Today (March 3rd) is World Password Day. It’s a good time to go back and reset all of our passwords. Sounds like a huge undertaking that will leave you locked out of countless accounts because you can’t remember which password you used… right? Not if you follow best practices! Following best practices sounds daunting at first, but there is an easy way that will actually make your life easier.
What are best password practices?
One of the biggest problems with passwords is that people tend to use the same password for everything. One of my favorite security researchers in the area of passwords and authentication is Troy Hunt (creator of https://haveibeenpwned.com – it’s a great resource… go check it out). Just yesterday he released findings showing that, in a recent breach with 2,232,284 testable passwords, 86% (1,910,144) of those passwords had already been compromised before the breach he was testing. This means that at least ~1,910,144 people probably use the same password for everything. Now that their password is compromised, all of their other accounts (including online banking) are probably compromised as well.
In addition to using unique passwords, using long passwords with special characters is also important. If a website or account stores your password correctly (as a salted, slow hash rather than in plain text), then even if they are breached, no one will be able to read your password right away. Instead, anyone who has access to the information would have to perform a “brute force attack” on the password field. This means trying every possible combination with automated software. By using long passwords and expanding the character set the attacker would need to search (which is done by mixing uppercase, lowercase, numbers, and symbols), you can add decades to the amount of time it would take to compromise your password.
Passwords alone shouldn’t be relied upon. Two factor authentication (2fa) helps solve many password problems. In addition to requiring a password, accounts with 2fa require something additional (usually a code from your phone) to log in. For a list of which sites support 2fa and instructions on how to set it up, look at https://twofactorauth.org/.
How can I easily follow best password practices?
This is an area that seems to be a fairly hot topic among security researchers. Many advocate for the use of pass-phrases, but most (myself included) recommend the use of a good password manager. By using a password manager (especially one that integrates with your web browser and phone), it becomes very easy to generate strong, random passwords for each account and website. Some (such as LastPass) even offer tools to help you automatically change your random password periodically on certain sites. Some password managers are local – this means that none of your information is stored on someone else’s computer (so it is less of a target), but you are responsible for maintaining backups and understanding how to use them. Some password managers are “cloud” based. This means that all of your passwords are stored on the password manager’s servers instead of your own computer. This makes it easier to use and less likely that disaster could strike and leave you without all of your passwords, but it also makes it a bigger target for potential attackers (since everyone’s passwords are stored in the same place). Luckily, if you are using an industry-standard password manager, all of your information should be heavily encrypted. This means that without your “master” password, the attacker would not be able to see your passwords even if they got a copy of the encrypted data.
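The two points above (a long random password from a large character set, and a site that stores it as a salted, slow hash) can be put into numbers. The following is an added example written for this post, not code from any password manager or from Troy Hunt; the 600,000 PBKDF2 iterations and the 10 billion guesses per second attacker rate are assumed values chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# Character sets discussed in the post: lowercase only versus the full
# mix of uppercase, lowercase, digits and symbols.
LOWER = string.ascii_lowercase
FULL = string.ascii_letters + string.digits + string.punctuation

# Assumed work factor for the example; tune to your own hardware/budget.
PBKDF2_ITERATIONS = 600_000


def generate_password(length=20, charset=FULL):
    """Random password from the OS CSPRNG (secrets), as a manager would do.
    Never use the `random` module for this: it is not cryptographically secure."""
    if length < 8:
        raise ValueError("password too short")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(length, charset_size):
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def years_to_exhaust(length, charset_size, guesses_per_sec):
    """Worst-case time to try every combination at the given guess rate."""
    seconds = charset_size ** length / guesses_per_sec
    return seconds / (365.25 * 24 * 3600)


def hash_password(password, salt=None):
    """'Storing the password correctly': unique salt plus a slow KDF, so a
    breached database cannot be reversed quickly. Returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate against a fast hash
    print("8 lowercase: %.1f bits, %.1e years" % (entropy_bits(8, 26), years_to_exhaust(8, 26, rate)))
    print("16 mixed:    %.1f bits, %.1e years" % (entropy_bits(16, 94), years_to_exhaust(16, 94, rate)))
```

Running it shows the gap the post describes: an 8-character lowercase password is exhausted in seconds at that rate, while a 16-character mixed password takes on the order of 1e14 years.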
What’s the bottom line?
At the end of the day, the best password manager (in my opinion) is the one that you will actually use. I hate the idea of writing down random passwords on a sheet of paper and manually typing them in on each site (not to mention that if someone breaks into your house they will have all of your passwords), but if that’s what you will use (and actually have different passwords on each site), then that’s the one you should use. My personal favorite is LastPass (cloud). It is easy to use, cheap, and the premium version syncs all of your accounts across all of your devices. There is also a history of them handling vulnerabilities properly (as I’ve said before, all software will have vulnerabilities; how the vulnerabilities are handled is more important than the fact that the software had a vulnerability in the first place). If you use a strong master password and enable two factor authentication, it is reasonably secure (sorry, I will never say that anything is 100% secure). Once most people get in the habit of actually using whatever password manager they choose, they often tell me that it was much easier than trying to remember which one of their common passwords they used on a specific site. If LastPass doesn’t work for you, other good alternatives are Dashlane (cloud), KeePass (local), and 1Password* (cloud).
*1Password does not offer two factor authentication, and there is a lot of debate around that (https://github.com/2factorauth/twofactorauth/pull/2048).