XMission's Company Journal

Sane Password Management

Do you have trouble remembering your passwords? Struggle to create a secure, new password when you have to sign-up at yet another new website? Get frustrated trying to correctly type secure passwords on your smartphone too? Follow along as I explain password security best practices for the non-mathematicians of the world.

While online security has never been so at risk and challenging as it is now, three basic rules can greatly help protect you:

  1. Avoid commonly used and poor passwords
  2. Use a unique secure password for every login and never re-use passwords
  3. Longer passwords are better than complex ones

Avoid commonly used and poor passwords
Forensic analysis of leaked password databases has shown that our attempts to formulate secure, easy-to-remember passwords are not as random as we might think. In fact, certain words and patterns are incredibly common, as any list of most-used passwords makes clear.

If you’ve tried to use popular passwords like these in recent years at any website that takes security seriously, you should have been denied and told that the password is on a blocklist. Why? Because hackers start by trying all of these popular passwords when seeking access to your accounts. Next, they use the dictionary. Then they might add a number to the end of dictionary words, and so on. Password cracking tools, in what is known as a “brute force attack,” go through a battery of techniques known to work, starting with the easiest tricks first. Password rule #1 is meant to protect you from the easiest cracking attacks, which is often as far as they’ll go before moving on to someone else.

Use unique, secure passwords
Why bother generating secure passwords for every single login you have if you created a fantastic long passphrase with over 80 bits of entropy? Because it might get compromised somewhere else that you use it. We have no control over how the entities we trust with a password will store and protect it. Unfortunately, many websites have been hacked and we can only assume this will continue. Although most sites don’t store passwords in plain text, many don’t salt and hash their password databases as well as they should. You don’t need to understand what that means, so let’s continue with the understanding that we don’t have full control over our own passwords once we’ve entered them somewhere.
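As an added illustration of the phrase “salt and hash” above (example code written for this page, not XMission’s or any website’s actual login code), here is a minimal Python comparison of a bare hash with a salted, deliberately slow hash. The scrypt work factors are an assumption chosen for the demo, and the two sample users are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt work factors (assumption: a reasonable interactive-login setting; raise N as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare SHA-256. Two users with the same password get the same
    hash, so one precomputed table of common passwords cracks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Returns 'salt$digest' (both hex) so the salt is stored beside the hash."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample "user database" with two people who chose the same password.
    users = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}
    print("unsalted:", {u: unsalted_hash(p)[:16] for u, p in users.items()})   # identical
    stored = {u: hash_password(p) for u, p in users.items()}
    print("salted:  ", {u: h.split("$")[1][:16] for u, h in stored.items()})  # differ
    print(verify_password("correct horse battery staple", stored["alice"]))  # True
    print(verify_password("Correct horse battery staple", stored["alice"]))  # False
```

The point a breached site learns too late: with the unsalted scheme, alice and bob share one hash and one leaked table reveals both; with a per-user salt and a slow function, every account must be attacked separately and each guess costs real CPU time.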

Our passwords can also be stolen from us in other clever ways. For example, the secure wifi at the airport you used wasn’t what it looked like at all and a hacker now has your Facebook login, which also happens to be your email password. Now they have access to both accounts and start using the password reset via email option so many websites still provide. Think the security questions will help much when they already have access to your Facebook account? Birthday? Mother’s maiden name? No problem…

Longer passwords are better
Although a complex password that doesn’t resemble a word and includes numbers and special characters is significantly harder to crack than a dictionary word, such passwords are incredibly hard for humans to remember so they’re entirely unreasonable if we’re serious about using a unique password for every login. Fortunately, stringing multiple words together creates passwords that are both easy to remember while also reasonably secure. Web comic xkcd explains this very well.

To put this another way, bad operators use computers to crack passwords, and the strength of a password is typically measured in bits of entropy: the higher the value, the more secure the password. I’ve already mentioned entropy, so let me explain its relevance to password security. For example, “password123” has an entropy of 41 bits, but the passphrase “hipsterremarkableflavorbumpkin” (four words, all lower case, no special characters) clocks in at a whopping 114 bits. Note that the number of guesses an attacker needs doubles with each additional bit, so the difficulty climbs a steep exponential curve. For instance, at a brute force attack rate of 1 million guesses per second, “password123” could be cracked in 18 minutes, whereas it would take 658 quadrillion years to crack the other. Check out password strength for fun, although I don’t recommend you test actual passwords you’re using via that tool.
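To make the entropy arithmetic concrete, here is an added Python example (not the strength tool the article links, which uses its own per-character scoring) that estimates bits for two password shapes and converts them to worst-case search time at the article’s one-million-guesses-per-second rate. It also generates a random passphrase the way a password manager would. The word list is a constructed 16-word stand-in for a real Diceware-style list, and the guess rate is an assumption.

```python
import math
import secrets

# Guess rate used by the article's example (assumption: one attacker at this fixed rate).
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed, deliberately tiny word list for the demo; a real passphrase generator draws
# from a published list such as the 7,776-word EFF/Diceware lists.
DEMO_WORDS = [
    "hipster", "remarkable", "flavor", "bumpkin", "copper", "lantern", "velvet", "orbit",
    "thistle", "harbor", "quartz", "meadow", "saddle", "tundra", "walnut", "zephyr",
]


def character_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from an alphabet, e.g. 8 random lowercase letters."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of N words drawn uniformly (with replacement) from a list of the given size."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility: 2**bits guesses at the given rate."""
    return 2.0 ** bits / rate


def humanize(seconds: float) -> str:
    """Render a duration at a scale a reader can grasp."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def generate_passphrase(word_count: int, words=DEMO_WORDS) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random, so every choice is uniform."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for label, bits in [
        ("8 random lowercase letters", character_password_bits(8, 26)),
        ("10 random printable ASCII", character_password_bits(10, 95)),
        ("4 words from a 7,776-word list", passphrase_bits(4, 7776)),
        ("6 words from a 7,776-word list", passphrase_bits(6, 7776)),
    ]:
        print(f"{label:32s} {bits:6.1f} bits  {humanize(seconds_to_exhaust(bits))}")
    # One extra bit always doubles the search, whatever the starting point.
    print("doubling check:", seconds_to_exhaust(41) * 2 == seconds_to_exhaust(42))
    print("sample passphrase (demo list):", generate_passphrase(4))
```

Two things worth noticing when you run it: the passphrase entropy depends only on how many words you pick and how long the list is, not on how clever the words look, and adding a fifth or sixth word buys far more than sprinkling in a digit or symbol.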

Password managers
Since password best practices call for using a unique password for each login, exactly how can you accomplish such a feat even if you switch from complex non-words to a string of random words? I strongly recommend a password manager and there are many you can choose from. Which one you choose should factor in security and ease of use across all of your devices. We all use smartphones these days so make sure it works on that device and I’d strongly encourage you to pick one that auto-fills your forms. I like the features and functionality of LastPass for all of the reasons I mention above. My password manager reauthenticates on my smartphone via my fingerprint so even if I lose the phone and the thief somehow unlocks my phone they don’t have access to my passwords. While you can securely store your passwords in an encrypted text file that’s password protected, for example, a password manager makes things much easier, which helps you easily follow best practices.

Multi-factor authentication
Also known as 2FA (two-factor authentication), multi-factor authentication can provide greater security than a password alone. For example, Google Authenticator provides a solution that is easy to set up and use and is available for both Android and iPhone/iPad. In this case a 2-step verification process includes receiving a notice on your smartphone requesting permission to access your Google account. After authenticating you only need to re-verify when logging back in, so it’s not a significant hassle. Other services can use Google Authenticator as well, including XMission’s Zimbra hosted email per these instructions.

Out-of-band verification solutions like this require someone not only to know your password but to have access to your smartphone as well. Although highly skilled and motivated hackers can potentially find a way around many out-of-band verifiers, they’ll likely only bother if you have a million dollars’ worth of bitcoin available if they succeed. Password resetting via email or, even worse, by answering simple identity questions like your mother’s maiden name or the last four digits of your Social Security number, are horrible solutions in comparison.

Sane passwords and peace of mind
After reading this article, I hope the road ahead is clear and less frustrating for you. If you want to drown yourself in password security for a few hours, you can’t do better than NIST’s Digital Identity Guidelines or this much shorter summary of them.

Otherwise, let’s summarize some things in conclusion. Get a password manager and set a secure and unique password for each website you log in to. Choose a password manager that can generate the passwords for you to simplify things even further. For any logins that require you to memorize a password, like logging into your computer, string together three or four random words. In some cases you might want to reset your password every year or so, but that’s easy with a password manager too. Really, that’s it, aside from using common sense like avoiding sharing passwords via email and instead encrypting them using something like XMission’s free self-destructing notes tool.



One thought on “Sane Password Management”

  • Alison Brown says:

    Thank you for writing this common sense guide to creating and storing passwords. I’ve been guilty of creating terrible passwords and reusing them. I’m going to take this advice and get on Lastpass today!