How to password
Proper password management workflows
Reading time: 11 minutes
Introduction
Maybe you can relate to one of our two protagonists:
Okay mum, we are nearly done! Now, all I need is your Google account password.
Instead of an answer I see a short rush of panic flush over my mum’s face.
I am in the middle of family tech-support duty, restoring a beat-down smartphone, during the Christmas holidays, at the coffee table.
Let’s talk about password management - Yay!

Figure 1: How to manage passwords
This article will teach you the technical basics, problems and solutions for proper password handling.
For broader audience appeal, I will try to simplify the technical details as much as possible - I promise! 😉
If you now think:
But I have been using this password (or these passwords) forever.
or
I never had any problems with my system.
Congratulations, this article is for you!
In case you are just here for my advice and don't want any further details:
Short version (TL;DR)
1. Use a different, unique password for every user account you have.
2. Helpful: use a password manager. My favourite: Keepass
3. Use two-factor authentication with token generation whenever possible. For important services, 2FA via mobile number is fine as well.
Password basics for the technically challenged
What does Wikipedia say about the topic?
Wikipedia.com
[...] A password, sometimes called a pass-code, is a memorized secret, typically a string of characters, usually used to confirm a user's identity [...]
While the concept of passwords is definitely (way) older than the internet or the age of computers, it is the World Wide Web that agonizes its users with “safe” passwords and the need to remember them.
How do passwords work?
Modern websites and services usually use passwords to identify and authorize their users.
The simplest way to identify a user is to remember the username and the user's pass-code. When the user comes back to your website, simply ask for their credentials and compare them with the values you have stored before. If a match is found, access is granted.
This system evolved slightly over time. Today, it is common practice not to remember a user's password. Instead, the service provider only stores a so-called hash of the password.
What is a hash, you ask? Well, to keep it simple: you take your password and run it through a mathematical function which reliably transforms it into a second value.
Ooh, that sounds complicated. Well, it kind of is, but no need to rack your brain about it.
Okay, okay, if you insist 😉 - one can say three things are especially notable about hash algorithms:
- No matter how often you use a hash function on the same password, it always creates the same result.
For example, every time I use my super-hash-function on the password “password123” I will always receive “43RS6G8XS21”.
- A hash does not tell you anything about the initial password. Neither length nor content.
As an example, “password123” generates “43RS6G8XS21”, while “password1234” would generate “6ZS131PP”.
- The hash of a password is easy to create, but it is really hard to get back to the initial password from the hash.
Think about it as a playground slide. You can get down (to the hash) very easily and quickly, but it is really hard to get back up to the top (the initial password). The same thing, just with numbers. 😝
But why are we talking about hashes again? Good question! This leads us directly to the next topic.
Pitfalls of the system
Unfortunately, using a password to identify users is far from being a fail-safe solution. These are the main problems:
Clear view
Imagine a website owner stores the passwords of all its users in plain text (as was done in the dark old days). This means that anybody with access to the database, whether technician, administrator or hacker, could simply read every password stored in it.
Thus, it is current practice for website maintainers to store passwords as hashes only! The website maintainer should not even know the password, never ever!
That is the reason why you have to set a new password in case you have forgotten your old one: if the system is properly built, they do not know your old one. This also means that if a website just sends you your old password straight away, they are doing it very wrong, and you should leave as fast as you can.
Crawling up the slide
Remember the slide analogy?
Even when the website owner does everything the right way, “state of the art”, it is still possible to get from the hashes back to the passwords, just as one could climb back up the slide. It is not easy and takes time, though.
The 123456 million dollar question:
Which hash will be cracked first? Exactly! The one that is used by the most users.
Remember rule no. 1 about hash algorithms above. In the worst case, if 100 users use “123456” as their password, all 100 users will have the same hash, making all of them a tempting target at once.
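To make the three hash properties and the “100 users, one hash” problem concrete, here is an added example (not code from the article). Plain SHA-256 stands in for the article's toy “super-hash-function”; the salted, slow PBKDF2 variant goes one step beyond the text and shows what a site should store instead, so that identical passwords no longer produce identical records. The user list is constructed sample data.

```python
import hashlib
import hmac
import os
from collections import Counter

def naive_hash(password: str) -> str:
    """Plain SHA-256, standing in for the article's toy hash: deterministic and
    one-way, but the same password gives the same hash for every user of the site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def largest_shared_group(passwords: list) -> int:
    """How many users share the most common unsalted hash: the
    'all 100 users at once' problem described above."""
    return max(Counter(naive_hash(p) for p in passwords).values())

def store_password(password: str, iterations: int = 200_000) -> dict:
    """What a site should store instead (not mentioned in the article): a random
    per-user salt plus a slow salted hash (PBKDF2-HMAC-SHA256). Two users with
    '123456' now get different records, and every guess costs the attacker
    `iterations` rounds of work."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    # Constructed sample user base: three people chose "123456".
    users = ["123456", "password123", "123456", "IwabcdiA,atcws13", "123456"]
    print("same password, same hash:", naive_hash("password123") == naive_hash("password123"))
    print("one extra character changes everything:",
          naive_hash("password123")[:12], "vs", naive_hash("password1234")[:12])
    print("users sharing a single hash:", largest_shared_group(users))
    rec_a, rec_b = store_password("123456"), store_password("123456")
    print("salted records for the same password differ:", rec_a["hash"] != rec_b["hash"])
    print("login check:", verify_password("123456", rec_a), verify_password("123457", rec_a))
```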
You are in danger!
Okay, so why is this all a problem for the user?
The problem is that a certain type of user is put in danger here: the ones who use the same password for most (let's be honest, all) of their user accounts. Attackers go around and try to break into every website and database they can find.
Once an attacker has access to the user data, they automatically try it on other websites. This is especially problematic as most services also store the user's email address.
Imagine that your local guinea-pig-breeder forum has been compromised and the attacker has access to your password and email address.
If your email inbox uses the same (or even a similar) password, getting access to it is fairly easy.
Now imagine what this means for all other websites you use this password or email address on. What about your payment info on Amazon? What about your private pictures on cloud services? Once the data is out there, these attacks on other accounts happen in parallel, fast and automated.
Many services are under fire
But how often really is sensitive data, such as passwords or hashes, stolen?
Well, pretty often, and not only small websites are vulnerable.
Big internet companies like yahoo.com, software giants such as Adobe, technology companies like Sony and even antivirus makers such as Avast have been heavily compromised in the past.
The website haveibeenpwned.com allows you to check if one of your user accounts has been exposed in such a breach. Go on, check whether you are one of the over 10 billion accounts tracked by the website. If you are not, that does not mean you are safe at all. Although 10 billion is a big number, the site only knows about breaches that have been reported or whose data has been leaked.
The next problem is that even when website owners handle user passwords responsibly, and even when cracking a hash takes a lot of time, it can still be done. How fast? See for yourself on Kaspersky's website how secure your usual password is (do not enter your real one 😝).
Thus, there can be only one sane solution: use every password for exactly one user account or service, and use proper passwords.
Indeed, I wrote sane :)
What are secure passwords?
To put it simply, here are my rules for secure passwords. Obey them, and you won't have many problems:
- You need a workflow for password handling. Stick to your workflow, practice it, use it on every account and become confident with it.
- Use each password for exactly one account, only for one account.
- Use a properly structured password:
  - do not use words one can find in a dictionary
  - do not use names or numbers which are related to your person
  - use at least one small and one capital letter
  - use at least one number
  - use at least one special character (*,+.= etc.)
  - the password should be longer than 8 characters
A good idea is to take a sentence and use only the first letters of its words as your password. For example:
Password from a sentence
It was a bright cold day in April , and the clocks were striking 13.
Will generate: “IwabcdiA,atcws13”
Well, not bad!
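The sentence trick and the structural rules above, as an added example (not code from the article): `initials_password` applies the article's rule to its own sample sentence, and `check_rules` reports which of the listed requirements a password meets. The two rules that need outside data (no dictionary words, nothing personal) are deliberately not checked.

```python
import string

SPECIAL_CHARACTERS = set(string.punctuation)   # covers *,+.= and the rest

def initials_password(sentence: str) -> str:
    """Build a password the way the article describes: first letter of each word,
    numbers kept whole, standalone punctuation kept as-is."""
    parts = []
    for token in sentence.split():
        if token[0].isalpha():
            parts.append(token[0])                                  # "April" -> "A"
        elif token[0].isdigit():
            parts.append("".join(ch for ch in token if ch.isdigit()))  # "13." -> "13"
        else:
            parts.append(token[0])                                  # a lone "," survives
    return "".join(parts)

def check_rules(password: str) -> dict:
    """Which of the article's structural rules the password satisfies.
    The dictionary and personal-data rules need external data and are not checked."""
    return {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIAL_CHARACTERS for c in password),
        "longer_than_8": len(password) > 8,
    }

def passes_all_rules(password: str) -> bool:
    return all(check_rules(password).values())

if __name__ == "__main__":
    sentence = "It was a bright cold day in April , and the clocks were striking 13."
    pw = initials_password(sentence)
    print(pw)                                   # IwabcdiA,atcws13
    for rule, ok in check_rules(pw).items():
        print(f"{rule:>14}: {'ok' if ok else 'MISSING'}")
    print(check_rules("password123"))           # fails uppercase and special
```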
Additional security
Use [two-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) with token generation whenever possible. For important services, 2FA via mobile number is reasonable as well.
My recommendation for password organization
Now you understand the basics, the risks and possible solutions. The last unanswered question is:
How on earth shall one remember all these passwords?
The answer is: You use a password manager!
Use a password manager
Website owners and service providers should not know my real passwords, remember? Well, you know what? You should not need to know your real passwords, either.
A password manager is a tool which stores all your user accounts and passwords. It can generate new and unique passwords, and lets you access them from multiple devices.
It is unlocked with a master password, which has to be strong. It can, for example, be a really long sentence, including white spaces, special characters, numbers and proper punctuation. This makes my life a lot easier. Personally, I really only need two passwords:
- The user password for my computer
- The master password to my password manager
You can do the following tasks with a password manager:
- store account entry information
- generate passwords for accounts
- open and search for existing accounts
- copy and paste the values from the password manager into the web browser during the login process.
Keepass
This is the gold standard from my point-of-view
I use an open-source program called Keepass2.
Keepass works exactly as other password manager services, but is not part of an external service.
Keepass creates a so-called “database” file, which stores all your user accounts and passwords. The database file is protected by your strong master password and can be transferred to all the devices you want to access your passwords from.
A good idea is to use your cloud to sync the database file to other devices. If you do not have your own cloud solution, you could instead use a commercial cloud provider such as Dropbox, Microsoft OneDrive or Google Drive to bring the database file to your devices.
As the software is open-source, Keepass apps exist for all common devices and operating systems.
But wait! You wrote that I should not trust external services with my passwords. Now you are recommending to store all my passwords in the cloud?
Good point, but yes, one could do this. For a start, with a very long and diverse master password, the password database file is pretty secure. On the other hand, you do not have to use a “public” cloud provider at all. As always, it is purely a matter of convenience: one could just as well copy the database file by hand to the devices you want to use it on.
Read the Keepass article for details.
Keepass - Advantages
- You do not need to remember more than one password
- You do not have to trust a single service.
- The tool is open-source. This means:
  - One can verify what is happening inside.
- The tool is available on a lot of platforms
- The solution is practically free
- You do not have to rely on a single provider if you do not want to. Copying and sharing the database file does not have to happen via cloud sync, but can be done by hand as well.
Keepass - Disadvantages
- The database file is pretty secure and stores all user accounts and passwords. If the database file is lost or corrupted, it gets tricky. Backups of the database file are mandatory.
Bitwarden
The still okay solution, plus you do not get your hands dirty.
If you read the part about Keepass above and think “That is too much hassle for me”, don't worry. Several commercial password manager services exist which offer similar functionality.
I can recommend Bitwarden, as it is well respected, open-source and its free tier is perfectly equipped for most use-cases.
It can be used on all major operating systems (i.e. Android, iOS, Windows, macOS, Linux) and has integrations for all common web browsers.
Bitwarden - Advantages
- You do not need to remember more than one password
- The tool is open-source. This means:
  - One can verify what is happening inside.
- The tool is available on a lot of platforms
Bitwarden - Disadvantages
You still have to rely on an external service to store your passwords. You have to trust them with not one password, but all of your passwords. You have to trust that they secure and update their infrastructure properly. That they handle your data properly. Thus, being open-source is a real plus for the password manager, here.
If you ask me, use Bitwarden if you are too lazy or too overwhelmed for the Keepass workflow. It is an excellent and safe bet.
Alternatives to a password manager
This is a safe compromise, a.k.a. the grandma version
The good old book! Yes I mean it, get yourself a real nice (bright-colored) paperback book and put it somewhere special.
Write all your accounts down and use it every time you use the internet; but remember it is important to:
- use different passwords on each and every account
- at least memorize the password to your main email account, in order to reset passwords (in case you lose the book)
Book disadvantages
Well, obviously you only have one book. So if you don't have it with you, you cannot access your accounts. Also, you do not want to lose it somewhere, as all your accounts are stored in it. Thus, I would not recommend taking it outside with you.
What happens when you lose the book? If you have only misplaced it, that is not good, as you now have a lot of work to do, but not too bad either: you can still access your email account and reset all your passwords. If you lose it somewhere else and somebody finds it, the problem is indeed big. All your accounts and passwords, written down, in the hands of a stranger is not good. Just keep it at home!
Additions
Some people let their web browser manage and autofill their passwords. I cannot recommend this.
Well folks, that’s it! 😉 I hope my mum will read this article, too 😘