Tag Archives: passwords

Don’t Take Your PIN to the Grave

On Sunday morning, I received an early phone call from the son of a client, informing me that his father, my client, had passed away. It was sad news, but not shocking; he had been ill for some time. The primary reason for calling me, however, wasn’t just to inform me of the loss. The son was locked out of his father’s iPhone, where critical documents and photos were kept. And despite having worked with me earlier to document his passwords for services like Netflix and Gmail, my client never shared with me the PIN to unlock his iPhone.

[photo: Arlington National Cemetery]

Nobody here needs their passwords anymore.

When we set up devices like smartphones, we are typically asked to enter a small (usually 4- to 6-digit) sequence of numbers. This is our Personal Identification Number (PIN), required to unlock the phone. Newer models add to this security by incorporating biometric methods like fingerprints and even facial recognition; but at the end of the day, that PIN is still there, keeping that critical data safe.

For more, here is Apple’s page: “Use a passcode with your iPhone, iPad, or iPod touch.”

In many cases, users can “opt out” of assigning a PIN to their phones; but by default, the step of setting up a PIN is part of the “new phone setup” process. At that point, we just type in whatever number we usually use, and we almost never write that number down.

Don’t laugh; yours probably isn’t that much better.

I have clients who type their PINs so often and so rapidly that the process is now muscle memory. If asked what that number is, they actually have to take a moment to recall it.

In fact, Vanderbilt University performed a study in 2013 on the typing muscle memory phenomenon.

Instinctively tapping the keys in the correct pattern may make for a speedy unlocking process, but it does nobody any good if the phone’s owner takes that PIN to the grave.

When Syed Rizwan Farook died in a battle with police following his December 2015 terrorist attack in San Bernardino, the first course of action the police took was to attempt to unlock his iPhone, hoping to learn more about his motivations for killing 14 people and injuring 22 more. Unfortunately, the iPhone’s security measures meant that they would not be able to get in through conventional methods. 

From the Wikipedia article on the attack:

On February 9, 2016, the FBI announced that it was unable to unlock one of the mobile phones they had recovered because of the phone’s advanced security features. The phone was an iPhone 5C. … The FBI first asked the National Security Agency to break into the phone, but the NSA was unable to do so. As a result, the FBI asked Apple Inc. to create a new version of the phone’s iOS operating system that could be installed and run in the phone’s random access memory to disable certain security features. Apple declined due to its policy to never undermine the security features of its products.

The struggle between the authorities and Apple led to a public debate over safety vs. privacy, one that continues to this day—despite the FBI eventually employing third-party methods to unlock the phone.

If even the FBI has to undertake extraordinary measures to unlock a phone, it’s not going to be any easier for a layperson—and certainly not a layperson who is also coping with the death of a loved one.

While my client’s son had been led to believe that he may be able to convince Apple to unlock the phone by presenting them with a death certificate, I’m honestly not so sure. This relevant 2013 discussion on the Apple Communities page goes into the details on why the system works the way it does, and why it’s not as simple as having the store “unlock” it, the way they can unlock, for example, a Macintosh computer.

For the record, this is NOT how you get into a Mac without a password.

The lesson here is that a PIN is just as important as every other password you use on a daily basis, if not more so. So when you’re compiling your list of passwords (and here’s my article about how and why to do so), start by writing down all your PINs. 

Your loved ones will thank you for sparing them that extra grief.

[photo: child at a grave]

“I miss you, Grandpa… but at least you kept all your passwords and PINs somewhere safe and accessible!”


Psst… What’s the Password?


On December 14, Yahoo announced that they had suffered a security breach, and hackers had accessed a billion Yahoo accounts. In the aftermath, I’ve been advising my clients to change their passwords. And that’s when the ugly truth comes out: many of my clients don’t know their passwords.

Today’s modern email programs, web browsers, and operating systems store passwords; once you enter a password, you may never have to type it again. Even if you get a new computer, in many cases the transfer process from one computer to another carries the stored passwords along. But what if you are setting up a new device without transferring data from another source? What if you want to change your password and first need to enter your current password?

The good news is that in most cases, sites that require a password have methods for recovering forgotten passwords, such as iforgot.apple.com. The bad news is that one common method involves security questions, the answers to which may be even harder to recall than the original password.

Think about this question: “My Best Friend Growing Up.”

[photo: friends on roller skates]

Is this the answer?

[photo: the best friend]

…Or is THIS the answer?

One solution to the password dilemma is to use the same password for everything. This is a terrible idea. If that one password gets found out, every account for which you use it is at risk. In fact, there’s a site that can track down whether or not your accounts have been violated: HaveIBeenPwned.com
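The same site also offers a Pwned Passwords lookup, which lets you check a single password against known breach dumps without ever sending the password (or even its full hash) to anyone. The script below is an added example, not code from the post or from Have I Been Pwned: it computes the SHA-1 of the password, sends only the first five hex characters of that hash to the real endpoint https://api.pwnedpasswords.com/range/<prefix>, and matches the remaining 35 characters locally against the returned list. The SAMPLE_RANGE_RESPONSE and its counts are constructed so the demonstration runs offline; only the suffix for the word “password” is a genuine SHA-1 value.

```python
"""Offline walk-through of the k-anonymity lookup behind Have I Been Pwned's
Pwned Passwords service. Added example; SAMPLE_RANGE_RESPONSE is constructed
to look like a real response and is not data from the service."""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample: one line per hash whose SHA-1 starts with the queried
# 5-character prefix, formatted as <35-char suffix>:<times seen in breaches>.
# The third line is the real suffix of SHA-1("password"); its count is made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2A5E1A3C5C0B1B1DAB1B1F5B6F7C8D9E0:1
"""

# Offline stand-in for the service: ranges we "know", keyed by prefix.
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_RESPONSE}


def split_hash(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into a dict keyed by suffix."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup of one prefix (network; not used by the offline demo)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix):
    """Lookup that answers from the constructed sample instead of the network."""
    return OFFLINE_RANGES.get(prefix, "")


def breach_count(password, lookup=fetch_range):
    """How many times the password appears in known breaches (0 = not found).
    `lookup` maps a prefix to the range text, so the check can stay offline."""
    prefix, suffix = split_hash(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "a less common choice"):
        n = breach_count(pw, lookup=offline_lookup)
        verdict = f"seen {n} times" if n else "not in the sample"
        print(f"{pw!r}: prefix {split_hash(pw)[0]}, {verdict}")
```

Swap `offline_lookup` for the default `fetch_range` to query the live service; the password itself never leaves the machine either way, which is the point of the prefix-only design.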

There are third-party systems like 1password that promise, “Login with a single click. You never need to remember another password again.” I respect any service that allows you to be more secure, but I personally would prefer to keep track of all my passwords myself, instead of leaving it to the tender mercies of another company. Because if 1password ever got hacked… (in fact, there was a scare last year about that very risk!)

So what is one to do? I write down my passwords. But just writing them down isn’t enough. Let me address some comments that come up when I bring up password security:

MY COMPUTER/PHONE/TABLET STORES ALL MY PASSWORDS FOR ME.

That is a great modern convenience. It’s still a good idea to wipe that memory from time to time, especially if you fear your system may have been compromised by harmful software, or if you’ve ever given anyone outside access to your systems. And even if you’ve never had any of those issues, it’s a good idea to clear everything out and change your passwords once a year, if not more frequently.

I KNOW ALL MY PASSWORDS.

If that’s the case, then congratulations. You’re ahead of most people. If, however, this is because you use the same password for all of your accounts and devices, then now would be a good time to change that. Come up with some new passwords—and not just variations on the same one—and write them all down on the forms below. Think of something unique, not necessarily associated with you. For instance, instead of birthdays or family member names, think of the title of your favorite movie, or your favorite song lyric. It’s supposed to be easy for you to remember, but difficult for an outsider who just wants to get to your information.

I ALREADY HAVE MY PASSWORDS WRITTEN DOWN—AND YES, THEY ARE DIFFERENT.

Again, fantastic. But ask yourself these questions:

“Is everything written down in the same place, or do I have different books/sheets/files of varying ages, and it’s hard to tell what’s the most current?” It’s always a good idea to note the date you’ve added or updated a password, so you can be sure which is the most current.

“Is everything legible, and not just to myself?” Bear in mind that somebody else—a lawyer, a family member, your friendly tech support consultant—may need to read your passwords in your absence some day. If you hand-write them, make legibility your top priority. If you type them out, make sure to note what’s upper- and lower-case. Most passwords are case-sensitive.

“How difficult would it be to reset the password if what I’m SURE worked stopped working for some reason?” Many sites and devices have options for resetting passwords, so forgetting yours may not mean the end of the world. However, the method some services use includes security questions, the answers to which may be tricky to remember as well. To help with those protocols, we’ve included a sheet for those, too.

MY HANDWRITING IS EXCELLENT.

Still, to be safe, when hand-writing your passwords and account numbers, do your best to distinguish:

[image: handwriting sample showing easily confused characters]

The above font is “Secretslob” by Duck Reid. Click the text sample above to download the font from dafont.com.

It may seem like you’re back in grade school, but precise penmanship can mean the difference between access and being locked out.
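One way to take the guesswork out of a hand-written or read-aloud password is to spell it out one character at a time, stating the case of every letter and flagging the look-alike pairs (0/O, 1/l/I, 5/S, 2/Z, 8/B). The helper below is an added example, not part of the post: the NATO phonetic alphabet is standard, but the list of confusable pairs, the wording, and the sample password are this example’s own constructed choices.

```python
"""Spell a password out character by character so it can be hand-written or
read aloud without confusing 0/O, 1/l/I and similar pairs. Added example, not
from the post; the NATO alphabet is standard, the confusable list and wording
are this example's own choices."""

NATO = {
    "a": "Alfa", "b": "Bravo", "c": "Charlie", "d": "Delta", "e": "Echo",
    "f": "Foxtrot", "g": "Golf", "h": "Hotel", "i": "India", "j": "Juliett",
    "k": "Kilo", "l": "Lima", "m": "Mike", "n": "November", "o": "Oscar",
    "p": "Papa", "q": "Quebec", "r": "Romeo", "s": "Sierra", "t": "Tango",
    "u": "Uniform", "v": "Victor", "w": "Whiskey", "x": "X-ray", "y": "Yankee",
    "z": "Zulu",
}
DIGITS = ["zero", "one", "two", "three", "four",
          "five", "six", "seven", "eight", "nine"]
SYMBOLS = {
    " ": "space", "!": "exclamation mark", "@": "at sign", "#": "number sign",
    "$": "dollar sign", "%": "percent sign", "^": "caret", "&": "ampersand",
    "*": "asterisk", "-": "hyphen", "_": "underscore", "+": "plus sign",
    "=": "equals sign", ".": "period", ",": "comma", ":": "colon",
    ";": "semicolon", "?": "question mark", "/": "slash", "\\": "backslash",
    "|": "vertical bar", "'": "apostrophe", '"': "double quote",
    "`": "backtick", "~": "tilde", "(": "open parenthesis",
    ")": "close parenthesis", "[": "open bracket", "]": "close bracket",
    "{": "open brace", "}": "close brace", "<": "less-than", ">": "greater-than",
}
# Pairs that look alike in handwriting and many fonts. The note names what the
# character is NOT, which is what the person reading the sheet needs to know.
CONFUSABLE = {
    "0": "capital O", "O": "digit 0",
    "1": "lowercase l or capital I", "l": "digit 1 or capital I",
    "I": "digit 1 or lowercase l",
    "5": "capital S", "S": "digit 5",
    "2": "capital Z", "Z": "digit 2",
    "8": "capital B", "B": "digit 8",
}


def describe_char(c):
    """One unambiguous phrase for a single character."""
    if c.isascii() and c.isalpha():
        case = "capital" if c.isupper() else "lowercase"
        return f"{case} {c} ({NATO[c.lower()]})"
    if c.isascii() and c.isdigit():
        return f"digit {c} ({DIGITS[int(c)]})"
    if c in SYMBOLS:
        return f"symbol {c} ({SYMBOLS[c]})"
    # Anything else (accented letters, emoji) is given by code point so it
    # can still be typed back exactly.
    return f"character {c} (U+{ord(c):04X})"


def spell_out(password):
    """Numbered, one-per-line description of every character."""
    lines = []
    for i, c in enumerate(password, 1):
        desc = describe_char(c)
        if c in CONFUSABLE:
            desc += f", not {CONFUSABLE[c]}"
        lines.append(f"{i}. {desc}")
    return lines


def ambiguous_characters(password):
    """Characters in the password that deserve extra care when hand-written."""
    return [c for c in password if c in CONFUSABLE]


if __name__ == "__main__":
    sample = "Pa0lI5!"  # constructed sample, not a recommendation
    print("Ambiguous characters:", ambiguous_characters(sample))
    print("\n".join(spell_out(sample)))
```

The spelled-out list is what you would write next to the password on the sheet, or read over the phone to the family member or consultant who has to type it in after you.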

DOESN’T HAVING EVERYTHING IN ONE PLACE MAKE ME MORE VULNERABLE?

That is a valid concern. Keep your list somewhere safe and accessible. If you’re worried, then print the forms (below) and only use the hard copy, and not a digital version which could get hacked. Share a copy only with somebody you trust, along with instructions should you not be available to help unlock your accounts and devices. If you have a will, include this document with it.


OFFICIAL PASSWORD RECOVERY SHEET (click to download)

[form image: official-password-recovery-sheet]

OFFICIAL ACCOUNT INFORMATION SHEET (click to download)

[form image: official-account-information-sheet]


Once you’ve printed out the forms, it may be the perfect time to come up with some new passwords. For some inspiration, I recommend reading Danish blogger Thomas Baekdal’s 2007 essay, “The Usability of Passwords.”

If you have any questions, feel free to ask for any advice you may need regarding anything mentioned above, or anything else. This is sensitive material, so it’s wise to take it seriously.

And if you take nothing else away from this post, please, please, don’t let your password be the word, “password.” ◼︎