Profile picture
, 20 tweets, 6 min read
My Authors
Read all threads
It’s #PasswordDay (you didn’t forget, did you?). Shelter-in-place means people everywhere are signing up for dozens of new apps and sites, and that means dozens of new passwords, so I wanted to bust some myths and share some knowledge on how to use passwords safely. 1/
Passwords are the best and the worst of things. They’ve worked from time immemorial. Centuries before computers, passwords were used by Roman armies to identify allies and prove loyalties. 2/
The first computer passwords were from the 60s at MIT to protect researchers on shared systems. Back then, computers were the size of minivans, people had access to at most one of them, and the threat model was an officemate who wanted to play text adventure games 3/
Fast forward to the 90s and people start having 100s of online accounts that can be signed in to from anywhere. Now the threat model isn’t that pal with local access, it’s anyone anywhere on the Internet. But most advice on passwords hasn’t evolved from that '60s threat model 4/
Strong passwords do improve security under certain circumstances. But they’re also terrible for a few reasons.
5/
A) A password is just a piece of knowledge, so anyone who knows it can use it just as effectively as you. Ali Baba overheard someone say “Open Sesame” and pwned the thieves' cave. In a world of credential dumps and phishing, we’re all vulnerable to that same attack. 6/
B) In theory they’re hard to guess and the more numbers and symbols the better, but in practice people reuse things they’ll remember. Cleverly swapping ‘$’ and ‘5’ instead of ‘s’ does nothing for phishing or credential breaches, as @haveibeenpwned blogs all the time. 7/
C) Humans are trusting, busy, distracted souls, and NOBODY is immune to phishing. Particularly during pandemic work-from-home, there’s no way to “beware of suspicious links” when the baby’s crying, your boss is pinging you, and an urgent message shows up from your "bank" 8/
In the movies, Neo hacks into your mainframe; in real life, hackers exploit our trusting human nature: smbc-comics.com/index.php?db=c… 9/
So on to the password myth-busting:
10/
Myth: Sites should automatically sign you out after a few minutes of inactivity. 11/
Busted: The more often you type a password, the more desensitized you get to doing it, so the more likely you'll muscle-memory it into a phishing page.
Better to use a PIN/face/fingerprint to guard against household hackers, but keep your sites and apps signed in 12/
Myth: You should change your passwords every few months for the best protection.
13/
Busted: When people are constantly asked to change their pwds, they reuse old ones or simple permutations (Str0ngPa$$1, Str0ngPa$$2, etc). They’re also more likely to use something easy to memorize (thus easy for hackers to guess). Yes, you can tell your IT team I said that 14/
Myth: You should never write your password down. 15/
Busted: Unless your principal fear is someone with access to your wallet, the larger threat is all the world’s hackers vs. a reused password. Protect against local threats with a PIN/fingerprint, and use a PASSWORD MANAGER to automatically fill strong, unique pwds. 16/
In fact, let’s close out #PasswordDay with that advice: If you do one thing to secure yourself, please start using a password manager. Nothing else provides such security gains while reducing effort. No, really: Go set up a password manager! 17/
We’ve been putting a lot of effort into the built-in @Android, @GoogleChrome, and passwords.google.com features for all our users, but there are many commercial options out there as well. @lilyhnewman and @dangoodin001 have reviewed a bunch. 18/
Our studies show that people who use pw manager apps are more secure overall: They verify you're on the real site, they generate unique pwds, and features like Password Checkup will even alert you if your pwd is breached or leaked on the dark web. blog.google/technology/saf… 19/
We’re working hard to replace passwords overall (let's talk about Webauthn and OpenID Connect soon), but today passwords are everywhere and password managers are the best way to make them secure. Stay safe and stay healthy everyone. #passwordday /fin
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with mark risher

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#passwordday

More from @mrisher see all

Profile picture
mark risher
@mrisher
Google loves security keys, and today announced an open source implementation to help spur further innovation from the security research community 1/ security.googleblog.com/2020/01/say-he….
.@FIDOAlliance technology is the strongest defense against phishing attacks, but it’s been hard to get mainstream users — and even many high-risk businesses — to adopt. 2/
We’re hopeful that this implementation, which runs off an off-the-shelf hardware board you can buy for $10, allows developers to innovate on usability and human factors to help drive widespread adoption 3/
Read 5 tweets
Profile picture
mark risher
@mrisher
With hacking and security on everyone's minds, we built the Advanced Protection Program in 2017 to bundle @Google's strongest security offerings into one simple package. Today, we're making it even easier to enroll 1/
Effective immediately, anyone with an Android or iPhone can enroll into Advanced Protection with just one click, without needing to buy/wait for separate, dedicated security keys. blog.google/technology/saf… 2/
By building the same, robust @FIDOAlliance Security Key technology directly into Android and iOS and enabling instant enrollment, users can instantly lock down their accounts with the most phishing-resistant defenses out there. 3/
Read 4 tweets
Profile picture
mark risher
@mrisher
Raise your virtual hand if you’ve had it with passwords ✋. In all honesty, if I could raise three hands, I would – and I’ve got a hunch I’m not alone! Follow along as I dig into the state of passwords and a few ways to make them less of a headache. 1/
First, let’s get a few facts straight when it comes to #passwords. I’m busting the top 3 password myths to help you stay safe online. 2/
Myth #1: Never write down your password.

This is legacy advice from when computers lived at the office & the threat was Pat in the cube next door. But with personal devices & remote hackers, memorized passwords leads to re-use, which is way worse for overall security. 3/
Read 16 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!