Passwords are the most common way we identify ourselves to services online. But not done right, they can be a real security weakness, and people can and do get hacked because of poor password choices.
Passwords protect our e-mail accounts, our banking, our access to work, and even our social lives (like Facebook). They protect a vast amount of our personal information, so if they fail us, the results can be horrible.
There’s lots of advice out there about how to have strong passwords, but we see over and over again that people don’t understand that traditional password advice, or they find it overwhelming.
It doesn’t help that a lot of that advice is actually quite wrong. Interestingly, the US National Institute of Standards and Technology (NIST), in their Digital Identity Guidelines publication this year, have pointed out that the overwhelming nature of traditional strong password advice actually undermines the point – people fall into predictable patterns when satisfying the traditional list of requirements. And attackers know this.
This is usually how it plays out: You’re asked to create a password that contains capital letters and/or numbers and/or punctuation, and are likely to have capitalised the first letter of your pet’s name and added the number 1 to the end, right? Boxes ticked, but Ginger1 is a terrible password. And relatively easy for an attacker to guess, especially if you’ve posted about or mentioned your cat Ginger a couple of times on Facebook.
However, a truly strong and random password like zcABzSwc0gmawPCbO-MZ2A is going to be absolutely impossible to remember and frustrating to enter.
There are solutions to this – we outline our favourite methods and tools below.
But first, a summary of what you need to do to minimise the chances of (a) getting hacked, and (b) having that hack spread:
- Have different passwords for every online service
- Make all those passwords strong
Now without help, that will lead to the impossible situation of having to remember dozens of strong passwords. So we need help from some tools:
- Use a reputable password manager to store and remember those strong passwords for you. There are both local (like Keeper and KeePassXC) and cloud-based password managers (like Dashlane and 1Password).
- Then concentrate your efforts on making just a couple of strong passwords – one to get into the password manager, and a few more for logins that you can’t use the password manager for (like logging on to your computer in the first place, passwords that require frequent direct entry like iCloud, and for work).
And finally, to further protect your most important accounts:
- Use multi factor authentication (“MFA”, also known as two-factor authentication or “2FA”) wherever you can. MFA ensures that a stolen password is not enough for an attacker to get into your most important accounts.
We cover 2FA in more detail below.
How to choose random, yet somehow memorable passwords
The key is where to focus the randomness. Random characters are hard to remember. Random words, however, are somewhat easier.
The comic XKCD has a good strip explaining strong passwords versus memorable passwords:
But for this to work, the words need to be truly random. Sentences aren’t strong enough – “Fred and Wilma live in Bedrock” for example, isn’t random at all. Given the first word “Fred” is a proper noun, if it’s a sentence then only a limited number of words could follow it – a conjunction, a verb, or an adverb, but unlikely an adjective, and not a preposition, another noun or pronoun. For an attacker, this means fewer possible combinations of words to need to try to crack such a password.
So, we go for a collection of words that are random. And to make sure they really are random, we need to choose at least half the words in a truly random fashion.
Enter “Diceware”. Diceware is a list of words associated with five digit numbers. The digits in the numbers are all between 1 and 6 so you can choose them by literally rolling a dice.
And while online tools do exist to generate random passwords using that list, the safest way to choose one is offline, using physical dice and looking up the resulting numbers.
The above comic says a password of four random words can take as long as 550 years to crack if an attacker makes 1000 guesses a second. However, in some circumstances, attackers can run guesses at 100x that speed, so we recommend choosing five words, at least three of them from the list. To aid in remembering your new password, you can choose up to two familiar words (don’t make them obvious).
To aid in remembering it, you can write the password down, for example on a slip of paper kept in your wallet, but don’t write down what it is for. We recommend burning the slip once you are satisfied you have committed the password to memory. If you use it frequently, you’ll likely have memorised it within a couple of weeks.
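As an added example (not part of the original article), the Python code below simulates Diceware rolls with the operating system's random source, validates five-digit keys rolled by hand, and works out how long exhausting the randomly chosen words would take at the two guess rates mentioned above. The function names are illustrative, and it assumes a list with one word for every five-dice key (6^5 = 7,776 entries); it outputs keys to look up, so no word list is bundled.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD   # 7776 keys, 11111 through 66666
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def roll_key():
    """Five simulated dice rolls from the OS CSPRNG, e.g. '41263'."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1)
                   for _ in range(ROLLS_PER_WORD))

def key_to_index(key):
    """Validate a dice key (hand-rolled or simulated) and return its 0-based
    row in a list sorted by key, so every key maps to exactly one word."""
    if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a valid dice key: {key!r}")
    index = 0
    for c in key:
        index = index * DICE_SIDES + (int(c) - 1)   # base-6 digit, shifted to 0..5
    return index

def entropy_bits(random_words, list_size=LIST_SIZE):
    """Bits of entropy from the words chosen uniformly at random.
    Familiar (non-random) words are left out: a conservative lower bound."""
    return random_words * math.log2(list_size)

def years_to_exhaust(random_words, guesses_per_second, list_size=LIST_SIZE):
    """Years needed to try every combination of the randomly chosen words."""
    return list_size ** random_words / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    print("keys to look up:", [roll_key() for _ in range(5)])
    for words in (3, 4, 5):
        for rate in (1_000, 100_000):   # the two guess rates mentioned above
            print(f"{words} random words at {rate:>7}/s: "
                  f"{entropy_bits(words):5.1f} bits, "
                  f"{years_to_exhaust(words, rate):,.1f} years to exhaust")
    # Four words from a 2048-word list (11 bits each) gives roughly the
    # 550-year figure quoted above at 1000 guesses a second.
    print(f"{years_to_exhaust(4, 1_000, list_size=2048):,.0f} years")
```

Attackers find a password on average after trying half the combinations, so the printed figures are upper bounds on the time to crack.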
Use a password manager
A good password manager helps you create strong and unique passwords for most services you need to log in to, and does the job of remembering and entering them for you. It in turn is locked and encrypted with a strong master password, chosen as described above, and optionally a second factor such as a one-time-password from an authenticator app on your phone, a fingerprint scan, or a security token.
There are two password managers that we recommend. Which one is best for you depends on your circumstances, and we are happy to assess your situation to make a recommendation.
Our two favourites are Dashlane, a cloud-based service that is best for ease of use, and KeePassXC, which can be more secure and is lower cost (the software is free).
We are available to guide you through setting up a password manager and making sure it is well secured and backed up, as well as setting up a reasonably secure way of delivering passwords from your password manager to your mobile device.
The strongest password in the world is still not going to help you if it is stolen anyway. To protect services that contain your most important data, we strongly recommend turning on multifactor authentication (MFA, also known as two-factor authentication or 2FA) wherever possible.
This ensures that a stolen password is not enough for an attacker to gain access to these accounts.
In authentication, a factor is a means of showing you are who you say you are. These are the most common factors:
- something you know (such as a password)
- something you have (such as your cellphone, a one-time-password generator / security token, or security key)
- something you are (a biometric such as a fingerprint).
The idea of multifactor authentication is that you present two of these to log on. (Some services will only ask for both if you are logging on from somewhere new or haven’t logged on for a while.) This makes things much more difficult for a potential attacker.
Unfortunately, these measures tend to make things more difficult for legitimate users too. Trying to get people to use things like those six-digit Authenticator codes usually results in eye-rolls and protracted resistance, which defeats the point.
Enter Yubi and Fido
Nope, not cute names for pets to use as passwords! FIDO stands for Fast IDentity Online – and it comes to you in the form of something that looks halfway between a USB flash drive and a key – and it is indeed just that, a USB key. Yubico are one manufacturer of these keys, and have deluxe models with extra features (good for people who have access to more sensitive information such as organisational financials or admin stuff, but that gets technical, so we won’t go into it here).
What makes these keys different is how simple they are to use. It’s very similar to your house or car key – you put it on your keyring alongside your house and car keys, and when it’s time to use it, just insert and turn (or in this case, insert and tap the button).
Google and Facebook are now supporting FIDO U2F (Universal 2nd Factor) natively – you can set up your account with one of these keys to secure it, stopping hackers in their tracks, even if they have somehow obtained your password.
You can pick up one of these devices directly from Nicegear, or we can get some for you as part of a managed setup.
Keep a spare key (it doesn’t have to be an actual key)
You do need to be careful not to lock yourself out, though. You can avoid that by setting up a “spare key”, as most people do with their house keys. It could be another physical FIDO key, kept safe with a trusted family member, or a “virtual spare key”: another second factor, such as those six-digit authenticator codes on your phone, kept as a backup. Exactly what you can do here depends on each service provider, and where you want to balance the security-versus-convenience tradeoff.
If you’re in New Zealand, we offer professional assistance to get up and running with stronger passwords and a good password manager setup, with useable, practical multifactor authentication, and backups. Feel free to get in touch with us if you would like some assistance.