At this time every year I have to fill out my company’s electronic insurance application – and every year they ask me whether we encourage strong passwords and change them often. This question really bothers me, because we don’t have to change passwords often. Instead, we must choose authentication processes that are proportional to the risks of the site; a password must be the last thing you want to rely on.
First, think about what information and data a website holds about you. The sites we most want to protect are often the weakest. Whenever you can, add two-factor authentication to access the site. (Not all multi-factor authentication is created equal, but some kind of multi-factor is better than nothing. If it encourages attackers to go elsewhere, it has done its job.)
Banks and financial institutions are often slow to deploy authentication software, so you have to accept a username and password followed by a two-factor step – usually a text sent to your smartphone. Although smartphone SIMs can be cloned (so attackers can spoof your phone and intercept text messages), the vast majority of us are still better off with the process. Relying solely on your username and password to access the bank puts your account at risk.
To be fair, not all passwords are created equal. If you reuse a password on another website or another bank account, you are at greater risk. Attackers often steal or buy a repository of cracked passwords or password “hashes” and then try to reuse them to gain access to other sites. If you’ve received a password reset notification – and you haven’t tried to log into the account – it’s possible that an attacker is trying a credential-stuffing attack on the site. So do not reuse the same password anywhere.
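For a site operator, the password-reuse attack described above leaves a recognizable shape in login logs. The following is an added example, not code from the original article: the log format, the thresholds and the function names are assumptions, and the log lines are constructed sample data.

```javascript
// Constructed sample log (timestamp, source IP, account, result); format is an assumption.
const LOG = `2022-03-01T10:00:01Z 203.0.113.7 alice FAIL
2022-03-01T10:00:03Z 203.0.113.7 bob FAIL
2022-03-01T10:00:05Z 203.0.113.7 carol OK
2022-03-01T10:00:07Z 203.0.113.7 dave FAIL
2022-03-01T10:00:09Z 203.0.113.7 erin FAIL
2022-03-01T10:01:00Z 198.51.100.9 admin FAIL
2022-03-01T10:01:02Z 198.51.100.9 admin FAIL
2022-03-01T10:01:04Z 198.51.100.9 admin FAIL
2022-03-01T10:01:06Z 198.51.100.9 admin FAIL
2022-03-01T10:01:08Z 198.51.100.9 admin FAIL
2022-03-01T10:02:00Z 192.0.2.44 gina FAIL
2022-03-01T10:02:20Z 192.0.2.44 gina OK`.split('\n');

function parse(line) {
  const [ts, ip, user, result] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), ip, user, ok: result === 'OK' };
}

// Stuffing: one source tries leaked pairs, so it touches many accounts with one
// or two attempts each. Brute force: many failures against very few accounts.
function classifySources(lines, opts = {}) {
  const { windowMs = 60000, minAccounts = 5, maxPerAccount = 2, minFails = 5 } = opts;
  const byIp = new Map();
  for (const e of lines.map(parse)) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const report = {};
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    let verdict = 'normal', resetAccounts = [];
    for (const start of events) {
      const win = events.filter(e => e.t >= start.t && e.t < start.t + windowMs);
      const tries = new Map();
      for (const e of win) tries.set(e.user, (tries.get(e.user) || 0) + 1);
      if (tries.size >= minAccounts && Math.max(...tries.values()) <= maxPerAccount) {
        verdict = 'credential-stuffing';
        // A success inside a stuffing burst means a reused password worked.
        resetAccounts = win.filter(e => e.ok).map(e => e.user);
        break;
      }
      if (tries.size <= 2 && win.filter(e => !e.ok).length >= minFails) verdict = 'brute-force';
    }
    report[ip] = { verdict, resetAccounts };
  }
  return report;
}
console.log(classifySources(LOG));
```

Accounts listed in `resetAccounts` are the ones where a reused password was accepted, so they are the ones that need a forced reset and a second factor.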
For years, online users have been asked to change their usernames to see if the site is selling their information elsewhere. Now I see the same kind of recommendations for choosing passwords or passphrases. There is a very funny video online which highlights the process people use to choose passwords. You start by choosing a password, then you use it everywhere. Then when a site says it isn’t good enough, you add another letter. Then you need a special character (such as an exclamation point). The truth is that our brains can only hold so much information, which is why we tend to reuse the same password, or one of its variations, across multiple sites.
Microsoft often recommends the use of personal identification numbers (PINs) over passwords. It argues that the PIN is device specific, so if an attacker steals your PIN, they must also steal the device. There is a problem with this argument. I have several devices that require a PIN, and I have to admit that I use the same PIN on all of them because I don’t remember PINs better than passwords. According to Microsoft, the advantage of a PIN is that “when a PIN is generated, it establishes a trust relationship with the identity provider and generates an asymmetric key pair that is used for authentication.” The PIN is saved by the computer’s Trusted Platform Module (TPM) chip. (If you’re wondering why a Windows 10 device is asking you to use a PIN instead of a password, it’s because your registered operating system had the hardware to support this process.) If you don’t need or want a PIN, you can remove it. Press the Windows key and the I key to open Settings. Choose Accounts, then click Continue. On the left panel, click Connection Options. On the left panel, choose Delete, under the PIN section.
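The design in the Microsoft quote above can be modeled in a few lines. This is an added example, not Microsoft's code or code from the original article: software passphrase encryption stands in for the TPM, and `createDevice`, `register`, `signIn` and the in-memory `server` are hypothetical names.

```javascript
const nodeCrypto = require('crypto');

// Assumption: the identity provider stores public keys only, never the PIN.
const server = { publicKeys: new Map() };

function createDevice(user, pin) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  // The private key never leaves the device and is sealed under the PIN.
  // A real TPM also rate-limits PIN guesses; passphrase encryption does not.
  const sealedKey = privateKey.export({
    type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: pin,
  });
  return { user, sealedKey, publicKey };
}

// Enrollment: the trust relationship is the public key on file for the user.
function register(device) {
  server.publicKeys.set(device.user, device.publicKey);
}

function signIn(device, pin) {
  const challenge = nodeCrypto.randomBytes(32);       // server-issued nonce
  let key;
  try {
    key = nodeCrypto.createPrivateKey({ key: device.sealedKey, passphrase: pin });
  } catch {
    return false;                                     // wrong PIN: key stays sealed
  }
  const signature = nodeCrypto.sign(null, challenge, key);   // happens on the device
  const pub = server.publicKeys.get(device.user);
  return pub !== undefined && nodeCrypto.verify(null, challenge, pub, signature);
}

// Constructed scenario: same user, same PIN, two different machines.
const laptop = createDevice('sam', '4821');
register(laptop);
const otherMachine = createDevice('sam', '4821');     // knows the PIN, lacks the key

console.log('enrolled laptop, right PIN:', signIn(laptop, '4821'));
console.log('enrolled laptop, wrong PIN:', signIn(laptop, '0000'));
console.log('other machine, right PIN:  ', signIn(otherMachine, '4821'));
```

The third case is the one that matters for a reused PIN: the PIN is correct, but the signature comes from a key the identity provider never enrolled, so the sign-in fails.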
Efforts to improve online security are increasing. Intuit recently started asking for an online password, even to log in to a desktop copy of QuickBooks, its accounting and bookkeeping software. Those whose QuickBooks file contains sensitive information such as payroll or credit cards must also sign in with an online account first. For years, desktop users only needed a username. However, many users felt the change was cumbersome, especially when combined with a mandate to change passwords every 90 days. (Again, the idea is that changing your password is better than using better passwords or using the Google Authenticator app to access your Intuit account.)
Even if you are a small business, you can add two-factor authentication to access your computer for increased security. Duo.com, for example, offers Duo Free for deployments with fewer than 10 users. It can push prompts to a smartphone or even an Apple Watch. I use it in my office for remote access to make sure that when someone logs in from outside the office, they have to respond to a prompt on their phone for access. Ease of use allows me to ensure the security of remote access and avoid excessive password changes.
If you are an online seller or insurance agency, hear me out! Stop asking me to change my password. Instead, ask me what my favorite multifactor app is. This is the fastest way to improve security for most users.
Copyright © 2022 IDG Communications, Inc.