We have already missed the celebration of this year's international “Password Day”. However, it is still May, and since there was a news item today about malware/adware being spread through a piece of software that I have used and liked, it felt like a good day to bring up this topic: passwords.
It is hard to remember passwords, and if you choose one that is easy to remember, well, then it is most likely easy to guess as well. Nowadays, with all the stolen and leaked password databases circulating openly on the internet, the chance that your super secret and excellent password is already out in circulation is pretty high.
There is an excellent service available to check whether your email address is present in any of the stolen/leaked databases, Have I Been Pwned, where you can also search for a password you are already using or plan to use to check whether it is already in circulation (the password search only sends the first five characters of the password's SHA-1 hash, so the password itself never leaves your machine). This is not a guarantee, however. The software used to “crack” passwords is now “smart enough” (with rules supplied by the user) to try minor variations, so if one of your passwords has leaked and you switch a letter for a number or add an exclamation point, the new password will not pop up in the search service, but it can still be pretty much useless even though you “changed it” and it does not get labelled as “pwned”.
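The two points above, the hash-prefix lookup and the “minor variation” problem, are easy to see in code. The following is an added example written for this post, not code from Have I Been Pwned; the range response is a constructed sample (only the SHA-1 suffix of the word “password” is real, the counts and the other suffixes are made up), and the mangling rules are a small hand-written set in the spirit of cracker rule files rather than any particular tool's rules.

```python
"""HIBP-style k-anonymity lookup plus a rule-based "minor variation" check.

Added example for this post; constructed sample data, not HIBP's own code.
"""
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6".
# The real endpoint returns hundreds of "SUFFIX:COUNT" lines; here only the
# first suffix (the rest of SHA-1("password")) is real, the counts and the
# other suffixes are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
00000000000000000000000000000000000:17
"""


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    Only the 5-character prefix is ever sent to the service; the suffix stays
    local and is compared against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse "SUFFIX:COUNT" lines and return the count for suffix (0 if absent)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines defensively
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Download the real range for a 5-character prefix (network; not used offline)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# A tiny, hand-written rule set in the spirit of cracker rule files:
# case changes, leet substitutions and common suffixes (assumed for the demo).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "!", "1!", "123", "2023"]


def variants(base: str) -> set[str]:
    """All "minor variations" of a leaked base word that the rules produce."""
    stems = {base, base.capitalize(), base.upper()}
    stems |= {stem.translate(LEET) for stem in stems}
    return {stem + suffix for stem in stems for suffix in SUFFIXES}


def is_variant_of_leaked(candidate: str, leaked: set[str]) -> str | None:
    """Return the leaked word the candidate is a trivial variant of, else None."""
    for base in leaked:
        if candidate in variants(base):
            return base
    return None


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(prefix, "->", count_in_range(suffix, SAMPLE_RANGE_5BAA6), "hits (sample data)")
    # "P4ssw0rd1!" is not in the sample range, yet it is one rule away from "password".
    print("P4ssw0rd1! derived from:", is_variant_of_leaked("P4ssw0rd1!", {"password"}))
```

`fetch_range` is the one function that talks to the network; everything else runs offline on the constructed sample. The second half shows why a “not pwned” result says little about a variant: a candidate can be absent from every leak and still fall out of a handful of rules applied to a word that is in one.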
To make account hijacking harder, a good first step is to have a strong and unique password for every separate account. That way, if any single site has its password database stolen, only that account is compromised and nothing else, unless it is your email account, since that account can usually be used to reset and change your other passwords. Remembering all the passwords you need is, however, basically impossible.
What to do then? Get yourself a password manager. A password manager is basically an encrypted database, protected with a password, a bio-ID (fingerprint, face…) or a security key, which helps you generate and store unique and strong passwords for every account you have so that you do not have to remember them separately, only the “master password” that unlocks your database. Come time to log in to a page, you simply unlock your database, retrieve the password for that page/service and log in. Even if this is a great service and function, it is not without problems: putting all your eggs in one basket (so to speak) has its own risks. Make sure you read the entire entry before jumping the gun on setting up a password manager.
There are endless options here, and I have elected to present only three that I have personally tested at some point in time and that worked well.
KeePass is an open-source and free password manager. You can download it, or find a good source for a working client for your platform, via keepass.info. Do not download from keepass.com, as that page has been caught distributing malware and/or adware. This is (if not stated otherwise) an offline, local form of password storage. I prefer this solution as it is only your computer and/or cellphone that has to be attacked, or stolen and cracked, to get hold of your database. It does have its downsides as well: you are responsible for keeping backups and for keeping the database in sync across different devices, including the backups, making sure that it does not get damaged or corrupted, that the wrong version is not overwritten, and so forth. Of the alternatives available I have tried KeePassX, MacPass and KeePass2Android, which all work well on their respective platforms (macOS and Android).
LastPass is an “online” version of a password manager. The passwords are encrypted on your local device (according to the provider) and should hence be stored only in encrypted form on their servers. They provide clients for most platforms, and browser plugins if a client is not available for your operating system. What this means is that even if someone were to steal your database, they could not see your passwords, and neither can the people at LastPass, only the encrypted version. That the database is stored online means that if your cellphone/computer breaks or gets stolen, you can install the client or log in through a browser and get access to all your passwords, and the ability to change them and your master password. This is of course also a potential security risk: whoever gets hold of the stored, encrypted database can try to guess the master password offline, at their own pace, so the protection rests entirely on the strength of that master password and on how slow the provider's key derivation makes each guess. It is, however, a really easy to use and well tested solution with countless helpful functions such as password generation, unlocking the database with bio-IDs and autofilling fields in browsers without the need to copy and paste. It is a very simple to use and good alternative for the less technically gifted. There are both free and paid versions.
1Password as a service works in the same way as LastPass. There are differences, though I will not go into details here. I tried this service in my iOS days, so I am missing newer experience as I opted for another service. The fact that their webpage refuses to load in Firefox while I am writing this, with a warning about an unsafe connection, might not inspire the best confidence in the service; however, this is another highly recommended and well tested service which you should be able to rely on.
Using any of the above solutions (or any other secure alternative) is better than using one password for everything. Just remember: once you save all your passwords in one place, regardless of the level of encryption, you must have a strong master password. Use many words/characters, numbers, special characters and a mix of upper and lower case; length matters more than the mix, since every extra randomly chosen word or character adds more guessing work than swapping a letter for a symbol does. There are services you can use to generate a secure password, for example the GRC webpage, where you can get a strong random string for use when setting up your password manager. Write it down on a piece of paper and keep it in a secure place, with a second copy kept in a different secure location, possibly with someone you trust.
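To put numbers on “strong master password”, here is an added example (written for this post, not taken from GRC, KeePass or LastPass) that generates a password or passphrase with Python's `secrets` module, computes how many bits of guessing work it represents, and estimates cracking time at a given guess rate. The small word list is constructed for the demo; a real list such as the EFF large wordlist has 7776 words. The PBKDF2 key derivation at the end is illustrative of how a manager turns a master password into a vault key and why the number of iterations bounds an attacker's guess rate; it is not the specific scheme of any product named above.

```python
"""Master-password sizing: secrets-based generation, entropy and crack-time estimates.

Added example for this post. The word list and guess rates are constructed.
"""
import hashlib
import hmac
import math
import secrets
import string

# Constructed 16-word list for the demo (a real list: EFF large wordlist, 7776 words).
DEMO_WORDS = ["anchor", "basil", "canyon", "delta", "ember", "falcon", "granite", "harbor",
              "indigo", "juniper", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper"]

# Printable ASCII minus whitespace: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Bits of entropy for `symbols` independent uniform picks from `alphabet_size` choices."""
    return symbols * math.log2(alphabet_size)


def generate_passphrase(words, count: int, sep: str = " ") -> str:
    """Diceware-style passphrase; secrets.choice is a CSPRNG, unlike random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Random character password drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the keyspace at the given guess rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def derive_vault_key(master: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Illustrative master-password -> key step (PBKDF2-HMAC-SHA256, 32-byte key).

    The iteration count is what makes each offline guess against a stolen
    vault expensive; it is an assumed value here, not a product's setting.
    """
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def verify_master(master: str, salt: bytes, expected_key: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the key."""
    return hmac.compare_digest(derive_vault_key(master, salt, iterations), expected_key)


if __name__ == "__main__":
    year = 365.25 * 24 * 3600
    # Constructed guess rates: a fast unsalted hash on GPUs vs a slow KDF.
    for label, rate in (("fast hash", 1e10), ("slow KDF", 1e4)):
        for bits in (40.0, entropy_bits(6, 7776), entropy_bits(20, len(ALPHABET))):
            print(f"{label:9s} {bits:5.1f} bits -> {seconds_to_crack(bits, rate) / year:.3g} years")
    print(generate_passphrase(DEMO_WORDS, 6))
    print(generate_password(20))
    salt = secrets.token_bytes(16)
    key = derive_vault_key("correct horse battery staple", salt)
    print("verify:", verify_master("correct horse battery staple", salt, key))
```

The numbers make the point of the paragraph: 6 words from a 7776-word list is about 77 bits, which is out of reach at any realistic guess rate, while a 40-bit password survives a slow KDF for years but falls to a fast unsalted hash in minutes. That is also why the master password has to be strong regardless of how good the manager's encryption is.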
When everything is in one location, that location needs to be extra secure. Remember that many services use your email to recover/reset a lost password. It is therefore imperative that the email account you use for these accounts is really secure, so that no one can use your email to gain access to most of your accounts.
This is just a first step; the next step is to activate other authentication solutions so that you have multi-factor authentication, where more than just a password is needed to log in. This provides a buffer if someone gets hold of your information, as they would also need this “second factor” to be able to log into your account. That will, however, be addressed in a later post.