When I browse the internet I see so many bad security practices when it comes to passwords: enforced periodic password changes, very low maximum password lengths, companies denying data breaches and much more. In this article I will go over my own thoughts on passwords and the security practices everyone should start following now!

First, let's take a look at what makes a password strong:

  • Long passwords with over 16 characters
  • Complex passwords using lowercase and uppercase, numbers and special characters
  • Passwords that are unique to every service
  • Passwords which are changed frequently

However, we as humans are not as good with passwords as we think we are. It is impossible for almost anyone to create passwords that are as strong as possible while still remembering all of them. I am sure everyone has already seen the image below, which was created by xkcd:

The image was created many years ago but it still holds true:

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

When it comes down to the calculation power of computers, a long password is far more difficult to guess than a short but complex password. That is exactly why my recommendation for everyone is to use a long passphrase over a short but complex password. Of course, this is still a compromise: even better would be a long and complex password which is also unique and changed frequently. That is where a password manager comes into play.

A password manager is a digital safe for all your passwords, which ultimately also creates passwords for you that are complex, long and unique. Over the years I've heard a lot of people complain about the security of password managers, because you are putting your passwords online. While this is partially true, a password manager does not have to be 100% safe. It just has to be safer than the alternative, which is remembering all your unique, long and complex passwords. No human can do that, so you will end up compromising on your security and getting hacked at some point.

We will have a look at how to protect your password manager, but for now I would like to give some personal recommendations of password managers which are considered to be very safe and trustworthy:

  • Keeper
  • Dashlane
  • 1Password
  • LastPass

Yes, even password managers have bugs in them and yes, you do need to trust the vendor of the password manager you are using, but this is better than trying to remember unique passwords for each website which are both long and complex at the same time. The only secure password is the one you can't remember! The strength of a password is measured by its entropy, which can be calculated with the following formula:

E = log2(R^L) = L × log2(R)

E = password entropy (in bits)
R = pool of characters
L = number of characters in password

Password entropy is based on the character set used (which can be expanded by using lowercase, uppercase, numbers as well as symbols) and on the password length.
It predicts how difficult a given password would be to crack through guessing, brute force, dictionary attacks or other common methods.

Password entropy is usually expressed in terms of bits:

A password that is already known has zero bits of entropy; one that would be guessed on the first attempt half the time would have 1 bit of entropy.

Let's compare the two passwords used in the xkcd image above, correcthorsebatterystaple and Tr0ub4dor&3. For the first password, the pool of characters is 26 (it only uses the lowercase alphabet) and the number of characters is 25. Therefore, the password entropy is 93.6, which is considered strong. For the second password, the pool of characters is much bigger (adding to the complexity of the password), namely 72 (it uses both the uppercase and lowercase alphabet, numbers and special characters), but the password length is just 11, resulting in a password entropy of 51.8, which is considerably lower.

Entropy is so important because it measures the unpredictability of a password, which matters a great deal given the calculation power of computers nowadays. At the moment (and this will change in the future!) it is my opinion that a password is safe when it has an entropy of at least 60 bits. Any password with a lower entropy should be considered unsafe. Aim for a password entropy of 90 bits or above, which is very safe and can easily be achieved by using a password manager that generates passwords for you.
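To make the formula concrete, here is an added Python example (my own, not code from the post) that derives R from the character classes a password actually uses, evaluates E = L × log2(R), and rates the result with the thresholds used above (below 60 bits unsafe, 90 bits and above very safe). The symbol-class size of 10 is an assumption chosen so that a password mixing both cases, digits and symbols gets the pool of 72 used above; the bit values the code prints are those the formula yields for each pool size and length.

```python
import math
import string

# Pool size per character class. The post counts a pool of 72 for a password
# mixing both cases, digits and symbols; counting the symbol class as 10
# characters reproduces that figure. This is an assumption made to match the
# post; real calculators usually count all 32 printable ASCII symbols.
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 10}

# Thresholds as given in the post: below 60 bits unsafe, 90 bits and above very safe.
UNSAFE_BELOW = 60
VERY_SAFE_FROM = 90


def character_pool(password: str) -> int:
    """Return R, the size of the character pool the password draws from.

    Each character class that appears at least once contributes its whole
    class to the pool, e.g. a single digit adds all ten digits.
    """
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(POOL_SIZES[c] for c in classes)


def entropy_bits(pool: int, length: int) -> float:
    """E = log2(R^L), evaluated as L * log2(R) so R^L is never materialised."""
    if length == 0 or pool <= 1:
        return 0.0
    return length * math.log2(pool)


def password_entropy(password: str) -> float:
    """Entropy of a concrete password under the post's R and L definitions."""
    return entropy_bits(character_pool(password), len(password))


def rating(bits: float) -> str:
    """Classify an entropy value using the post's thresholds."""
    if bits < UNSAFE_BELOW:
        return "unsafe"
    if bits < VERY_SAFE_FROM:
        return "safe"
    return "very safe"


def length_needed(pool: int, target_bits: float) -> int:
    """Smallest L such that L * log2(R) reaches target_bits, e.g. how long a
    lowercase-only passphrase must be to reach 90 bits."""
    return math.ceil(target_bits / math.log2(pool))


if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "Tr0ub4dor&3", "CrazyElephantWeirdKangaroo"):
        bits = password_entropy(pw)
        print(f"{pw:28} R={character_pool(pw):3d} L={len(pw):3d} "
              f"E={bits:6.1f} bits -> {rating(bits)}")
    print("lowercase-only length needed for 90 bits:", length_needed(26, 90))
```

The `length_needed` helper turns the thresholds into practical guidance: it reports how many lowercase words' worth of characters a passphrase needs before the 90-bit target is reached, which is the trade-off between length and character-set size the xkcd comparison is about.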

Now, let's talk about how to protect your password manager. First of all, contrary to the rest of this post, you will need a good password to log in to your password manager. This has to be a safe password, but because you only have to remember one password from now on, we can achieve that very easily. The best solution is to compromise on the list above once, because we are going to create a very long but easy to remember password by using a passphrase. A passphrase is basically a long string of words you can easily remember. For example, in high school we sang a song whose lyrics sounded like Crazy Elephant Weird Kangaroo, and we can easily turn this into a very secure password: CrazyElephantWeirdKangaroo (which has a password entropy of 122.4 bits and has 52 characters!). I can easily remember this password because it has a meaning to me, and it is still very secure.

Secondly, make sure to use two-factor authentication (2FA/MFA) to protect your most valuable accounts, including your password manager. With two-factor authentication, you'll most likely receive an additional code you need to enter after logging in with your password. Two-factor authentication means logging in is based on two of the following:

  • Something you know
  • Something you have
  • Something you are

An example is a PIN code (something you know) in combination with a bank card (something you have) when you use an ATM. The same principle applies to online login forms.

Using two-factor authentication protects your account even when your password is compromised. It is very important to protect your password manager and other important services (such as your online banking, PayPal, e-mail etc.) with two-factor authentication. Yes, I listed e-mail in there, and yes, I know this is difficult to protect with two-factor authentication. However, for most people their e-mail is the way to recover lost passwords, which means that any adversary with access to your e-mail has access to all accounts which are not protected with two-factor authentication.

Let's talk about credential stuffing and why it is important to use unique passwords as well. The most obvious answer is of course that when one password is compromised and you use this password for multiple services, all of these should be considered compromised as well. Wikipedia has a very good explanation of credential stuffing:

Credential stuffing is a type of cyber attack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

I have seen an increased amount of credential stuffing attacks lately, so be aware of the consequences of not using two-factor authentication or of reusing passwords. It is a very bad security practice.
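From the defender's side, the pattern Wikipedia describes (large-scale automated logins, each against a different account) is exactly what makes credential stuffing visible in a web application's login logs. The following Python example is added here and is not part of the original post: the log format, the sample events and the thresholds (five distinct usernames within sixty seconds, at least 60% failures) are constructed for the demonstration and would need tuning for real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events from a web application (not real data).
# Each line: ISO-8601 timestamp, client IP, username, result.
# 198.51.100.7 works through a stolen credential list: many distinct
# usernames, almost all failing, within seconds. 203.0.113.5 is a person who
# mistyped their own password twice, a pattern that must not be flagged.
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.7 alice FAIL
2024-03-01T10:00:01 198.51.100.7 bob FAIL
2024-03-01T10:00:01 198.51.100.7 carol FAIL
2024-03-01T10:00:02 198.51.100.7 dave OK
2024-03-01T10:00:02 198.51.100.7 erin FAIL
2024-03-01T10:00:03 198.51.100.7 frank FAIL
2024-03-01T10:00:03 198.51.100.7 grace FAIL
2024-03-01T10:00:04 198.51.100.7 heidi FAIL
2024-03-01T10:05:00 203.0.113.5 alice FAIL
2024-03-01T10:05:20 203.0.113.5 alice FAIL
2024-03-01T10:05:45 203.0.113.5 alice OK
"""


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within one sliding window, try at least
    `min_users` distinct usernames with a failure ratio of `min_fail_ratio`
    or more. That combination separates stuffing (one source, many accounts,
    mostly wrong passwords) from a single user fumbling their own login.

    Returns {ip: {"attempts", "distinct_users", "fail_ratio", "succeeded"}}
    where "succeeded" lists the accounts the source did log into, i.e. the
    accounts whose reused passwords were in the stolen list and need a reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e[2] for e in in_window}
            fails = sum(1 for e in in_window if e[3] != "OK")
            ratio = fails / len(in_window)
            if len(users) < min_users or ratio < min_fail_ratio:
                continue
            # Keep the widest matching window seen for this source.
            if ip not in flagged or len(in_window) > flagged[ip]["attempts"]:
                flagged[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "fail_ratio": ratio,
                    "succeeded": sorted({e[2] for e in in_window if e[3] == "OK"}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts, {info['distinct_users']} usernames, "
              f"{info['fail_ratio']:.0%} failed; accounts to reset: {info['succeeded']}")
```

The accounts listed under `succeeded` are the interesting output for an incident responder: a successful login from a source that is clearly spraying a stolen list means that account reused a breached password, so it should be reset and, as the post argues, have two-factor authentication turned on.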

That leaves us with the mandatory periodic change of your passwords. This is not as important if you use secure passwords and, because of the practical problems, is actually advised against by NIST in their most recent publication (SP 800-63B). This is of course because of the human aspect of changing your passwords: it often leads to less secure passwords, because people will simply increment a number for example, which makes passwords more predictable (and decreases their entropy). In theory changing your passwords is more secure, but because of the practicality I'd advise against it.

For companies this means you should enforce longer passwords, check for compromised passwords by using a service such as Have I Been Pwned, and not enforce a periodic password change.
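Have I Been Pwned's Pwned Passwords service can be queried without revealing the password being checked: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/<prefix>, receives every known breached hash suffix sharing that prefix with its breach count, and does the comparison locally. The Python example below is added here and is not the post's or the service's own code; the breach set and the range responses are constructed so it runs offline, and a real deployment would replace `fake_range_api` with an HTTP GET against that endpoint.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords breach set: password -> number
# of times it appeared in breaches. The counts are made up for this example.
CONSTRUCTED_BREACH_SET = {
    "password": 3861493,
    "123456": 24230577,
    "letmein": 151000,
    "qwerty": 3946737,
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the hash format the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_api(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real endpoint returns one 'SUFFIX:COUNT' line (CRLF separated) for
    every breached hash whose first five hex characters equal <prefix>. This
    version answers from CONSTRUCTED_BREACH_SET and adds two constructed
    filler entries so the response has the shape of a real range.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACH_SET.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    lines.append("0" * 34 + "A:1")   # filler suffix, constructed
    lines.append("F" * 35 + ":2")    # filler suffix, constructed
    return "\r\n".join(sorted(lines))


def breach_count(password: str, range_api=fake_range_api) -> int:
    """How often the password appears in the breach data, found without
    sending the password, or even its full hash, to the server: only the
    5-character prefix leaves the client (k-anonymity) and the suffix
    comparison happens locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_api(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def policy_violations(password: str, min_length: int = 16) -> list:
    """Apply the post's advice for companies: require longer passwords and
    reject any password seen in a breach. Periodic rotation is deliberately
    not part of the policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = breach_count(password)
    if hits:
        problems.append(f"seen {hits} times in breach data")
    return problems


if __name__ == "__main__":
    for pw in ("password", "CrazyElephantWeirdKangaroo"):
        print(pw, "->", policy_violations(pw) or ["accepted"])
```

Because the server only ever learns a five-character prefix shared by hundreds of unrelated hashes, this check can be wired into a signup or password-change form without the company shipping its users' passwords to a third party.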

To wrap it all up, here are my key takeaways if you're reading this rather quickly:

Key takeaways

  • Use password managers (they don't have to be 100% secure, only more secure than the alternative)
  • Focus on unique and long passwords (by using a passphrase) instead of shorter passwords with lots of different types of characters
  • Sign up for a data breach notification service like haveibeenpwned.com
  • Use two-factor authentication
  • For companies: do not enforce a regular mandatory password change, in accordance with the NIST guidelines