Keeping your passwords safe George Skarbek 13th June 2019

Browser Autocomplete Most browsers offer to save passwords. This improves your productivity as you do not need to open the password file. But there are security issues. Do not save passwords in your browser, particularly for banking sites. If someone at your home opens that browser and clicks on a banking site, the browser will log into your account. Similarly if the computer is stolen. Another issue is when disposing of your now old computer you must remember to clear the password cache. If you do use autocomplete then beware of the risks. NOTE: It is relatively easy to export these IDs and passwords to a text file.

Password vaults Tools like  LastPass, KeePass, 1Password and others collect, retain, and often enter your login credentials for you. LastPass can also fill in other fields such as your name, full address, credit card number so that a form can be filled in with one click. LastPass stores your passwords as extremely well-encrypted data that even they do not have access to. Your data is only decrypted on your device(s), computer or USB and only when you provide the correct master password. In my opinion this type of software is worth considering.

DIY password list tips If you have created a password list some time ago and are updating it now, here are some suggestions for why it is important to understand how to keep your passwords safe. The main tip is: NEVER print your password list. Remember that Windows will index all files in the Documents folder and sub-folders. It will search over 100,000 files in under one second looking for any name in all files, for example “pass” or “bank”.

Tips on password safety If you have printed a list, NEVER have it in your wallet or handbag. What happens is this is lost or stolen? Never save it in any document that is not encrypted, such as in Excel or Word without encrypting it first. Use Help in Excel or Word for encryption method. Never save it using Notepad as this cannot be encrypted. Never call that document Passwords. It is preferable not to use the same password for more than one site.

Suggestions If you do not wish to use password manager software then using Excel is a good choice because it has good encryption build in. In the first column have the name of where the password is to be used, for example ANZ. The second column is the user ID, such as 123456 or Fred@Nurk.com The third column is the password. Other columns can have additional information such as security questions and answers. That Excel file MUST be encrypted. If your Excel is 2003 or earlier then do NOT use it as the encrypted password file can be easily cracked. That Excel master password can be written down somewhere safe.

More suggestions For all passwords, except for really trivial cases, use upper and lower case letters, at least one number and one symbol and make it at least eight characters long. Especially for the banking or super fund accounts. With six lowercase letters, using a brute-force attack of one million attempts per second it will take about 1.2 seconds to crack it. With 8 characters using upper and lower case letters, numbers and symbols the time increases to 5,845 centuries. Give your file a generic name such as Xmas2013gifts

Suggestions for extreme protection For additional safety I recommend that when creating passwords you always hide a letter by using another letter or symbol. This is done to add more protection in the unlikely case your password file is found and cracked. For example, when using a lowercase letter, say a “b” - it will always be entered as say, W or a comma, a tilde or anything but a “b” in the actual password.

And another extreme suggestion You can make it ever harder for anyone to find that password file. If you are using Excel then rename the .xlsx to something else such as .dll (Dynamic Link Library) and then to open that file right-click on it and select Open With … and select Excel. Do not save a .dll file in the Documents folder as this will really stand out. Save in the C:Windows\System32 which has about 170 .dll files just starting with A. Call it something like Abl.dll. An extra advantage is that Ransomware will NOT encrypt .dll or .exe files. Remember to back it up. If you have 10,000+ music files then call it Something.mp3 with the music files.

This way you do not need to look at a password file! Final suggestion Use an algorithmic password so that you never have to look at your password file. If your name is Fred then use an algorithm, starting as: { Fred$7 (Note the space after opening the curly bracket) Then after your selected number add two letters that pertain to that password. Say the second and third letter. If that site is Westpac, then your password will be { Fred$7se This way you do not need to look at a password file!

After death …. Having protected your wealth from hackers and thieves during your life don’t leave a huge problem when you die. Remember that your executor must have access to your password file, where to find it and how to open it with the required password. If you have transposed a letter with something else then include all details.

Any Questions?