I have never been a fan of passwords. Back in junior high, a friend briefly convinced me to join the DeMolay fraternal organization sponsored by the Masons. I wasn’t impressed with their induction process, which was overloaded with arcane mumbo jumbo, although it was interesting to participate in a ceremony at the immense lodge in Guthrie.
At meetings, we got in a big circle and had to whisper a password to a fellow that went around it. My head was swimming with all of the nonsense they had laid upon us previously, so I couldn’t for the life of me remember the password. I was sweating bullets as the fellow approached me, wondering what would happen when I failed the test. Fortunately, the guy next to me whispered the password so loudly that I could make it out. That was my first lesson in how passwords are a pain in the keester.
My first online credentials
Around that time, I got a 300 baud modem to connect my TRS-80 Color Computer to dialup services. I had accounts with Dow Jones and CompuServe, finding the latter far more useful to me. My packet included a CompuServe username of 71460,2557 and the initial password COUCH?TANGENT. You can tell how novel online services were at the time by how I still remember those.
They urged you to change your password while sticking with that format of two random words separated by a symbol. Almost 30 years later, Randall Munroe illustrated the advantages of sufficiently random passphrases over passwords in xkcd 936, “Password Strength”:
However, these days most sites won’t let you just use a passphrase of random words, as they insist that you include a lowercase letter, a capital letter, a number, a symbol, etc. You can add those to a properly random passphrase, but you are then making it harder to remember.
In theory, set requirements can actually weaken passwords, since they narrow the possibilities an attacker has to try: knowing a password can’t just be a long string of lowercase letters lets the attacker skip every such candidate. In practice the bigger harm is that people satisfy the rules predictably (a capital first letter, a digit and a symbol tacked on the end), which is why NIST SP 800-63B now advises against composition rules in favor of length.
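To put numbers on the two claims above, here is an added example (not code from the original post) that computes the entropy of a random-word passphrase and, by inclusion-exclusion, how much of a random-character keyspace a “must contain every character class” rule hands to the attacker. The 2048-word list (11 bits per word, as in the xkcd comic), the 95-character printable-ASCII alphabet and its split into four classes are assumptions chosen to match common setups.

```javascript
// Added example: passphrase entropy versus the keyspace left by a composition rule.
// Word-list size and character-class sizes are assumptions (xkcd-style 2048-word
// list; 95 printable ASCII characters split into the four classes sites require).

const WORDLIST_SIZE = 2048;                                            // assumption
const CLASSES = { lower: 26n, upper: 26n, digit: 10n, symbol: 33n }; // assumption, sums to 95
const ALPHABET = 95n;

// Entropy in bits of `words` words drawn uniformly (with replacement) from the list.
function passphraseBits(words, listSize = WORDLIST_SIZE) {
  return words * Math.log2(listSize);
}

// Number of length-`length` strings over the alphabet that contain at least one
// character from EVERY class. Inclusion-exclusion over the set of classes that
// are entirely absent; classes are disjoint and together cover the alphabet.
function countSatisfyingAllClasses(length, classes = CLASSES) {
  const sizes = Object.values(classes);
  const L = BigInt(length);
  let total = 0n;
  // bit i of `mask` set => class i is excluded from the string entirely
  for (let mask = 0; mask < (1 << sizes.length); mask++) {
    let excluded = 0n;
    let excludedCount = 0;
    for (let i = 0; i < sizes.length; i++) {
      if (mask & (1 << i)) { excluded += sizes[i]; excludedCount++; }
    }
    const term = (ALPHABET - excluded) ** L;
    total += (excludedCount % 2 === 0) ? term : -term;
  }
  return total;
}

// Total strings of that length when no rule is imposed at all.
function countUnrestricted(length) {
  return ALPHABET ** BigInt(length);
}

// Bits of keyspace an attacker who knows the rule no longer has to search.
function bitsLostToRule(length) {
  return Math.log2(Number(countUnrestricted(length))) -
         Math.log2(Number(countSatisfyingAllClasses(length)));
}

// Seconds needed to exhaust a keyspace of `bits` bits at a given guess rate.
function secondsToExhaust(bits, guessesPerSecond) {
  return 2 ** bits / guessesPerSecond;
}

module.exports = { passphraseBits, countSatisfyingAllClasses, countUnrestricted, bitsLostToRule, secondsToExhaust };
```

For eight random characters the “every class” rule only discards a little over one bit of the 52.6-bit keyspace, so the rule by itself costs little; four random words from a 2048-word list give 44 bits, which at 1,000 guesses per second takes several centuries to exhaust, and the rule-induced habits (“Password1!”) are what actually make human-chosen passwords cheap to guess.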
We are told that length and complexity are critical to slow down brute force cracking:
We also know that reusing a password or passphrase across different services greatly increases the chance of it being discovered, since so many services, large and small, are breached and attackers replay leaked credentials against other sites (credential stuffing). I’ve had various services notify me of breaches over the years, and two different hospital systems have been attacked in our region, resulting in the diversion of ambulances to other facilities and temporary reversions to paper-and-pencil recordkeeping.
Password managers
It is impossible for most of us to avoid reusing passwords without a password manager. I began using the SplashID one in January 2009. Back then it was called SplashID Desktop for iPhone and iPod Touch version 4, and cost $20. It let me store usernames and passwords on my phone along with notes about when I signed up for a service, at what cost, and more.
Going meta here, I found that timeframe and cost by looking them up in SplashID Pro 9, which also revealed that I paid $10 to upgrade to version 5 in August 2009 and paid $30 in January 2014 for a SplashID Safe Lifetime All Access License.
I like how SplashID can sync across all of my devices, with both web access and dedicated apps for iOS, Windows, Mac, etc. Eventually the Chrome and Safari web browsers could learn usernames and passwords if you logged into them. However, that isn’t secure enough for my taste for accounts with financial institutions, although I’m willing to let the browsers know the credentials for some services where a breach wouldn’t be a big deal. That comfort depends on me using a unique password for each service.
The web browsers, however, don’t let me store the fake answers I create for security questions.
Insecurity questions
Besides password length and complexity, and the danger of a service getting hacked, security questions are another weakness to shore up.
Many services include useless and unsafe questions you can use if you forget your credentials. They are usually stupid ones like “In what city were you born?” or “What was the name of your first pet?” The answers are easy to guess, readily found in social media posts, or easily obtained by social engineering, including “games” on social media that lure people into revealing them.
So I make up nonsensical fake answers to all security questions, which in turn means I have to note the Q&A in SplashID.
LastPass lost
SplashID has added features over the years, including password generation and linking URLs with an entry to make it easier to log in. But it is an inexpensive recordkeeper that lacks the bells and whistles of some other popular services…such as LastPass.
Frustrated by having to repeatedly type my lengthy master password into SplashID when logging into services, I made the mistake of using LastPass in 2021. It cost me $27 for the first year, and I renewed for a couple of years after that. For a while it was okay, but then its attempts to overlay links to your credentials on login screens started blocking things I needed to see or type. Then things went south…
LastPass had security breaches, so I deleted my account with them and went back to relying on SplashID, which I’d made sure to keep updated all along. Of course, there could be a breach of SplashID that I might not know about. Such is life, but hopefully it is a far smaller target than LastPass, just as the Mac is less vulnerable to viruses and malware than Windows because of its small market share. (I’m satisfied with using the included Microsoft Defender on Windows, but on my Mac I downloaded the free AVG AntiVirus.)
When I shifted to using my Mac mini as my primary computer at home, I of course wanted to install a SplashID app on it rather than having to always use the cloud version.
I noticed they had shifted to SplashID Pro 9 and were urging me to migrate from SplashID Safe 8, which I’d used for years on Windows and my iOS devices. I didn’t want to get overloaded with too many changes at once, so I opted to download the old SplashID Safe 8. It had some issues at first, refusing to sync via the cloud and sometimes failing to fully quit unless I performed a Force Quit on it. But when I found the time to play with it more, I did manage to get it syncing reliably with the cloud and all was okay.
How long is a lifetime?
Eventually I had enough patience to delve into their terms for SplashID Pro 9. I noticed that they indicated they would eventually shut down the SplashID Safe services. So I was concerned that by changing the name of the software they planned to kiss us old Lifetime All Access License holders goodbye. After all, I had used their software on multiple devices for a decade for just $30.
So I was pleased to find that they gave me until the end of June to migrate to the new program and would transfer my SplashID Safe Lifetime license to SplashID Pro 9. Thank you, Morgan Slain!
I downloaded SplashID Pro 9 and it migrated my 946 records. Can you tell I’ve been online for over 40 years and manage a large number of services at work? I then downloaded SplashID Pro 9 on my iPhone and iPad as well as my Windows desktop at work, got everything synced up, and I began using it instead of the old SplashID Safe 8.
Using Google accounts to login
Many years ago, services began offering to let you log in via Facebook. I don’t regard Facebook/Meta as trustworthy, so I avoided that. For a long time, I also avoided using Login with Google to link to services, since if my Google account were compromised, that would be a vector into multiple services. But we have used that feature to make many school district services easier for staff to access, so I now use it with my personal Google account for some newer low-threat services. However, I have found that few services let you switch an existing account from using a custom username and password to just using your Google account, so I forget which ones can just use Google. Sometimes I look up credentials for a service in SplashID only to find a notation to myself to use Google to authenticate.
Multi-factor authentication
A recent trend is multi-factor authentication (MFA), often either in the form of having a numeric code sent via text to your cell phone or using an authenticator app that generates temporary numeric codes. That’s much better than an insecurity question, but until I switched to a Mac desktop, that meant I needed my phone nearby.
We have had several school district employees fall victim to phishing attacks and face increasing insurance requirements. So this spring we started requiring 2-Step Verification for staff Google accounts. Our two Instructional Technology Specialists worked hard to help people use it, and the transition wasn’t too painful. I think enough people now have to use MFA for their financial and other accounts that most were somewhat familiar with the process.
Authenticator apps on cell phones were an important option to keep MFA feasible at work, since those can be used even when a cellular signal can’t reach within some school locations. I started using authenticator apps to generate codes for various services in 2023, although now that I’m using a Mac mini, text codes are pretty easy to use at home. Since the Mac will receive texts via my iPhone over Wi-Fi, I don’t have to keep my phone handy. However, the app-based authenticators are inherently more secure than codes sent via SMS/text: the shared secret stays on the phone and each code is computed locally, so there is nothing for a SIM swap or SS7 interception to capture in transit.
I mostly use Google Authenticator, although I also have the Microsoft Authenticator for Microsoft services and, thanks to the federal government, I also have the Oracle authenticator on my iPhone. I ordered free COVID tests for our school district during the pandemic, and for the last set of orders I had to use the Oracle Authenticator to access the ASPR HPOP. Oh, allow me to translate those federal government acronyms for you: the Administration for Strategic Preparedness & Response’s Health Partner Order Portal. 🙄
Security keys
When we decided to require MFA at work, I was concerned we might have an outlier employee who refused to use a cell phone. A cumbersome workaround would be generating, printing, and using one-time backup codes, but a less irksome alternative to using a cell phone would be a physical security key.
I decided I needed experience with that option just in case, so I spent $34 on a Titan Security Key. I linked it with my district Google account, and now the default MFA method for that account is for me to insert the key in a USB-C port on a device and press the button, or bring it near a device with Near Field Communication and do the same.
The key has always worked fine, but it is a bit annoying to have to pull it out and insert it into a Chromebox or Chromebook every time I log in to one, as I can’t tell them to not ask for MFA again like I can on a desktop computer. I can go through prompts for Try another way to instead get a prompt via the Gmail app on my iPhone for MFA, but there have been a few odd situations where the key was useful. I have encountered authentication traps where something demanded I authenticate, but then demanded authentication to use the second form of authentication, setting up an endless loop of frustration until I used the key, which just works. So I will probably keep using the physical security key until I retire. I’m thinking I might smash it with a hammer when I leave employment, not out of anger or frustration, but as a real-world expression of separation beyond just leaving behind my master keys and door fob.
Passkeys
Recognizing the many problems with passwords, Google began offering “passkeys” for some accounts. You link a device with your account and then use a fingerprint, face scan, or PIN to log in rather than a username and password. Under the hood a passkey is the same FIDO2/WebAuthn credential a security key holds: a public/private key pair where the private key never leaves the device (the biometric or PIN only unlocks it) and the site stores just the public key, so a breach of the site leaks nothing reusable and, because the signed login response is bound to the site’s origin, a phishing page cannot relay it. That’s cute, but they don’t support passkeys yet for education accounts, so they aren’t as useful to me as they could be.
I did set up a passkey for my personal Google account, but I’ve only had cause to use it a few times. I’m skeptical that passkeys will replace passwords for most services, but never say never.
Since I first encountered passwords in DeMolay over 40 years ago, they have multiplied like rabbits as little tokens of my identity in a digital life. Those pesky little buggers!