Passwords
Too many blog posts have been done on this topic, yet people are still making the same mistakes. This one hopes to explain the reasons for the recommendations often made.
1. Avoid commonly used passwords
There are several lists of the most commonly used passwords that can be used by password cracking software to perform a dictionary attack. In simple terms, every line in the list is used as a password attempt, until it cracks your password. You can check if your password has appeared in a list or download the entire list from this site.
Here are the results for “Password1!” and “qg^7RPm%3”:
“Password1!":
“qg^7RPm%3”:
Change your passwords if they’ve appeared on any list.
Prefer length over complexity
To better explain this, we first have to cover what brute-forcing is.
Bruteforce
| Type of Password | Characters used | Start | End | Maximum number of attempts required | Approach | |
|---|---|---|---|---|---|---|
| A number | Numbers | 0 | 9 | 10 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 | |
| An alphabet | Alphabet | A | z | 52 | A, B, C, … , Z a, b, c, … , z | |
| An alphanumeric | Alphanumeric | 0 | z | 62 | 0 to 9 A to Z a to z | |
| A character | Keyboard characters | ` | ? | 94 or more | ` 1 … 9 0 - = q w e … p [ ] \ z x c … m , . / | |
| ~ ! … ( ) _ + Q W E … P { } | Z X C … < > ? |
A bruteforce attack attempts every combination possible, based on the characters allowed. The attack is dependent on the length of your password, and the types of characters used. As seen from the table, expanding the character types increases the number of attempts required to guess a single character.
Optional interactive JS Here: 4 digit pin input. User enters number. Bruteforce box appears beside when button clicked.
The importance of length
Below is a very famous comic that has been explained, but I’ll try to be more succinct than that:
The comic breaks down the two common approaches to setting up a password. What it basically means is, the first password Tr0ub4dor&3 may seem more random (as in entropy) than the second password, even though it isn’t. The length of a password is far more important than its complexity. A single digit number takes 10 guesses, whereas a two-digit number takes 100 guesses, which beats anything we’ve seen in the table above. The suggested approach of the comic has been criticized, but I personally feel it spares no expense on usability and can be easily adopted. Variations of this scheme have come from Snowden and Schneier, the latter of which had actually published his scheme before the xkcd.
In an attempt to summarize the suggestions made:
| The password | Is it good? | Why? |
|---|---|---|
| correct horse battery staple | Decent | Missing uppercase, numbers, special characters |
| Correct horse battery staple!1 | Only slightly better | Starting uppercase is predictable. Uses only english words |
| 0}correcT caballO batterYstaplE{9 | Good! | Last letter uppercase is uncommon, uses non-english words, more than one number and special character. |
Using solely english words will leave you vulnerable to attackers using an english word list for their dictionary attack. Definitely combine languages in your passwords if you’re multilingual. Otherwise, you can concatenate words (as in batterYstaplE) which makes the string harder to be matched for the words “battery” and “staple”. You can maintain a consistent style, using different words for each account that you have.
Never use the same password twice
When a site gets breached, the passwords they’ve stored are ripe for the taking. Let’s say the site Canva gets breached. A hacker can simply download the list of email addresses and passwords used on the Canva site. If (by some poor fortune) the hacker decides to target you, it wouldn’t have been so easy if you had used a different password for every site.
Treat security questions the same as passwords
Recall that your Windows login screen will request that you answer these questions if you’ve forgotten your password. In the past, perhaps a classmate or neighbor will know the answer to “What highschool did you attend?”. Today, the web and social media are an attacker’s best tool. Depending on the security question, strangers with no access to their target’s information may be able to answer them too. Here are four examples from a study (see page 9) that exposes the vulnerability of the questions that participants answered:
| Security Question | Approach to obtaining the answers |
|---|---|
| Who should our next President be? | Search for Presidential candidates (spring 2008) |
| How many children do I have? | Count up from zero |
| Water or Pop? | “water”, “pop”, “Water”, “Pop” |
| Favorite TV show? | Highest rated TV shows |
(With reference to that last one, I personally think the question has been answered many times in an Instagram story.)
Never answer a security question correctly. Treat security questions the same way you treat passwords.
Use a password manager, seriously
Why?
There’s cases where you wouldn’t (or haven’t) need/want a password manager:
-
You have a perfect memory.
-
You’re 4 years old and have no accounts yet.
-
You think a password manager is dangerous and never bothered to find out more.
-
All the password managers cost money. (No, they don’t.)
-
You’ve disregarded every advice and are still rotating between 2 or 3 passwords for every account.
-
You work in a security-sensitive area where the passwords should not be saved anywhere digitally or physically.
- This is the only valid case.
Really, this is important. Just think again about the number of accounts that you have, I’ll name a few:
- Every social media account (Facebook, Instagram, Twitter, Linkedin, Tiktok?, Reddit?)
- Every work and school account (Outlook, moodle/blackboard/piazza, identity management service, etc.)
- Every video game related account (Steam, Discord, PSN, Rockstar Games, etc.)
- Every e-commerce/spending-related account (Amazon, Airbnb, Ebay, Lazada, Shopee, Grab, Foodpanda, etc.)
- The email which ties everything nicely in one location.
I’ll say it again: It only takes one of these services to be breached for your email and password(s) to be public. It’s really difficult to come up with a unique password for every single service. A password manager generates strong random passwords for you, and all you’d have to do is remember the master password.
How?
I’d rather stress the importance of a password manager, rather than how to use it, since it’s dependent on the choice you make, and how you use it. I often prefer FOSS (free and open source software) alternatives. My biased recommendations are:
Bitwarden is perfect for the average user. You store your passwords in the cloud, so they’re accessible from your desktop, laptop, and phone.
Bitwarden is free and available on Windows, MacOS, Android, iOS, Linux, and as a web service.
KeePassXC is an alternative if you want to store your passwords locally. All passwords are saved in a single “.kdbx” file (encrypted with AES-256 or Twofish/ChaCha) and can be exported to .txt, .html, .xml, or .csv.
KeePassXC is free and available on Windows, MacOS, and Linux. Android users can open the same “.kdbx” files with KeePassDX (free) and iOS users with KeePass Touch (free). A full list of KeePass ports is available here.
The passwords you have to remember
Remember all that talk about creating a good password? Here’s what you use them for:
-
Your password manager’s master password.
-
Anything else which can’t be in the password manager.
-
Your phone, if you’re not using face/fingerprint/pattern.
- The 4-digit or 6-digit pin is susceptible to brute force and should not be used.
-
Your TOTP application, this will be covered later.
-
Your OS (Windows, MacOS, Linux) user login.
- The password to an encrypted drive, if the drive is where your OS is installed.
Consider using a paper and pen for storing the passwords of devices which would never leave your home. Although paper and pen is often criticized as bad practice for use in the workplace, it has its merits for home use. Even if your device is compromised, a hacker would never be able to obtain your list of passwords.
Opt for TOTP if it’s supported
What is TOTP, or Time-based One-Time Password?
TOTP prompts the user for a second password, after the first (regular) password has been successfully authenticated. The second password changes every 60 seconds, and can be viewed with the application with which you’ve registered the TOTP on. Ideally, TOTP should not be stored together with a password manager. You should register a TOTP on a dedicated application such as Google Authenticator on Android or iOS, if you intend to use them on a mobile device. You could also store them on a separate password database, like a second “.kdbx” file or a second Bitwarden account. The Bitwarden option requires a paid version of the service for TOTP, and I’d personally recommend mobile to segregate where the passwords and TOTP are stored.
Other forms of authentication
Banking services often employ their own authentication. In Singapore’s context, SingPass is used for the authentication of (eventually) all government services. These services simplify the process of 2FA (two-factor authentication) to improve the security of the users. In areas where 2FA isn’t a default, we have to take the initiative to enable them ourselves.
Your homework (5 Minutes Only)
Find out the steps to enable TOTP, and try enabling them on at least one account that you have.
Closing notes
Good management of your passwords is a chore, and it often trades convenience for an added security that most people’s anticipations wouldn’t actualize. It’s hard to implement good practices that are done as a means of prevention, rather than mitigation. The topic of passwords itself is a rabbit hole, which involves parties such as the backend of the service we’re using and how they’re storing our passwords. Thankfully, those are the things which we (as the end user) do not have to worry about.
We should do the best that we can with our password management, because a breach on our accounts may have implications on our family, workplace, school, or any other community/organization that we’re in.
