July 19, 2019

Managing Passwords Effectively

We use passwords everywhere and humans have a hard time with this. What can you do?

Managing Passwords Effectively

Passwords are, frankly, a bane of our online existence. You need a password to log in to pretty much everything, and in the year 2019 we log in to a lot of things. Here's a quick list off the top of my head:

  • Household bills (Rent/mortgage, utilities, internet, cable, etc)
  • Bank accounts
  • Social media (Facebook, LinkedIn, Instagram, Snapchat, Twitter, Reddit, etc)
  • Email
  • Home computer
  • Work computer

We're also supposed to have a totally unique password for each website, and each of these passwords should be sufficiently "strong". The definition of "strong" in this context has historically meant "contains at least one uppercase letter, lowercase letter, number, and symbol" - which tends to make passwords harder to memorize and does not increase their strength much, but we'll get to that later.

This poses a significant problem: how are we supposed to create passwords that are strong, memorable, totally unique, and remember them all?

The reality is... we don't. Here's what usually happens:

We create weak passwords - w3akNess! is not a strong password, even though it would likely be categorized as "strong" by many websites because it meets all the complexity requirements.

We create passwords that are not very memorable - this is part of why password resets are so common. Did you capitalize the 'A', or was it the 'E'? And where was the number again? Was it a '1' or a '2'?

We reuse passwords all over the place - think of your most commonly used password and how many places you've used it (or a variation of it).

https://xkcd.com/2176/

So how do we fix this? These three things will go a long way:

  1. Use a password manager and really long, randomly generated passwords if possible.
  2. Create passphrases - not passwords - that are strong and memorable.
  3. Enable 2FA (two-factor authentication)

Use a password manager

You can think of a password manager as a bank vault, but instead of storing money, it stores all of your passwords. You just need to remember one single password - the master password - which is used to "unlock" your vault. From there you can view, copy and paste, add, and edit your passwords as needed. Most password managers offer the ability to auto-fill your username and password, too.

LastPass auto-filled my ShareFile username and password

With a password manager, you don't actually need to remember most of your passwords - you just store them in your password manager. This makes it possible to use long, complex, and random passwords that are totally unique for each thing that you log in to. Here's one such password that I generated with my password manager:

You're not going to ever remember this string of random nonsense - especially at 50-characters long - but no human or computer is going to be able to guess it either. When you need to use that password on a website, the password manager can usually auto-fill it, or you can copy and paste from the password manager if all else fails. Typically this is faster and easier than typing in your password manually, which means that password managers tend to improve your security and make your life easier!

Most of us probably have some experience with password managers. Sometimes when you log into a website, you'll be greeted with a message from your web browser that looks something like this:

Google Chrome asking to save a password

Chrome, Firefox, Edge, and Internet Explorer all have built-in password managers. These password managers can be decent, but they're usually just meant to store usernames/passwords for websites, and thus only accessible in your web browser. Some examples of where this is not helpful:

  • Logging in to Netflix on your smart TV
  • Logging in to mobile apps on your phone
  • Sharing a password securely with someone else (e.g. your significant other or a coworker)
  • Your computer crashes, which means that your passwords are gone and you have to do password resets for a bunch of your accounts (Chrome and Firefox in particular have ways to deal with this, but that's beyond this scope of this post).

The two password managers that I will recommend to anybody are:

These are both pretty low cost - LastPass has a totally free plan for personal use - and both have a trial if you just want to try them out. Some notable features include:

  • You can securely share a password with coworkers who need access to the same password.
  • Both have mobile apps, so you can easily auto-fill (or copy/paste) into your other mobile apps - e.g. your bank's mobile app, Instagram, Facebook, etc.
  • You can store, copy/paste, and auto-fill other kinds of sensitive information - e.g. your WiFi passwords and your home address.

With a password manager, you often use the built-in random password generator to make most of your passwords completely unique, really long, and really complex. However, there are some scenarios where you shouldn't use a randomly-generated password. Your smart TV can't copy and paste from a password manager, and imagine trying use a remote to type in that 50-character behemoth password from earlier to log in to Netflix! But more importantly, what about the master password for your password manager? It does you no good to store that in your password manager, since you need it to get into your password manager in the first place. Or what about your laptop password? You have to type that in manually, too.

In situations like these, you'll want a password that you can easily type yourself, and when considering something like your password manager's master password, you still have to actually remember it too. This is where passphrases come in.

Use Passphrases

One of the things that makes passwords work is that you are the only person who knows your password. Therefore, it should memorable to you and not easily guessable by anyone else.

The Problem: passwords

If you have a lovable little fur-baby by the name of "Cleopatra", you might be tempted to create a password like: cl30Patra!

This password follows long-standing password "wisdom" and most websites would probably say it qualifies as "strong" - it has at least 8 characters and at least one uppercase letter, lowercase letter, number, and symbol.

Unfortunately, hackers know that we have been trained to do basic character substitution like this. The reality is that both Cleopatra and cl30Patra! are terrible passwords. They could both be guessed very easily by either a human or a computer, and both of these passwords are probably on a list of commonly-used passwords somewhere on the internet. In fact, NIST (part of the U.S. government) released guidance that, among other things, recommends that we get rid of these "complexity" requirements!

Verifiers SHOULD NOT impose other composition rules (e.g., requiring  mixtures of different character types or prohibiting consecutively  repeated characters) for memorized secrets
https://pages.nist.gov/800-63-3/sp800-63b.html - Section 5.1.1.2

Also remember that your passwords are supposed to be known only by you, so taking the name of your cat and changing it up a bit probably isn't a good idea.

The solution: passphrases

A better choice would be something like this: cleo poof surprised udder

This passphrase is 24 characters long and only contains lowercase letters and spaces. This is much easier to memorize than cl30Patra! because it's more human-readable, even if it is a nonsensical phrase. You also don't have to remember which letter(s) were substituted for a number, which are capitalized, where the exclamation point is, etc.

What about strength? It turns out that strength is usually more about the length of a password than how supposedly complex it is. Check this out:

Estimated time to crack this password: 8 seconds
Estimated time to crack this password: longer than the age of the universe

Using the website https://www.useapassphrase.com, we can see that the difference is not even comparable - 8 seconds vs. 150,538953 centuries. It would probably take you longer to come up with a password like cl3oPatra! than it would for a computer to guess it! I recommend that you check out that website when you have some time - it also has a really good explanation about why passphrases are better than passwords, so you don't have to take just my word for it.

Here's a popular XKCD comic that can also help summarize this:

https://xkcd.com/936/

So how do you come up with a passphrase like cleo poof surprised udder? Honestly, just choose a few random words at will and try to make sure that they're not related to each other. How do you memorize it? Two tips:

  1. Create a mental scenario. For example: imagine a magic cat named Cleo suddenly poofing onto a farm, to the surprise a nearby cow (which has an udder). You can see this technique in action in the XKCD comic above.
  2. If it makes sense, put it in your password manager (e.g. your Netflix or your WiFi password). A passphrase is easier to read out from your password manager than a random password or cl3oPatra! because it is composed of words - you won't have to refer to the password manager several times while thinking "which letters are capitalized? Did I substitute the 'a' for '@' or was it the 'e' for a '3'?". Also, because lowercase letters and spaces should all be on the same screen, a passphrase would be much easier to input using your smart TV's remote.

2FA (Two-Factor Authentication)

If you can, enable some sort of 2FA for your accounts. Among other things, this will help protect you even if you do reuse passwords or use weak ones (this doesn't mean that 2FA gives you a pass to do those things!).

For more information on two-factor authentication, check out this post.

Summary

  • Get yourself a password manager. I recommend LastPass or 1Password.
  • Change all of your passwords to the longest and craziest random password that is allowed. Make sure each thing you log in to has a totally unique password. Store your passwords in your password manager.
  • For passwords that you need to memorize and/or cannot store in your password manager (e.g. your master password), use passphrases. If you changed all your existing passwords to unique passphrases, that would still be a huge gain because password strength relies more on length than complexity.
  • Enable two-factor authentication