password scheme

Just NO!

I was researching the annual “Geek Father’s Day” blog (this was last year’s post) when I came across this “geeky” present.

password book

It is a nice product, with various sections and dividers to highlight and organise your passwords and other sensitive personally identifiable information (PII). It even has a loop for a pen and is pocket sized. In our cyber security courses we do say you can write down your passwords on paper if you really have to – however you have to have a scheme in place to keep that book/list/document very secure and the information it contains obscured. Using an organiser style notebook, that is easily carried – and easily lost/stolen – is not what we are talking about.

To be fair the cover does not say “Secret Password Book”, but when the thief looks inside there is no doubt as to the contents.

Last Thursday was “World Password Day”. I chose not to write anything specific for that day because we want people to be thinking wider than just having great passwords when it comes to their own and their organisation’s cyber security.

This blog post is my contribution to password awareness.

Best Practice

Security experts like me will tell you that you need a unique, complicated password for every service you use – the diagram at the head of this post will give you a good guide to the types of password I am referring to. Only if you are extremely gifted will you ever be able to remember such a list of passwords and usernames – so you will need to note them down somewhere. But that somewhere has to be very secure – your online identity and the contents of your bank account will be depending on that security.

You can use an online password bank and smartphone app, but me, I am paranoid, so I like to be in control of where my life secrets are kept, so I opted for an encrypted Microsoft document. There are three useful options for this:

  • OneNote notebook encrypted section
  • Excel encrypted document
  • Word encrypted document

The above is a ranking of how effective I consider each solution. For all of them there are versions for Windows computers, Macs, iOS devices and Android devices. Not sure?

Microsoft OneNote

This is probably the best solution of the three listed. You can get access to your password list from anywhere – your PC, smartphone through the OneNote app and even through a web browser on a PC you do not own (but remember that option comes with its own security concerns). Using the computer and smartphone Microsoft apps gives you peace of mind that no one is trying a man-in-the-middle attack on you by spoofing Microsoft apps – I have not actually heard of an example of this happening but it was something we discussed on the Masters course as a possible attack vector using a side loaded app impersonating a password app.

OneNote encryption 1
Right-click on the section tab you want to encrypt
OneNote encryption 2
However if you forget the password the information is lost forever – this also applies to Word and Excel encrypted documents

The flexibility of OneNote as a tool for capturing ideas and information makes it ideal for holding secret information in encrypted sections. How you organise the information and use the app is really up to you – so it can usually suit everyone’s requirements.

However, using OneNote as a password bank is not without issues. On my smartphone and tablet I can use the biometric security to access the encrypted data, but on my all-singing, all-dancing Windows 11 laptop, with Windows Hello enabled, face recognition and a fingerprint scanner, I have to type in the password to get access – so giving the “shoulder surfer hackers” an opportunity to steal my all-important data:

One password to rule them all, One password to find them, One password to bring them all and in the darkness bind them.

with apologies to JRR Tolkien

Microsoft Excel spreadsheet

The ability of Excel to organise information makes it a useful password bank. Use your imagination and it can fit your needs.

To encrypt the spreadsheet:

excel encryption 1
File – Info – Protect Workbook – Encrypt with Password

The same caveat applies here as above – lose the password – lose access to the information. Whatever you see out there on the web about removing password protection from Excel and Word files, it cannot be done. Those old “hacking web pages” offering to sell you the app, or the “free” dodgy download to remove the passwords are referring to much older versions of Microsoft Office. (You are using the latest versions of Microsoft Office – aren’t you? Well that is a whole other blog post).

Microsoft Word document

You can write a list in Word and use the Styles with the References – Table of Contents function to create a pretty good password bank.

You access the encryption in the same way as in Excel:

File – Info – Protect Workbook – Encrypt with Password

Again – lose the password and you are done for.

Word password 1
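A check that a saved workbook or document really was encrypted, as an added example (not from the original post): a password-encrypted modern Office file is stored as an OLE compound file holding `EncryptionInfo` and `EncryptedPackage` streams, while an unprotected one is an ordinary ZIP archive. The function names and sample bytes below are constructed for illustration, and the stream-name scan is a heuristic rather than a full container parse.

```python
import sys

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file (OLE2) signature
ZIP_MAGIC = b"PK\x03\x04"                       # unprotected .xlsx/.docx is a ZIP


def _utf16(name: str) -> bytes:
    # Compound-file stream names are stored as UTF-16LE in the directory.
    return name.encode("utf-16-le")


def classify_office_file(data: bytes) -> str:
    """Return 'encrypted', 'plaintext-ooxml', 'ole-other' or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        # Anyone who obtains this file can unzip it and read the contents.
        return "plaintext-ooxml"
    if data.startswith(OLE_MAGIC):
        if _utf16("EncryptionInfo") in data and _utf16("EncryptedPackage") in data:
            return "encrypted"
        # Legacy binary .xls/.doc or another OLE file: this check cannot tell.
        return "ole-other"
    return "unknown"


def classify_path(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_office_file(fh.read())


# Constructed sample inputs (not real documents), used when no path is given.
SAMPLE_ENCRYPTED = (OLE_MAGIC + bytes(504) + _utf16("EncryptionInfo")
                    + bytes(100) + _utf16("EncryptedPackage"))
SAMPLE_PLAIN = ZIP_MAGIC + b"[Content_Types].xml"
SAMPLE_LEGACY = OLE_MAGIC + bytes(504) + _utf16("Workbook")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {p: classify_path(p) for p in sys.argv[1:]}
    else:
        results = {"sample-encrypted": classify_office_file(SAMPLE_ENCRYPTED),
                   "sample-plain": classify_office_file(SAMPLE_PLAIN)}
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    # Non-zero exit if any file holding passwords is not encrypted at rest.
    sys.exit(0 if all(v == "encrypted" for v in results.values()) else 1)
```

Run it against the saved password bank after setting the password; anything other than `encrypted` means the file should be re-saved with Encrypt with Password before it is synced or copied anywhere.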

The problem with using Excel and Word as password banks

There is an issue of flexibility here. The encryption function does not fully work with the online and app versions of Word and Excel. In the smart device Microsoft Office app and Online versions you can open the documents but not edit them – however you can copy your passwords to the clipboard.

Online and smart phone app password banks

I am not going to recommend or even discuss online password bank services. If you want to go that way, great. But if you are going to use such a service, do your due diligence:

  • Check the company’s reputation
  • See where it operates from
  • What are its encryption and privacy policies?
  • Ask trusted contacts if they use the service – if not what do they use?
  • Do not just use one because you got sent a link via InstaTweeFace!

My parting thoughts

In the password bank debate – encryption is the number one requirement with ease of use second. I fully support any scheme that enables people to use multiple complex passwords, safely – it makes the job of the hacker infinitely harder.

However, passwords may become less important in the future, and one day we may not need them at all. Microsoft, Google and Apple have announced a collaboration with the Fast IDentity Online (FIDO) Alliance to reduce our reliance on passwords. Have a look at this:

FIDO – the new word in identity authentication

For daily cyber security stories and advice I write a cyber security blog at Smart Thinking Solutions – Cybersecurity Starts in the Boardroom. It is aimed at business leaders and owners who want to know more about the constantly changing threat landscape, so they can remain in the loop. This equally applies if they have to deal with cyber security issues themselves or they have someone else to do it for them.

Clive Catton MSc (Cyber Security) by-line and other articles

Further Reading

Here is a great article from the Microsoft blog looking at passwords:

This World Password Day consider ditching passwords altogether – Microsoft Security Blog