Passwords

"I think the best advice here is to shift your thinking from passwords to passphrases." If you've been on the internet for any meaningful amount of time, then it is very likely that passwords are the bane of your existence. It seems that every website and service wants you to register an account, even for the most inane things, and a large reason for that is the ability to log your activity against your account, which makes the service more attractive to advertisers.

Unless you've thought about this before, you likely have one or two decent-ish passwords that you reuse across all the websites and services. At most, you might have a system that you follow which allows you to slightly modify the password per site (for example, appending the first three letters of the website's domain to the end of the password). You probably find yourself clicking the 'Forgotten password?' link all the time for almost every account you don't log into daily.

Surely there must be a better way...

There is, but it will involve a change to some of your habits.

Why password reuse is a problem
You might be wondering why reusing passwords is such a problem. Surely there is no problem, since you keep the password secret, and it's not like the websites you use can tell the password is being reused.

Well, the crux of the issue is that websites and services have varying degrees of attention to security and commitment to your privacy, and sooner or later one of your accounts will get hacked and its login data will be leaked publicly. If you're reusing passwords, that means the login details for all your accounts are now public. Criminals, of course, know that people reuse passwords, so they will try the same combination on your email provider's site or your bank (this is known as credential stuffing). This is how an irrelevant website you used once 10 years ago getting hacked can lead to your email being hacked, and since for most people email is their identity anchor, they are now completely compromised.

The solution to this is to use a unique password for every website you use. In that case, a criminal attempting to perform credential stuffing will get nowhere since they only know the password to the account that was hacked.
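Added example (not from the original page): haveibeenpwned.com, the site this page later recommends for breach alerts, also runs a Pwned Passwords service that lets you check whether a password already appears in leaked breach data without disclosing it, because only the first five hex characters of its SHA-1 hash are sent and the match is made on your own device (k-anonymity). The network call is replaced here with an offline stand-in built from a constructed corpus, so the counts are made up; the response format mirrors the real endpoint.

```python
import hashlib

# Constructed breach corpus standing in for the real Pwned Passwords data:
# password -> number of times seen in breaches. The counts are made up.
CONSTRUCTED_CORPUS = {"password": 123, "correct horse battery staple": 4}


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_lookup(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns '<suffix>:<count>' lines for every corpus entry sharing the prefix,
    plus one constructed filler line, in the same shape as a real response."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("F" * 35 + ":1")  # constructed filler entry
    return "\r\n".join(lines)


def parse_range_response(text):
    """Parse the response body into {suffix: count}, ignoring malformed lines."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_lookup=fake_range_lookup):
    """How many times the password appears in the corpus; only the 5-char
    hash prefix is ever handed to the lookup function."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple", "7#qL!vz2Pm9w"):
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

Swapping `fake_range_lookup` for a function that performs the real HTTP GET turns this into a live check that still never transmits the password itself.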

=Easy wins=

At minimum
The following guidelines should be kept in mind when choosing passwords, at minimum:
 * length is the most important aspect - because modern password crackers have access to incredibly powerful hardware that can literally try every possible combination of shorter passwords, your password should be at least 8 characters long
 * 8 characters really is the bare minimum - because the difficulty of cracking your password rises exponentially with each character, the best way to make your password better is to make it longer; don't treat 8 characters as a target, and make the passwords for important accounts longer.
 * avoid using common words, phrases and character combinations - you are not the only person to think it's really clever to make your password the word 'password', you are not the only person who's frustrated enough that using 'ihatepasswords' helps you blow off some steam, you are not the only person whose dog is called Max, and you are not the first person to notice that the characters QWERTY sit next to each other on a standard keyboard; hackers know all those tricks and will use them against you in a dictionary attack.
 * see List of the most common passwords
 * do not use any bit of information which you've posted online before - while you may not be surprised that a site called advocates not posting stuff about yourself online in the first place, if you've already done that, none of the info should be used in a password. Do not include your birthday, your home town, or the favourite team you post about all the time. Hackers may gather this info, so-called OSINT, and leverage it against you
 * don't needlessly change good passwords - once you take the advice from this guide and have established better password practices, don't needlessly change good passwords that haven't been compromised. Research shows that people who are forced to change passwords forget them more often, and almost always change them to weaker passwords to make them more memorable. Commit to remembering one, or a few, really good passwords (more on that in the password manager section) rather than remembering many terrible ones.

Use a system
There exist password generation systems which can give you a method of coming up with strong and memorable passwords.

xkcd
Randall Munroe of xkcd fame suggests a system of stringing together 4 random everyday words.

Of course, this means that you can't use the actual combination of 'correct-horse-battery-staple' as your password (nor 'hunter2').

Diceware
One of the valid criticisms of the above method is that people are really bad at selecting random words. Diceware is a system which makes the selection actually random, and yet produces memorable passwords.

The system is explained in detail on the author's website, but the basic gist is that you roll a fair die 5 times to generate a random number, and then look up the number on a list of pre-defined words. You do this until you have, at minimum, 3 to 4 words. Then you put a space between those words, and that's your password. A more accessible video version from University of Nottingham's Dr Michael Pound is embedded below.
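As an added example (not from the page or from Diceware's author), here is the roll-and-look-up procedure just described, plus the entropy arithmetic behind the 'length matters most' point from the list above. The word list here is a constructed stand-in of placeholder tokens, since the real list has 7776 words; the entropy figures depend only on the list size, not on the words themselves.

```python
import itertools
import math
import secrets

# Diceware keys are five dice faces (1-6), so a complete list has 6**5 entries.
DICE_FACES = "123456"
KEY_LENGTH = 5
LIST_SIZE = len(DICE_FACES) ** KEY_LENGTH  # 7776


def roll_key():
    """Roll a fair die five times using the OS CSPRNG; returns e.g. '36254'."""
    return "".join(secrets.choice(DICE_FACES) for _ in range(KEY_LENGTH))


def parse_wordlist(text):
    """Parse the Diceware list format: one '<key> <word>' per line."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        key, word = parts
        if len(key) == KEY_LENGTH and all(c in DICE_FACES for c in key):
            words[key] = word
    return words


def passphrase(words, n_words=4, separator=" "):
    """Roll one key per word and look it up; every key must resolve."""
    if len(words) != LIST_SIZE:
        raise ValueError(f"word list has {len(words)} entries, expected {LIST_SIZE}")
    return separator.join(words[roll_key()] for _ in range(n_words))


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


# Constructed stand-in for the real list: every key maps to a placeholder token
# so the generator runs offline. Use the real Diceware list in practice.
SAMPLE_LIST = parse_wordlist("\n".join(
    f"{k}\tw{k}" for k in map("".join, itertools.product(DICE_FACES, repeat=KEY_LENGTH))))

if __name__ == "__main__":
    print(passphrase(SAMPLE_LIST, 4))
    print(f"4 Diceware words:    {entropy_bits(LIST_SIZE, 4):.1f} bits")
    print(f"5 Diceware words:    {entropy_bits(LIST_SIZE, 5):.1f} bits")
    print(f"8 random lowercase:  {entropy_bits(26, 8):.1f} bits")
    print(f"12 random lowercase: {entropy_bits(26, 12):.1f} bits")
```

Each extra word adds about 12.9 bits, each extra random lowercase character about 4.7, which is the exponential growth the guidelines above rely on; a human-chosen 8-character password has far less than the 37.6 bits of a uniformly random one.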

Sign up for breach alerts
Security researcher Troy Hunt maintains a website which compiles data from known public breaches and makes it easy for you to search for your email address (or phone number) among this data. This will give you an idea of how many of the accounts you've used in the past got hacked, as it is safe to assume that if you get any hits here, the username and password for the given account at the time of the breach are now public. You may subscribe over at https://haveibeenpwned.com.

=A step further=

Use a password manager
A password manager is the promised land of privacy and security, where you have to remember only one (good) password and yet you won't be reusing passwords and putting yourself at risk. Using a password manager is something that seems complicated in the beginning, but once you've gotten used to it you will wonder how you ever lived without it.

The basic idea is that you put all your passwords into an encrypted vault. This means that you no longer need to remember all the passwords, just the master password that unlocks the vault. When you wish to log into an online service, you simply open the password vault and the software fills in the form for you automatically (usually via a browser extension).

For this to work, most of the effort comes at account creation time. If you're creating a new account, instead of reusing a password, you need to open the vault, create an entry for the new account, generate the password and make sure it's saved. This sounds annoying, but it is better to think about it in terms of transferring effort. If you use a password manager and put in the effort up front, you are guaranteeing yourself a seamless experience for the foreseeable future. If you reuse a password, you will find yourself wondering what the password is and resetting it almost every time you want to log in, and going through the reset process takes time and effort. Unlike with a password manager, there is no ceiling on the amount of time, effort and frustration you might end up spending.

Choosing the password manager
Broadly speaking, there are two types of password managers: online/cloud password managers and offline/local password managers. With an online/cloud password manager, your passwords are stored on an online server accessible from any device where you have an internet connection and a web browser. With an offline/local password manager, your passwords are stored in a local file that exists on your device. You're free to copy it to any device you want, or even put it in your own personal cloud (like NextCloud, or ).

For people who are new to password managers, we generally recommend sticking to online/cloud due to ease of use and convenience.

Bitwarden
Bitwarden is our password manager of choice for most use cases. It is free software, with open source client and server licensed under the GNU GPLv3 and AGPL. It has passed two independent audits, has a bug bounty program and can be self-hosted if you're inclined to do so. On the usability side, it has apps for all major operating systems and extensions for all major browsers. The free plan is fairly generous and usable.

Keepass
If you're leaning more towards the offline/local side of things, Keepass is a great choice. You can manage your password vault however you like, and access it with a myriad of open source clients. The .kdbx database file can be opened by a number of different programs (but only if you supply a valid password, of course). A list of all the tools which can use the .kdbx file format can be found here.

Any password manager is better than no password manager
If the above recommendations don't work for you, don't get too bent out of shape over the password manager choice. If a different one seems more attractive to you, generally go for it, as long as the company/service is mainstream and reputable. Password managers are highly scrutinised, and any password manager that has managed to operate for a while is generally a valid choice. The basic concepts are the same across all of them.

Use two/multi factor authentication
Two factor (or multi factor) authentication (2FA) simply means requiring something else, in addition to a password, to allow you to log into a website or a service. If you've ever received a numeric code from your bank or from Twitter via SMS, then congratulations, you're already using 2FA! But there's more to it. A factor of authentication is essentially the type of evidence you can provide a system to prove you are who you say you are. Speaking very broadly, security professionals generally recognise 4 different factors of authentication:
 * knowledge, that is 'something you know' - information only you would know
   * this covers your everyday password
 * possession, that is 'something you have' - proof that you are in possession of something only you would have
   * this is what happens when you get that temporary code via SMS; it proves you possess the SIM card tied to the phone number at that moment
 * biometric, that is 'something you are' - proof of unique characteristics that only you possess
   * this is your fingerprint, your retina scan, or even behavioural characteristics such as style of typing or walking gait
 * location, that is 'where you are' - proof that you're where you would be expected to be
   * if you've ever received an email from some service telling you that you've logged in from your city or town, then you've seen location based authentication

The biggest and most obvious benefit of 2FA is that it can lessen or remove the danger of using passwords incorrectly. When you actively use 2FA with all the accounts that allow it, it is much harder to hack you, since the hacker needs to defeat each of the different methods. This means that in some situations, even if your password is compromised, your account may still remain safe.

Let's see how we can use these 'multiple factors' in practice.

Knowledge
The rest of this page is about passwords, so we won't worry about those here. Instead, let's address secret questions.

Secret questions
Many online services may ask you to provide a secret question and answer combination. The most common and infamous one is asking for your mother's maiden name. There are a couple of problems with this. Firstly, the secret question/answer combo is 'something you know', same as your password, which means that it is vulnerable to the same attacks and issues that passwords have. If your device is infected by a keylogger and the hacker gets your password, they may very well keylog your secret question answer too. It's no extra protection. Secondly, information like your mother's maiden name is not something only you would know; your immediate family does. It is also not information that is commonly regarded as secret. It is in fact public: the hacker could just look up public birth records, or census or christening records, or indeed just find it on Facebook.

We recommend you don't answer secret questions truthfully, but regard them as secondary passwords. Fill them with random text generated by your password manager, and record them in the password manager. If you ever need the answer, you can look it up in the vault, but nobody can guess the random string you used as your 'answer'.