Kissell - Take Control of Your Passwords 3.1

Joe Kissell

Welcome to Take Control of Your Passwords, Third Edition, version 3.1, published in April 2019 by alt concepts inc. This book was written by Joe Kissell and edited by Kelly Turner.

Passwords are an irritating fact of modern life. Its tricky to create and remember good ones, but dangerous to use simple ones (or reuse a password in multiple places). This book helps you overcome these problems with a sensible, stress-free strategy for password security.

If you want to share this ebook with a friend, we ask that you do so as you would with a physical book: lend it for a quick look, but ask your friend to buy a copy for careful reading or reference. Discounted classroom and user group copies are available.

Copyright 2019, alt concepts inc. All rights reserved.

You can access extras related to this ebook on the web (use the link in , near the end; its available only to purchasers). On the ebooks Take Control Extras page, you can:

• Download any available new version of the ebook for free, or buy any subsequent edition at a discount.

• Download various formats, including PDF, EPUB, and Mobipocket. (Learn about reading on mobile devices on our Device Advice page.)

• Read the ebooks blog. You may find new tips or information, as well as a link to an author interview.

If you bought this ebook from the Take Control website, it has been added to your account, where you can download it in other formats and access any future updates. However, if you bought this ebook elsewhere, you can add it to your account manually; see .

Be aware of the following:

• Credentials: I frequently use the term credentials as a compact way of saying the combination of your username and password. In some cases, additional pieces of information, such as your ZIP code or the answers to security questions, may be considered part of your credentialsits whatever a site or service needs to reliably identify you as the authorized user of a given account.

• Authentication: The act of proving your identity to a computer systemtypically by entering your credentials and having them confirmed as matching the previously stored recordis called authentication. I use that term a number of times in this book, so I want to make sure youre familiar with it.

In version 3.1 of this book, I updated the text to keep it current with the latest versions of macOS, iOS, and various password manager apps. The most significant changes were:

• Added new information to about the latest techniques attackers are using to guess passwords

• Expanded the topic to say more about methods to replace passwords with biometrics, authenticator devices, or a combination of both

• On that same subject, I updated the discussion of with more information about hardware-based authentication devices

• Rewrote much of the chapter

• In , added a real-life story about what can happen if you store an important password only in your head

• In the chapter

In the nearly two years since the books previous update, a lot of things changed in the world of passwords and password managers. For the third edition, I made hundreds of small changes throughout the book to reflect the current state of affairs, as well as the following major changes:

• Updated references to lists of worst passwords; see

• Added recent technologies from Apple (Touch ID on the MacBook Pro and Face ID on the iPhone X) to

• Revised to cover the use of an Apple Watch for authentication, and to update or remove mentions of other products as appropriate

• Added a sidebar that discusses the 2017 revision to the U.S. governments guidance on password requirements for federal agencies

• Described a major vulnerability, publicized in December 2017, that can invisibly steal data entered by a browsers built-in password manager; see

• Added references to an article I wrote for Wirecutter about password managers; see, for example,

• Extensively revised and expanded my descriptions of ), and removed the discussion of True Key, which no longer appears to be under serious development

• Added a tip in about avoiding a potential password exploit on iOS devices

• Revised my list of recommended VPN providers in

• Expanded to include the use of password managers with built-in emergency access features

• Updated to provide more information on tools built into certain password managers that help you evaluate your passwords strength and, in some cases, change them automatically

• Significantly updated and expanded the discussion of Apples two-factor authentication, two-step verification, and app-specific passwords; see

• Added missing links to password generators in

• Provided working links to the zxcvbn password strength estimator in

• Removed the Teach This Book chapter and its associated downloads

Think of a card, any card. Now, keep that card in mind and think of another. Repeat until youve picked 16 cardsbut make sure your selection includes all four suits, at least one ace and one face card, and no two instances of the same card. Remember the whole set, because Im going to ask you to name them all tomorrow

Im joking, of course. But have you ever noticed that when magicians pull someone out of an audience to help with a trick, they never make such complicated requests? Its unreasonable to ask someone to create a meaningless string of numbers and letters, remember it indefinitely, and produce it on demand.

But websites, banks, and network administrators make exactly that request of us almost daily. Want to buy something online? Sure, but you need more than a credit cardyou usually need a password too. Sync this data with the cloud, sign up for that free service, manage your utilities or PTA schedule onlineno problem, but you must have a password for that. Make sure its between 10 and 14 characters, contains upper- and lowercase letters, at least one digit, at least one punctuation character (but not that punctuation character!), and doesnt have any repeated strings. Oh yeah, and dont even think about using a word that might be found in a dictionary or reusing a password you used anywhere else.

Are you kidding me? This is madness. Coming up with unique, random passwords all the time, remembering them, and producing them reliably is not the sort of task the human brain is cut out for.

Faced with this difficult and increasingly absurd task, people naturally tend to look for shortcuts their brains can handle. They pick easy passwords, like their kids names or patterns of keys on the keyboard. Even if they go to the effort of creating something more complex, they use the same password everywhere, because then they have only one thing to remember instead of hundreds.

Speaking as a fellow human being, I dont blame anyone for taking the easy way out. You might try to come up with clever, random-looking passwords the first few times, but once your list of password-protected accounts grows into the dozens, and then the hundreds, its not plausible to keep following the rules.