerekP says:

Hi All, thanks for some interesting views above, especially from Kate and Em.

In a reply to one of my comments, Kate said “These days you only need to change a password if you think it’s been compromised. ”

If that is the current widsom, then so be it but, if you wait to change passwords until you suspect (or actually know) that you security has been compromised, then surely a lot of the damage may already have been done by then.

Furthermore, some of the best and most expert hacks may never be revealed.

As far far I know, some of my best ones were either never revealed or only revealed after I flagged them up as discovered security loopholes in systems. Whether or not I was prepared to do that depended a lot on the extent to which IT and security staff in different organisations could really be trusted to do the right thing and how they handled revelations of “guilty knowledge”.

Like Em, I write down important passwords or, if I can, write down unambiguous hints instead. But I do not mind using browsers or system keyrings to remember non-critical passwords, such as the one for Which? Conversation.

From my computer buddy volunteering, I also have some experience of doing forgotten password resets on Windows, Apple and Linux PC’s. Here I found that such facilities were available by design on the Apple and Linux machines where I had forgotten my passwords and available by means of widely known tricks on Windows PCs. The latter provide some nice examples of how it is all too easy for systems to contain unsecured loopholes.

Em says:

@DerekP, You are right, but password security is not the only vulnerability we have to be aware of. The worst case I have ever seen was a well-known lift sharing website.

Having signed up and identified a suitable lift sharing candidate, I casually inspected the HTML (the web page content language) behind her profile. I was horrified to find her private address, home telephone number and her work email address (which revealed both her and her employer’s name) embedded in the code.

Knowing what days and at what times she left for work and returned home every day from her profile, gave me, any potential burglar or stalker, all the information needed about her whereabouts and daily movements. Note that no hacking was required and no passwords were needed to find out all this information.

I deleted my profile straight away, informed the lady concerned and notified the lift sharing site of their security blunders. As to “guilty knowledge”, they weren’t overly-concerned and said it would be fixed later that year – which it was – but only after they had implemented HTTPS protocols (the padlock in the web address) bar. It was never made public.

Tony Hunt says:

I have a spreadsheet (named after a deceased family pet) on my laptop and keep my passwords on that. I

wavechange says: