Juha Saarinen: Maybe don't listen to cyber security experts?

Passwords are a bad idea and not even experts always know how manage them. Photo / 123RF

OPINION:

What's going on at New Zealand's official Computer Emergency Response Team (Cert NZ)?

They manage to publish solid advice that's been shared with them by overseas Certs who've analysed and learned from incidents - and then mix it up with some pretty oddball notions.

Like this month's advisory on non-fungible tokens or NFTs. In simple terms, NFTs are unique digital tokens that are derived from the tech behind cryptocurrencies, which are now crashing and burning, as the giant pyramid scheme they are.

Importantly, NFTs have no legal standing. They are not, as Cert NZ says, "certificates of ownership" of digital items or anything else. At best, NFTs could be seen as a way to licence the use of, for example, the animated GIF pictures Cert NZ loves to post on social media.

Even that's dubious and will require much court wrangling to establish. Meanwhile, anyone can still copy your Bored Ape JPEG or whatever, and there's not a whole lot you can do about it unless you're the copyright holder.

The advice here should be: "NFTs are a huge scam and you will be burned if you dabble in them; stay away". Nothing else, and most certainly not suggesting doing your due diligence will help if you buy NFTs.

Learn from crypto bro Sina Estavi who paid US$2.9 million ($4.7m) for an NFT of Twitter founder Jack Dorsey's first tweet. Estavie tried to cash out on the NFT in April, but the highest bid was just a few hundred dollars. That and the endless scamming that's going on is all you need to know about NFTs.

Cert NZ has also launched the Big Password Energy campaign that it devised with an ad agency.

That means you get nicely shot pictures and a demographic as ad agencies love that.

In this case, 18-34-year-olds are the target. Those naughty people use bad passwords and get hacked a lot.

The rest of us do as well, and there's no doubt that strong, unique passphrases are a good idea.

However, some of the password suggestions that CertT NZ doles out, like Grandma Beverly's MyPerfectlyTrimmedHedge, probably aren't going to work in many places.

That's because the site you're trying to create an account on will have a password or a passphrase policy. You know how you have to use at least two numbers, upper and lower case letters, and one or more %$&@#s and then the form won't accept your password since you cleverly used a space and made it 24 characters long?

Yep, that's the one. Grandma Beverly, who I don't think is in the 18-34 age bracket, will go mental trying to get the site to accept her strong passphrase.

Breathless reports from commercial entities on how people use bad passwords should be taken with a giant pinch of salt.

It's bad business for sites and services not to reset passwords for compromised accounts. If you see "abc123" mentioned in a top 10 easily guessable passwords list, chances are high that the account it was used for has been reset with a more difficult passphrase required for logins.

Cert NZ mentions password managers at the bottom of the BPE page, when they should be at the top in big letters.

Password managers are life changing, and you should use them whenever possible. Kind of hard not to in fact, as they're enabled by default on today's smartphones and computers.

On my Mac, the system's become more refined over the years and now checks for reused passwords and ones that have been found in data leaks.

Simple to use, password managers can create unique, complex passphrases which can be securely shared across your devices. You don't have to remember these because password managers do it for you. What's not to love here?

Can you do better than password managers? Why yes you can, if you learn multi-factor authentication (MFA).

This means that you use, for instance, security keys like those made by Yubico in your computer, a security chip in your smartphone, or respond to a prompt asking if it really is you trying to log in, on a different device that you control.

MFA isn't 100 per cent uncrackable, but it raises the bar high enough that most cyber crims move on to their next victim. It's also become much easier to use, and you should definitely enable MFA, especially if you're an NFT speculator.

Passwords were a bad idea that didn't work at internet scale. As I've written before, the IT industry recognises this and is working to replace them with better forms of authentication.

While that's taking place, there are some pretty good workarounds to manage passwords.

They're the way to get Big Password Energy, whereas blaming users isn't.