World Password Day was last week...

10 May 2022

You may have seen that the 5th of May is “World Password Day.” Chances are this completely passed you by. I’m reasonably interested in computer security and it barely registered on my radar. A coupon to save 20% on LastPass arrived in my e-mail, and I read a blog from Microsoft about the inevitable death of the password. Perhaps in the future we really won’t be using passwords any more, and maybe that future isn’t all that far away. But what can we do today to make our online lives more secure?

What makes a good password?

Over the years there have been many different schools of thought on this question, and it can be very difficult to understand how exactly a good password should be made. Much of the advice you will find is outdated, and many techniques that were encouraged in the past are no longer considered good practice. I am going to advocate for just three principles that I think we should all use for all our passwords.

  • Passwords should be unique.
  • Passwords should be as long as practical.
  • Passwords should be randomly generated.

You should never use the same password for multiple services. This limits the impact of one of your passwords becoming compromised to just that service, and your other services likely remain secure. Consider the scenario where you have used the same password everywhere. Chances are you have also used the same e-mail address as well. Now if a less secure service gets compromised and your password becomes known to attackers, it can potentially be used to log in to the other services you use as well. Attackers will attempt to log in to common services with your compromised e-mail address and password. If you had used a different password for each service, those attempts would be in vain.
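The practical check that follows from this is to audit your own vault for reuse. The script below is an added example, not part of the original post and not a feature of any particular password manager: it reads a small CSV in the shape most managers export (the column names `name`, `login_username` and `login_password` are an assumption for this example; real exports differ between products), groups entries by password, and reports every password that more than one service shares. The sample export is constructed for the example.

```python
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export. The column names are an
# assumption for this example; real products use their own export formats.
SAMPLE_EXPORT = """name,login_username,login_password
Webmail,alice@example.com,Tr0ub4dor&3
Shopping site,alice@example.com,Tr0ub4dor&3
Forum,alice,Tr0ub4dor&3
Bank,alice@example.com,x7#Qp9!vLm2$wRt8
"""


def find_reused_passwords(csv_text: str) -> dict[str, list[str]]:
    """Group vault entries by password and keep only passwords used by more than one service.

    Returns a mapping from the reused password to the names of the services that share it.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("login_password", "")
        if password:  # entries without a password (notes, cards) are not relevant here
            by_password[password].append(row["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def reuse_report(csv_text: str) -> list[str]:
    """One human-readable line per reused password; the password itself is never echoed."""
    return [
        f"one password is shared by {len(names)} services: {', '.join(names)}"
        for names in find_reused_passwords(csv_text).values()
    ]


if __name__ == "__main__":
    for line in reuse_report(SAMPLE_EXPORT):
        print(line)
```

On the constructed sample this reports a single password shared by Webmail, Shopping site and Forum, while the bank entry, which has its own password, is left out. The report deliberately prints service names rather than passwords, so it can be safely kept or shared while you work through changing them.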

Password length is almost certainly the most important factor when creating a secure password. Every extra character multiplies the number of combinations that an attacker has to consider to find your password. There is a great visualization of this over at security.org. Their tool suggests a randomly generated 6 character password could be cracked by a computer in about 5 seconds. 7 characters takes that up to 22 seconds. However 8 characters takes it up to about 8 hours and 10 characters takes it up to 5 years. The minimum password length I would advocate for is 16 characters, which comes out to 1 trillion years. The numbers from here on out get even more unfathomable, but hopefully this illustrates the point that a suitably long password has so many combinations that it is effectively impossible to guess.
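The multiplication behind those figures is easy to make concrete. The following is an added example, not code from the post or from security.org's tool: it computes the search space and the equivalent bits of entropy for a uniformly random password over a given alphabet, and the worst-case time to try every candidate at an assumed guess rate. The rate of 10^11 guesses per second is an assumption picked for the example (roughly a well-equipped offline attacker against a fast hash); the 94-symbol alphabet is the printable ASCII characters on a US keyboard.

```python
import math

# Assumption for this example only: guesses per second available to an offline
# attacker against a fast, unsalted hash. Not a figure from the post or security.org.
ASSUMED_GUESSES_PER_SECOND = 1e11

PRINTABLE_ASCII = 94  # 26 lower + 26 upper + 10 digits + 32 punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password in bits: log2 of its search space."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the assumed rate (expected time is half)."""
    seconds = search_space(alphabet_size, length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def growth_table(alphabet_size: int = PRINTABLE_ASCII,
                 lengths=(6, 7, 8, 10, 16)) -> dict:
    """Map each length to (combinations, bits, years) so the per-character jump is visible."""
    return {
        n: (search_space(alphabet_size, n),
            entropy_bits(alphabet_size, n),
            years_to_exhaust(alphabet_size, n))
        for n in lengths
    }


if __name__ == "__main__":
    for n, (combos, bits, years) in growth_table().items():
        print(f"{n:2d} chars: {combos:.3e} combinations, {bits:5.1f} bits, {years:.3e} years")
```

Each added character multiplies the search space by the alphabet size, so going from 10 to 16 characters multiplies the attacker's work by 94^6, whatever guess rate you assume. Changing `ASSUMED_GUESSES_PER_SECOND` shifts every row by the same factor but never changes those ratios, which is why length dominates the estimate.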

So, if a password is long, why should it matter if it is randomly generated? It is true that this is likely the least important of these three principles. However, being randomly generated eliminates the use of any pattern, however obscure it may be. Attackers can craft their attacks to test the common patterns that people use, drastically reducing the time it takes to crack a password. Using a randomly generated password automatically avoids relying on a weak pattern by accident.

However at this point we have created a problem for ourselves. Most of us these days likely have hundreds, maybe even thousands, of services we have to log in to. How is anyone supposed to remember hundreds of 16+ character long passwords that look like your keyboard was sick all over the screen? Well, you aren’t…

Password Managers.

You could store all of those passwords in a notebook in your desk drawer. Especially if you can lock the drawer, that would be a pretty good solution. For sure it is not perfect: an adversary could break in, or a curious family member or visitor could prise the key from your hand while you are sleeping like in a cartoon, but it’s far out of reach of the remote hacker. Perhaps the biggest drawback is that this solution isn’t very convenient. What if you are away from home, or you spill your drink while typing a password in? Password managers provide a secure and convenient place to store all your passwords. Most modern services allow you to access your passwords from anywhere, have apps for your smartphone and plugins for browsers to automatically type your password in for you. It is very rare that I have to type a password in myself; for most services I can rely on the auto-fill functionality of my password manager or simply copy and paste the password in.

There are many great choices out there for a password manager. Some, like my choice Bitwarden, are even free. The main aspects I wanted in a password manager were the ability to use both a mobile app, and browser plugin while also being able to log into the website to access the vault from there too. This means I can access my passwords securely and conveniently wherever I am.

Creating a new account at your password manager is as easy as signing up for any other service. But it will present you with a bit of a “chicken and egg” problem: you will need a password for the password manager. You will likely have to compromise here, as you will want to make this password possible to remember. Consider a technique to generate a memorable password that is still long, like the “correct horse battery staple” method of putting four or five random words together. I won’t go into detail on how to set up and use a password manager, because this could change and each product will almost certainly have its own documentation on how to get started with all of its features. It should be an easy journey; perhaps set yourself a goal of changing your password every time you type one in and adding the new password to your vault. Most password managers include the ability to generate random passwords as well, but there are also websites that can help, like passwordsgenerator.net.
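For readers who want to see what a generator has to get right, here is an added example that is not part of the post and not the generator of any product mentioned in it. It produces both kinds of password discussed above: a random string of printable characters for the vault, and a “correct horse battery staple” style passphrase for the master password. Two details matter and are easy to get wrong. Randomness must come from the operating system's cryptographic source (Python's `secrets`, never the `random` module, which is predictable), and a passphrase is only as strong as the size of the list the words are drawn from. The 16-word list here is constructed so the example runs offline; with it each word adds only 4 bits, whereas a real Diceware-sized list of 7776 words adds about 12.9 bits per word.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list so the example runs offline.
# A real passphrase list (for example Diceware) has 7776 words; with only 16
# words each pick contributes just 4 bits, which is why list size matters.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "velvet",
    "pencil", "thunder", "island", "marble", "copper", "window", "garden", "falcon",
]

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Uniformly random password drawn with the OS CSPRNG via `secrets`."""
    if length < 1:
        raise ValueError("length must be positive")
    # secrets.choice is unbiased for any alphabet size, unlike random.choice
    # seeded from a predictable state.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 5, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Memorable passphrase: words drawn independently and with replacement."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices among `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print("vault password:", random_password(20))
    print("master passphrase:", passphrase(5))
    print(f"5 words from {len(SAMPLE_WORDS)} -> {bits(len(SAMPLE_WORDS), 5):.1f} bits")
    print(f"5 words from 7776 -> {bits(7776, 5):.1f} bits")
```

Drawing words with replacement (the same word may appear twice) keeps every pick independent, which is what makes the entropy arithmetic valid; a generator that refuses repeats is slightly weaker, not stronger. The separator is cosmetic and adds nothing to the strength.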

What next?

If you’ve got this far and everything you log in to has a unique and secure password, you have come a long way. Logging into the services you use is likely more convenient as well as more secure. However there is more you can do, especially for very sensitive services like your brand new password manager, e-mail and social media accounts. You might be wondering how you can protect your accounts if your password manager is compromised. For that problem you will need two factor authentication. It’s generally easy to set up and use, and I’ll get into that next time.

In the meantime, the UK’s National Cyber Security Centre has a great page with some helpful explanations of how to make your online life more secure.