Take Control of Security for Mac Users, Chapter 5: Improve Your Passwords
Strong passwords are key to maintaining the security of your Mac, and in this chapter, Joe Kissell explains why, looks at what’s involved with a strong password, suggests several password managers, and encourages you to up the security of a few key passwords right away.
I have a question regarding password construction.
Quoting from Chapter 5:
"But I’m going to forgo all that here and cut to the chase. In my professional judgment, as of 2015, every single password you use should be at least 15 characters long; include upper- and lowercase letters, digits, and punctuation; and be randomly generated."
Typing random passwords on a full keyboard is relatively easy where all ten fingers can be used, but typing them on a mobile device takes many extra keystrokes to enter capitals, numbers and characters, plus switching among these different modes.
Does it affect the strength of a random password if one switches the order of the characters to make it easier to type? For example (a simple case) can one rearrange b8Fa$G to baFG8$ to reduce the number of keystrokes?
In my Passwords book, I go into more detail about this sort of thing—making passwords that are easier to type on mobile keyboards and so on. One of the things I talk about is minimizing the number of mode switches—like, put all the characters that appear on the number/punctuation keyboard together in your password so you only have to switch to/from it once. Doing what you describe makes a tiny negative change to the password's entropy, but I think it's a fair trade for increased usability.
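To put a number on that entropy trade-off, here is an added example (not from the book or from Joe's comment). It assumes the "123" keyboard holds the 42 printable-ASCII digits and punctuation characters and the main keyboard the 52 letters, and it models the rearrangement as the reproducible rule "letters first, then number-keyboard characters, each group in its original order" (the reader's baFG8$ also reorders the letters, which this model does not).

```python
import math
import string

# Character classes as laid out on a typical mobile keyboard (assumption):
# letters on the main keyboard, digits and punctuation on the "123" keyboard.
LETTERS = set(string.ascii_letters)                   # 52 characters
NUMBER_KB = set(string.digits + string.punctuation)   # 42 characters
ALPHABET = len(LETTERS) + len(NUMBER_KB)              # 94 printable ASCII, no space


def mode_switches(pw: str) -> int:
    """How many times typing pw forces a switch between the two keyboards."""
    on_number_kb = [c in NUMBER_KB for c in pw]
    return sum(1 for a, b in zip(on_number_kb, on_number_kb[1:]) if a != b)


def group_by_keyboard(pw: str) -> str:
    """Rearrange so the number-keyboard characters sit together at the end.

    Relative order inside each group is kept, so the step is deterministic:
    "b8Fa$G" becomes "bFaG8$" (one switch instead of four).
    """
    letters = [c for c in pw if c in LETTERS]
    others = [c for c in pw if c in NUMBER_KB]
    return "".join(letters + others)


def random_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password over the 94-character alphabet."""
    return length * math.log2(ALPHABET)


def grouped_entropy_bits(length: int) -> float:
    """Entropy that remains after group_by_keyboard is applied to a random password.

    Every original whose J non-letters occupy different positions but spell the
    same two sequences collapses to one output, so C(length, J) originals share
    each output. An attacker who knows the rule therefore gains
    E[log2 C(length, J)] bits, with J ~ Binomial(length, 42/94).
    """
    p = len(NUMBER_KB) / ALPHABET
    loss = sum(
        math.comb(length, j) * p ** j * (1 - p) ** (length - j)
        * math.log2(math.comb(length, j))
        for j in range(length + 1)
    )
    return random_entropy_bits(length) - loss


if __name__ == "__main__":
    for n in (6, 15):
        print(n, round(random_entropy_bits(n), 1), round(grouped_entropy_bits(n), 1))
```

For a 15-character password the grouping costs roughly 12 of its 98 bits, leaving about 86, which is the strength of roughly 13 fully random characters.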
The password to all my computers, websites and devices is STEALFROMMENOW. Is that bad? I put it in all caps to make it harder!
> But if there are more than four or five passwords you need to keep in your head, you’re doing it wrong.
Or, alas, you're doing the wrong job: sysadmin. ;)
> (Even though OS X recommends using a hint, I don’t—it might help you remember your password but it can also give attackers a huge leg up.)
For passwords like that, my hint is simply the date I created it. I retain the last several passwords for key accounts, and knowing which to use would be useful for an OS backup, but not too sensitive to give an attacker.
Good book so far. Do you really have a different randomly generated 15-character, four-category password for each of your hardware devices? I have 5 devices and could not remember that many. Can't use a manager for that process either. That does not even count bank-issued PINs and the like, which seem very insecure to me.
PINs are a special case, because they're part of a two-factor system—what you have (a card) and what you know (the PIN). But anyway, PIN length is out of your control, so not worth worrying about.
As for your five devices…first, this book is only about Macs, so if the devices aren't Macs, that's a different story (but see below). If you do have five Macs, it's not entirely unreasonable to use the same (excellent) login password on all of them, because the risk of your login password being compromised is much smaller than the risk of, say, a Web password being compromised. Plus, it only helps an attacker who has access to more than one of your Macs. But if you were a Risk Level 4 person, I still wouldn't recommend it.
FWIW, for iOS devices, my opinion is that most people can stick with 4-digit passcodes, as long as the device is set up to erase its data after 10 incorrect tries. Those with very high risk levels might need longer, alphanumeric passcodes, but I wouldn't go as high as 15 characters because iOS has additional security measures that curtail most brute-force attacks. (This is a big topic, and that's why my book focuses only on Macs.)
Good response. Thank you.
Just an FYI you might find interesting. I had an early ATM card long ago, and the bank let me choose and record the PIN on a keypad in the office when they gave me the card. I didn't even know what a PIN was at that time. I entered it myself, and it was more than 4 characters long. This was about 1984, I think.