I see that Telus is now sending emails out about proper password security for our accounts. They state that a minimum of 8 characters is best, as well as being complex, so a mix of upper/lower case, symbols and numbers. As a security professional, I find these kinds of statements to be sort of error prone. Passwords these days need to be a minimum of 12 characters as anything less than 12 can now be cracked in less than 1.5 hours. Rainbow tables of 8 characters or less can fit on a small thumb drive. For those not knowing, a rainbow table is a table of every combination of letters, numbers and symbols that can be created, so in essence every password conceivable. 8 character passwords can be cracked in less than 40 minutes now on modern hardware. So aside from giving bad advice in their recent email, does anyone know if Telus has plans to start using MFA (Multifactor Authentication) or 2FA as it's known in some circles? I'd love to protect my account with an Authenticator which changes a 6 digit or higher number every minute to go along with our password. It would go a very long way to implement this level of authentication and make our account quite a bit more secure.
I agree longer passwords would be better, but you have to remember it is human nature to simplify such things to dictionary terms, reducing the effectiveness, so a longer passphrase might be a better choice. MFA or similar was trialed by Telus in a product called Mobile Connect. It was not continued.
Enough folks have problems with a single password; MFA can cause even more problems for those not understanding how to use it, or worse not having the means to access the second means of identity at the time it is needed. Been there, done that; no fun.
Until there is a better way to manage the second factor, the promotion of stronger passwords as you suggest, coupled with the use of a password safe across one's devices is probably the best option.
Newer MFA applications can do push authentication to your device, simply asking upon login, "Is this you? Y or N" on your smart device. No longer do you even have to enter those codes.
Telus can make this optional for users to select, but I guess my issue is that they don't even give us that option.
As for users wanting simple passwords, I get that. I've been teaching my parents who are in their late 70s to combine passwords with numbers in the middle, and they seem to be able to get it. Others can too, if they are taught the easy tricks to remember. Here is an easy password: Telus19ApplePie$. These are the types of passwords I've taught my parents to use. It's even resistant to dictionary attacks so you can have "simple passwords to remember". Of course a password safe is the best option, but you always *have* to protect that with MFA or a very complex password, otherwise, that's like leaving the house key under the front door mat.
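The thread's argument that length matters more than a mix of character classes can be put in numbers. The Python below is an added example (not from the thread) that checks a password against a policy of the kind the first post asks for (12+ characters, several classes) and computes the brute-force search space in bits, assuming the attacker knows which character classes were used. The minimum length, class count and the 32-symbol punctuation set are assumptions of this example, not a Telus policy.

```python
import math
import string

# Printable ASCII punctuation; 32 characters is the usual figure for "symbols".
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(SYMBOLS), 32),
}


def char_classes(password: str) -> set:
    """Which of the four character classes the password actually uses."""
    return {name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in password)}


def brute_force_bits(password: str) -> float:
    """log2 of the search space an attacker must cover if they know the classes used.

    Length multiplies, class size only adds to the log: 94^8 is smaller than 26^12.
    """
    alphabet = sum(CLASS_SIZES[name][1] for name in char_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_policy(password: str, min_length: int = 12, min_classes: int = 3) -> list:
    """Return a list of policy violations (empty list means the password passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} < {min_length}")
    classes = char_classes(password)
    if len(classes) < min_classes:
        problems.append(f"too few character classes: {len(classes)} < {min_classes}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the first is the one suggested in the post above.
    for pw in ["Telus19ApplePie$", "Pa$sw0rd", "aaaaaaaaaaaa"]:
        print(f"{pw:18} classes={sorted(char_classes(pw))} "
              f"bits={brute_force_bits(pw):.1f} violations={check_policy(pw)}")
```

The comparison is deliberately about brute force only: a passphrase built from dictionary words is weaker against a wordlist-plus-rules attack than the bit count suggests, which is why the thread's advice to pair length with a password safe and MFA still stands.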
My parents are in their late eighties / early nineties. Dad is now having difficulty remembering the 4 digit alarm code; Telus19ApplePie$ would not be possible. Having multiple accounts and passwords without an automated password safe on a computer means keeping a logbook of passwords, which is not always the best path, though safe from cyber criminals. The bigger risk for the aged is phone scams and email scams, in my opinion.
For those of us who are wise, longer passwords, separate passwords for each Telus login area (email, account, TV, mobility, etc.) is the best we can expect just now.
Also, not all MFA works. The web host I use has a non-functional MFA. You can set it up, but it does not work properly. Absolute PITA to delete the MFA and return to single-factor authorization. Maybe time to change suppliers.