“Please create a password for your account. Enter the new password in the fields below:

New Password ______________Superdoc______________
New Password (verify) ________Superdoc______________

Bad Password Choice: The password you have chosen is not a good choice, because it is based on a dictionary word.

New Password ______________Sup3rdoc______________
New Password (verify) ________Sup3rdoc______________

The password you provided was not a good password. A good password must contain all of the following: upper case letter, lower case letter, number, non-alphanumeric character, be at least 7 characters long.

New Password ______________Sup3r$D0C______________
New Password (verify) ________Sup3r$DOC______________

The passwords you entered did not match.”

Ugghhh!
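The three rejections in the exchange above are a dictionary check, a composition check and a match check. As an added example (not code from the original post), here is a small Python validator that applies the same policy. The word list is a constructed stand-in for a real dictionary; the leet-substitution table is an assumption about what a thorough checker would undo, so unlike the site in the exchange it judges Sup3rdoc to be the same dictionary-based choice as Superdoc.

```python
import re
import string

# Constructed stand-in for a real word list; a production check would load a full
# dictionary (ideally the same wordlists password-cracking tools ship with).
DICTIONARY = {"super", "doctor", "password", "welcome", "dragon", "monkey", "letmein"}

# Common letter-for-symbol substitutions (assumed table); undoing them first means
# Sup3rdoc is judged as the same dictionary-based choice as Superdoc.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 7


def _normalize(password: str) -> str:
    return password.lower().translate(LEET)


def based_on_dictionary_word(password: str) -> bool:
    """True when dictionary words of four or more letters make up at least half
    of the letters left after case-folding and undoing leet substitutions."""
    letters = re.sub(r"[^a-z]", "", _normalize(password))
    if not letters:
        return False
    remaining = letters
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if len(word) >= 4 and word in remaining:
            remaining = remaining.replace(word, "")
    covered = len(letters) - len(remaining)
    return covered * 2 >= len(letters)


def complexity_failures(password: str) -> list:
    """The checks behind the second rejection message in the exchange."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no non-alphanumeric character")
    return failures


def check_new_password(password: str, verify: str) -> list:
    """Return every reason the pair would be rejected; an empty list means accepted."""
    reasons = []
    if password != verify:
        reasons.append("passwords do not match")
    reasons.extend(complexity_failures(password))
    if based_on_dictionary_word(password):
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    # The three attempts from the exchange, plus one that passes.
    for new, again in [("Superdoc", "Superdoc"), ("Sup3rdoc", "Sup3rdoc"),
                       ("Sup3r$D0C", "Sup3r$DOC"), ("Wq7#pLm2!zK", "Wq7#pLm2!zK")]:
        print(new, "->", check_new_password(new, again) or "accepted")
```

Reporting every failing rule at once, rather than one per round trip as the site did, spares the user the three-attempt ordeal. Current guidance (NIST SP 800-63B) also favours checking candidates against lists of passwords from known breaches over composition rules of this kind, since length and unpredictability matter more than which character classes appear.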

Passwords are the bane of our lives. Creating them is difficult enough. Remembering 50 of them for all your websites is an impossible task. Most people have three or four which they recycle.

This is not a good practice. If a hacker obtains one of those recycled passwords, they gain access to every account that shares it. You may not care much about unimportant sites, but access to these “disposable” accounts gives hackers a foothold from which to escalate to your other online services.

Hackers can often convince customer support to reset security questions by using the small amounts of data gleaned from compromised accounts and from your publicly accessible data. (Note: Never use your date of birth or dog's name in your password.)

Such compromises are possible even if your own online security is strong. There are almost daily reports of companies, both large and small, having their data stolen. 

Some companies delegate the authentication of their users to social media services such as Facebook, Twitter and others. Instead of creating a new username and password, you are redirected to your preferred service, where you log on. If that succeeds, you are sent back to the original website with an authentication token that is trusted by all parties.

While this may be an improvement, it is not perfect. It is prone to a “man in the middle” attack, and even these online authentication providers can be hacked. In 2013 over one billion Yahoo customer accounts were stolen.

What to do?

One solution is to write every password down in a book. Offline security keeps passwords safe from hackers but not from local thieves. It is also not very practical when you are away from your home computer, and woe betide you if you lose your book.

Another solution is to keep all your passwords and other secure data in an encrypted online file. It is best to put the file on a host that requires you to authenticate to log on. Companies such as Dropbox provide this service. However, your password file needs to be encrypted to stop the host's employees reading it. A different password is best for this step.

This is a good solution but not very convenient and proves to be too much of an effort for most users. In the battle between security and convenience, security usually loses.

Most browsers now offer the facility to save passwords. The better ones encrypt the data and store it on the web making it available wherever and whenever you log into your account. They can even fill in online forms for you.

While these systems make a concerted effort at securing data, they will usually have a back door to allow access by law enforcement agencies. By definition an open backdoor is not secure. 

Alternatively, there are a large number of web based products designed to make it easier to be secure online. The more sophisticated ones can generate long passwords, store financial data and restrict activity based on your device or geographic location. They can be used on mobile phones, tablets and desktops and will sync across operating systems and browsers.
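The "generate long passwords" feature is the part of a password manager that removes the human from the choosing. As an added example (not code from the original post or from any particular product), this Python generator uses the operating system's cryptographic random source via the `secrets` module, guarantees one character from each class so the result passes composition rules like the one in the exchange at the top of the post, and reports the entropy of the result. The character classes are a constructed choice; the symbol set is a conservative subset that most sites accept.

```python
import math
import secrets
import string

# Constructed character classes; the symbol set is a conservative subset that
# most sites accept, adjust it to the site's own rules.
ALPHABET_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}


def generate_password(length: int = 20, classes: dict = ALPHABET_CLASSES) -> str:
    """Generate a password with the CSPRNG behind `secrets` (never `random`),
    guaranteeing at least one character from every class."""
    if length < len(classes):
        raise ValueError(f"length must be at least {len(classes)}")
    pool = "".join(classes.values())
    chars = [secrets.choice(cls) for cls in classes.values()]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not sit at predictable positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def covers_all_classes(password: str, classes: dict = ALPHABET_CLASSES) -> bool:
    return all(any(c in cls for c in password) for cls in classes.values())


def entropy_bits(length: int, pool_size: int) -> float:
    """Upper bound on the entropy of a uniformly random password of this length
    over this pool (the class guarantee above costs a fraction of a bit)."""
    return length * math.log2(pool_size)


if __name__ == "__main__":
    pool_size = sum(len(cls) for cls in ALPHABET_CLASSES.values())
    for length in (12, 20, 32):
        print(generate_password(length), f"~{entropy_bits(length, pool_size):.0f} bits")
```

Because the manager stores the result, memorability is irrelevant and length is free: twenty characters from this 75-symbol pool is roughly 125 bits, far beyond what a guessing attack can cover, whereas Sup3r$D0C-style choices sit inside the rule sets that cracking tools try first.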

Most permit, and recommend, using two factor authentication. The first factor is your username / password combination. The second factor is a physical device that generates a one-time password that changes every thirty seconds. In the past these second-factor authenticators were small dongles that you would keep on your key ring. However, with the ubiquity of smart phones, a mobile app is now more commonly used.

An alternative second factor is an SMS code. This is still popular with banks, but with better and cheaper solutions now available it is being deprecated by many online sites.

The real value of two factor authentication is that even if your main password is compromised, hackers still cannot access your account without the second factor. 

Conclusion

The web is a vastly more interesting, but also a more hostile, place than it was 25 years ago. Few can ignore it and the risks can be managed with a cautious approach to browsing and unsolicited emails, and by using a password manager with two factor authentication.