Most of us know security is important, but still choose the lazy option when it comes to password security. Of course it’s bad to use the same password for every website. But it’s not even good enough to use a strong password; we now live in a world where so much is tied up with our online lives that hackers are doing more and more to break into online accounts.
So, we’re going to look at the whole subject of password security, and hence online account security, how we can choose better passwords, how we can make our lives easier but also safer, how we can increase protection beyond passwords, and how hackers attack and use your account details.
Some of this advice you’ll have probably heard before, some of it is hopefully new, but by the end, you’ll be suitably terrified that you’ll overcome your human propensity for laziness, get up off your ass, and protect your passwords!
Let’s start by scaring the heck out of you. There’s been a host of research on password security, made much easier by the huge number of database breaches in recent years. One of the widest-ranging research efforts was by Google, published mid-2017 in its “Data breaches, phishing, or malware? Understanding the risks of stolen credentials” paper.
Some sweet nuggets from that little cache include the fact that the researchers swept over 1.9 billion non-unique account usernames and password credentials. These were taken from a variety of leak sources, but mostly blackhat security forums. An insane 76 percent of these could be (or already were) easily converted to plain text (best practice is to hash and salt stored credentials). The researchers were able to reverse an impressive 36 percent of hashed passwords, using a suitable keyword attack.
Of those stolen via phishing attacks, 49 percent were from Americans. When it came to pure security leaks, 39 percent of credentials were linked to Americans. As for credentials stolen via keyloggers, Americans were targets in 8 percent of incidents; Brazil accounted for the highest amount in this group at 18 percent.
Credential leaks appear to happen regularly these days. The largest ever remains the initially hushed-up Yahoo leak, back in 2013, in which pretty much every Yahoo account ever was leaked, totaling 3 billion. Adult Friend Finder topped 412 million, the 2017 Equifax breach hit 143 million Americans, while MySpace, Adobe, LinkedIn, Dropbox, LastFM, NexusMods, and many more have all had their leaks, each individually releasing millions of users’ details.
These leaks show the basic issue with password reuse: If you are using the same password across all of your online accounts, it just takes a single leak to contain that password, and all your accounts are compromised.
Science save us!
So the logical next question is: What makes a secure password? Entropy. That means the level of randomness in a system. By randomness, we mean true randomness. It’s not enough to have a long password, it has to be long and truly random. We stumbled across a lovely analysis of poor passwords by WPEngine, which you can read here.
It’s worth a read—as well as being funny and interesting, it highlights a lot of general failings of humans when it comes to creating passwords.
The obvious beginnings are the standard bad passwords: “123456” and any variation thereof, “password,” “qwerty,” and again any variation of those. Obvious stuff. Another issue is that many password guidelines are bad. Forcing upper-case letters, for instance, means people tend to just capitalize the first letter; forcing at least one number means people just put “1” at the end; and demanding a password of at least a certain length means people fall back on a pattern on the keyboard. For example, the seemingly random “ADGJMPTW” is actually people typing 2–9 on a smartphone number pad. This is what happens, and it doesn’t make for strong passwords: such patterns have far lower entropy than their length suggests, so they’re much easier to guess.
It’s that human nature thing. One group wants to protect a system; another wants an easy life, so it circumvents the rules; and a third group is trying to break in. So, how do we make stronger passwords?
A few years ago, a Dropbox engineer, Dan Wheeler, wrote a blog post referencing Randall Munroe’s classic XKCD correcthorsebatterystaple cartoon on password entropy, alongside Mark Burnett’s earlier research. Dan’s post is long and complex, and focuses on what makes a strong (high entropy) password, alongside how that can be easily measured and communicated to the user. Conversely, Randall’s point was part password strength, but he was largely extolling the need to make password systems human-friendly.
We don’t want to get into the nitty-gritty too much, but effectively a good password is a long password. Simple. The XKCD approach is to use a memorable series of words or a phrase, usually painting an odd scene, such as the classic example of “correct horse battery staple,” but it could be a phrase such as “basketball on a unicycle flying high.” From a memorability standpoint, this taps into techniques used by memory experts. Of course, throw in some numerals and symbols, and it’s even stronger.
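To make the entropy discussion concrete, here is an added example (not code from the article, WPEngine, Dropbox or XKCD) that puts numbers on the three ideas above: the naive brute-force estimate a strength meter starts from, why a keypad walk like “ADGJMPTW” is worth far less than that estimate, and how a randomly chosen multi-word passphrase gets its entropy from the size of the word list rather than from character classes. The character-class pool sizes, the phone keypad map and the tiny sample word list are assumptions built for this demonstration; a real passphrase generator would use a list of several thousand words.

```python
"""Password entropy estimates and XKCD-style passphrase generation (added example)."""
import math
import secrets
import string

# Naive brute-force model: every character drawn uniformly from the union of the
# character classes present. It is an upper bound that only holds for random input.
CLASS_POOLS = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
]

# Standard phone keypad letter groups (assumed layout for the demo).
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_KEY = {ch: (int(digit), idx) for digit, letters in KEYPAD.items()
                 for idx, ch in enumerate(letters)}


def brute_force_bits(password: str) -> float:
    """log2(pool ** length): the figure most strength meters begin with."""
    pool = sum(size for chars, size in CLASS_POOLS if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def is_keypad_pattern(password: str) -> bool:
    """Detect 'ADGJMPTW'-style walks: the same letter position on consecutive keys."""
    keys = [LETTER_TO_KEY.get(c.upper()) for c in password]
    if len(keys) < 4 or any(k is None for k in keys):
        return False
    digits = [d for d, _ in keys]
    positions = {p for _, p in keys}
    steps = {b - a for a, b in zip(digits, digits[1:])}
    # One position within each key, and the keys advance by exactly one each time.
    return len(positions) == 1 and (steps == {1} or steps == {-1})


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words chosen uniformly at random from a wordlist."""
    return word_count * math.log2(wordlist_size)


# Constructed sample word list; a real diceware-style list has thousands of entries.
WORDLIST = ["correct", "horse", "battery", "staple", "basketball", "unicycle",
            "flying", "high", "anchor", "banana", "cactus", "dolphin", "eagle",
            "falcon", "garden", "hammer"]


def generate_passphrase(wordlist=WORDLIST, word_count: int = 4) -> str:
    """Pick words with the CSPRNG in `secrets`; the `random` module is not suitable."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ["password", "Password1", "ADGJMPTW", "correcthorsebatterystaple"]:
        print(f"{pw:28} naive {brute_force_bits(pw):5.1f} bits"
              f"  keypad-walk={is_keypad_pattern(pw)}")
    # XKCD's own figure: four words from a 2048-word list is 44 bits.
    print("4 words from a 2048-word list:", passphrase_bits(4, 2048), "bits")
    print("generated:", generate_passphrase())
```

Running it shows “ADGJMPTW” scoring about 37.6 bits on the naive model while being flagged as a keypad walk, and “correcthorsebatterystaple” scoring well over 100 bits naively but only 44 bits when honestly modelled as four words from a 2048-word list. That second number is still comfortably strong for an online account, and it is the honest one, which is the point of the XKCD argument: length from random words is memorable and measurable, whereas length from a keyboard pattern is neither.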
None of this addresses the core issue, though, that we now have a seemingly endless number of online services to use and try, each with their own password and login. Even making passwords memorable wouldn’t solve the innate issue of having to remember them all. The solution to that is a password manager.
The open-source way
We like open source; it might not always produce the most polished-looking software [cough] GIMP [cough], but for security software, its publicly scrutinizable code tends to provide peace of mind, while largely ensuring a project can continue even if the original organization or developer packs up their bags, as the source code stays open to be picked up by someone else.
We’re going to highlight two strong open-source candidates. The first is the well-known KeePass.info. Don’t confuse this with the largely defunct KeePassX.org, which hasn’t been updated for two years. There is a fork called KeePassXC.org, which is up to date, but we’ll stick with KeePass, as it has many unofficial respins for Android and other devices that make it easier to use.
KeePass isn’t as straightforward to use as the commercial alternatives; the main hoop you need to jump through is for multi-device synchronization, where a third-party cloud service, such as Dropbox or Google Drive, needs to be roped in. But the breadth of support, custom options, and feature set is unmatched, with no fees to pay.
The other strong open-source option is Bitwarden. It offers an excellent free model, a $1-a-month family subscription that supports up to five users, a basic business version at $5 per month, plus enterprise options. It’s a modern, slick, open-source application supporting macOS, Windows, Linux, all the major browsers—including Opera, Tor, and Brave—plus Android and iOS devices. If you’re a fan of open source, we suggest you give it a look.