With cybercrime on the rise, passwords are not safe anymore. Say hello to passkeys, a better way to protect your account security. Plus, tech companies are rapidly adopting passkey technology.
I haven't gotten into passkeys yet, but I've had a lot of success using a combination of Bitwarden and Google Authenticator. I use different methods, different password lengths, a couple different phone numbers for two-factor and some other things so I don't have a single point of access.
And no, I'm not paranoid, or even overly cautious. I just sort of stumbled into the jumble over time. 😉
That's cool! I used Bitwarden too. I think it's one of the strongest password managers out there. The UI could use some work but I'm not complaining. And I recently started using Authenticator for my Stripe account. I feel like Authenticator is somewhat like passkeys but the tech is quite different. But it seems like you have a strong setup. MFA is still solid!
Sounds like you have a solid setup Kevin.
Thank you, Amrita! I'm not that smart. My approach developed organically as I learned more about computers and online work.
(I'm an old pen and paper guy. Or a typewriter. 😉)
I will say this: it's an approach I think a lot of people would benefit from following. And it's not that hard. All of the tools are readily available, and free.
I'm an old school guy too. I just use my pen and paper to write down all my bank accounts and passwords, and it's locked up. I also have a backup somewhere else. It does take a lot of pain to keep them updated, but I know I am in full control of my access.
Sounds good to me. I am interested in trying it.
The security questions are easy for me as they’re associated to life events from childhood. Unless I get dementia, I’m ok. The struggle is keeping up with passwords. I make such crazy ones there’s no way I can remember them so they’re written down and kept in a hidden home safe since I don’t trust password managers.
I do change everything associated with WiFi regularly. Bad experiences forced me to do that.
I had used a password manager at one point, but then I got paranoid, and I too use the archaic approach of writing them down and keeping them somewhere safe. It's good that you update your WiFi password regularly; I feel like that is a major point of attack.
My insurance company was hacked by a trusted contractor. Between that and a hack of my WiFi, I've had all kinds of problems and learned a lot. When my provider tried and failed to stop the WiFi hacker, I decided to radically change passwords on a regular basis and take control of the router password as well.
Lol. I hear you. I forget passwords too. Worst of all is when you take time to think about the password in your mind and then you add it in, only to be rejected by the app because it doesn't meet their criteria and it needs to be 10 characters long or it needs to have special characters. Then in the heat of the moment I just add some password knowing I'll be doomed later...
Has that happened with you?
People already have a hard time dealing with (and wanting to deal with!) a password manager. Passkeys are definitely a step up, but also demand a basic understanding of privacy and encryption practices. That's without mentioning the risk of losing the passkey and getting locked out forever of an encrypted account. Most people should stick for now to enforcing the password manager + 2FA practice. I like solutions like Proton Privacy, which is an all-around privacy solution accessible to the average consumer, based in Switzerland. Password managers/2FA can be synced between multiple devices, and one of these devices can be a backup safely stored. Also, people should really do their homework to understand the tech behind these solutions, whether they are truly private, and what the risk is (are they open source? Zero knowledge? Truly E2E? etc.).
Yes, the homework sounds about right! Because if you screw up on passkeys, then you have to deal with encryption/decryption protocols, which is impossible.
For now, password books, managers, and password+MFA seem like a good approach until we all have it figured out.
I had to do some research to understand passkeys and how different they are from what I know about them from crypto wallets.
Thanks for letting me know about Proton's stuff. I didn't know they had passkeys too. Will check them out.
Most of my accounts use the same general batch of passwords because they don't matter. Oh no, someone might hack my Panda Express account. Oh no, they might log in to Netflix and have the company cry about a new IP address. Not a big deal. So long as none of the important accounts ever use that PW, it's not a big deal.
Brokerage accounts though? That gets a long password of random characters plus 2FA. Toss in a unique username for extra security.
I don't believe changing a PW frequently has any benefit relative to memorizing 12 to 16 random characters. Transferring money? Requires a separate 2FA.
If someone got me on all 3 of those metrics, it probably means I'm a hostage.
True. If they got you on all three counts, they've probably been stalking you somewhere. Thanks for sharing your experience!
Excellent in-depth piece, which captures all the issues surrounding passwords.
Thanks Allan.
Thanks Allan. Glad you liked the post
I love my password book. Lol
I never bought into the online password keepers. Too risky. I do a physical book with everything. It never leaves the house. I use random words and vary some based on perceived threat levels.
Great article!!
Thanks Eric! Sounds like hackers would pick the wrong guy if they tried to get into your system. 😎 A password book is how my dad does it, but he's not a man to be messed around with.
I like your Dad's style.
Thanks Eric, I love low-tech no-tech password book. As a non-techie person myself, I too resort to writing it down, and that hasn't failed me so far. @uttam dey had once tried to migrate me over to Bitwarden, but I stuck to my old ways lol.
Don’t got to fix what ain’t broken. lol
Yes, I only trust my book. And update it regularly and divide accounts/passwords into categories to make things easy and quick to find.
Dot journals can be next level for organizing a book/journal for referencing. I use one for my trading journal but need to step up my game; there are so many ways to be creative with these books.
Thanks for sharing this Eric. I did not know much about dot journals. But there seems to be a whole universe of creativity in what can be done with dot journals. I spent all morning looking at TikToks about what people do with them. Super fascinating!
Hahaha. Yea they are. Pretty neat what some dots and creativity can do.
It's a double-edged sword. They are convenient. And on the other hand (this is my 007 part of the brain speaking) hackable as well. There is no 100% guarantee. It's rather a continuum with a threshold where you start feeling safe.
Absolutely. Just yesterday I tried to update a user name connected to a password. Guess what? It didn’t work! My idea of ease would be to eliminate both and use a fingerprint or eye scan for identification. Is someone working on that?
Oh yea! There is a bunch of work going on there. I thought it would be too futuristic for the post since I was already writing about passkeys and how they work.
But yes, there are solutions already. For example, Amazon has their palm-scanning technology where you don't need to hold your phone, watch, card, wallet or any device when you are checking out from a physical store... Just put the items in your shopping basket and walk out by scanning your palm at the exit. Amazon will automatically know all the items you took and automatically deduct the cost from the credit card that it stores in your Prime account.
It's called Amazon Just Walk Out technology.
We did think of adding a paragraph/section on password authentication using biometrics, like they do in the Minority Report movie (if you have watched it). But yeah, last time we went to San Francisco, Whole Foods had already implemented the technology.
Whatever comes along, I generally don’t know of it until much later. Here we tend to be on the back foot where tech innovation is concerned. Walmart has had self checkout for a while but only recently has the local Aldi offered it, and then only one register. Seems they’re still experimenting.
I have a passkey for one website. I think it's an excellent idea if it keeps our private information safe.
For the rest of my sites I pretty much use the same password and I have been using it for years. The only time I have been financially compromised is this last week. Over $1,000 missing from one of our bank accounts. We do not bank online so our number is not online. Only two people know the account number and that is available only to the bank and us. I can only conclude a bank employee stole our money.
Uh-oh! Hope the bank credited your money. Usually they have some sort of fund that they take from to credit your account if the bank concludes from their investigation that the customer was indeed defrauded. It happened to one of our accounts, which was drained of $24k. Chase was very helpful, but we had to sit on their heads in the bank. They credited the funds eventually.
Later they told us that the hacker had control of the account using our passwords, so it definitely must have been some malware embedded in something we downloaded. But lesson learned, and that gave me confidence to write this post. 🥸
Thank you! We were refunded immediately. They almost didn't want to discuss the situation because they knew only their employees had our bank account number for that account. We don't have our banking online. But Lord knows how digital bank robbers rob accounts. My guess is it had to have been an inside job, but who knows? 🤷‍♀️ I'm happy we were refunded immediately, and I am so very sorry about your client who lost so much money. That had to have been extremely stressful for all involved.
You can check where that money went. The account has a very specific list of every charge...
True
I love physical tokens for higher security. In fact I use them wherever I can. Two factor is the minimum for me.
Sounds like you are fairly forward with your security setup. What do you think of biometrics? Or are you already leaning on biometrics such as fingerprints or eye scans in your current setup?
Thanks for the great information. Passwords are the worst! I use Dashlane to help, but am morphing to passkeys and MFA.
Dashlane is one of the best too. While researching this topic, I found that they didn't just release their passkeys feature in the last year... recently they topped up their passkey feature with a biometrics support feature that they launched as early as last month.
https://www.dashlane.com/blog/biometric-unlock-easy-passkey-access
That's great to know. Thanks!
That’s what we need. No letters, special characters. No more driver’s licenses, card/social security numbers or other identifying info stored in the cloud or on servers that can be hacked. A simple finger, hand or eye impression would offer a higher level of security and convenience.
Yes. I agree. I think many apps have also realized that so they're using email to authenticate you. If you have ever logged into Substack, have you noticed that?