“Locked Padlock” by Twjst is licensed under CC BY-NC-ND 2.0
Troy Hunt posted an article on poor password protection practices (try saying that five times fast), resulting from an analysis of a major corporate data breach. Some of the highlights were:
- 93% of passwords are only 6 to 10 characters long
- Two-thirds of passwords are reused across different services
- Over a third of passwords can be found in a common dictionary
This is bad news for two reasons:
- Lots of passwords are easy to guess
- If an attacker guesses a password, chances are they can use the same password to access other services
The key is to use passwords that are long, complex, and difficult to guess. The challenge, of course, is that the harder a password is to guess, the harder it is for us to remember.
The Risks of Poor Password Hygiene
Like it or not, passwords are a necessity. Since the early days of computing, passwords have been the de facto method for authenticating users. And for the past several decades, IT administrators and security experts have been bashing us users over the head about the importance of password security.
If you work in any kind of computer-driven environment, you’ve probably heard it all before.
- “Use at least 8 characters.”
- “Use at least one number or special character.”
- “Never use the same password twice.”
- “Don’t use personal information, like your spouse’s name or your goldfish’s birthday.”
And if these weren’t enough rules, corporate IT environments might force you to repeat this process every 30 to 90 days.
But it’s not just users who are stressed out about passwords. With a seemingly constant stream of data breaches affecting everyone from individual consumers to multi-national corporations, password theft is a serious threat. Websites like Have I Been Pwned exist for the sole purpose of telling you whether a password has been exposed in a breach. If your password is one of the 11 gigabytes worth of passwords breached so far, some of your accounts may already be compromised.
“Ok,” you may be thinking, “my password is on the list, but if I just change a letter or add a number at the end, my account will be safe again!” And that’s a perfectly reasonable assumption, but it underestimates the tenacity of hackers. Hackers are clever people, and they know that most people will use tricks like substituting letters with numbers, capitalizing certain letters, or adding a phrase to the end to build off of an existing password. So while replacing “o” with “0” might thwart some bad guys, it’s only a matter of time before a sufficiently motivated one cracks your code.
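Why the "change a letter" trick fails can be shown from the defender's side. The following is an added example, not code from the original article: it reduces a password to the simpler forms it was probably built from and checks each one against a small constructed breach list, using the hash-prefix lookup shape of Have I Been Pwned's Pwned Passwords range query. The sample passwords, their counts, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed sample of breached passwords with made-up counts; a real check
# would query an actual breach corpus instead of this dictionary.
BREACHED = {"password": 1000, "monkey": 500, "letmein": 250}
_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper(): n
           for p, n in BREACHED.items()}

# Undo common swaps: 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i
LEET = str.maketrans("013457@$!", "oleastasi")

def range_lookup(prefix):
    """Local stand-in for a range query: returns 'SUFFIX:COUNT' lines."""
    return "\n".join(f"{h[5:]}:{n}" for h, n in _HASHES.items()
                     if h.startswith(prefix))

def breach_count(password):
    """Only the first 5 hex characters of the SHA-1 hash leave this function."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0

def base_forms(password):
    """The password plus the simpler forms it was probably built from."""
    forms = {password, password.lower()}
    # Drop the digits and symbols people append to an old password.
    forms.add(password.lower().rstrip("0123456789!@#$%^&*?."))
    forms.update(f.translate(LEET) for f in list(forms))
    return {f for f in forms if f}

def check(password):
    """Return (base_form, count) for the most-breached form, or None."""
    hits = [(f, breach_count(f)) for f in base_forms(password)]
    hits = [h for h in hits if h[1] > 0]
    return max(hits, key=lambda h: h[1]) if hits else None

if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "M0nkey!", "vT9#qLx2&hB7zKd"):
        print(candidate, "->", check(candidate))
```

A password that reduces to a breached base form should be rejected at signup or password change, however many characters were swapped or appended.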
How Password Managers Help
Let’s face it, humans are bad at security. We’re just too predictable, and security is built on unpredictability and randomness. Computers might not be perfectly random, but they have the benefit of speed.
Password managers are programs that let you store usernames, passwords, and other sensitive data digitally. You can store any form of identification – bank account passwords, social media passwords, email passwords, etc. – in the password manager, and in some cases, even generate new passwords. When you need to authenticate with an app or website, simply copy your password from the password manager. Some password managers can integrate with web browsers and mobile apps to automatically insert your username and password when they’re needed.
Password managers store passwords in a file called a vault. Vaults are encrypted, meaning they’re unreadable to other users, apps, and processes. Typically, a password manager encrypts a vault using a master password. Think of it like a safe: you put your usernames, passwords, security questions, and other sensitive info into the safe, then lock the door with a combination or key. Now, you only need the combination or key to the safe to gain access to all of your data.
Isn’t One ‘Master Password’ Less Secure?
You might think that using a single password to access all of your passwords is a huge security risk. And you’re right: If your vault ever gets breached, it’s game over. That’s why protecting access to your vault is an absolute necessity. Master passwords should be:
- Very long: As long as you can reasonably track, without being so long that you’ll forget it.
- Hard to guess: No pet names, birthdays, common words, or other bits of text that can be easily guessed by a dedicated attacker.
- Unique: Never reuse old passwords, even if you tweak them.
- Secret: Don’t share your vault password with anyone. Not your parents, your S.O., or even your dog.
Some password managers allow multiple forms of authentication. The most common is a key file, which is a file stored on your PC that the password manager checks for when unlocking the vault. If someone copies your vault to a computer that doesn’t have the key file (or a copy) stored on it, the vault won’t open even with the right password. Using multiple forms of authentication provides a much more secure foundation than just using a password.
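How a key file acts as a second factor, shown as an added sketch that is not KeePass's code or file format: both factors are hashed into one secret before the vault key is derived, so the right password alone produces the wrong key. The function names, the header label, and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 600_000  # slow on purpose: every guess costs an attacker this much work

def composite_secret(master_password, key_file_bytes=None):
    """Hash each factor separately, then hash the concatenation."""
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        parts += hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(parts).digest()

def derive_vault_key(master_password, key_file_bytes, salt):
    """Stretch the combined secret into a 32-byte vault key."""
    secret = composite_secret(master_password, key_file_bytes)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def seal_header(vault_key):
    """Tag stored beside the vault so an unlock attempt can be verified.
    The label b"vault-header-v1" is a hypothetical placeholder."""
    return hmac.new(vault_key, b"vault-header-v1", hashlib.sha256).digest()

def try_unlock(master_password, key_file_bytes, salt, stored_tag):
    """True only when every factor matches what sealed the vault."""
    key = derive_vault_key(master_password, key_file_bytes, salt)
    return hmac.compare_digest(seal_header(key), stored_tag)

if __name__ == "__main__":
    # Constructed inputs; a real salt and key file come from a secure random source.
    salt = bytes(16)
    key_file = b"constructed key file contents"
    password = "correct horse battery staple"
    tag = seal_header(derive_vault_key(password, key_file, salt))
    print("password + key file:", try_unlock(password, key_file, salt, tag))
    print("password only:      ", try_unlock(password, None, salt, tag))
```

The copied vault and the correct password fail together here for the reason the paragraph gives: the key file never left the original machine. It also shows why losing the key file locks out its owner just as completely.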
Great, How Do I Get Started?
There are many different password managers (and types of password managers) out there. Many are free, some are subscription-based, and others already come built into your devices and applications. My personal choice is KeePass, but there are others that I’ll list below.
KeePass
KeePass is a popular open source password manager that’s also my personal choice. It runs locally on a device and stores passwords in a single encrypted file. You can copy this file to other devices, or sync it using a file sharing service like Dropbox, iCloud, or OneDrive.
Getting started with KeePass can be confusing. There are two main editions (1.X and 2.X) and dozens of unofficial ports, all of which have different features and varying degrees of compatibility with the main editions. My recommendation is to use KeePass 2.X for Windows, KeePassXC for Linux and Mac, and KeePass2Android for Android.
Upsides
- Runs on almost any device
- Supports master passwords, key files, Windows authentication, and combining multiple authentication methods
- Protects passwords in memory and on disk so they’re never fully revealed
Downsides
- Can be confusing, especially for non-technical users
- Local to each device. If you want to sync passwords across devices, you’ll have to set that up yourself
- Easy to lock yourself out if you’re not careful
Other Popular Options
Other popular options include 1Password, LastPass, and Bitwarden. These solutions share a common benefit: online accounts. Instead of having to lug around a password file like with KeePass, these services automatically sync passwords across your different devices. It’s a much easier, more user-friendly approach, but it does mean trusting a third party to keep your passwords safe.
No matter which approach you use, unique and secure passwords are now a necessity. And until we can find a better authentication method, passwords are here to stay. Start by trying a free solution like Bitwarden or KeePass, and see how password managers can make your online experience both easier and safer.