Week 5:  Better password habits

The internet has brought us a lot of convenience such as shopping, banking, connecting with family.  But it has also made security more important than ever. Just like we lock our front doors to keep our homes safe, we need to take steps to protect ourselves online. The digital world is always changing, and so are the threats and the ways we can stay safe.

Hackers and scammers are always looking for new ways to trick people. In the past, they relied on simple tricks like guessing easy passwords or sending fake emails. Now, they’re using advanced technology like artificial intelligence (AI) to create more believable scams.

Here are some of the new threats:

 Ransomware – This is like a digital “kidnapping” of your computer or files. Hackers lock your files and demand money to unlock them.

 AI-Powered Scams – Scammers use AI to write convincing fake emails, text messages, and even phone calls that sound real.

Supply Chain Attacks – Instead of targeting you directly, hackers sneak into big companies, which can put your information at risk if you use their services.

 Future Threats: Supercomputers – Scientists are building incredibly fast computers called quantum computers. One day, these might be powerful enough to break today’s security codes, so experts are already working on new ways to protect us.

There are many things that you can do to stay safe, including watching out for scams, keeping your devices updated, using two factor verification and continuously learning about technology.  But a key player in safety is to use strong passwords, and to keep these passwords safe and accessible.  In today’s lesson, we will discuss password managers, a tool to keep track of all those passwords.  We will also look at the unique Apple option (Password apps),  whether or not to use a browser for keeping passwords and passkeys, a new method to authenticate yourself.

What is a password?  A password is a secret authentication credential consisting of a string of characters that acts as a digital key to verify your identity and grant access to an account, device, or system. Much like a physical key unlocks a door, a password unlocks access to digital resources while keeping unauthorized users out.

• A few key aspects that distinguish passwords:

o They are meant to be known only by the authorized user

o They can combine letters, numbers, and special characters

o They serve as the first line of defense in digital security

o They can be used alongside other authentication methods (like fingerprints or security keys)

For example: "CorrectHorseBatteryStaple" or "9&K#mP2$vL" would both be passwords, though they represent different approaches to password creation (memorable phrase vs. random characters).

There are password vulnerabilities that we all face.  These can be due to a number of factors, some which can be controlled, and others which cannot.

Password Reuse presents one of the most significant security risks in our digital lives. When users employ identical passwords across multiple services, they create a single dangerous point of failure. This practice means that if one service experiences a data breach, all accounts sharing that password become vulnerable to unauthorized access. This vulnerability is particularly concerning for email accounts, as they often serve as the recovery method for other services. When cybercriminals obtain a password from one breached service, they systematically test it against other popular platforms, potentially gaining access to multiple accounts through a single compromise.

Social Engineering Attacks rely on human psychology rather than technical vulnerabilities. These attacks involve sophisticated deception techniques where attackers manipulate users into revealing their passwords. Common methods include phishing emails that mimic legitimate services, directing users to convincing but fraudulent websites designed to capture login credentials. Phone scams where criminals pose as technical support or authority figures can pressure users into divulging sensitive information. Attackers also mine social media profiles for personal information that might be used in passwords or security questions. Even in physical spaces, "shoulder surfing" - where attackers observe password entry - remains a persistent threat.

Technical Vulnerabilities exploit the mathematical and computational aspects of password security. Brute force attacks methodically attempt every possible character combination until the correct password is found, while dictionary attacks focus on commonly used words and known passwords to speed up the process. Rainbow table attacks use pre-computed password hashes to crack encrypted passwords more efficiently. Keyloggers, malicious software that records every keystroke, can capture passwords as they're typed. Man-in-the-middle attacks intercept password transmission between user and server, potentially exposing credentials even on seemingly secure connections.

Poor Password Practices stem from users prioritizing convenience over security. The use of weak, easily guessable passwords like "password123" remains surprisingly common despite well-known risks. Many users still write passwords on sticky notes or store them in unencrypted digital files, making them easily discoverable. The practice of sharing passwords through insecure channels like email or text messages exposes credentials to potential interception. Users often fail to change passwords after learning of compromises, and many still incorporate obvious personal information like birthdays or pet names, making passwords vulnerable to educated guesses.

Storage Vulnerabilities occur at both the service and user levels. Organizations that store passwords without proper encryption expose users to unnecessary risk. Inadequate password reset mechanisms can allow attackers to bypass normal authentication. Browser password managers, while convenient, can become security risks if not protected by a strong master password. Cloud storage of passwords, unless properly encrypted, creates additional attack vectors for cybercriminals. These vulnerabilities often remain invisible to users until a breach occurs, making them particularly dangerous.

Physical Security Risks remind us that digital security isn't purely a technical challenge. Leaving devices unlocked in public or shared spaces creates opportunities for unauthorized access. The absence of screen locks or device passwords makes stored credentials easily accessible to anyone with physical access. Improper disposal of hardware without secure data wiping can expose stored passwords to recovery by malicious actors. Lost or stolen devices with saved passwords can give attackers direct access to multiple accounts, especially if additional security measures aren't in place.

Keep in mind that many of these vulnerabilities can be controlled.  A password manager of some type might alleviate at least some of these risks and vulnerabilities.

What is a password manager?

A password manager is software that allows you to create, store and manage passwords for various online accounts.  I have often discussed the  importance of password managers, especially when we have so many that we are trying to learn and often are asked to change them.  A password manager has benefits for you:

• Security:  With password managers, you can create complex passwords for each account without having to memorize them.  This reduces the risk of potential breaches where you might have passwords used on various accounts.

• Convenience:  You can install an app or use it as an extension of your browser, allowing you to auto-fill and auto-login to certain sites

• Peace of mind:  Nothing is more frustrating than forgetting a password!  With password managers, you have a constant list of all passwords, and a central place to find them.

• Password “hygiene”:  With password managers, you can have better and more complex passwords and can also easily update them.  Also, the program will spot any passwords which are reused or even those which may have been breached.  Although you cannot change the password on the password manager, you can get one-click access to the site so that you can change it there.

Password managers have some common features:

• Password storage for any and all accounts

• Password generation:  Let the manager create that really long password.  It will be remembered so you won’t have to!

• Autofill:  They will automatically fill in your username and password (as long as you are connected to the manager).

• Security:  Password managers use encryption to protect your password “vault”.  You only need to know the master password, which will decrypt the vault.

• Two-factor Authentication (2FA):  Most offer 2FA to add an extra level of security. 

There are three types of password managers which will be discussed today:

• Browser password managers work inside the browser (Chrome, Firefox, Safari, Edge).

• Platform-specific password managers such as Apple Password, which is integrated into the Apple ecosystem.

• Third party password managers (such as 1Password or Dashlane) which are free or subscription based which can be used on all devices and browsers , as long as you are connected to the manager.  

Before generating a passkey, the authenticator will require that the user identify themselves using a PIN, swipe pattern or biometrics. The authenticator then sends the public key (which is roughly equivalent to a username) to the account web server for storage, and the authenticator securely stores the private key locally. If the authenticator is a smartphone or other device, the private key will be stored in the device keychain. If the authenticator is a password manager, the private key will be stored in the password manager’s encrypted vault.

Passkeys are more secure than passwords, for numerous reasons:

• For passwords to work, account servers must store them – or at least their hashes – so they can compare the stored data with the password the user enters. As mentioned in the previous section, passkey technology doesn’t require account servers to store users’ private keys, only their public keys. If the account server is breached, threat actors will access only public keys, which are useless without the accompanying private keys.

• Most people have poor password hygiene. They use passwords that are too short, or contain dictionary words, or biographical information that’s easy to guess. They reuse passwords across multiple sites. And instead of using a password manager, they store their passwords on sticky notes or in unencrypted text files. Passkeys, on the other hand, are generated by the user’s authenticator, so they’re always highly complex and unique to every user and every account, every time.

• Many people also don’t secure their accounts with two-factor authentication (2FA). Passkeys depend on 2FA by design; to use a passkey, an end user must have their authenticator close by, satisfying the criteria of something you are (the biometric) and something you have (the authenticator).

• Unlike passwords, passkeys can’t be compromised in phishing schemes, because it’s impossible to trick a user into entering a passkey on a phony lookalike site.

Despite the advantages of passkeys, they are still not readily available across all platforms and companies.  There are also drawbacks when using different systems and devices when accessing, since the passkey is tied to a device.  Nevertheless, it is an exciting direction, especially when considering the alternative (remembering every password).

This lesson introduced you to three types of password managers:  Browser specific, Platform specific and Third party.  We discussed the advantages of having a password manager  and why you should consider adding one.  We evaluated the safety levels of different options, concluding that browser storage is the least secure, whereas password managers and the Apple Password app offer higher security.  Don’t let this confuse you.  Pick a system that will work for you and begin to use it.  You will appreciate the ease that these types of software provide and hopefully will feel safer while browsing online.