Q: Which is the most secure browser, Brave, Chrome, or Firefox?

A: Great question! Few people ever give thought to the browser they are using, and just grab the one in front of them.

Let’s start with the 800-pound gorilla in the room: Chrome.

Google created an open source browser called Chromium. There are dozens of browsers available that are based on Chromium; Chrome is one of them. So Google started with open source code, and then added their own proprietary code to make Chrome. Chrome is one of the most full-featured browsers available. The bad news is that it comes configured to feed everything you do on the web to Google as part of its data harvesting. Even if you install all the right extensions to improve the security and privacy of Chrome, there is no way to stop all of its harvesting of your data.

Brave is also based on Chromium. The big difference between Brave and Chrome is that Brave ships with almost all security settings properly configured to help ensure a secure and private internet experience. Brave has been one of my three favorite secure browsers from the day it was released. Because it is based on Chromium, it can use almost every extension that is available to Chrome. Unfortunately, because the underlying framework is Chromium, there may be no way to completely prevent Brave from sending some of your data to Google.

Firefox is not based on Chromium. This is huge. Of all the major browsers in the current market, it is the only major player not built on Chromium. This, plus being open source, helps to make Firefox very secure (no secret data harvesting to Google). Although there are many extensions to expand the functionality of Firefox, it cannot use Chrome extensions.

So, which is the most secure? Out of the box, Brave is far more secure than Firefox. However, if you are willing to install maybe three extensions and manually configure the preference settings, I think the nod may go to Firefox.

Q: Why do I need to Change Passwords so Often?

A: Actually, changing passwords on a routine basis is very old school, and is no longer mentioned in any US government cybersecurity guidelines.

What was found is that the more often people are forced to change their passwords, the sloppier they become with password creation, making passwords that are easier and easier to hack.

The current guidelines are:

  1. All passwords should be strong. That definition changes by which authority you ask – typically 8 or 16 characters (and sometimes more).
  2. Every site and service should have its own unique strong password.
  3. Passwords should be securely stored. Having passwords written on a post-it note on the bottom of one's keyboard does not meet the criteria. This is where the power of a quality password manager (PM) comes in. A PM will automatically create very strong passwords and store them in encrypted form on your device. The better ones will allow you to share your passwords among all of your browsers and devices. My favorite – Bitwarden – also serves as your 2-Factor Authentication software.
  4. Whenever possible, use 2-Factor Authentication.
  5. You only need to change your password when it may have been compromised. A good place to check this out is https://haveibeenpwned.com.

Android Phones Constantly Snoop On Their Users

As reported in a study released 20211006 by University of Edinburgh, UK and Trinity College, Dublin, Ireland, despite the public discontent over data harvesting by big tech, it is (of course) worse than any of us thought.

The researchers found that Android devices (with the notable exception of /e/OS devices), even just out of the box with nothing else installed and sitting idle, send great amounts of user info to the OS developer and to third parties such as Facebook, LinkedIn, Microsoft, and Google.

Of greater concern is that this data collection offers no opt-out. Many of the apps cannot be uninstalled. Android users are powerless to stop this harvesting. To make matters worse, it was found that for some system apps such as mini.analytics (Xiaomi), Heytap (Realme), and iCloud (Huawei), the encrypted data stream can be decoded, making your data vulnerable to man-in-the-middle attacks.

Think resetting your Google advertising identifier will clear up the situation? Nope. The data-collection system easily re-links your old ID with the new ID.

Then you just have to love the response Google provided: “While we appreciate the work of the researchers, we disagree that this behavior is unexpected–this is how modern smartphones work. As explained in our Google Play Services Help Center article (and I know every one of you has read this), this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds.”

Grrrrrrr.

What You Can Do About It

The first option is to grin and bear it. This may be a reasonable position to take. After all, it is little ol’ you against a multi-trillion dollar industry. Might as well let the fricken’ blood suckers take all of my personal data and let me get on with my life.

Or, you can make life a little more difficult for them.

I’m fond of the life lessons story about two hikers out in the woods that come across a hungry grizzly bear. Hiker A asks Hiker B “how fast do you have to run to escape a grizzly.”  Hiker B replies “just a little faster than you!”

Going the Android route simply makes it literally effortless for big tech to harvest your data.

Going the Apple route makes it more difficult. Apple has been taking strong steps to block some – not all – of the harvesting of your data. And it looks like with each update they are closing off more avenues to your private life.

Replacing your Android device with an Apple iPhone will go a very long way to helping secure your cybersecurity and internet privacy.

If you are interested in other ways to maintain your freedom, we have the very best, easiest, and most comprehensive DIY books available. Visit https://thepracticalparanoid.com

Your Location Data is Part of a $12 Billion Market

Something few of us pay any attention to is the location data that our mobile device is collecting and sharing. Literally every single step you take is recorded, archived, and sold. Based on your location data, your gender, income, political leanings, education, pregnancy status, and more can be inferred. Once this information has been sold, it can be used not only for marketing, but to spoon feed you targeted news and alerts.

It has been used to discover who attends political meetings and rallies, Planned Parenthood, or Burger King. Most recently, the location data of those who downloaded a Muslim prayer app has been targeted by the US government, and a Catholic news outlet used location data to out a priest who frequented gay bars.

If you think there isn’t a target painted on your back (or the soles of your shoes), then why is location data – including YOUR location – currently a $12 billion yearly industry?

Visit https://themarkup.org/privacy/2021/09/30/theres-a-multibillion-dollar-market-for-your-phones-location-data for a great review.

It is Time For a New Router

Q: When is it a good time to replace my current router with a new unit?

A: NOW! (Really)

What is a Router?

A router is a hardware network device that allows other devices (such as computers, tablets, mobile phones, printers, smart watches, smart doorbells, webcams, etc.) to connect to your local area network (LAN), and then, through the router, communicate with each other (such as sending a file to be printed, or opening a file on the server), and connect to the internet.

As the router is the hub of all of your network activity, a failure or hack at the router means a catastrophic failure of your network and all devices, and a potential hack of all your devices.

Why Replace My Router Now?

Network technologies have changed significantly in just the past few years. If your router is more than 2 years old, it very likely is no longer considered highly secure. This puts ALL of your data from ALL of your devices at risk.

In addition, many of the latest routers include additional security software to help monitor your devices and network for breaches. Earlier routers pretty much let data in and out without any examination.

At the enterprise level (large businesses), Cisco, Juniper, and HP are among the go-to providers of networking equipment. These units have always had security software built in. They also typically have upgrade options to ensure you always have the latest and greatest features available to you.

This is why these units cost upwards of 5x the cost of prosumer models.

For the purposes of this blog, I’ll not discuss the enterprise, as it is a rarified field demanding one-on-one discussions for your particular environment.

But, for the home user and the small and medium-sized business, prosumer routers can have excellent performance and features, at very affordable prices.

Wi-Fi Encryption

Earlier wi-fi router models used WPA2 for their encryption protocol. Ratified in 2004, this was considered fairly secure. However, it could be hacked. That is one of the reasons it was replaced in 2018 with WPA3 encryption. Routers with WPA3 capability started shipping in 2019.

Note: If you have older devices (computers, tablets, etc.), they also may be capable of using WPA2, but not WPA3. This makes your older device a security vulnerability. And if you don’t replace the older device, you will need to enable WPA2 on your router for the older device to use the network. This immediately makes the entire network vulnerable.

How to Enable WPA3

For almost all routers, enabling WPA3 is not much more than a tap. For this example, I’m using my favorite prosumer router, the ASUS GT-AXE11000.

  1. Open a web browser to the control panel of your router.
  2. Navigate to the Wi-Fi settings.
  3. Select WPA3-Personal.
  4. Save.
  5. The router may restart to initialize the new encryption.

ASUS WPA3

If you don’t see the option for WPA3, it is time to replace your router with a current model.

Network Security

All consumer-grade, and most prosumer-grade routers lack significant network security beyond a rudimentary firewall. One of the reasons I love the ASUS line is the higher-end models include very good network security.

Here you can see how it protects the network by:

  • Self-analysis, pointing the administrator to configurations that may not be fully secure.
  • Logging the malicious sites users or malware have attempted to access and have been blocked.
  • Two-Way IPS, which blocks malicious packets from reaching your router or network devices.
  • Infected Device Prevention and Blocking, which prevents infected devices from releasing your sensitive information.

ASUS Network Security

Replacing Your Old Router With New

Older routers were pretty much a plug-and-play device, and any user could set it up.

The only downside to the newer security-conscious devices is they do require some reading to do the job right. And even then, I recommend hiring an IT professional to spend the hour or two to properly install and configure. In the case of the ASUS, there are over 100 settings that require attention.

Another Bonus With Your Upgrade: Speed

Although security is the main reason to upgrade your router, there is a bonus available – better performance and speed.

Older routers will typically max out on their wi-fi speed at 300, 600, perhaps 1000 Mbps. In addition, they are limited to the 2.4 GHz and 5 GHz channels. The 2.4 GHz channel is overly crowded – sharing bandwidth with microwave ovens, garage door openers, cordless phones, Bluetooth devices, and almost any other wireless device. Think of driving in Los Angeles freeway traffic. The posted speed limit may be 65 mph, but with bumper-to-bumper traffic, everyone is going 15 mph.

Newer routers will still have the legacy 2.4 GHz and 5 GHz to support older devices, but may now include the 6 GHz channel. As this is newly opened, few devices use it, so it is just you and a few other cars on the freeway.

Q: Would an online dating site request credit card info for a forgotten password? If fraud, what’s the next step?

A: If you use a credit card to pay for the service, and have forgotten your password, it is routine to use your credit card number to validate your identity.

To help secure your online activities:

  • Use strong passwords, with 15 or more characters.
  • Use unique passwords, a different password for every site and service.
  • Use a password manager to create strong passwords and to store your passwords. I’m fond of Bitwarden.
  • Whenever possible, enable two-factor authentication, sometimes called multi-factor authentication. One of the reasons I recommend Bitwarden is that it can act as your 2FA utility.

Q: Can a person remotely control my phone with just my number or email without a password? Is there an app for them to do it?

A: If we are talking state actors, like the CIA? Sure, it can be and has been done. The Pegasus malware has been in the news lately for doing just that. If you are talking hackers or high-level organized crime? There has been no evidence of it ever being done.

But, now that we have proof of concept (Pegasus), it is sure to happen sooner rather than later.

The good news is that, at least as of now, it is extraordinarily expensive to design such a tool. This is what has limited release to only very high value targets. And as soon as it was discovered, OS updates were released to block it.

Q: Why is Security So important to Apple?

A: Just an educated guess here…

Every business, to be successful, must differentiate themselves from the competition.

An obvious differentiator to use is security and privacy. MS has a long history of paying little attention to security and privacy. This makes it easy for a competitor – particularly one with a history of having better security and privacy (Apple) to fill that niche.

Now with that differentiator in place, a potential buyer needs to make a decision as to what product to buy. They can weigh price, features, availability, stability, appearance, performance, compatibility, AND security and privacy.

If security and privacy are more important to the buyer than other issues, they will likely go with Apple.

Q: What is the best anti-virus software to use with Firefox, and why?

A: Antivirus software typically works with your operating system. But there are a few that are specifically designed for use with browsers. As such, they are browser plug-ins or extensions. Such antivirus tools can block access to malicious websites or downloading malicious files.

My favorite is Bitdefender Trafficlight.

Keep in mind that you still need an antivirus for system protection. Again, my preference is Bitdefender antivirus.

Q: How do I hide browsing history from a network administrator?

A: You don’t. That is why they are the administrator and you are not! In any organization I support, attempting such action would be considered a breach of computer policy, with termination as the likely result.

If the user enables private browsing mode on their browser, there will be no browsing history on the computer. However, this doesn’t stop browsing history from being recorded by the office router. This cannot be bypassed. The Internet Service Provider will maintain a browsing log. This can be bypassed by using a Virtual Private Network (VPN). The DNS provider will also maintain a log. This can be bypassed by switching to a DNS provider that does not maintain logs.

Keep in mind that using VPN or switching DNS provider is very easy for the administrator to spot.

Q: Can a MacBook last 10 years?

A: Physically, easy. I suspect the majority of computers can physically outlive their owner.

Realistically, no. Apple (as well as Microsoft and other vendors) will continue to provide system updates for 5–7 years. Once your computer is too old to receive system and application updates, it is HIGHLY vulnerable to malware and breach.

This puts useful lifespan to around 5–7 years.

An unasked question is: is it worth it to keep a computer 10 years?

If the computer is used in a business or otherwise makes money, I don’t see a way for an older computer to be profitable, or “worth” keeping around. Around 15 years back I created a program that calculated the cost/benefit of keeping a computer versus purchasing a new computer. I used this to provide hard numbers to clients. In almost every case, if the current computer was two years old or older, it was the more responsible choice to replace it with a new computer. In addition to getting a new sparkly, the company almost completely eliminates technical support costs, has little to no support-related downtime, has no need to pay for an extended warranty, and the user can be more productive.

If the computer is not used for business or to make money, and the user doesn’t mind operating in the slow lane, then as long as the computer receives OS and app updates, go for it.

Q: How do I protect a Google Doc?

A: A Google Doc is just an HTML file, like a web page. Primary protection is in the form of permissions. Be specific about who has access, and what permissions they have.

Second, having a viable backup is critical to protect against corruption, change, or deletion. For this, you need a cloud backup of your document. There are several internet providers that specialize in this, such as Backupify and SpinBackup. Yup, you will be using an internet service to backup your internet files! A local backup will be of little use.

Another option is to download your Google docs in either .pdf or Microsoft Office format.

Q: What is the best way to back up your data and keep it safe?

A: It is vital to back up all of your data in case the original becomes damaged, corrupt, or deleted. To protect your data you must have AT LEAST one local and one remote backup.

A local backup is typically saved to an external hard disk drive or flash drive. You will need a drive with at least four times the capacity of the data to be backed up. This is to allow for growth as your files are edited and additional files are created. The drive needs to be encrypted. This can be done with Time Machine or Disk Utility (macOS), or Bitlocker (Windows).

The remote backup can be a drive like the local backup, but stored off-site. In many cases a better alternative is to use online backup. This can be done with Google Drive, Microsoft OneDrive, or one of the dozens of commercial internet backup tools.

Q: How Do I Know if My Personal Information Has Been Hacked?

A: A bit of background information is probably in order.

  1. It is almost certain that much of what you think of as personal information is already “out there” and readily available to marketing groups, criminal hackers, advertisers, and other miscreants. Organizations such as social media, Google, your Internet Service Provider, and all major websites track your online activities. Over time, this accumulation of data creates a near perfect personal profile. This profile is sold to marketing groups and others. There isn’t a thing you can do about this – other than to be wise with how you interact with social media, and to operate with as much anonymity and security as you can whenever connected to the internet.
  2. Some of your personal information comes from breaches of websites where you have freely provided your information. For example, health providers, banks, credit card companies, social media, etc. You can check for such breaches at https://haveibeenpwned.com. If you find a breach, again, not much you can do about it, but it is time to change your password for the site.
  3. Almost nobody practices wise cybersecurity and internet privacy. A recent study found that the majority of adults use the same one or two passwords for everything. 85% of high school kids use the same password for everything, with almost 50% freely sharing their passwords with friends. There are some standards to put into practice:
    1. Use a different password for EVERY site and service.
    2. Passwords should be a minimum of 15 characters in length. Complexity doesn’t matter – length matters.
    3. Don’t write down passwords. Instead, use a quality password manager (I’m fond of Bitwarden) to store passwords in an encrypted database.
    4. Use multi-factor or two-factor authentication whenever it is available. For sites such as health care, banking, credit card, financials – if they don’t offer multi-factor authentication, change to another provider that does. This indicates they don’t care about security and privacy.
    5. Don’t share your passwords with anyone.
    6. Don’t use a non-private domain email. For example [email protected] Instead, spend a few dollars to set up your own private domain email, for example [email protected], and make sure you have a quality email provider as your host. I recommend Proton Mail, Google, and Microsoft. Once you have this, ask your provider for help setting up your SPF, DKIM, and DMARC records. This will help prevent getting spam and help prevent your account being used to spam others.
    7. Contact the three major credit reporting organizations to get copies of your credit at least yearly. Review for any errors, and then get them resolved.

Oh, did I mention to be smart about your cybersecurity and internet privacy? Did your eyes roll to the back of your head when you read that? It is actually quite quick and easy, once you know the How! Interested in the how? Have I got a book or two for you: Practical Paranoia Security Essentials.

Q: How Vulnerable Are My Children To a Cybersecurity Or Internet Privacy Breach?

A: It is almost a sure bet your child has been knowingly or unknowingly a victim of cybersecurity or internet privacy breach (if they have internet accounts).

According to a report released today (August 11, 2021) by NIST (National Institute of Standards and Technology), 87% of high schoolers use the same password for everything, and 45% of high schoolers share passwords with their friends. According to the research, teens don’t see password sharing as risky behavior, but as a way to build friendships and trust.

Apparently, this is not a matter of not knowing cyber best practices. Children as young as third grade know and understand why passwords are needed, why to use strong passwords, and how to create them.

So, with almost 90% of children using the same password for everything (my head almost explodes just writing that), and almost half sharing that singular password with friends, is it any wonder you can bet they have been breached?

Unfortunately, if they have freely shared their password(s) with friends, there isn’t a viable way to determine if this password has been used by friends to access their other accounts. But the doors are wide open for friendly fire upon their social media, email, banking, and school accounts to haunt them for years.

This might be a great time to spend five minutes with your child to review password best practices. For those whose own memory may be a bit dusty 😉 …

  • Use a different password for every website and service.
  • Passwords should be a minimum of 15 characters.
  • Password complexity isn’t important. Better to have an easy to enter passphrase.
  • Whenever possible, enable two-factor authentication (also called multi-factor authentication). This prevents someone who knows your password from accessing your account.
  • Do not share passwords with anyone.
  • Do not write passwords. Instead, store passwords in a password manager utility, which encrypts your data. My preference is Bitwarden for all OS’s.

While you are at it, check all family member accounts for breaches by visiting https://haveibeenpwned.com. Although this site won’t tell if you have been a victim of friendly fire, it will tell if your account has been attacked.

Q: What’s the Big Deal Over Two-Factor Authentication?

No matter how “great” or “strong” your password, it can be broken, hijacked, or bypassed. Perhaps the most common method to usurp your password is by breaching the user database of a major vendor. For example, recent attacks include:

  • Audi: 2.7 million accounts
  • Guntrader: 112,000 accounts
  • University of California: 547,000 accounts

Once a major site has been breached, the criminal gains access to all of the user accounts and passwords. If the passwords are strongly encrypted, it is simply a matter of time before automated cracking software resolves that bump in the road. More typically, however, the passwords were either not encrypted at all, or used weak encryption that can be quickly and easily broken.

Given there are currently over 11 BILLION hacked accounts sitting on the dark web waiting for criminals to scoop them up, what can you and I do?

This is where two-factor authentication (2FA) (also called multi-factor authentication) rides in to rescue the day.

With 2FA in place, even if the criminal gains access to your password, they still need the second authentication factor in order to access your account – and only you have it!

What Is Two-Factor Authentication

2FA is just a second way that you can provide proof you are authenticated to access an account. The first way is knowing the password.

The second method can be:

  • Knowing a one-time-use code that is sent to your email.
  • Knowing a one-time-use code that is sent to your smartphone via text or voice.
  • Knowing a one-time use code that is randomly generated every 30 seconds via software or a hardware key.
  • Knowing a one-time use code that was given to you when you registered for 2FA on the site.

Current best practice recommends against codes sent to your smartphone, as they are easily intercepted.
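The third option in the list above, a code that changes every 30 seconds, is the TOTP algorithm (RFC 6238) built on HOTP (RFC 4226). The following is an added example, not code from the original post or from any product it mentions, that generates and verifies such codes with only Python's standard library. `DEMO_SECRET` is the published RFC 6238 test-vector key, not a real credential, and the function names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with only the standard library.
Added illustration of the "code generated every 30 seconds" second factor;
DEMO_SECRET is the RFC 6238 test-vector key, not a real credential."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed: the 20-byte ASCII secret used in the RFC 6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for one counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()   # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current 30-second window."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current window and `window` steps on
    either side to tolerate clock drift; compares in constant time so a
    failed attempt does not leak how many digits matched."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps enrol a secret as Base32 (the string behind the QR code)."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    print("enrolment key:", secret_to_base32(DEMO_SECRET))
    print("code right now:", totp(DEMO_SECRET))
```

The secret is the only thing the server and your phone share; nothing travels over SMS or email, which is why this form of 2FA avoids the interception problem mentioned above. A real deployment would also record the last accepted counter so a code cannot be replayed within its window.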

How to Stop Business Email Compromise (BEC) Attacks

Business Email Compromise (BEC) is any type of cyber attack using email that in itself does not contain a malicious attachment. Although there are many different BEC attack vectors, the dominant one is spoofing, used in almost 50% of all BEC attacks. In a spoofing attack, the criminal sends an email that appears to be from a high-ranking member of the organization, requesting a transfer of funds.

A few statistics to act as a wake-up call:

  • In a recent survey, 71% of organizations acknowledged experiencing a BEC attack over the past year.
  • The FBI’s Internet Crime Complaint Center reports that in 2020 there were 19,369 BEC complaints, with losses of approximately $1.8 billion.
  • One of the largest BEC losses came to Nikkei, the Japanese media group, in the amount of $29 million.

A BEC attack generally works like this:

  1. The criminal acquires the name and email address of a senior-level executive within an organization.
  2. The criminal sends an email, spoofing the name and email address of this executive, to their executive assistant or the accounting department, requesting that monies be sent to some account outside of the organization.
  3. Because this email appears to be from a senior-level executive, there is often no expenditure authorization policy in place to limit amounts, and no requirement for secondary approvals.
  4. The monies are sent to the requested accounts, which are immediately cashed out by the criminal.

What Can I Do To Help Prevent an Attack

Expenditure Authorization Policies

Although it will likely result in a few bruised egos, and introduce some time delays, it is vital that expenditure authorization policies mandate that any significant financial request, from any member of the organization (even the owner, president, or CEO), must be cleared through a secondary approval process. Even something as simple as a required video call to the requestor could block most of these attacks.

Staff Education

As part of staff continuing cybersecurity and internet privacy training, all staff should be educated on how a BEC attack works, and what the new expenditure authorization policies are.

Technology

The cornerstone of a BEC attack is the ability to send an email that appears to be from a legitimate source. We do have technology that can help stop this from occurring. These go by the terms Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).

If your eyes just rolled up to the back of your head, I understand, but stay with me.

SPF is an email validation system. It provides a mechanism to authorize servers and services to send email using your domain. This allows a receiving mail server to verify that incoming mail from a specific domain is coming from a host authorized to send that mail. If a criminal sends email to you with spoofed “from” information, your email server can validate or invalidate the authenticity of the incoming email. This prevents email from a forged or spoofed address from reaching an inbox.

DKIM accomplishes much the same as SPF, but from the opposite direction. It provides a mechanism for the receiver to verify that an email stating to have come from a server which has been authorized to send mail for a specific domain via SPF is indeed the server that is sending the email.

DMARC is a configurable policy that determines how to deal with email that has failed the SPF or DKIM validation.

In a nutshell, SPF authorizes a server to send email on behalf of a specific domain, DKIM authenticates the sending server, and DMARC determines what to do with the email if it fails authentication.
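To make the "SPF authorizes, DKIM authenticates, DMARC decides" division concrete, here is an added example (not code from the original post, and not any mail server's actual implementation) of what a receiving server does with a message. The DNS records are a constructed in-memory table for the placeholder domain example.com, so nothing is looked up on the network; only the `ip4:`, `include:` and `all` SPF mechanisms are handled; and the DKIM verdict is passed in as a flag, because verifying a real DKIM signature needs the signed message and the sender's public key.

```python
"""Added example: simplified receiver-side SPF evaluation and DMARC policy
decision. DNS_TXT is a constructed lookup table for a placeholder domain,
not a real zone; the DKIM result is an input rather than computed here."""
import ipaddress

# Constructed DNS TXT records (placeholder domain, documentation IP ranges).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Is sender_ip authorized to send mail for domain?
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    record = dns.get(domain, "")
    if not record:
        return "none"
    if not record.startswith("v=spf1") or depth > 10:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return SPF_RESULT[qualifier]
        if term.startswith("include:") and check_spf(term[8:], sender_ip, dns, depth + 1) == "pass":
            return SPF_RESULT[qualifier]
        if term == "all":
            return SPF_RESULT[qualifier]
    return "neutral"


def parse_dmarc(record):
    """'v=DMARC1; p=reject; ...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Crude organizational domain (last two labels); no public-suffix list."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, mail_from_domain, sender_ip,
                      dkim_pass, dkim_domain, dns=DNS_TXT):
    """Apply the From: domain's DMARC policy.
    Returns 'deliver', 'quarantine', 'reject' or 'no policy'."""
    record = dns.get("_dmarc." + from_domain) or dns.get("_dmarc." + org_domain(from_domain))
    if not record:
        return "no policy"
    tags = parse_dmarc(record)
    spf_ok = (check_spf(mail_from_domain, sender_ip, dns) == "pass"
              and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # DMARC passes if either aligned check passes
        return "deliver"
    return {"quarantine": "quarantine", "reject": "reject"}.get(tags.get("p", "none"), "deliver")


if __name__ == "__main__":
    # A spoofed "CEO" message from a host the domain never authorized:
    print(dmarc_disposition("example.com", "example.com", "192.0.2.1", False, ""))
```

The last line of the block is the BEC case from the article: the From: header claims example.com, but the sending host is not in example.com's SPF record and there is no DKIM signature, so the `p=reject` policy discards it before anyone in accounting sees it. Without a published DMARC record the same message would be delivered, which is why setting up all three records matters.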

Configuring SPF, DKIM, and DMARC doesn’t require an IT professional. Your email service provider may be willing to set it all up for you. Better yet, do it yourself and be certain it is done properly! The entire step-by-step takes only four pages and less than an hour of your time. Where can you find the steps? They are assignments 13.11.1 through 13.11.4 in any of our current Practical Paranoia Security Essentials books.

Oh! I almost forgot… You can now become master of your cybersecurity and internet privacy even if you wouldn’t know an SSL from a TLS (ok, nerd humor isn’t even funny to other nerds). In just 1 hour a day over 10 days with our Practical Paranoia Online Workshops. If you can tap, double-tap, and save a file, you can quickly and easily secure your computer, tablet, phone, data, and communications using the same steps as used by governments, military, and big business. All you are missing is knowing the how. Lucky for you, we’ve got the know-how to spare, and we will share it all with you in the workshop.

Register by July 31, 2021 and receive 55% discount.

Finally, Online, Instructor-Led, Cybersecurity Workshop for Non-IT Users

It doesn’t take an Apple Genius, Google Guru, or Microsoft Engineer to help secure your devices, data, and communications.

If you can tap, double-tap, and save a file, we can walk you step-by-step through ensuring your cybersecurity and internet privacy to industry standards.

Register NOW and receive a 55% discount – only $125 for any workshop in August.
https://thepracticalparanoid.com

How Often Should I Change Passwords

There was a time, not so long ago, where most IT administrators mandated that every password for everything be changed every three months.

In my specific case, I currently have 940 passwords in my password vault. That means I would be changing at least 10 passwords every day. And getting very little else accomplished!

Thankfully, someone took a deep breath and gave some time to actual critical thinking about the whole password life span issue. The conclusion? Unless a password has been breached, or you think it could have been breached, no need to change it for…ever.

That is right. According to the current guidelines by most of the major US government IT overlords, you never need to change a password unless it may have been compromised.

But, that answer isn’t really quite that simple.

First, there are plenty of old-school IT administrators in the field who refuse to do their own critical thinking, and insist on mandating password changes every X months. Good luck getting these folks to wake up.

Second, this guideline assumes your password habits are healthy. What are healthy password habits?

  • Every website and service uses a unique password. No password is used more than once.
  • All passwords are strong. “Strong” is defined differently by different standards-setting organizations. But a good generalization is a minimum of 15 characters. A password of 123456789012345 is technically as strong as $g1A7^bY0&qX4%r.
  • No password uses a part of your name, address, phone number, social security number, pet name, or is otherwise guessable.
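The three habits above (and the password rules repeated in the earlier Q&A answers on this page) can be checked mechanically against an exported vault. The following is an added example written for this page, not code from Bitwarden or any other product; `PERSONAL_INFO` and `SAMPLE_VAULT` are constructed sample data, and the function names are this example's own. It applies the page's own rules only: minimum 15 characters, no reuse across sites, and no personal detail inside the password.

```python
"""Added example: audits a password vault against the healthy-habit rules
above (unique per site, at least 15 characters, nothing guessable from your
own details). Standard library only. PERSONAL_INFO and SAMPLE_VAULT are
constructed sample data, not real credentials or a real person."""
import re
from collections import defaultdict

MIN_LENGTH = 15

# Constructed personal details that must never appear inside a password.
PERSONAL_INFO = ["Marc", "Mintz", "555-0100", "Fido", "Elm Street", "123-45-6789"]

# Constructed vault of (site, password) pairs with deliberate weaknesses.
SAMPLE_VAULT = [
    ("bank.example", "correct horse battery staple"),   # passes every rule
    ("mail.example", "Fido2019!"),                      # too short, pet name
    ("shop.example", "Pa55word-shop-2021x"),            # reused on forum.example
    ("forum.example", "Pa55word-shop-2021x"),           # reused on shop.example
    ("phone.example", "my number is 5550100 ok"),       # contains phone digits
]


def personal_info_tokens(details):
    """Lower-cased details plus a digits-only form of anything numeric,
    so '555-0100' is caught whether typed with or without the hyphen."""
    tokens = set()
    for item in details:
        if len(item) >= 3:
            tokens.add(item.lower())
        digits = re.sub(r"\D", "", item)
        if len(digits) >= 4:
            tokens.add(digits)
    return tokens


def check_password(password, details):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH} characters)")
    lowered = password.lower()
    for token in sorted(personal_info_tokens(details)):
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")
    return problems


def find_reused(vault):
    """Map each password used on more than one site to the sites sharing it."""
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def audit_vault(vault, details):
    """Audit the whole vault; returns {site: [problems]} for failing entries only."""
    reused = find_reused(vault)
    report = {}
    for site, password in vault:
        problems = check_password(password, details)
        if password in reused:
            others = [s for s in reused[password] if s != site]
            problems.append("reused on " + ", ".join(others))
        if problems:
            report[site] = problems
    return report


if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT, PERSONAL_INFO).items():
        print(f"{site}: {'; '.join(problems)}")
```

Run against the sample vault, only bank.example passes; the other four entries are flagged for the exact reason listed in the comment beside them. Feed it a real export only on your own machine, and delete the export afterwards: the vault file is plaintext while this script reads it.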

This is far easier than the old-school rules of:

  • At least 1 upper-case letter
  • At least 1 lower-case letter
  • At least 1 number
  • At least 1 special character
  • At least 1 drop of unicorn blood

But now you have a trove of passwords, at least 15 characters in length, none of which are memorable.

What to do?

Use a password manager to do the remembering for you.

If you are a Mac user, macOS, iOS, iPadOS, and Safari work together to remember and autofill your passwords.

If you are a Windows user, Edge will remember and autofill your passwords.

Brave, Firefox, and Chrome also have their own built-in password managers.

However, my recommendation is to use Bitwarden. Bitwarden is a third-party free/for-fee password manager and Multi-factor Authentication utility (free for password management, for-fee to access the MFA). It works with almost all browsers, all OS’s, and across all of your devices. So a password created on my iPhone is immediately available to my Chromebook, Windows PC, MacBook, and Android tablet. For less than what you will find in your couch cushions, you can have peace of mind in the password department.

World peace will take a bit more.

Enroll by July 31 and Save 55%