Password Safety
One of the first things most people think about when it comes to online safety is their password. We all know that passwords are to our online accounts what keys are to our locks. Would you use the same key for your house, your car, your office and your safety deposit box? And if you did, what would happen if a bad guy got a copy? They'd have access to everything. With so much of our personal, confidential, financial and medical information accessible from our various accounts, what can we do to make things as safe as possible?
For me personally, I employ and advise a three-faceted approach:
- Complex passwords
- Unique passwords
- Two-step authentication (where available)
Clearly the solution is to use a unique password for each account and make each one complicated enough that an attacker couldn't guess it or crack it in any useful amount of time. One problem this presents to general users is the inconvenience and difficulty of remembering these passwords or storing them securely.
My recommendation is to use a password manager such as LastPass. Applications like LastPass let you store all your passwords in an encrypted "vault" and then retrieve them through browser add-ons or the standalone program. They also have built-in features that generate secure passwords of any length or complexity.
When using a password manager, all you have to remember is your master password. When you sign in, the manager can then decrypt all your saved passwords and let you use them. When I sign up for a website I use LastPass to generate the longest and most complex password supported by the site. It gets stored in my vault safely for later use.
There are various options online to choose from and I suggest you do some research and try a few different ones to see what is comfortable for you. One thing to consider when using a password manager is that the master password is your single point of failure and should be a long and complex password that you don't use ANYWHERE else.
If you're wondering how to come up with a secure password that you can remember there are various strategies online, but I follow this:
Take a poem, song lyrics or phrase that is easy for you to remember.
For this example I'll use the phrase: "The stars at night are big and bright. Deep in the heart of Texas."
Then I take the first letters from each word: TsanababdithoT
Then swap out the vowels (and a look-alike letter or two) for numbers/special characters: T5@n@b@bd1th0T
I checked that password on RoboForm's Password Strength Checker (link deprecated), and got the following results:
Estimated Time To Crack: Billions of Years
Recommendations: Good Job! All Character Types In Use.
Strength Evaluation: Strong
Score: 89
Length of Password: 14
Attempts Per Second: 100,000
And that's just one example of a very secure password that I thought up in a few seconds and probably won't ever forget.
Another very important recommendation I want to touch on in this post is using two-step authentication. I use it for all accounts that offer it, and it's very easy to set up and use. It works in tandem with an application on my mobile device called Google Authenticator, available for Android and iOS. After you install the app, you access the security settings for the account you want to protect and register it with your device.
What it does is provide a "second" password when logging in that is only used once. When you log in, the site prompts for the two-step authentication code; you then open the Google Authenticator app and the code for the session is listed there. The codes are only valid for a short time and are constantly changing.
Here's a list of sites that support Google Authenticator.
A few closing thoughts:
Some information security professionals see a password manager as insecure due to it being a single point of failure. I can understand this and would respond that although this might be true, having a complex master password (mine is 25 characters) and using the manager in conjunction with two-step authentication makes it a pretty safe and solid system. And even if there is a breach, none of my passwords are the same and changing them is incredibly fast and easy with a manager.
Also, I usually don't recommend keeping hard copies of passwords, but if you can guarantee the physical security of your password list, this in my opinion is preferable to using the same, insecure password for all your accounts.
If you have any specific questions or ideas for future posts, please send them to opensourcesec@protonmail.com. Thanks for reading. Stay safe.