Passwords: we all use them to access our accounts on different platforms. They are one of the most critical things in cybersecurity; your whole online presence can depend on passwords and, in the worst case, on a single easy-to-guess password.
It is important to use strong passwords that are unique. This might sound impossible to achieve, but it is actually simple and well worth it. The short answer is to use a password manager to create and store your passwords, but there is more to it, so keep reading.
This post covers the basics of passwords and how to create strong ones. You will also learn about password managers, password cracking methods, and authentication methods that replace or supplement regular passwords.
Good passwords are complex and long
First, we will cover the very basics of what makes a good password and why. This is important information, as it makes clear what to avoid when creating passwords. After that, it’s a good time to get familiar with password managers, since memorizing dozens of complex, long passwords is impossible.
If this part of the article makes you feel that you don’t have strong passwords, don’t panic. Finish reading the article, take some time off from other activities, follow the steps and change all your passwords. I can guarantee that the feeling of security after doing that is worth it.
Have you been pwned?
Do you know whether one of your accounts has been compromised in a data breach? It’s a tricky question and hard to answer. There is a website for checking exactly that, and I suggest everyone try it. However, always think first before typing in your email address and decide for yourself whether you are willing to do it. It can be a shock to see that one of your accounts might have been compromised, or a relief to find that you haven’t been part of a data breach, yet.
The site is called haveibeenpwned.com and it’s a project by Troy Hunt.
If the site reports that your address appears in a breach, don’t panic. This is just a very good reason to start using a password manager and create new passwords for your online accounts. If you didn’t get a red screen saying you were pwned, keep coming back to check the status regularly; there are new breaches all the time.
To gain a better understanding of what the site is about, I suggest you read the FAQ section on the site. It has a good explanation of how the site works. In a nutshell, it doesn’t have your passwords; it only checks whether the email address showed up in any of the data breaches that have been added to their database.
There’s also a password checker which you can use to check whether a password has previously been exposed in a data breach. This can help you select a new password or check the passwords you are currently using.
12 steps to more secure passwords
- Do not use your username as your password. This one needs no further explanation; it is usually the first thing anyone would try if they wanted to gain access to your account.
- Do not use a single word as your password, or any word that can be found in a dictionary. This cracking method even has its own name, the dictionary attack, because it tries common names and words found in dictionaries.
- Do not use simple keyboard patterns. These are very easily cracked and usually among the first things an attacker would try.
- Do not use personal information, such as your birth date, Social Security number, names of pets or family members, or any other information you consider personal, as a password. All of this can be surprisingly easy to find on social media.
- Do not just replace “a” with “@”, or a letter with a number that looks like it. Also, don’t just add a dot, exclamation mark or hyphen to the end of a word to make it a password. Attackers are familiar with these patterns, and password dictionaries include all of these variations.
- Do not re-use your passwords. If one website you use suffers a data breach, then all your other accounts with the same password on other websites are at risk as well. Attackers with a leaked password list will usually try it against accounts on other websites too.
- Keep the password to your email account extremely strong and safe. Email is usually used to reset passwords, and losing control of your email basically means losing control of your online identity.
- Do not store passwords in plain text, not on your computer’s desktop and not on a piece of paper taped to your monitor.
- Use unique passwords that are preferably 16 characters long and contain letters, numbers, symbols and both upper- and lower-case letters. I prefer randomly generated passwords.
- If possible, add characters from different languages, like ä, я or any other character you can easily type on your keyboard. By mixing letters that belong to different writing systems, you make the password very strong.
- Use a password manager to create and manage your passwords securely.
- Enable 2-factor authentication on those websites and applications that support it.
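A defender-side check for the mistakes in the steps above, written as an added example (not code from the original post): before comparing against a wordlist it undoes the cosmetic tricks the list warns about, such as look-alike substitutions and a trailing punctuation mark or year, so that “P@ssw0rd!” is recognised as “password”. The wordlist and keyboard patterns are constructed stand-ins for a real dictionary or breach list.

```python
import re
from typing import List

# Constructed mini wordlist; a real check would use a large dictionary or breach list.
WORDLIST = {"password", "summer", "dragon", "monkey", "welcome"}
# Constructed sample of simple keyboard patterns.
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
# Look-alike substitutions that password dictionaries already contain.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(candidate: str) -> str:
    """Reduce a password to the word it was built from: drop a trailing run of
    digits/punctuation (e.g. '2019!'), undo look-alike substitutions, lowercase."""
    core = re.sub(r"[^A-Za-z]+$", "", candidate)
    return core.translate(LEET).lower()


def weaknesses(candidate: str, username: str = "") -> List[str]:
    """Return the rules from the list above that the candidate breaks.
    An empty list means none of these checks fired (it does not prove strength)."""
    problems = []
    low = candidate.lower()
    if username and low == username.lower():
        problems.append("same as username")
    if normalise(candidate) in WORDLIST:
        problems.append("dictionary word with cosmetic substitutions")
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    if len(candidate) < 16:
        problems.append("shorter than 16 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, candidate) for p in classes):
        problems.append("missing a character class (upper, lower, digit, symbol)")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Summer2019!", "xK9#vL2$pQ7!mW4&"):
        print(pw, "->", weaknesses(pw) or "no issues found")
```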
Password cracking and password safety
Before we dive deeper into how to create, manage and use passwords securely, it is good to know how passwords are cracked and accounts compromised. This will help you understand the importance of the steps above.
There are multiple ways to crack passwords, and the method used varies depending on the target. Here are the most common password cracking methods used by attackers.
Dictionary attack
This attack method uses a file containing words that can be found in a dictionary. Depending on the list used, it might also contain common words joined together, letters replaced with numbers, or special characters added to the end of the word. This is a very simple and fast method of cracking passwords.
Brute force attack
A brute force attack tries all possible character combinations to guess the correct password. It is as fast as a dictionary attack but will also reveal non-dictionary passwords. If the attacker knows the length of your password, brute force gets a lot faster. The longer your passwords are and the more character types they contain, the safer they are from brute force attacks.
Rainbow table attack
A rainbow table attack is a very straightforward way of cracking passwords. It uses a precomputed table to reverse hash functions. It requires less processing power than a brute force attack but a lot more storage. If the password hashes are “salted”, the rainbow table attack becomes useless.
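Why salting defeats a precomputed table, as an added example (not from the original post): with unsalted hashes one table reverses every user’s hash by lookup, whereas a random per-user salt makes the same password hash to different values, so no single table can be built in advance. The precomputed table here is a constructed three-entry stand-in, and PBKDF2-HMAC-SHA256 is the slow hash chosen for the salted side.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # slow on purpose: every guess costs the attacker this much work


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the kind of storage a rainbow table is built against."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for a precomputed table (unsalted hash -> plaintext).
# A real table covers billions of candidates, but reversing is still only a lookup.
PRECOMPUTED = {unsalted_hash(p): p for p in ("password", "summer2019", "letmein")}


def reverse_unsalted(stored_hash: str) -> Optional[str]:
    """Without a salt, one table serves against every user: reversing is a dictionary lookup."""
    return PRECOMPUTED.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash with a random per-user salt and a slow KDF. The salt is stored beside the
    digest; it is not secret, it only has to be unique so precomputation is useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salted_digests_collide(password: str) -> bool:
    """Store the same password twice: the two digests differ, so a table keyed on
    'password -> digest' cannot exist for salted storage."""
    _, first = store_salted(password)
    _, second = store_salted(password)
    return first == second


if __name__ == "__main__":
    print("unsalted 'password' reverses to:", reverse_unsalted(unsalted_hash("password")))
    print("salted digests for the same password collide:", salted_digests_collide("password"))
```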
Phishing and social engineering
Phishing is usually done via email or phone calls, where the attacker pretends to be someone else and tricks the victim into typing in or telling their username and password. Phishing is a form of social engineering, where the attacker takes advantage of the victim by pretending to be someone with authority over them. It is also common for the attacker to take advantage of human nature and the willingness to help. Social engineering might not sound very dangerous, but it can be. Don’t underestimate it, as attackers are developing new ideas all the time.
Malware
There is malware designed solely to steal online credentials. These are keyloggers, screen scrapers or other kinds of malware that try to find files with passwords in them or to log the user’s actions when typing in credentials.
Offline cracking
A lot of passwords are cracked offline. Passwords can be bought as big lists on the dark web from hackers who have breached a website or company. Sometimes the password hashes are already cracked, making it very easy for an interested attacker to compromise many accounts in a very short time.
This way the attacker isn’t stopped by the limit on login guesses, since they only need to log in once with the correct password. This is also why you must not re-use passwords: otherwise you could lose control of multiple accounts instead of one.
Shoulder surfing and guessing
And last, but not least, we have good old shoulder surfing and password guessing. People who can get physically close to you can do both, as they can observe your desktop, notes and desk for hints. Also, people who are trying to get to know you might ask a lot of questions to gather hints that help them guess your passwords. This is why passwords need to be unguessable, since making new friends shouldn’t be forbidden.
Password managers
I’m sure that while reading the list above, you were wondering how you are supposed to remember all your passwords if they need to be randomly generated, 16 characters long and contain all sorts of different characters. The answer is that you only need to remember one strong password. This is the master password you use to open your password database in a password manager.
A password manager is a software application that lets you store all your passwords in one place. It makes it easy to access all your passwords and simply copy and paste them when needed. Most password managers also let you generate random passwords according to rules you set, for example the types of characters used and the length.
There are different types of password managers: some store the passwords in the cloud and others locally. Some web browsers, like Firefox, have password manager features built in. Different password managers also store and encrypt the passwords differently and may have additional features.
When choosing between password managers, consider whether you need to access the passwords from your phone and whether you would like to use hardware-based security keys to authenticate (or any other specific features you might want). You can find information about hardware-based security keys at the end of this article, under the User authentication and USB authentication headings.
Examples of cloud-based password managers
- LastPass
- DashLane
- 1Password
Examples of locally storing password managers
- KeePass
- RoboForm
- PasswordSafe
As this type of password manager is the most popular, there are also portable password managers available. This means you can put your password manager on a USB drive and access the passwords only when the USB drive is plugged in. Otherwise, it works the same way as a desktop version.
There are a lot of different applications, and that is why I won’t include a guide on how to use a password manager here. Whichever password manager you decide to choose, they all provide helpful setup guides and documentation.
Important password manager tips
There are a few things to take into account when using a password manager. Please pay attention to the following to avoid losing all your passwords.
- Always follow the documentation of your password manager when using it. This ensures that you are doing things correctly and reduces the risk of mistakes.
- Back up the password database or file to the cloud or an external storage device. If your computer breaks and the hard drive is unreadable, you might lose your passwords if the file isn’t backed up anywhere. This is very important, as otherwise you risk losing your whole online identity.
- Use a strong master password that is memorable.
- Write down your master password and store it somewhere physically safe. If you forget it, or an accident makes you forget it, you still have it stored somewhere very safe and can access all your other passwords.
Creating a strong memorable master password
If for some reason you don’t want to start using a password manager (I really don’t know why you wouldn’t), here is a guide to creating strong, memorable passwords. This is very helpful for password manager users as well, since you need to create a strong master password to access all your other passwords.
Here are some tips on how to create a strong password that is still easy to remember and use.
First, read the “12 steps to more secure passwords”. If you have read it already, do it again. It is the base everyone needs to be familiar with.
Now that we have a good base of knowledge and understand what the end result should be, we can start creating the master password for our password manager.
A good technique is to start by selecting a sentence or sentences from your own life.
Now that we have selected sentences that relate to us somehow, which makes them easy to remember, we can create a password out of them. Just take the first letter of every word and keep all the special characters.
Example:
Sentence: “When I was 15, my family visited our relatives in EU for 2 weeks.”
Sentence converted into a password: “WIw15,mfvoriEUf2w.”
This password now consists of 18 characters, which is a good length, but it could have some more special characters in it. The more special characters the original sentence has, the more of them end up in your password. All in all, it’s a password that you can memorize easily.
User authentication
In addition to passwords, many websites and applications are offering additional authentication methods. These are implemented to make account hijacking harder for the attackers and to keep the users safe. There are a few different methods that are used more and more.
2-factor authentication
2-factor authentication is also known as multi-factor authentication (2FA or TFA for short). If 2-factor authentication is enabled, the user is required to enter the username and password, but also to authenticate with something they have, like a mobile phone or token.
This means the user is required to provide two things: something they know (username and password) and something they own (a code from a mobile phone, a token they own, or a code list). Using only one of these is known as single-factor authentication, and it is weaker than 2-factor authentication.
Mobile phones are commonly used to provide the second factor, something the user owns. It’s fairly simple to send the user an SMS when they want to log in, or to give them a code via a mobile application at the time of logging in.
SMS-authentication
SMS authentication means that when the user has enabled 2-factor authentication, they receive an SMS every time they log in. This means that if the user’s login credentials leak, the account still remains safe, because the attacker needs the code delivered via SMS in order to log into the account.
SMS authentication isn’t as safe as it may sound. There are ways for attackers to get their hands on the code sent via SMS and log into the victim’s account. The current issue is the large number of SIM-swap and mobile number port-out attacks.
In a SIM-swap attack, the mobile provider’s customer service is tricked into swapping the victim’s SIM to a new SIM under the attacker’s control. A SIM swap can legitimately be requested if you need a different size of SIM card for a new phone or if the old SIM card was damaged.
The mobile number port-out attack is very close to the SIM swap. This time the attacker simply asks for the victim’s mobile number to be transferred to another mobile network provider.
Both of these are social engineering attacks and take advantage of customer support staff who want to, and are required to, help customers. The attacker might have some information about the victim that helps them perform either of these attacks.
The result of both attacks is the same: the victim’s phone service gets completely shut down and all phone calls and messages are delivered to the device the attacker controls, giving them access to the SMS authentication code.
Authenticator app
As you might have noticed, SMS authentication doesn’t sound like a very safe option. The more secure way to use 2-factor authentication is app-based authentication such as Google Authenticator or Authy. This is more secure than SMS, as the attacker needs to steal your phone and then get access to the application. If you have a fingerprint or PIN code preventing unauthorized use of your phone, it becomes really hard for attackers to log into your account.
Other threat models are that the attacker is able to infect your mobile device with malware that can snoop the code from the authentication application, or that they are able to perform MITM (man-in-the-middle) or credential replay attacks. This is where your operational security and common sense play a big part.
USB authentication
In addition to these authentication methods, the most secure option (at least at the moment) is a hardware-based security key. It is a simple USB device that you plug in and press a button on when logging into your account.
The limitation is that not many websites support this authentication method yet. However, many password managers support it, and it can be a great way to protect the master password. You can also secure the login to your computer with 2-factor authentication, which improves your security a lot. It is worth mentioning that if you have Google mail (Gmail) or any other Google account, you can use the USB key to authenticate. This is a great way to secure your email, which is an extremely important part of your online identity, because you can manage other accounts with it.
Yubico is the most popular security key manufacturer, and the basic model is sold for $20. However, if you need to authenticate with a mobile device, you will need NFC support. The YubiKey model that supports NFC is $50. Most mobile phones nowadays have NFC.
Here is a list of the services that support Yubico keys so far.
Another good site to take a look at is twofactorauth.org, as it lists all websites that support some sort of 2-factor authentication. Take a look and enable it on the sites where you don’t have it enabled yet. Even SMS authentication is better than using nothing in addition to a password.
Conclusion
If you are not using a password manager, it’s recommended to start using one to secure your online identity. After you have changed your passwords to long, randomly generated ones, you can enable 2-factor authentication on the websites and applications that support it.
By doing this, you make sure that you are doing a bit more than the usual consumer. This makes you a much harder target, and you will stay safe.
If you want to go the extra mile, which is always a good thing in cybersecurity, you can order a YubiKey and start using it.