Sunday, October 3, 2021

NCS Month 2021 #1: Password Password Passwha--?

Last year, instead of my bog-standard reminder to change your passwords, I asked how often you change the password on your primary email account.

And the results are in!

I received one reply (it was me, no surprise), and they said every 6 months.

That's... not terrible. I mean, obviously, it could be worse. Six months average on a year-old survey, and we're getting to the point where more and more services are switching to biometrics instead of passwords or PINs, which... is not good news.

Sure, you don't have to remember as much, but biometrics are not protected in the US (unless something has changed and I missed it), and it's relatively easy to steal someone's fingerprint or DNA, unless they wear nitrile gloves and hair nets 24/7.

I'm sorry if I'm offending anyone here, but PINs are stupid. Most PIN receivers limit you to 4 characters, and all that is is a really shitty password. It's not even alphanumeric, with 36-62 possibilities (36 if not case-sensitive, 62 if case-sensitive); it's just numbers. One thousand possibilities. If you think a PIN is more secure than a password, you're an idiot.

If you think biometrics are more secure than a password, you're still an idiot.

Do you know what it means when I say biometrics aren't protected?

That means if you use a fingerprint or voiceprint to unlock your phone, the police or the court system doesn't need a warrant or a subpoena to force you to unlock your device. They can just open it up without your consent, and get away with it without even having suspicion of wrongdoing.

That means they can peruse your personal property to find evidence of you breaking the law, and then convict you based on that evidence. Goodbye Fourth Amendment.

Don't use biometrics. Get a password, and a damn good one.

And if a service doesn't let you set a password, don't use it.