Generating and managing secure passwords
Secure passwords are essential if you are frequently active on the internet. This can be quite a challenge; whether email account, web forums or social media websites: Each service you are using requires a username and password. How to manage all those credentials, let alone how to remember them all?
With the right tools and a good strategy for password management this challenge can be mastered quite easily. We have assembled the most important methods and tips for you so that you can keep track of all your passwords without compromising security.
How strong should passwords be?
It is common advice that a password should be adequately long (ideally 20 characters or more) and contain a mixture of upper and lower case letters, numbers and special characters. This is not wrong as general advice but usually not workable. Especially if you are using a lot of different login credentials you need a feasible strategy.
When you are using many differnt passwords you should definitely consider using a password management software. There are a variety of programs that can manage and store passwords (and other credentials of all kinds) encrypted. One of the best known software for this is KeePass (Linux/Windows) and KeePassX (MacOS). This password tool is open source and is generally trusted. KeePass can also generate secure passwords using custom templates.
For many password managers there is also browser integration available (such as KeeFox for Firefox) but you should be careful with those: While based on current knowledge there are no known critical security issues, the browser as such is a potential problem: Should someone discover a new vulnerability in the browser, the password manager extension might be affected as well even if it has no vulnerabilities itself.
If you do not want to trust password managers you can also use a simple text file to store your passwords. Of course, in this case you should make sure that this file is encrypted (such as saving it on a fully encrypted thumb drive which is only plugged in when needed).
Whether you choose a password manager or a text file, you will either need a private key and/or a master password to access your database of passwords. When using a password, you should definitely write it down on paper and store it in a secure place. Even if you are confident that you memorized the password this might not always be the case, especially if you don’t access your password safe for a few weeks.
You should also make sure to always have a current backup of your password database. A complete loss of your passwords is one of the most annoying scenarios (but not the worst).
Another method to contain the complexity of many login credentials and passwords is the categorization into different security classes. Not every password protects really sensitive data and thus does not have to meet the highest security standard. For example: In many web forums you can only read after you signed up. In many cases you don’t even want to post anything but just lurk passively in the background.
Passwords for such sites do not need to be secure since you will not care should the account get compromised (you can simply make a new one). In such cases a short and easy to remember password will suffice. But careful: Even if the data it protects is not important, you should never re-use the password on other unimportant sites but always some kind of deviation (like including parts of the URL). If multiple accounts are compromised it can have much more dire consequences than single services alone, as possibly data can be correlated.
Then of course there is data that must never be comrpomised. This includes every password protecting financial services like credit card information or the password to your bitcoin wallet but also other sensitive personal information. This kind of data should always be encrypted with a strong passphrase.
We say “Passphrase” instead of “Password” here to emphasize on the fact that regarding the length it should rather represent a sentence than a word – more on that shortly.
Before choosing a password you should consider how bad the consequences in case of a compromise are. If in doubt you should always choose the longer but more secure password.
What exactly makes a password secure? It is a common misconception that exchanging letters for numbers and special characters increases the security. This is only partially correct: Todays algorithms and software to crack passwords are much more advanced than just simple guessing (“brute forcing”). Modern software utilizes datasets from previously leaked password information – and there is massive amounts of data available. A breach at Adobe in 2013 resulted in 130 million leaked passwords in a single attack. Cracking software uses this data to find the most common patterns which in turn makes it much faster to crack new passwords.
Another disadvantage when using numbers and special characters is the increased difficulty in memorizing the password. The password “S3CurE*p4%%w0rD19” is very difficult to remember, especially when not having used it for a while. When using a password manager this of course is not relevant but in this case you should rather use a generated password from the software – in almost all cases these provide better security than made up passwords.
But some passwords, like the previously mentioned master password, you want to be able to remember without making a tradeoff with the security. An easy and secure method was described by Randall Munroe in his webcomic xkcd:
Instead of using hard to memorize passwords with numbers and special chars you should simply increase the number of words without constructing any meaningful sentence (so the password becomes an actual passphrase). You can then associate the words with a sequence of pictures or even a storyline to memorize them easily.
While it is correct that such words are prone to dictionary attacks but with a combination of four or even five words there is enough entropy that brute force attacks are not feasible. Additionally you can mix languages or even make up non-existing words to render any dictionary based attack ineffective.
How difficult it is to crack a password by brute force depends on its entropy. There are generally two ways to raise entropy: Either by increasing the number of used characters (upper and lower case, numbers and special characters) or the total length. Increasing the length is the better approach for passwords that you want to remember. For generated passwords neither length nor memorability is important so than the full character set can be used in a long password.
For whatever method you decide: With good passphrases and secure password management you can avoid a lot of risks on the internet. Additionally, with a VPN from Perfect Privacy you can also protect your Anonymity at the same time.