The “Dark” Web

Or: Why you shouldn’t use Experian/LifeLock Dark Web Monitoring

You know “the web”. This is what you and your friends visit, link to, and find in search engines.

The “dark web” is pretty much everything else.

While most associate the dark web with being the “evil” places on the Internet, that’s simply not true. It’s a branding thing – use words like dark or black and suddenly people think “evil.” The vast majority of the dark web really is just the rest of the Internet that you’ve never seen or heard of, or which doesn’t show Google/Meta ads or push their approved narratives, so search engines don’t index them. Bob’s Antique Shoe Repair, that tiny diner that just has a picture of their menu on their website, and the pages on a poorly designed website that just aren’t linked to effectively from anything else. These all end up being invisible to the typical person because the Internet is just so insanely massive.

Don’t get me wrong, there are evil parts of the dark web, as there are of the web you know already. Facebook has actively been supporting child porn on their platform. So has Google. As well as racism, intolerancemurderporntrafficking, and more. That last one is a joke, but it also really demonstrates the ridiculousness of allowing a social media site like Facebook that allows all of this evil to remain in control the approved narratives for everyone else.

Anyway…this isn’t about that. What we need to talk about today is whether the “dark web” fear tactics from Experian and other credit reporting agencies, as well as exclusively-profit-driven Norton LifeLock and other “dark-web monitoring” services, are actually doing you a favor by warning you about the appearance of information “found” on the dark web.

No. No, you don’t need to worry. As long as you’re using new, strong, unique passwords for every single website and service you don’t have anything more to worry about just because one site or another was hacked and your data is now in one more place.

I briefly covered part of this in the Dictionary Attacks & Targeted Dictionary Attacks sections of the recent Password Advice article: There are literally billions of hacked accounts reported every single month. HIBP covers only a tiny fraction of them – less than 3%. If HIBP hasn’t found it then there’s very little chance Experian will. Experian telling you the same thing that’s been reported in dozens of MSM stories and news articles shouldn’t really surprise you. What would surprise me is if they found anything new.

It is impossible to stress just how significant unique passwords are. Invest your time and mental focus on creating unique passwords instead of worrying about the dark web.

For the rest of this article I chiefly name Experian, but it would be safe to mentally replace it with any of these other “dark-web monitoring” companies and the advice still applies. Experian is just a perfect demonstration of why you don’t feed these gremlins.

The impetus for this particular article is a friend who was concerned about Experian reporting that her information was “recently” exposed in an AT&T data leak. This data leak, which AT&T vehemently denied for weeks (years, actually) before finally acknowledging it on March 30th, 2024, contains 73 million customers’ information, and was added to the Experian “dark web” reports on April 26th, 2024. Experian waited almost a month to even acknowledge data that had been available to anyone for months prior, that AT&T knew about for months, and that had actually been compromised five years ago and had been available on the dark web, linked to on many security forums, three years ago.

Okay, so they’re slow, that doesn’t mean it isn’t important.

That’s true. It does, however, strongly suggest that they’re not pulling their weight. You see, the dark web monitoring is one of their paid services and it took them literally months to find information that was being publicly disclosed on many popular technology websites, years after it was posted on the popular dark web info-trading sites. Do you really think they’re capable of finding information in time to make any difference?

More importantly, is there any information about you whose leak or compromise would make that much of a difference to your daily life? Your bank account or financial information, maybe your passwords (especially if you reuse passwords)…anything else? Checking your credit a few times per year or being alerted months after something got out isn’t going to help. Monitor your bank, financial, and investment accounts rigorously. Check them at least once per month, since most institutions rely on fraud policies that cannot reverse transactions after 60 days. If you’re not checking your statements, then by the time Experian or LifeLock tells you about a problem it would already be too late to do anything about it anyway.

There are other concerns, though.

It’s not merely that Experian is ineffective. These services actually increase your risk.

Sites and services that collect sensitive information are prime targets. That is, Experian is more likely to be a target than Betty’s Knitting Hub. A relatively minor hack on Experian (or LifeLock) could result in major data access. Even a single customer record could enable an attacker to abuse someone’s entire identity. Experian is no stranger to this. At all.

The sensitive information I’m most concerned about isn’t your credit report data or your name, date of birth, or SSN, all of which can be obtained in seconds with a cheap background check. No, what I’m concerned with is all the data that you are required to populate into the “my private information” form on the Experian (or LifeLock) website so they know what to look for on the dark web. Stuff like your email addresses, phone numbers, user names, bank account numbers, credit card numbers, passwords, investment account details…you know, all the things an actual hacker would consider a wonderful treasure trove. This “feature” isn’t the same thing as adding your personal information to a credit report, as credit reports are actually limited in what they store and share, and for good reasons. The “monitoring” feature is wholly different because it literally creates a single repository of information that would give an attacker who gained access to that one page a lottery-winning level of access to your information.

Question: If you give this information to Experian and Experian gets hacked and your data gets leaked as a result, what do you think the resolution is going to be? Maybe a couple years of “free” service from the same company that got hacked in the first place?

Yes. They were hacked. A lot. A whole lot. And that’s when they weren’t just flat-out selling your information.

Experian and Norton LifeLock have been hacked before. Lots. However, if you populate these forms, an attacker wouldn’t even need to hack Experian or LifeLock. All they would need to do is gain access to that one online account (at Experian or LifeLock) and suddenly they have access to this huge treasure trove of information. Using a good password is an absolute necessity, especially in cases like this, but their account validation system has proven to be quite defective in the past so I wouldn’t trust it with any other information.

DO NOT give these data brokers any more information than they’re already going to sell or allow to be hacked. The benefit, even if there were any, is far outweighed by the massive additional risk.

Instead of using these ineffective and often malicious services, just use new, strong, unique passwords on each site and take a few minutes each month to look at your statements.


Shawn K. Hall

Password Advice

This is a long and extensive article covering my basic password advice and reasoning. Please take the time to read it and if you have any questions comment below and I will respond.

Assume the worst

Whenever you start dealing with password problems, it’s safest to assume all passwords and accounts are compromised. If someone had access to your device then collecting your passwords from Chrome, Edge, Firefox and Safari would take only seconds. Even if you don’t store your passwords within your browser then the attacker could still collect your passwords from an installed keylogger or other malware.

Do not change your passwords until each of your devices has been disinfected, of course. It doesn’t make sense to give the attackers direct access to your new logins so clean it up first.

While changing passwords is a good first step, if you do not check the filters/rules, forwarding, reply-to, and active sessions for your email accounts then any passwords you change are moot since the attacker could continue to have access to your email accounts and can simply reset any passwords you’ve changed. The “forgot password” option on most websites sends an email to reset your password and requires no additional validation.

Why use a password manager?

Using the native browser password management system (such as the Google Password Manager in Google Chrome) means that if your browser or Google account is ever compromised, or if someone manages to have even brief access to your computer, or if a piece of malware steals the local password database from the browser, then your passwords are all immediately and completely compromised.

Not using a password manager means that you have to have a written record of all your passwords somewhere. I’ve seen this implemented as a wall of papers with painstakingly recorded names, usernames and passwords, as a “password book” where two thirds of each page is scribbled out, as drawers full of sticky notes, paper scraps or 5×7 cards each with a different account, within Notes or Contacts on iPhone & Android, and as a single monumental spreadsheet or document.

These are all bad ideas.

There isn’t any website verification of any kind, and either the data is physically exposed to anyone who enters the room or rummages through a drawer, or the data is unencrypted and accessible to anyone with momentary access to the device to open Notes or Contacts, including malware or rogue apps.

Knowing the username and password for a website is only part of safely authenticating: password managers ensure that you are using the login details ONLY on the real website that you saved them with, and warn you if you try to fill them anywhere else. This alone can prevent most phishing attacks.

The worst of these is using either the Notes or Contacts feature on smart phones because it’s not only unencrypted, but when you copy something on mobile devices the contents of your clipboard are then automatically sent to many applications on the device to see if they have any use for it. It’s announcing your password to potentially malicious or rogue applications. Why would a flashlight app need to view your clipboard? Simple answer: so it can hack your accounts.

Using a third-party password manager solves each of these potential issues by locking the password “vault” in at least 500,000 layers (really) of encryption so simply copying the vault file itself will not enable an attacker to compromise your accounts.

One other benefit of a password manager is that it will synchronize between your computers, phones and tablets so your passwords will automatically be available on each device, in every browser, and in most apps. You will still have to enter the master password, of course.

I recommend Bitwarden, which is free for most people’s needs:

The basic version (all that most people require) is free, open source, cross-platform and well-maintained.

Once you have a password manager set up you can then generate new, strong, unique passwords for each of your other accounts with minimal effort.

Master Password

Before you begin using a password manager you will need to think of a master password.

All password managers operate through a “master password” mechanism. They basically use a single password that unlocks access to your “password vault” which holds all of your other passwords, so it needs to be memorable, strong, long and completely new. Something not remotely like anything you’ve ever used before.

Your master password should be a bare minimum of 24 characters. If you’re comfortable typing more, go big. I recommend using an entire phrase: something like a line from a song, a Bible verse, a quote, or something else like that which you are unlikely to forget. Just make sure you change it a little bit so that it cannot be easily hacked by someone that uses these same rules for creating their password cracking database. 🙂

One note if you choose a song: make sure you don’t hum or sing the song while you are typing it. An observer would be able to use this hint to improve their chances of accessing your accounts.

It should go without saying, but I will say it anyway: do not use the same stinking password you’ve been using since you first touched a computer as your master password. Trust me when I say it’s a bad password. A very bad password.

Note: If you forget your master password you can reset it, but you will lose access to all stored passwords. Real password managers don’t keep a copy of your password so if you forget it, it’s gone. Bad password managers either allow recovery or reset, but they should be avoided since this means that it’s never really secure. Some “business”-type password managers provide recovery through the business as long as the business account is still accessible. This is okay as long as you trust the business with access to your passwords or use it only to store the business accounts.

Length and Entropy

For all passwords, I recommend using a minimum of 24 characters, randomly-generated, including mixed case + symbols + numbers. If you don’t yet have a password manager like Bitwarden or RoboForm then you should do that first. If the site won’t let you use that many characters, use as many as it will allow.

ALWAYS use a new, unique, long, random password for each and every account.

An 8-character password is a joke. There are only 96^8 possibilities in an English 8-character password, or 7,213,895,789,838,336 variations. Roughly 7 quadrillion variations. The CPU on my 2016 laptop supports 14.4 billion calculations per second so it would take only 5.8 days to traverse the entire list. This password math also assumes that only a single computer was being used and that it’s an 8+ year old laptop using only a CPU for calculation. A relatively inexpensive video card (GPU) from 2022 can process the same password list in 48 minutes. Tandem or cloud computing can reduce these numbers to tiny fractions of this based on the number of devices you throw at it. These numbers also represent the maximum amount of time to process the entire list, not the average time to crack an actual password, which is significantly less.

Furthermore, this assumes that most common printable characters are available and supported by the password platform. Many aren’t. Most systems even limit entropy by requiring a number (which reduces complexity for at least one character by 90%), or symbol (65%), and usually require the first character to be a letter (46%). These rules actually reduce potential password complexity in the name of increased security. Sigh.

15 characters isn’t long, either. A 15-character password still has relatively minor entropy – depending on the specific rules a site imposes, a 15-character password has only 96^15 variations in the English language, or 542,086,379,860,909,058,354,552,242,176 possible variations. I know that looks like a long number, but in cracking terms, it’s not.

These numbers are all based on cracking based on the full scope of the potential passwords. The actual time to crack is much smaller when based on dictionary attacks. More on that later.

With today’s hardware and what’s coming soon with commercial quantum computing you shouldn’t be thinking in terms of “how long do I have to make it?” but rather “how long can I make it?” Always use the longest password you can for any given site. For example, Facebook allows you to use a password that’s 500 characters long. Use it! That changes the number of variations up to 96^500 (that’s about a thousand digits). Using a password manager makes generating, storing and filling this password a breeze.
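The arithmetic behind the figures above, as an added worked example that is not part of the original article. It takes the article’s own inputs (a 96-symbol alphabet, 14.4 billion guesses per second on the 2016 CPU, 48 minutes on the 2022 GPU, a 175,000-word vocabulary) and reproduces the keyspaces, the crack times, the digit count of 96^500 and the 90%/65%/46% reductions caused by composition rules. The split of the 96 symbols into 26 lower-case, 26 upper-case, 10 digits and 34 symbols is an assumption made here to reproduce those percentages.

```python
"""Keyspace and exhaustive-search arithmetic behind the figures in the text.

Added example, not part of the original article. The 96-symbol alphabet, the
14.4 billion guesses/second CPU rate, the 48-minute GPU figure and the
175,000-word vocabulary are the article's numbers; the split of the alphabet
into letters/digits/symbols is an assumption chosen to reproduce its
rule-reduction percentages.
"""
import math

ALPHABET = 96                       # printable characters, per the article
LOWER, UPPER, DIGITS = 26, 26, 10   # assumed composition of those 96
SYMBOLS = ALPHABET - LOWER - UPPER - DIGITS   # = 34
CPU_2016_RATE = 14.4e9              # guesses/second, the article's 2016 laptop
GPU_2022_SECONDS = 48 * 60          # article: same list in 48 minutes on a GPU
VOCABULARY = 175_000                # article's dictionary-word estimate


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(space):
    """Bits of entropy of a uniformly random choice from `space` candidates."""
    return math.log2(space)


def exhaust_seconds(space, rate):
    """Worst case: time to try every candidate at `rate` guesses/second.
    A uniformly random password is found after half of this on average."""
    return space / rate


def implied_rate(space, seconds):
    """Guesses/second needed to exhaust `space` candidates in `seconds`."""
    return space / seconds


def rule_reduction(allowed, alphabet=ALPHABET):
    """Fraction of one position's choices removed when a composition rule
    restricts that position to `allowed` of the `alphabet` symbols."""
    return 1 - allowed / alphabet


def passphrase_keyspace(words, vocabulary=VOCABULARY):
    """Keyspace of `words` words drawn uniformly from the vocabulary."""
    return vocabulary ** words


if __name__ == "__main__":
    for n in (8, 15):
        s = keyspace(n)
        days = exhaust_seconds(s, CPU_2016_RATE) / 86400
        print(f"{n} chars: {s:,} candidates, {entropy_bits(s):.1f} bits, "
              f"{days:,.1f} CPU-days worst case")
    print(f"GPU rate implied by 48 minutes: "
          f"{implied_rate(keyspace(8), GPU_2022_SECONDS):.2e} guesses/s")
    print(f"96^500 has {len(str(keyspace(500)))} digits")
    print(f"forced digit position:  {rule_reduction(DIGITS):.0%} fewer choices")
    print(f"forced symbol position: {rule_reduction(SYMBOLS):.0%} fewer choices")
    print(f"letter-first rule:      {rule_reduction(LOWER + UPPER):.0%} fewer choices")
    print(f"one dictionary word: {passphrase_keyspace(1):,} choices; "
          f"three random characters: {keyspace(3):,}")
```

The worst-case figures are the ones the article quotes; halve them for the expected time against a uniformly random password, and divide by the number of machines for a distributed attack. The `rule_reduction` function makes the point of the composition-rule paragraph concrete: a rule that pins one position to a subset of the alphabet shrinks that position’s choices, and the only way to get the entropy back is length.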

But again, if you’re not using a random password then you’re still the “low-hanging fruit.” Instead of having to try 96^n variations for any given account, they only need to try the millions of “known” passwords, or even better, only the most popular 10, 100 or 10,000 known passwords. This tiny dictionary will often succeed since people use such weak passwords, so it minimizes the effort significantly. By using a randomly generated long password your passwords are vastly more secure.

If a password manager is not possible yet then use a long passphrase that includes MISSPELLINGS and not simply “1337 5p34k”. A passphrase is a series of words instead of simply characters. People assume that this alone makes it more secure. Unfortunately, that’s not always the case.

The potential randomness (entropy) in passwords using only dictionary words (about 175,000 variations) is less than what you could get with only 3 characters of random text (~885,000), which means that any passphrase less than 7 words is functionally as insecure as using a 12 character random password, which is pretty weak.

Yes, passphrases are better because they’re longer, but if you use each word exactly as-is then you’re just trading entropy with a weaker scope. Adding random misspellings, numbers or symbols will significantly increase the value of using a passphrase. Not because a website requires it, but because it increases entropy.

Password Hygiene: Why use random passwords?

The first thing that happens after a website is hacked is that the leaked passwords are used in “credential stuffing” attacks where the attacker tries each of your passwords on all of the most popular websites and many unpopular websites. The attacker can try thousands of websites at a time with your leaked login details within seconds after downloading the breach data. If you have been reusing passwords then this means that the password you used on a Walking Dead fan site or a CNN talkback page that gets hacked likely grants the attacker direct access to your Amazon, Facebook or even Wells Fargo account.

There are only three critical password rules to remember:

  1. Any password you can remember is not secure.
  2. Never reuse any password or any part of a password.
  3. Don’t share your passwords with anyone.

If nothing else, these rules are the best reason to use a password manager (such as Bitwarden, RoboForm, LastPass, Dashlane, or 1Password) that performs site validation (to prevent phishing) and includes a built-in random password generator.

HaveIBeenPwned (HIBP), a white-hat repository detailing hundreds of hacking events since 2007, currently has over 847 million unique passwords in their database. It also has a counter applied to each password, so you can see that 300,185 idiots all thought “P@ssw0rd” was actually a good idea. This number is vastly undercounted, too, since this number only represents the number of times that this password has appeared within these few publicly disclosed breaches, while most sites either still haven’t had their data compromised or, more likely, the compromised data is not yet public.

Every website will be hacked eventually, if it hasn’t been already. I’m seeing an average of 200+ major hacks every month, with the total number of compromised accounts in the billions. Every month.

Microsoft was hacked three times in the ten-month window between April 2023 and January 2024. Adobe has been hacked at least six times that we know about. The NSA, FBI, Department of Defense, White House, and most government agencies have been hacked at least once. Most businesses (including Microsoft) did not even know they were hacked for months or even years and take even longer before they acknowledge it publicly…if they ever acknowledge it publicly.

Looking through the HIBP breach reports I see that the typical business is hacked for just shy of a year and a half before discovering it (16.8 months on average). They just don’t know. It’s safest to assume every site is already hacked and will likely be hacked at least once per year. The best defense is to practice good security hygiene yourself to ensure that the damage any individual hacking event can cause you is minimal.

Every password will be hacked eventually. A mysterious international “state-sponsored” boogeyman isn’t necessary. Being a billionaire, politician, or other high-value target isn’t necessary, either. Any 12 year old can buy time on Amazon or other cloud providers to automate anything they want, including cracking passwords, and no human being will ever know what goes through a 12-year-old’s mind. They can even do so for free using a trial or by paying for it with stolen credit cards in order to avoid any expense at all.

Dictionary Attacks

People often assume that passwords are usually cracked using brute force: sending every possible random password combination that a site/service/app can support until the correct password is determined. However, since people almost always reuse the same passwords or the same passwords as everyone else, hackers usually perform a “dictionary” attack. This is when the attacker uses a collection of common passwords instead of randomly generating every possibility. These common passwords are usually from password dumps from previous breaches. The attackers test the most commonly used known passwords instead of wasting time & resources on less likely passwords. These lists are out there and they are huge.

Every person will be hacked eventually, but the point here is that while there are currently only 753 dumps worth of data in the HIBP database the numbers show that most people never even consider password hygiene. 753 dumps and 847 million unique passwords might sound like a lot, but remember: there are currently over 200 major hacks every month. HIBP only includes a tiny, tiny fraction of the trillions of accounts that we know have been compromised. If all the data from each of these hacks were actually available the doom and gloom might be far worse. Maybe people are even worse than what the HIBP data shows? We don’t know. What we do know is that the data from HIBP and the numbers below are a signal based on what we can easily observe – the HIBP data. Nevertheless, what we see is truly terrifying.

According to the HIBP dataset:

  • 22,232 passwords have each been used by over 10,000 compromised accounts.
  • 1,222 passwords have each been used by over 100,000 compromised accounts.
  • 44 passwords have each been used by over 1,000,000 compromised accounts.

The top 10 most frequently used passwords account for over 13% of all accounts within the HIBP data. The 44 passwords with over a million accounts each make up a whopping 20.8% of all accounts within the HIBP data, so it is not an exaggeration to say that 20% of the world is using absolute crap passwords. Way more than that, actually, but isn’t that enough?

Here’s where it will really blow your mind: The top 10,000 most frequently used passwords account for 89% of all accounts within the HIBP data. Eighty-nine percent! That means that 9 out of 10 accounts in the world are likely able to be cracked with one of these mere 10,000 passwords. Put another way, almost 90% of the world is using passwords that are functionally no more complex than a 4-digit PIN.

Targeted Dictionary Attacks

Targeted attacks are quite different. Sure, the data is already depressing, but it gets worse. The password data from HIBP is generic and broadly applicable. People tend to use the same types of information in their passwords.

If you’ve been careful enough not to use one of these weaker passwords (on its own at least) there’s still the risk of a targeted attack. Targeted attacks will build on this corpus of information as well as a background check on the target individual. A background check will include your name, initials, aliases, email addresses, phone numbers, extended family members’ (grandchildren, children, siblings, parents, grandparents, cousins and so on) names and birthdates, neighbors, pets, physical and mailing addresses, cities, zip codes, business records, as well as public information you’ve posted on sites like LinkedIn, Facebook, Twitter and other social media.

Much of this information can be generated or collected in an hour or less or bought wholesale through any of a dozen providers that charge as little as $15/month for unlimited background checks.

This information is then added to a custom “personal data dictionary” about you and used as the basis for attacking your passwords. If you are one of the 7 billion people on planet Earth using these facts as the basis for any part of your passwords then this should concern you. This reduces the effort, in terms of complexity, from potentially trillions or quadrillions of variations to mere dozens.

When personal data dictionaries are used together with your publicly available personal data from previous password dumps, an attacker can build up an exacting profile of the specific pieces of personal information you are likely to use when you build a password and programmatically predict every likely variation in mere seconds. Once a personalized data dictionary is generated, most passwords will be compromised near-instantaneously.

All of this to make sure you understand why you need to use a new, unique, long, random password for each and every account. I don’t care how much you loved your cat, just use a random password. Please.

Password Change Order

Now that you’re getting a password manager set up you need to change every password for every account. Really. Most people have dozens or even hundreds of accounts, so this is not a minor task. If you don’t change the passwords then all you’ve done is protect yourself from phishing, while many of the accounts are already exposed or even compromised. Change each stored password to a new, unique, long, random password.

I recommend you change passwords in this order:

  1. Email (Google, Yahoo, AT&T, Hotmail/Outlook, Comcast) – reviewing filters, forwarding, reply-to, and active sessions; and enable 2FA (two-factor authentication)
  2. Banking, Finance and Investment (BofA, Wells Fargo, Vanguard); and enable 2FA (two-factor authentication)
  3. Anything with stored credit card, payment or banking information (Verizon, Costco, Amazon, Walmart, Propane); and enable 2FA (two-factor authentication)
  4. Social Media & Forums (Facebook, Twitter, LinkedIn); and enable 2FA (two-factor authentication)
  5. Everything else

#1 – EMAIL MUST BE DONE FIRST! Any attacker that has access to your email account can just change your passwords again after you change any other accounts.

You must check the filters, forwarding, reply-to, and active sessions for your email accounts, or an attacker will be able to regain access to your email accounts and simply reset whatever passwords you’ve changed.

How do you eat an elephant? One bite at a time.

As I write this I can see your eyes glaze over. Hundreds of accounts and I just want you to change all your passwords?! Yes. Don’t be silly though: you don’t have to change every password right now. Even if you just change one or two passwords each day you will get it done before you know it. You just need to commit to actually working towards this goal.

Device Accounts

There is a gotcha when using good passwords with specific services: device accounts.

You can change almost any password for almost any account and use a password manager to fill it on your devices. Unfortunately, there are three accounts where this can actually be a problem. Apple, Google and Microsoft accounts are now often used for device-level authentication on macOS, iPhones, iPads, Android, Chromebooks, and Windows devices. That means that you will need to be able to manually enter this new, unique, long, random password every time you log in to your phone or your computer, when you make an app store purchase, or at least when initially setting up these devices. An 80+ character random password isn’t fun to type even once, and these devices require it to be entered each time certain actions occur, which could be quite frequent.

In these scenarios using a passphrase is just about the only safe option. Your passwords for these accounts (that are tied to your devices!) need to be as long as possible but memorable, since you may not be able to access another trusted device with your password manager when you are logging in to one of these devices.

If you have accounts on these services that are not used for device authentication then you can still safely generate good random passwords for these accounts.

But wait, there’s more!

In addition to a password manager, there are a couple of other things you can do to minimize your risk.

  1. Set a watch on your email addresses/domains with HIBP:
    This will alert you when your email address appears in breach data along with the site that it was leaked from and what other information was exposed.
  2. Check your passwords against the Pwned Passwords database.
    If you don’t want to risk putting your password into a form on the Internet (and you shouldn’t!), then you have three options:

    1. You can use the “pwcheck” program I created for this purpose. Steps in the next section.
    2. You can create a SHA-1 hash of the password and send ONLY the first 5 characters of it to this URL:
      Replace 00000 with the first five characters of the SHA-1 hash of your password, then compare the results.
    3. You can download and extract the 30+GB database of the entire password collection and compare it yourself offline.

    Note: The HIBP Pwned Passwords service uses the k-Anonymity standard to ensure that your actual password isn’t uploaded when using pwcheck or the API URL. Compare the returned data with the actual SHA-1 hash, and if it’s not there then it hasn’t (yet) appeared in a publicly disclosed data dump. More about that stuff here.

  3. Call me! When you have any security question or concern, please call me. This post covers a lot of the “why” and some of the “how” but you’re sure to have issues when you start using a password manager.
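The k-Anonymity lookup from option 2, as an added example written for this article (it is not pwcheck’s code and pwcheck’s source is not shown here). It hashes the password with SHA-1, sends only the first five hex characters to the real HIBP range endpoint (https://api.pwnedpasswords.com/range/<prefix>), and then searches the returned `SUFFIX:COUNT` lines locally for the remaining 35 characters. The range response used in the demonstration is constructed inline so the script runs offline; the 300,185 count is the figure the article gives for “P@ssw0rd”.

```python
"""Pwned Passwords k-anonymity lookup: the client-side logic.

Added example written for this article; it is NOT pwcheck's code. The range
endpoint https://api.pwnedpasswords.com/range/<prefix> is the real HIBP API;
the response text built by constructed_range() is made up for offline use.
"""
import hashlib
import urllib.request
from typing import Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form HIBP uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """The 5-character prefix is all that leaves the device;
    the 35-character suffix is only ever compared locally."""
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 when the suffix is not listed."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Only the 5-character prefix is sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_offline(password: str, range_body: str) -> int:
    """Full check against a range body that has already been fetched."""
    _, suffix = split_hash(sha1_hex(password))
    return count_in_range(suffix, range_body)


def check_live(password: str) -> int:
    """Full check with a live request for the password's range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(suffix, fetch_range(prefix))


def constructed_range(password: str, count: int) -> str:
    """CONSTRUCTED stand-in for a range response: lists `password`'s suffix
    with `count`, between two made-up filler suffixes, in HIBP's line format."""
    _, suffix = split_hash(sha1_hex(password))
    return "\r\n".join([
        "0000000000000000000000000000000000A:1",   # constructed filler
        f"{suffix}:{count}",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",   # constructed filler
    ])


if __name__ == "__main__":
    body = constructed_range("P@ssw0rd", 300185)   # count quoted in the article
    print("P@ssw0rd:", check_offline("P@ssw0rd", body))
    print("other   :", check_offline("some-other-constructed-password", body))
```

A live run is `check_live("...")`, which behaves like pwcheck’s query: the server only ever learns a prefix shared by several hundred hashes, and a count of 0 means the password has not appeared in a publicly disclosed dump yet, not that it is strong.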

Checking a password with pwcheck

I wrote pwcheck to help test the security of passwords. Over time I’ve added more features to it, such as the ability to generate passwords and passphrases. To use it you’ll need to open a command prompt: click the Start button, type “cmd”, press Enter. A black or blue command window will appear.

To test a password, copy it to the clipboard then type this into the command prompt:

pwcheck .

You’ll get something back like:

Uh-oh. This password has been used by 10382543 compromised accounts.

or:

Yay. This password is not known to be compromised. Yet.

You can use pwcheck to generate random passwords, too. Type one of these commands in the command prompt:

pwcheck /g1
pwcheck /g2
pwcheck /g3

You can then highlight the password and press Enter or CTRL+C to copy it to the clipboard.

/g1 creates a truly random, but relatively short password.

/g2 creates a word-based password (aka, “passphrase”). This is much longer, but doesn’t include symbols or numbers, and does include spaces, so often needs fiddling before some websites will accept it.

/g3 creates a passphrase, like /g2, but replaces the spaces with random symbols and numbers.

For each of these commands you can also add a space and number after the password type (as below) to control the length of the password. For /g1 this number sets the number of characters. For /g2 and /g3 it sets the number of words.

pwcheck /g1 112
pwcheck /g2 9
pwcheck /g3 4
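The three generator styles above, as an added Python example that is not pwcheck’s own code: a random character password (the /g1 style), a space-separated passphrase (/g2) and a passphrase with random digits and symbols between the words (/g3), all drawn from the `secrets` module rather than `random`. The sixteen-word list is constructed so the example runs offline; the entropy helpers are an addition that shows why a real generator needs a list of thousands of words.

```python
import math
import secrets
import string

# Constructed 16-word list, present only so the example runs offline. A real
# passphrase generator uses a list of several thousand words.
WORDS = ["acorn", "basalt", "cobalt", "dune", "ember", "fjord", "glacier",
         "harbor", "iris", "juniper", "kelp", "lantern", "meadow", "nectar",
         "orchid", "pebble"]
SYMBOLS = "!@#$%^&*-_=+?"
PASSWORD_CHARS = string.ascii_letters + string.digits + SYMBOLS
SEPARATORS = string.digits + SYMBOLS


def random_password(length: int = 24) -> str:
    """/g1 style: every character chosen independently from a CSPRNG."""
    return "".join(secrets.choice(PASSWORD_CHARS) for _ in range(length))


def passphrase(words: int = 6, wordlist=WORDS) -> str:
    """/g2 style: words separated by spaces, no digits or symbols."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_with_separators(words: int = 6, wordlist=WORDS) -> str:
    """/g3 style: the spaces replaced by a random digit or symbol each."""
    parts = [secrets.choice(wordlist) for _ in range(words)]
    out = parts[0]
    for word in parts[1:]:
        out += secrets.choice(SEPARATORS) + word
    return out


def entropy_bits_random(length: int, alphabet_size: int = len(PASSWORD_CHARS)) -> float:
    """Bits of entropy for `length` independent draws from an alphabet."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(words: int, wordlist_size: int, separators: int = 0) -> float:
    """Bits for `words` draws from a word list, plus the separators if random."""
    bits = words * math.log2(wordlist_size)
    if separators:
        bits += (words - 1) * math.log2(separators)
    return bits


if __name__ == "__main__":
    print(random_password(24))
    print(passphrase(6))
    print(passphrase_with_separators(4))
    print("16-word list, 4 words:", entropy_bits_passphrase(4, len(WORDS)), "bits")
    print("7776-word list, 6 words:", round(entropy_bits_passphrase(6, 7776)), "bits")
    print("24 random chars:", round(entropy_bits_random(24)), "bits")
```

Four words from the constructed list give only 16 bits, which is why the word list, not the word count, is the first thing to look at in any passphrase generator.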

Credit Freeze

Whether you’ve been hacked or not you should freeze (sometimes called a lock) your credit. Do this by creating an account at each individual reporting agency and then setting up a freeze/lock on the account. This will prevent any new lines of credit (where the creditor actually checks your rating) so it should minimize the risk of financial damage.

Here are the specific pages for the big three credit reporting agencies:

There is NO CHARGE for the ability to freeze your credit, but each of the big three credit bureaus is a business, so they make it easy to accidentally sign up for a paid service instead of simply freezing your credit. Be careful to follow the links/buttons for “Freeze your account for free” or similar verbiage. Also note that each credit bureau requires that you have a cell phone in order to freeze your credit. This is absurd, especially since so much of the elder population, who are the largest targets for credit fraud, are also the least likely to willingly use cell phones.


Shawn K. Hall

Updates 2023-07-11

Welcome back, Folks!

Today is Patch Tuesday for July, 2023.

This month has actually been pretty quiet. There were only 140 major hacks, and over 145 application updates this month. There are only about 4 GB of updates for most users.

This Month in Technology

1st Source Bank, Activate Healthcare LLC, Advanced Medical Management, LLC, American Airlines, American Board of Internal Medicine, Apple iOS, Arris devices, ARx Patient Solutions, ASUS routers, Atlantic General Hospital, Atomic Wallet, Atrium Health Wake Forest Baptist, Bangladesh government web portal, Barracuda ESG, Barrow County, Georgia, Beacon Ridge, BORN Ontario, BreachForums Clone, Bristol Myers Squibb, CalPERS, ChatGPT, Chilean Army, Cisco data center switches, City of San Luis, ClearMedi, Commonwealth Health Physician Network-Cardiology, Community Research Foundation, Core Recovery, LLC, D-Link devices, Des Moines Public Schools, Desert Physicians Management, Deutsche Bank AG, Dozor-Teleport, D’Youville University, EncroChat, Extreme Networks, Floating Point Group, FortiGate firewalls, G7 summit, Genworth, GlobalHealth Holdings, LLC, Grafana, Great Valley Cardiology, Hashflow, HCA Healthcare, Henrietta Johnson Medical Center, Illinois, Imagine360, Indonesian passport system, iOttie, Itasca County Health & Human Services, Jones Lang LaSalle, JumpCloud, K&L Gates, Kannact, Inc., Kinmax, Kirkland & Ellis, Lansing Community College, LetMeSpy, Limbach Facility Services LLC Group Benefit Plan, Locally, Louisiana OMV, Lumberton ISD, Maimonides Medical Center, Mastodon, MediaTek devices, Microsoft Teams, Microsoft, Missouri, Mondelez International, Mount Desert Island Hospital, MOVEit Transfer, Murfreesboro Medical Clinic & SurgiCenter, National Student Clearinghouse, Nebraska, Netgear devices, New Horizons Medical, Inc, New York City Department of Education, Nickelodeon, Nova Scotia, nuclear weapons experts, Ofcom, ONIX Group, Oregon Department of Transportation, Oregon DMV, Orrick, Herrington & Sutcliffe LLP, Paris High School, Parker Drilling Company Group Health and Flexible Benefit Plan, PBI Research Services, Peachtree Orthopaedic Clinic, P.A., Pennsylvania, Petro-Canada Gas Stations, Poly Network, Port of Nagoya, Japan, Proskauer Rose, Radisson, Razer, Realm IDX, Recovery Centers of America, Senior Choice, Inc, Shell Oil, Siemens Energy, Solar Energy Monitoring Systems, SolarView Systems, South Carolina, South Dakota, South Suburban Surgical Suites, LLC, Southwest Airlines, Sturdy Finance, Suncor Energy, Tenda devices, Texas, The Atrium, The Patriot, The Williamsport Home, Tidewater Diagnostic Imaging, Ltd., TomTom, TP-Link devices, TSMC, U.S. Department of Energy, Ukrainian Government FaceBook Page, Ultimate Member WordPress Plug-In, University of Colorado, University of Illinois, University of Manchester, University of Pittsburgh Medical Center, UofL Health, UPMC, UPS, US Federal agencies, USPTO, Vermillion, Vincera Core Physicians, Vincera Imaging LLC, Vincera Rehab LLC, Vincera Surgery Center, Vitra Home Care, LLC, Zellis, Zyxel devices, and Zyxel NAS have reportedly been hacked or compromised this month.

The state of Alaska, Taos, Azure, Microsoft 365 (multiple times), Microsoft Teams, and Outlook for the web have suffered from outages this month.

Last month’s updates broke .NET WebApps, default browser GPO, Apple Safari on mobile, Windows Start Menu, and Windows File Explorer.

The US Federal government is still using unsecured devices across 50 different agencies. Sweden is fining companies that use Google Analytics. Microsoft is going to be permanently storing all the AI interactions with Bing to “better serve you.” Facebook parent company Meta says the only way to delete your account from their defective Threads service is to delete your Instagram account.

Now for the good news:

A federal judge has blocked the federal government from orchestrating censorship with private tech companies.

Let’s Get Busy

Now back to our regularly scheduled program.

Patch Tuesday is huge this month. The typical computer should see roughly 4 GB in updates today. Let’s get started.

Windows 10 and Windows 11 versions 22H2 should now be installed. Sadly, the new “Moments” features on Windows 11 will insert advertisements in the Start menu and Control Panel. Just another sign of the continuing decline of Windows.

Microsoft released updates to address 132 vulnerabilities in .NET and Visual Studio, ASP.NET and .NET, Azure Active Directory, Microsoft Dynamics, Microsoft Graphics Component, Microsoft Media-Wiki Extensions, Microsoft Office Access, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office SharePoint, Microsoft Office, Microsoft Power Apps, Microsoft Printer Drivers, Microsoft Windows Codecs Library, Mono Authenticode, Paint 3D, Role: DNS Server, Service Fabric, Visual Studio Code, Windows Active Directory Certificate Services, Windows Active Template Library, Windows Admin Center, Windows App Store, Windows Authentication Methods, Windows CDP User Components, Windows Certificates, Windows Clip Service, Windows Cloud Files Mini Filter Driver, Windows Cluster Server, Windows CNG Key Isolation Service, Windows Common Log File System Driver, Windows Connected User Experiences and Telemetry, Windows CryptoAPI, Windows Cryptographic Services, Windows Defender, Windows Deployment Services, Windows EFI Partition, Windows Error Reporting, Windows Failover Cluster, Windows Geolocation Service, Windows HTTP.sys, Windows Image Acquisition, Windows Installer, Windows Kernel, Windows Layer 2 Tunneling Protocol, Windows Layer-2 Bridge Network Driver, Windows Local Security Authority (LSA), Windows Media, Windows Message Queuing, Windows MSHTML Platform, Windows Netlogon, Windows Network Load Balancing, Windows NT OS Kernel, Windows ODBC Driver, Windows OLE, Windows Online Certificate Status Protocol (OCSP) SnapIn, Windows Partition Management Driver, Windows Peer Name Resolution Protocol, Windows PGM, Windows Print Spooler Components, Windows Remote Desktop, Windows Remote Procedure Call, Windows Routing and Remote Access Service (RRAS), Windows Server Update Service, Windows SmartScreen, Windows SPNEGO Extended Negotiation, Windows Transaction Manager, Windows Update Orchestrator Service, Windows VOLSNAP.SYS, Windows Volume Shadow Copy, Windows Win32K, and MSRT (~ 3 GB). This includes security updates. A reboot is required.

Apple released updates for iOS 15.7.7, iOS 16.5.1, iPadOS 15.7.7, iPadOS 16.5.1, macOS Big Sur 11.7.8, macOS Monterey 12.6.7, macOS Ventura 13.4.1, Rapid Security Responses for iOS 16.5.1, Rapid Security Responses for iPadOS 16.5.1, Rapid Security Responses for macOS Ventura 13.4.1, Safari 16.5.1, Safari 16.5.2, watchOS 8.8.1, and watchOS 9.5.2. This includes security updates. Use Apple Software Update to install these updates. A reboot is required.

iOS 15.7.7 and 16.5.1 are security updates. Use Settings, General, Software Update to install the most current update.

iPadOS 15.7.7 and 16.5.1 are security updates. Use Settings, General, Software Update to install the most current update.

watchOS 8.8.1 and 9.5.2 are security updates. Use the Watch app on your iPhone to install the most current version.

Don’t forget to check your mobile devices, too! Many updates will also apply to your tablet, phone, kindle or television – so check your device-appropriate App Store and install updates.

Important Notes

Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.

The release of macOS Ventura (13.x) means that macOS Catalina (10.15) and older are no longer supported. If you cannot install at least macOS Big Sur (11) on your Mac, then you should immediately remove it from the Internet and use it offline only. It will no longer receive patches or updates and can no longer be secured.

The now-current — and final — release of Windows 10 (v22H2) is very large, so it will take a long time to download on slower connections. All non-LTS versions of Windows 10 other than v22H2 are now out of support; upgrade to v22H2 now. If you aren’t sure whether you are using LTS, you aren’t. If you’re on a slow connection and don’t let it finish, this process will kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you, please contact me for information.

The now-current release of Windows 11 (v22H2) is very large, so it will take a long time to download on slower connections. Windows 11 pushes you to get the latest Windows 11 release every 12 months and only supports any consumer build for 24 months. If you’re on a slow connection and don’t let it finish, this process will kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you, please contact me for information.

Windows 11 is now stable and can be upgraded to if your hardware supports it, but I recommend you continue to use Windows 10 until early 2025 before you consider switching to it.

Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.

It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need or use, reducing the attack surface. This includes “free” applications like Avast, OpenOffice, and games you do not actually play.

Also note that using the application’s own “check for updates” function, when available, will best preserve your current settings, and often avoids any crapware that might come with a fresh installer. Use this option if it’s available to you.

Finally, if you’re sick of doing this all yourself, let me! Call or email me any time, and we can set you up with subscription SaferPC updates which will be installed each month whenever necessary. Click, call or email for more details:

Driver Updates

If you’re using this hardware – these updates are for you.

AMD Adrenalin 23.7.1 resolves several bugs and improves compatibility. This is not a security update.

Crucial Storage Executive 9.04 doesn’t provide a changelog so should be treated as a security update.

DS4Windows 3.2.12 resolves several bugs. This is not a security update.

Garmin Express 7.17.3 doesn’t provide a changelog so should be treated as a security update.

Nvidia Driver 474.44 is a security update.

Xerox Smart Start doesn’t provide a changelog so should be treated as a security update.

Browser Updates

One or more of these are likely to be of interest to everyone.

Brave 1.52.130 is a security update.

Google Chrome 114.0.5735.198 is a security update.

Microsoft Edge 114.0.1823.79 is a security update.

Firefox 115.0.2 is a security update.

Firefox ESR 115.0.2 is a security update.

Vivaldi 6.1.3035.84 is a security update.

Microsoft Edge WebView2 114.0.1823.79 is a security update.

Email Updates

One or more of these are likely to be of interest to everyone.

Spark resolves several bugs and improves mail collections. This is not a security update.

Spark (macOS) resolves several bugs and improves mail collections. This is not a security update.

Thunderbird 102.13.0 is a security update.

Internet Updates

One or more of these are likely to be of interest to everyone.

Dropbox 177.4.5399 resolves a reliability bug. This is not a security update.

Facebook Messenger is a security update.

FileZilla Client 3.65.0 updates libraries and resolves several bugs. This should be treated as a security update.

FreeFileSync 12.4 resolves several bugs. This is not a security update.

Google Drive 77.0 is a security update.

Microsoft Teams resolves a couple bugs and adds user feedback. This is not a security update.

Pocketnet-Core 0.21.3 resolves several bugs. This is not a security update.

PushBullet 502 doesn’t provide a changelog so should be treated as a security update.

Rclone 1.63.0 adds several new features and resolves dozens of bugs. This should be treated as a security update.

Signal 6.24.0 adds search to mentions. This is not a security update.

Signal (Android) 6.24.4 doesn’t provide a changelog so should be treated as a security update.

Syncthing 1.23.6 resolves several bugs. This is not a security update.

Technitium DNS Server 11.3 adds new record types and resolves several bugs. This is not a security update.

Telegram 4.8.4 improves stability. This is not a security update.

WinSCP 6.1.1 is a security update.

Zoom is a security update.

Media Updates

These are unlikely to be of interest to most people.

3tene 3.0.10 resolves a dozen bugs. This is not a security update.

Bitwig Studio 5.0 is a major update adding over a hundred new features, objects, and object controls, and resolves over 20 bugs.

darktable 4.4.1 resolves several bugs. This is not a security update.

Kodi 20.2 resolves almost 40 bugs. This is not a security update.

Plex Desktop improves the Discover feature. This is not a security update.

Plex Home Theater resolves a couple bugs with Live TV. This is not a security update.

Plex Media Server resolves several bugs. This is a security update.

Game Updates

These are unlikely to be of interest to most people.

GameMaker Studio 2023.6.0.89 resolves over 60 bugs. This is not a security update.

GDevelop 5.2.166 enables 3D editing for all users, adds 3D models to the asset store and resolves several bugs. This is not a security update.

Lego Studio resolves several bugs. This is not a security update.

Steam 2023.06.14 resolves over a hundred bugs and improves the notification and in-game chat experience. This is not a security update.

Office Updates

One or more of these are likely to be of interest to most people.

Adobe ColdFusion 2018u17, 2021u7, and 2023u1 are security updates.

Adobe InDesign 18.4 and 17.4.2 are security updates.

Adobe Reader DC 23.003.20244 is a security update.

Blender 3.6 vastly improves performance and adds several new features, including cache, UI, text and selection improvements, new Simulation abilities and UV improvements. This is not a security update.

Calibre 6.22.0 adds support for new hardware and resolves several bugs. This is not a security update.

ImageMagick 7.1.1-12 resolves several bugs. This is not a security update.

Kdenlive 23.04.2 improves timeline and resolves several bugs. This is not a security update.

Notepad++ 8.5.4 resolves over a dozen bugs. This is not a security update. 5.0.7 resolves several bugs. This is a security update.

PDF-XChange Editor is a security update.

Security Software Updates

One or more of these is likely to be of interest to most people.

Chainsaw 2.7.2 resolves several bugs. This is not a security update.

HTTP Toolkit 1.12.8 doesn’t provide a changelog so should be treated as a security update.

Microsoft Edge Policy 2023.07.05 adds new policies.

PureOS 10.3 improves security and management. This is a security update.

RogueKiller 15.11.0 is a security update.

Stinger adds several new detections. This is not a security update.

SuperAntiSpyware 10.0.1254 resolves several bugs. This is not a security update.

Capture Updates

These are unlikely to be of interest to most people.

Camtasia 23.1.0 adds variable speed playback, reflections, and resolves several bugs. This is not a security update.

Open Broadcaster Software 29.1.3 resolves a dozen bugs. This is not a security update.

ScreenToGif 2.38.1 resolves several bugs. This is not a security update.

Converter Updates

These are unlikely to be of interest to most people.

DVDFab adds support for new encodings. This is not a security update.

IsoBuster 5.2 adds support for spanned archives, new file type support, and resolves several bugs. This is not a security update.

StreamFab resolves several bugs. This is not a security update.

UniFab resolves several bugs. This is not a security update.

Utility Updates

These are unlikely to be of interest to most people.

1Password for Mac 8.10.8 vastly improves LastPass import, and resolves several bugs. This is not a security update.

1Password for Windows 8.10.8 vastly improves LastPass import, and resolves several bugs. This is not a security update.

7-Zip 23.01 improves translation details and resolves several bugs. This is not a security update.

Agent Ransack 2022.3405 resolves several bugs. This is not a security update.

Autoruns 14.1 resolves several bugs. This is not a security update.

Bitwarden 2023.5.1 resolves several bugs. This is not a security update.

CCleaner 6.13.10517 resolves several bugs and adds cleanup support for a dozen more applications. This is not a security update.

Cygwin 3.4.7 resolves several bugs. This is not a security update.

DesktopOK 10.88 improves compatibility. This is not a security update.

dnGrep switches underlying .NET support to v7, which significantly improves performance. This is not a security update.

ESEDatabaseView 1.73 adds full screen support. This is not a security update.

Etcher 1.18.8 fixes the support link. This is not a security update.

FileLocator Pro 2022.3405 resolves several bugs. This is not a security update.

Fing 3.4.0 doesn’t provide a detailed changelog so should be treated as a security update.

Go 1.20.6 is a security update.

Homedale 2.07 adds cosmetic changes for local MAC addresses. This is not a security update.

HWiNFO 7.50 doesn’t provide a detailed changelog so should be treated as a security update.

Kingston SSD Manager doesn’t provide a detailed changelog so should be treated as a security update.

ManageWirelessNetworks 1.12 adds a sort-by toolbar button. This is not a security update.

MobileFileSearch 1.46 adds a sort-by toolbar button. This is not a security update.

MPAM 1.393.60.0 adds support for new detections. This should be treated as a security update.

NetworkTrafficView 2.50 adds support for the sapics geo-IP databases. This is not a security update.

NTLite 2023.6.9292 resolves several bugs. This is not a security update.

OSForensics 10.0.1014 adds new filesto detection. This is not a security update.

AOMEI Partition Assistant 10.1.0 adds interactive UEFI BIOS import and export support. This is not a security update.

PowerToys 0.71.0 resolves several bugs. This should be treated as a security update.

ProcessMonitor 3.95 resolves a crash bug. This is not a security update.

RoboForm 9.4.9 resolves several bugs. This is not a security update.

ScreenConnect resolves dozens of bugs. This is not a security update.

SimpleWMIView 1.55 resolves a bug. This is not a security update.

Sysmon 15.0 is a security update.

TaskSchedulerView 1.73 adds a sort-by button to the toolbar and resolves a cosmetic bug. This is not a security update.

Unity 2023.1.3 resolves dozens of bugs. This is not a security update.

Ventoy 1.0.93 improves compatibility and resolves several bugs. This is not a security update.

WinGet 1.5.1881 resolves a couple bugs. This is not a security update.

ZoomText 2023 2023.2306.21.400 resolves several bugs. This is not a security update.

Developer Updates

These are unlikely to be of interest to most people.

GitHub Desktop 3.2.6 resolves a dozen bugs. This is not a security update.

Godot 4.1 resolves dozens of bugs and adds several new features. This is not a security update.

GitHub include-fragment 6.3.0 adds a custom-elements manifest. This is not a security update.

Node.js 20.4.0 resolves dozens of bugs. This is a security update.

Node.js 16.20.1 is a security update.

Node.js 18.16.1 is a security update.

Redemption adds several new features and resolves a dozen bugs. This is not a security update.

Visual Studio Code 1.80 resolves several bugs. This is not a security update.

Web Package Updates

These are likely to be of interest only to web developers.

Invision Community is a security update.

Drupal 9.5.10 improves compatibility. This is not a security update.

Joomla 4.3.3 resolves dozens of bugs. This is not a security update.

OpenCart resolves over a dozen bugs. This is not a security update.

ownCloud Client resolves a dozen bugs. This is not a security update.

Piwigo 13.8.0 is a security update.

Akismet 5.2 resolves several bugs. This is not a security update.

Autoptimize is a security update.

Duplicator 1.5.5 resolves a dozen bugs. This is not a security update.

myStickymenu 2.6.4 resolves several bugs. This is not a security update.

W3 Total Cache 2.3.3 resolves several bugs. This is not a security update.

Widgets on Pages 1.8.1 resolves a compatibility bug. This is not a security update.

WooCommerce 7.8.2 resolves several bugs. This is not a security update.

That’s all for now folks. Keep it clean out there. 😉


Shawn K. Hall


Flash Begone!

Adobe Flash: You Will Not Be Missed

Flash is going to be going away in about a month. Adobe announced the end-of-life (EOL) for Flash about two and a half years ago. Microsoft will be removing the built-in Windows version in 40 days. Flash is currently built into Chromium-based browsers (Chrome, Edge, Brave, Vivaldi and so on), and will no longer be included at all in a couple of weeks, and the only other browser that has supported it (Firefox) will block it in late December. By mid-January no browser will support Flash and any website that relies on it will have major compatibility problems. Facebook game players have been terrified of this because it’s going to finally kill Farmville.

HTML5 is the replacement for Flash. Flash is closed-source and historically extremely insecure – directly responsible for over half of all malware infections. Flash was originally designed by Macromedia which was later bought by Adobe. Adobe’s entire system has always been designed around closed-source and limiting access to how their software works, which means that it doesn’t have the ability for outside code review or security analysis. HTML5, on the other hand, is open-source, designed by the same people that designed the Internet itself. It does have a digital rights management (DRM) stub which allows publishers to prevent data from being copied (like Netflix), but it’s nowhere near as closed as Flash has been.

Those few sites that lament the loss of Flash don’t understand the risks and troubles that we’ve all experienced as a direct result of this uniquely horrific technology. There are over 1,000 known vulnerabilities in Adobe Flash. At 24 years old, that’s an average of 42 vulnerabilities per year, or 3.5 per month. At the time of publication, 652 of the vulnerabilities score a “perfect 10” on the CVSS risk scale, and 894 vulnerabilities score 9.0 and above. Put simply, 90% of the known vulnerabilities in Adobe Flash are considered Critical and are capable of completely taking over the affected device.

If you don’t want to wait, you can eliminate Flash yourself using the Adobe Flash Removal Tool.

That’s all for now folks. Keep it clean out there. 😉


Shawn K. Hall

Do Not Reuse Passwords

Password security is a growing field, and the old conventional wisdom of using a “strong” password and changing it frequently has led to people using the same “strong” password on many different websites, resulting in their complete identity being hijacked when any one of those sites is compromised.

HaveIBeenPwned (HIBP) is a service that collects data dumps from hacked websites and uses the data to alert users whenever their accounts are compromised. It’s like a central clearinghouse for account monitoring. Unfortunately, by the time accounts are listed in HIBP it is often years after the account was hacked, and the hackers that originally took the account information have had that entire period to make use of your account details. Many websites store their passwords in plain text. Many of the others do use password hashing algorithms, storing only a mathematical representation of the password rather than the password itself, but neglect to use properly salted hashes, which means those hashed passwords can often be compared against rainbow tables to effectively convert them back to their plain text equivalent. Seeing the passwords that people – still today – continue to use is destroying my hope in humanity. For example, “123456” is used by almost 1% of business professionals for their online social interactions. Dead serious.
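As an added illustration of the salting point above (example code, not HIBP’s or any website’s implementation): the same password hashed without a salt produces the same digest for every user on every site, so one precomputed table cracks all of them at once, while a per-user random salt combined with a slow hash (PBKDF2-HMAC-SHA256 here) makes every stored value unique and the table useless. The common-password list and the precomputed table are constructed; the iteration count is an assumption kept low so the example runs quickly, and production systems use a higher one.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed list of common passwords; stands in for the breached-password
# corpora an attacker would precompute from.
CONSTRUCTED_COMMON = ["123456", "password", "qwerty", "letmein", "linkedin123456"]


def unsalted_sha1(password: str) -> str:
    """What a site does wrong: a bare, fast hash with nothing per-user mixed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Precomputed lookup table, hash -> plaintext. A real rainbow table is a chained
# space/time trade-off rather than a flat dict, but the effect on unsalted
# hashes is identical: computed once, reusable against every site and user.
PRECOMPUTED = {unsalted_sha1(p): p for p in CONSTRUCTED_COMMON}


def crack_unsalted(stored_hash: str, table=PRECOMPUTED) -> Optional[str]:
    """Recover a plaintext from the precomputed table, or None if absent."""
    return table.get(stored_hash)


ITERATIONS = 100_000  # assumption: low so the example is quick; raise in production


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """What a site should do: random per-user salt plus a slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Store everything verification needs alongside the digest.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two different users who both chose "123456".
    alice_bad, bob_bad = unsalted_sha1("123456"), unsalted_sha1("123456")
    print("unsalted identical:", alice_bad == bob_bad,
          "-> table recovers:", crack_unsalted(alice_bad))
    alice_good, bob_good = salted_hash("123456"), salted_hash("123456")
    print("salted identical:", alice_good == bob_good,
          "-> table recovers:", crack_unsalted(alice_good))
    print("login still works:", verify_salted("123456", alice_good))
```

The salt is not secret (it is stored next to the digest); its job is only to force the attacker to start over for each user, which, together with the slow hash, is what turns a one-time table lookup back into per-account work.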

The trends on these exposed passwords show that there are very common patterns and weak password consideration is the rule of the day. Few people, and by few I mean I could probably count them on one hand, actually do passwords right. It’s time to take your own security seriously, because the evidence shows that many of those you do business with do not.

Here’s the Problem

Weak passwords you’ve used on service x (Yahoo, for example) will be dumped along with all the other passwords on that hacked service. Those same weak passwords will be tested on service y and service z. And everywhere else. This process is called “password stuffing.”

If you reuse even part of your passwords then you open yourself up to being targeted either randomly or by evil people you may already know. “Script kiddies” live and die by their ability to make an example out of people who they feel have done them harm. You could also become the victim of automated scanners that consume the usernames and passwords from these dumps and then try them on every known system, from Facebook to Gmail to email to banking services. The passwords will be munged in order to test similar or stylistically equivalent passwords. For example, in the LinkedIn hack, almost 2.5 million accounts (or about 1.5%) used some variant of the site name in their password. Those same accounts probably use some variation of the site name in most of their passwords. This can safely be assumed to be done everywhere, meaning that if you use “linkedin123456” for LinkedIn, there’s a good chance that your Facebook password is “facebook123456”.

So when over a million people used “123456” as their LinkedIn password, not only did it expose that as a very commonly used password, but it demonstrated that those million-plus email addresses tied to those weak passwords were used by people that didn’t take security seriously. If you use a weak password anywhere, chances are good that you use weak passwords elsewhere, if not everywhere. If something as quick and easy as changing a password isn’t done, then you also probably neglect your hardware and software. You’re using older and insecure programs. You’re exposing all of yourself with a single simple decision that you think will make your life easier.

It doesn’t. Reusing even part of a password only makes life easier for whoever attacks you. They can stay in their momma’s basement and spend all day throwing your account details at different sites until they get in. When they do, it doesn’t hurt them, it hurts you. Two or three hijacked accounts, or variations on your passwords from multiple dumps show how you think, and the style and scope of password complexity you use.

Again referring to the 2012 LinkedIn hack, there were over 26,000 variations of passwords that included “12” or “2012” in the password. From this we can infer that users seed their passwords with the year they changed them. The same accounts are probably still using the same patterns with “2019” or “2020” today.

“Different” !== Strong

Usually these dumps are sold on the black market or used by the original hacker for a while before they’re inevitably released publicly. The data is out there so it’s necessary to use defensive passwords.

You can’t just change a number at the end of your password and possibly think that it’s going to make a difference in your security. The delay it might impose against an organized attacker is less than a single second. You can’t create a strong password by typing random characters on your keyboard. You just can’t. The predictive value of muscle memory, social and cognitive signals, and even keyboard bias result in a relatively small set of potential values for manually-generated passwords.

1337-sp34k offers no additional protection.

Using a strong password is no longer a suggestion. To be secure in the current world you must use a strong, unique, randomly-generated password for any and all sites and services. Failing to do so will result in that password being used as the seed to corrupt your digital life later on. Maybe not today, maybe not tomorrow, but soon, and for the rest of eternity.

The rules used to be pretty simple, but were still never observed:

  • DO NOT use a series of numbers and a word or two. (123badpassword)
  • DO NOT use a word or two and a series of numbers. (badpassword123)
  • DO NOT use a word with numbers breaking it up. (1bad2password3)
  • DO NOT use the site name or URL as any part of the password. (mylinkedinpassword)
  • DO NOT use keyboard sequences like “qwerty” or “123456”.
  • DO NOT use any word or name related to you or your life (pets, family, friends, musicians).
  • DO NOT use dates or other simple patterns.

Unfortunately, these rules are still ignored, and even if they were followed to a T, they are no longer sufficient for creating passwords or passphrases manually. Today, any password you can remember is not a good password. It’s time you put the effort into proper password management.
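The “DO NOT” rules above, together with the 1337-sp34k and year-seeding points, written as a checker in Python; this is an added example, not code from the original post, and it is the kind of logic a password manager’s analysis feature or a sign-up form runs on the defending side. The common-word list is constructed; a real check would use a large breached-password dictionary such as the HIBP corpus discussed above. The rule names are this example’s own.

```python
import re
from typing import Iterable, List

# Constructed common-word list; a real checker uses a large breach dictionary.
CONSTRUCTED_COMMON_WORDS = ["password", "welcome", "letmein", "monkey", "dragon",
                            "football", "sunshine", "princess", "iloveyou", "admin"]

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Undo the usual 1337-sp34k substitutions before looking for dictionary words.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize_leet(text: str) -> str:
    """Lower-case the text and map leet characters back, so 'p4ssw0rd' reads 'password'."""
    return text.lower().translate(LEET_MAP)


def weak_patterns(password: str, site: str = "",
                  personal: Iterable[str] = ()) -> List[str]:
    """Return the names of every rule the password breaks (empty list = none).

    `site` is the service the password is for; `personal` is a list of words
    tied to the user (pets, family, bands) supplied by the caller.
    """
    hits: List[str] = []
    lower = password.lower()
    plain = normalize_leet(password)
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)

    # Rules 1-3: digits glued onto a word, before, after or inside it.
    if re.fullmatch(r"\d+[A-Za-z]+", password):
        hits.append("digits_then_word")        # 123badpassword
    elif re.fullmatch(r"[A-Za-z]+\d+", password):
        hits.append("word_then_digits")        # badpassword123
    elif re.fullmatch(r"[A-Za-z0-9]+", password) and has_digit and has_alpha:
        hits.append("digits_inside_word")      # 1bad2password3

    # Rule 4: the site name or URL anywhere in the password, leet or not.
    if site and (site.lower() in lower or site.lower() in plain):
        hits.append("site_name")               # mylinkedinpassword

    # Rule 5: four or more adjacent keys from a keyboard row, either direction.
    if any(seq[i:i + 4] in lower
           for row in KEYBOARD_ROWS for seq in (row, row[::-1])
           for i in range(len(seq) - 3)):
        hits.append("keyboard_sequence")       # qwerty, 123456

    # Rule 6: anything from the user's own life.
    if any(p and (p.lower() in lower or p.lower() in plain) for p in personal):
        hits.append("personal_word")

    # Rule 7: a year (the 2012 / 2019 seeding habit) or a short date.
    if re.search(r"(?:19|20)\d{2}", password) or re.search(r"\d{1,2}[/.-]\d{1,2}", password):
        hits.append("date_or_year")

    # Dictionary words survive 1337-sp34k, so check the normalized form.
    if any(w in plain for w in CONSTRUCTED_COMMON_WORDS):
        hits.append("common_word")

    return hits


if __name__ == "__main__":
    for pw in ["123badpassword", "badpassword123", "1bad2password3",
               "mylinkedinpassword", "qwerty123", "p4ssw0rd", "Q7#vLp2@xZ9!mK4r"]:
        print(f"{pw:20} -> {weak_patterns(pw, site='linkedin') or 'no pattern found'}")
```

An empty result does not mean the password is strong, only that none of these human habits is visible in it; the real test of strength is still whether it came out of a generator rather than a head.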

Fortunately, the new rules are actually simpler:

But my browser remembers my passwords!

All modern browsers (Chrome, Firefox, Edge, Safari) have password management built in. You can use that to generate strong passwords and, while short, they’ll be unique for each site. Unfortunately, since these passwords are stored in the browser, they can be extracted by any malicious software that makes it onto the device or that compromises your browser sync account, whereas password managers generally use much stronger encryption.

Websites are still catching up to the reality of password managers

Long passwords, 300 characters or more, are not a problem for your password manager, but they’re probably a problem for the site. BofA limits your password to 20 characters. Yahoo limits your password to 128 characters. Facebook allows much longer passwords, but only requires 6 characters and character case isn’t treated as significant so entropy is significantly reduced, especially for shorter passwords.

Some websites and app logins don’t allow you to copy & paste in the password field which means that they often don’t play well with password managers. Others (like AT&T and Yahoo) refuse to allow certain characters in passwords, so randomly generated passwords have to be manually munged instead of allowing them to be truly random.

Nevertheless, failing to use a password manager means that you’re not using random passwords at all, and are likely reusing passwords to your own peril.

The solution is to get a password manager now and immediately start working to migrate your accounts to it. Almost every password manager today offers password analysis to warn you of weak, reused, and known compromised passwords so you can prioritize changing the passwords for those accounts.

What’s your favorite password manager?