The Password – Simultaneously The Best and The Worst Form of Cybersecurity
Passwords. We are all familiar with them. We use a password to log in to our computer, another for our phone, another for Facebook, another for e-mail; the list goes on and on. Every account you own is probably protected with a password. Some of the earliest computers in the 60s used passwords, and for over 50 years we have been relying on them to keep us safe. However, they are inherently insecure. Yes, that’s right. The password in itself is not very safe.
The problem lies with the format: a static string of letters, numbers, and sometimes symbols. Anyone who can figure out that string can log in to your account or device, and because it doesn’t change on its own, they can keep that access until they are discovered or until (if) the owner eventually decides to change it. You have probably heard the rules so many times by now: don’t use any personal information, don’t tell anyone your passwords, don’t reuse the same password, blah blah blah. But do you actually follow these rules?
A 2012 study by CSID shows that a whopping 61% of people use the same password across multiple websites, 54% of users admit to having five or fewer passwords, and 44% of users change their passwords once a year or less. Yet 89% of users say they feel secure with their password habits. But here’s the thing: if you reuse passwords and don’t change them every now and then, you are not as secure as you think you are.
Here are some easy password tips that everyone should follow:
- Never use the same password twice. Never.
- Don’t use personal information in your password. Not your pet or child’s name, your favorites, special dates, nothing. Make it random.
- Use uppercase and lowercase letters, numbers, and symbols.
- NEVER EVER EVER give ANYONE your password(s). It doesn’t matter if they are close friends, family, or even your spouse. Don’t do it. Even if you trust that they won’t mess with your account, letting them know your password also means that you have to trust them to develop good cybersecurity practices in order to keep it safe as well.
- Be wary of phishing attempts (I will make another post on the “phisherman” later).
- Periodically check for breaches using haveibeenpwned.com.
- Use a password manager
Wait, what? A password manager?
The problem with following the above tips is that it’s way too hard! I know, there is no way you can remember a password like “47wT)q\9%>g’->c5zKyZ,*[email protected]” using just your head. Maybe you have seen this XKCD comic before:
The idea is simple: string together several long random words to come up with a tricky password; you don’t even need to use special characters or numbers (though I would still advise it, since they make it more difficult for a hacker to brute-force your password). Such a password is much easier to remember, but can you do that for every single website you visit? Probably not.
However, what you can do is use a password manager. All you need is one password that is very difficult to guess, such as the one in the above comic; throw in a few numbers and symbols, and you have yourself a great master password. That is the ONLY password you will ever need to memorize. The rest are saved in the password manager.
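To put the comic’s argument into numbers, here is an added example (not part of the original post): it compares the search space of a random-character password with that of a random-word passphrase, shows how much the extra random digits and symbols add, and generates a passphrase with `secrets`. The 16-word list is a constructed demo, and the 2048-word list size and the guesses-per-second rate are assumptions.

```python
import math
import secrets

# Constructed demo word list. A real generator draws from thousands of words;
# the XKCD comic assumes a list of about 2048 (11 bits per word).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "river", "lamp",
              "pencil", "orbit", "cactus", "violet", "marble", "tundra",
              "walrus", "quartz", "signal", "meadow"]

def bits_per_symbol(pool_size: int) -> float:
    # How many bits one uniformly random pick from a pool of this size is worth
    return math.log2(pool_size)

def password_bits(length: int, pool_size: int) -> float:
    # Entropy of a password whose every character is chosen at random
    # (e.g. 94 printable ASCII characters per position)
    return length * bits_per_symbol(pool_size)

def passphrase_bits(words: int, list_size: int, extra_symbols: int = 0,
                    symbol_pool: int = 32) -> float:
    # Entropy of `words` random words plus optional random digits/symbols
    # appended (the author's advice). The extras only count if they are random.
    return (words * bits_per_symbol(list_size)
            + extra_symbols * bits_per_symbol(symbol_pool))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    # Worst case for the attacker: try every possibility at the given rate
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def generate_passphrase(words: int = 4, wordlist=DEMO_WORDS, sep: str = "-") -> str:
    # secrets, not random: the whole argument rests on the picks being unpredictable
    return sep.join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    print("4 words from 2048:", passphrase_bits(4, 2048), "bits")
    print("4 words from 2048 + 2 symbols:", passphrase_bits(4, 2048, 2), "bits")
    print("4 words from the 16-word demo list:", passphrase_bits(4, len(DEMO_WORDS)), "bits")
    print("8 random printable chars:", round(password_bits(8, 94), 1), "bits")
    print("years at 1e9 guesses/s for 44 bits:", years_to_exhaust(44, 1e9))
    print("sample passphrase:", generate_passphrase())
```

The demo list is deliberately tiny so the output shows why the word list, not just the word count, decides the strength.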
How do password managers work?
Password managers store all of your passwords in a heavily encrypted database, secured by a single master password. The database may be stored locally, on your own devices or a flash drive, or it might be stored in the cloud. Most password managers also support multi-factor authentication, which I will go into more in my next post. When you log in to your password manager, you are given access to a list of websites with their corresponding saved usernames and passwords.
Password managers make your life easier in a few different ways. For starters, you only need to remember one password, and that is your master password. After that, you can use very strong, unique passwords for every site you visit without having to force yourself to memorize them. Secondly, a lot of password managers have an autofill feature (if not, you are most likely copying and pasting), meaning you no longer have to type passwords in every time. This is significantly more secure than your browser’s built-in autofill (WHICH I HIGHLY SUGGEST YOU DISABLE), and it saves a lot of time if you are a slow typist. Lastly, some password managers even provide security features such as random password generation, password checkups, and more.
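To show what “secured by a single master password” means in practice, here is an added, simplified sketch (not any product’s actual scheme and not code from the original post): the master password is stretched with a salt and a high iteration count into a key, and a verifier derived from that key decides whether the vault unlocks. The iteration count and the verifier label are assumed values; in a real manager the derived key would feed an authenticated cipher that encrypts the entries.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; each attacker guess costs this much too

def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # PBKDF2-HMAC-SHA256 stretches the master password into a 32-byte key.
    # The salt defeats precomputed tables; the iterations make every guess slow.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def create_vault(master_password: str) -> dict:
    # Persist a random salt and a verifier derived from the key.
    # Neither the master password nor the key itself is ever stored.
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier, "iterations": ITERATIONS}

def unlock(vault: dict, master_password: str):
    # Re-derive the key from the typed password; return it only if the
    # verifier matches (constant-time compare), otherwise None.
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    candidate = hmac.new(key, b"vault-verifier", "sha256").digest()
    if hmac.compare_digest(candidate, vault["verifier"]):
        return key
    return None

if __name__ == "__main__":
    vault = create_vault("correct-horse-battery-staple")
    print("right password unlocks:", unlock(vault, "correct-horse-battery-staple") is not None)
    print("typo unlocks:", unlock(vault, "correct-horse-battery-staples") is not None)
```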
So, let’s look at some password managers, shall we?
KeePass
Pros:
- Completely free
- Open source
- User-made add-ons, such as browser extensions, mobile apps, etc.
- Bonus features such as random password generation, simplified two-factor authentication, and more
Cons:
- Not the most user-friendly password manager
- Not the most convenient
- No native support for applications, web browsers, etc., which often means relying on add-ons
KeePass is a great password manager, but keep in mind that it is geared towards more advanced users. It is completely free and open source, but the native KeePass application is missing a lot of features commonly found in popular password managers. This means relying more on third-party add-ons, which can cause compatibility and security issues. It can be used in the cloud by syncing it with Dropbox or another cloud platform, but its biggest strength is the fact that it can be used entirely offline. This is a major bonus when it comes to security.
LastPass
Pros:
- Free version has everything you need to get started
- Native mobile application and browser extensions
- Supports various multi-factor authentication methods, including FIDO U2F
- Bonus features such as security checkup, random password generation, one-time passwords, secure notes, and more
Cons:
- Premium account is required for some features
- Cloud-based, not locally stored
- Extremely popular, making it a larger target
LastPass is one of the most popular password managers, and for good reason. Its popularity is a double-edged sword: on one hand it means a large budget and more eyes looking for bugs, but it also means LastPass is a larger target than the rest. However, rest assured, it is still very much secure. LastPass offers browser extensions that will automatically fill in your passwords, add new passwords as you create accounts, and even warn you if you use duplicate or weak passwords. LastPass also offers a mobile application, making it even easier to take your passwords on the go. However, LastPass is entirely cloud-based, which means that your passwords are stored on someone else’s server. This may sound scary, but keep in mind that everything is heavily encrypted and the LastPass team takes cybersecurity very seriously.
Dashlane
Pros:
- Mobile applications
- Breach alerts
- Free version
- Password generation
- Comparable to LastPass
Cons:
- Syncing requires a premium account
- Two-factor authentication requires a premium account
Dashlane is another good option if you need a password manager that can be taken with you on your mobile device(s). It’s very similar to LastPass in terms of ease of use and number of features. Just keep in mind that syncing between devices and two-factor authentication require you to pay for a premium account.
Pros:
- Simple to use
- Browser plugin
Cons:
- No free option available for desktop
I can’t speak for this one, as they did not offer a free trial. But like the rest on the list, it’s still a very good password manager and will serve all of your needs adequately.
CSID. “Consumer Survey: Password Habits. A Study of Password Habits Among American Consumers.” September 2012. Web.