Passwords and Password Managers
Passwords. Easily the most susceptible element of our privacy and protecting ourselves and our information.
Here’s the problem, incredibly well captured by XKCD:
There’s a whole long backstory, but the TL;DR is that for a long while there was thinking that “complex” passwords were the best form of security, largely because at that point in time, the compute power required to “crack” those passwords was difficult to come by. Fast forward to today and your average complex password has zero chance against a standard desktop class machine never mind some actual high powered compute resource, and the worst part is that this has led to humans choosing repeatable and easily guessed variations of passwords … incrementing numbers, replacing letters with numbers or symbols … all pointless exercises as the Bad Actors know you do this and simply include that variation.
So what IS the answer? It’s actually quite simple … random groupings of words or a Pass Phrase. (For my security nerds, yes “no passwords” is even better, and we’ll get there!)
The key to passwords being as secure as we can make them is
- making them long and
- storing them safely
Here’s the reality … which of these is a better password?
- bacon connect frypan eggs omelette
The first is what many corporate password policies and sadly websites like banks make you create and use. The second is more secure and easier to remember.
Why? Isn’t the second one bad because it’s plain words in just lowercase letters? Well, it’s because of the math. Like the XKCD comic shows, it’s about entropy, or “how many permutations” exist. The first password is 19, the second 34. Even with a dictionary attack, there’s still 5 words to get in the right order from a pool of 470,000ish words, and that’s just English.
So, when you are creating passwords, use a pass phrase, preferably with 4-6 words that you can remember the topic or theme of.
Password Managers. Put simply, these are a way to safely store passwords, and allow you to generate unique and long passwords for each site or app you use. The way they work is you have a Master Password (one like we discussed above) to unlock the vault, and then you can either copy of the impossible to remember password you set or use the autofill options. Because the password manager creates stupidly long passwords, and it’s easy to have a unique one for each site/app you use, you don’t have to remember anything except that master passphrase, and if a site/app has a breach, you haven’t reused the same password everywhere so the bad actors can’t replay it.
I use 1Password, with a family pass so everyone can have their own vault, and we have a shared family one with things we all use. There are a few options out there, I have tried several of them and find 1Password to be that blend of usable and secure when configured correctly (good master passwords and MFA enabled).
Summary. You store so many things of great importance, from finances to medical information to healthcare, take the time to set good passphrases and use a password manager.
(next up I’ll tackle passwordless or “no passwords” and how that all works).