Passwords

Nothing to hide, but nothing to show you either.
Jump to navigation Jump to search
I think the best advice here is to shift you thinking from passwords to passphrases.
— Edward Snowden, via Last Week Tonight with John Oliver
Hacking password illustration.jpg

If you've been on the internet for any meaningful amount of time, then it is very likely that passwords are a bane of your existence. It seems that every website and service wants you to register an account, even for most inane things, and a large reason for that is the ability to log your activity against your account, to make the service more attractive for advertisers.

Unless you've thought about this before, you likely have one or two decentish passwords that you reuse across all the websites and services. At most, you might have a system that you follow which allows you to slightly modify the passwords per site (for example, appending the first three letters of the website's domain to the end of the password). You probably find yourself clocking 'Forgotten password?' link all the time for almost every account you don't log into daily.
Surely there must be a better way...

There is, but it will involve a change to some of your habits.



Why password reuse is a problem[edit | edit source]

You might be wondering why is reusing passwords such a problem. Surely, there is no problem since you keep the password secret, and it's not like the websites you use can tell the passwords are being reused.

Well, the crux of the issue is that the websites and services have varying degrees of attention to security and commitment to your privacy, and sooner or later, one of the accounts will get hacked and it's login data will be leaked publicly. If you're reusing passwords, that means that login details for all your accounts are now public. Criminals, of course, know that people reuse passwords, so they will try the same combination on your email provider's site or your bank (this is known as credential stuffing). This is how an irrelevant website you used once 10 years ago getting hacked can lead to your email being hacked, and since for most people email is their identity anchor, they are now completely compromised.

The solution to this is to use a unique password for every website you use. In that case, a criminal attempting to perform credential stuffing will get nowhere since they only know the password to the account that was hacked.

Easy wins[edit | edit source]

Choosing better passwords[edit | edit source]

At minimum[edit | edit source]

Following guidelines should be kept in mind when choosing passwords, at minimum:

  • length is the most important aspects - because modern password crackers have access to incredibly powerful hardware that can literally try every possible combination of shorter passwords, your password should at minimum be 8 characters long
    • 8 characters are really the bare minimum - because the difficulty of cracking your password rises exponentially with each character, the best way to make your password better is to make it longer; don't take the 8 characters as a challenge and make the important passwords for important accounts longer.
  • avoid using common words, phrases and characters combinations - you are not the only person to think it's really clever to make your password the word 'password', you are not the only person who's frustrated so using 'ihatepasswords' helps you blow off some steam, you are not the only person who's dog is called Max, you are not the first person to notice that characters QWERTY sit analogise each other on a standard keyboard; hackers know all those tricks and will use them against you in a dictionary attack.
  • do not use any bit of information which you've posted online before - while you may not be surprised that a site called PrivacyWiki advocates not posting stuff about yourself online in the first place, if you've already done that, none of the info should be used in a password. Do not include your birthday, your home town, your favourite team which you post about all the time. Hackers may use public information gathering, so called OSINT, against you
  • don't needlessly change good passwords - once you take the advice from this guide, and established better password practices, don't needlessly change good passwords that haven't been compromised. Research shows that people who are forced to change passwords forget them more often, and almost always change them to weaker password to make them more memorable. Commit to remembering one, or few really good password (more on that in password manager section) rather than remembering many terrible ones.

Use a system[edit | edit source]

There exist password generation systems which can give you a method of coming up with strong and memorable passwords.

xkcd[edit | edit source]

Randall Munroe of xkcd fame suggests a system of appending 4 random everyday words.

Password Strength by Randall Munroe of xkcd
This file is licensed under CC BY-NC 2.5. The file has not been modified.

Of course, this means that you can't use the actual combination of 'correct-horse-battery-staple' as your password (nor 'hunter2').

Diceware[edit | edit source]

One of the valid criticisms of the above method is that people are really really bad at selecting random words. Diceware is a system which makes the selection actually random, and yet produces memorable passwords.

The system is explained in detail on the author's website, but the basic gist is that you throw a fair dice 5 times to generate a random number, and then lookup the number on a list of pre-defined words. You do this until you have, at minimum, 3 to 4 words. Then you put a space in-between those words, and that's your password. A more accessible video version from University of Nottingham's Dr Michael Pound is embedded below.

Diceware in action

Sign up for breach alerts[edit | edit source]

Security researcher Troy Hunt maintains a website which compiles data from known public breaches and makes it easy for you to search for your email address (or phone number) among this data. This will give you an idea about how many of the accounts you've used in the past got hacked, as it is safe to assume that if your get any hits here, the username and password for the given account at the time of breach is now public.
You may subscribe over at https://haveibeenpwned.com.

A step further[edit | edit source]

Use a password manager[edit | edit source]

A password manager is the promised land of privacy and security where you have to remember only one (good) password, and yet you won't be reusing them and putting yourself at risk. Using a password manager is something that seems complicated in the beginning, but once you've gotten used to it you will wonder how you ever lived your life without it.

The basic idea is that you put all our passwords into an encrypted vault. This means that you no longer need to remember all the passwords, just the master password that unlocks the vault. When you wish to log into an online service, you simply open the password vault and the software fills in the form for you automatically (usually via a browser extensions).

For this to work, the most of the effort comes at the account creation time. If you're creating a new account, instead of reusing a password, you need to open the vault, create an entry for the new account, generate the password and make sure it's saved.
This sounds annoying, but it is better to think about it in the terms of transferring effort. If you use a password manager, and you put in the effort, you are guaranteeing yourself a seamless experience for the foreseeable future. If you reuse a password, you will find yourself wondering what the password is and resetting it almost every time you want to log in. Going through the reset process takes time and effort too. But unlike the password management use, there is no maximum limit on the amount of time, effort and frustration that you might end up spending.

Choosing the password manager[edit | edit source]

Broadly speaking, there are two types of password managers; online/cloud password managers and offline/local password manager.
With an online/cloud password manager, your passwords are stored on an online server accessible from any device where you have an internet connection and a web browser.
With an offline/local password manager, your passwords are stored in a local file that exists on your device. You're free to copy it to any device you want, or even putting it in your own personal cloud (like NextCloud, ⚠ Dropbox or ⚠ Google Drive).

For people who are new to password managers, we generally recommend sticking to online/cloud due to ease of use and convenience.

Bitwarden[edit | edit source]

Bitwarden application on MacOS

Bitwarden is our password manager of choice for most use cases. It is free software with open source client and server licensed under GNU GPLv3 and AGP. It has passed two independent audits, has a bug bounty program and can be self-hosted if you're inclined to do so. On the usability side, it has apps for all major operating systems and extensions for all major browsers. The free plan is fairly generous and usable.

Keepass[edit | edit source]

If you're leaning more towards the offline/local side of things, Keepass is a great choice. You can manage your password vault however you like, and access it with myriad of open source clients. The .kbdx file database can be opened by a number of different programs (but only if you supply a valid password, of course). A list of all the tools which can use .kbdx file format can be found here.

Any password manager is better than no password manager[edit | edit source]

If above recommendations don't work for you, don't get too bent out of shape over the password manager choice. If a different one seems more attractive to you, generally, go for it as long as the company/service is mainstream and reputable. Password managers are normally highly scrutinised, and any password manager that has managed to operate for a while is generally a valid choice. Basic concepts are valid across all of them.

Use two/multi factor authentication[edit | edit source]

Two factor (or multi factor) authentication (2FA) is simply requiring something else, in addition to a password, to allow you to log into the website or a service. If you've ever received a number code from your bank or from Twitter via SMS, then congratulations, you're already using 2FA! But there's more to it.
A factor of authentication is essentially the type of evidence you can provide a system to prove who are who you say you are. Speaking very broadly, security professionals generally recognise 4 different factors of authentication:

  • knowledge, that is, 'something you know' - information only you would know
    • this covers your everyday password
  • possession, that is, 'something you have' - proof that you are in possession of something only you would have
    • Twitter code. In Finnish no less.
      this is what happens when you get that temporary code via SMS; it proves you posses the SIM card tied to the phone number at that moment
  • biometric, that is, 'something you are' - proof of unique characteristics that only you posses
    • this is your fingerprint, your retina scan, or even behavioural characteristics such as style of typing or walking gait[1]
  • location, that is, 'where you are'[2] - proof that you're where you would be expected to be
    • if you've ever received an email from some service telling you that you've logged in from your city or town, then you've seen location based authentication

Biggest, and most obvious benefit of 2FA is that it can lessen or remove the danger of using passwords incorrectly. When you actively use 2FA with all the accounts that support 2FA, it is much harder to hack you since the hacker needs to defeat all the different authentication methods. This means that in some situations, even if your password is compromised, your account may still remain safe.

Let's see how we can use these 'multiple factors' in practice.

Knowledge[edit | edit source]

Rest of this page is about passwords, so we won't worry about that here. Instead, let's address secret questions.

Secret questions[edit | edit source]

Many online services may ask you to provide a secret question and answer combination. The most common and infamous one is asking you your mother's maiden name. There are a couple problems with this.
Firstly, secret question/answer combo is 'something you know', same as your password, which means that it is vulnerable to the same attacks and issues that passwords have. If your device is infected by a keylogger, and the hacker gets your password, they may very well keylog your secret question answer. It's no protection.
Secondly, information like your mother's maiden name is not something only you would know; your immediate family does. It is also not information that is commonly regarded as secret. It is in fact public, the hacker could just look up public birth records, or census, or christening records or indeed, just find it on Facebook.

We recommend you don't answer secret questions truthfully, but regard them as secondary passwords. Fill them with random text generated by your password manager, and record them in the password manager. If you need to use it, you can still use it, but nobody can guess the random string your used as your 'answer'.

Possession[edit | edit source]

One-time password[edit | edit source]

When you receive a message via text/SMS asking you to enter a code into an app or a website, you're using a temporary password of sorts, often called an 'one time password' (OTP). This proves that you're in possession of the device at that particular moment, thus providing another 'factor' of authentication.

SMS-based one time password[edit | edit source]

Probably the most recognisable temporary password method is receiving an SMS message from your bank or some service like email provider or social media. While this works fine, it fundamentally relies on another service controlling the means of delivery. This is, obviously, your mobile phone provider.

The danger here is that a determined hacker could call up your service provider and convince the minimum-wage support staff to execute a SIM swap attack which allows them to move the phone number to a SIM card they control. While this is not an attack that is easily scalable, there are many cases of this happening.

This is particularly dangerous if you hold a large amount of cryptocurrency or store sensitive information in the cloud protected by such SMS-based authentication since by the time you notice the problem, the hacker has stolen your cryptocurrency or published sensitive info publicly, and there's nothing that can be done to reduce or recover from the damage.
Another issue is that a hacker can still phish your one-time password by sending you to a fake website with a fake two factor login window, and then simply passing those valid details to the real service and logging in as you.

That being said, if the particular service offer this as the only multi factor authentication option, you should still use it. You just shouldn't use it over other, better, options.

Time synchronised one time password[edit | edit source]

Recommended OTP apps
Platform Name
Android Aegis
iOS Tofu
Windows WinOTP
Linux OTPClient

This one works very similarly, except that instead of receiving an SMS, an app uses a previously stored secret hash and current time to calculate a valid one-time password. The service does the same, and since they both base their calculation on the same secret code they know (but an attacker does not), the code matches and login is accepted.

By doing this, you avoid the possibility of having your phone number SIM swapped, although you can still be phished as described above.

Other implementation[edit | edit source]

There are also other ways to implement a possession check, such as a notification on your phone asking you to tap accept the login. This is often used by banks and other valuable services like Google, Facebook or Apple account. Since those are fairly self explanatory, here we will just once again encourage you to use them.

Biometric[edit | edit source]

iPhones can be used to unlock Macbooks in in the Apple walled garden. Courage.

If you have a modern smartphone, then you know what biometric identification is; fingerprint sensor, retina scan, facial recognition.

One major issue here is that biometric authentication cannot be changed if compromised. If a scan of your fingerprint makes its way online, any determined hacker with a fancy 3D printer can print a replica of your fingerprint. This is why biometric authentication should generally not be relied upon for primary authentication.

Going all the way[edit | edit source]

Going passwordless?[edit | edit source]

A FIDO2 compatible Yubikey 5 NFC. It's meant to be used as a key, so why not have it on your keychain?

One oasis in the desert of passwords that is the internet is the possibility of being able to one day go completely passwordless. There are efforts afoot which aim to completely replace password based authentication with one passwordless token to rule them all.

FIDO Alliance is a consortium of companies promoting use of hardware tokens to assist with authentication on the internet using public key cryptography. While this may sound complicated, it basically amounts to a physical key that you can use to 'unlock' your online services just as you would unlock any physical door (but better, since these 'keys' cannot be copied, you can have multiple different ones, and they can be revoked remotely if stolen or lost). The key can be a dedicated USB authetnicator, or a smartphone, or any other device that is closely associated with the user (smartwatch, national ID card, etc) WebAuthn is a project to standardise passwordless authentication on the internet ran by the World Wide Web Consortium.

Together, FIDO Alliance and World Wide Web Consortium are combining their efforts on to bring about passwordless future in the FIDO2 Project which aims to provide a standardised way of authenticating without passwords.

Should you use it? Well, yes, in theory, but the problem is that the support for FIDO2 is very nascent with single digit number of services supporting passwordless authentication. To be quite frank, at this stage of adoption, it is not worth the hassle of buying a compatible device to use it with handful of services that support it. Hopefully, this changes quickly.
The exceptions to this are people who have heightened security requirements such as journalists, system admits or financial directors.

Footnotes[edit source]

  1. yes, it is possible to identify you by your walking gait. See: https://apnews.com/article/bf75dd1c26c947b7826d270a16e2658a
  2. some experts don't accept this as being one of the factors, and instead say that location is just a mashup of possession and biometric; you cannot be located directly without having a device on you (something you have) and you cannot make meaningful conclusions unless you analyse user's behaviour (something you are)