Improving your passwords


The hard part of creating our own passwords is generating a truly random one. Let's not fool ourselves: humans are bad at that. Changing an 'a' to an '@' and an 's' to a '$' does not make a password more secure, and neither does using personal data or the account name in the password. Cracking tools have rule sets that try exactly these substitutions and combinations.

The worst sin of all is reusing the same password, or variations of it with the same pattern, across different accounts. If one of the services we use is insecure and its servers are breached, attackers have automated tools to try that password and its variations against every other account you have (this is called credential stuffing). To mitigate this risk, use a completely different password for each service.

Creating a truly random password that is complex enough, and then remembering it, is difficult. Doing that for more than 100 passwords is impossible. Try counting all the services you have passwords for; you will be surprised.

The best way to create a secure password is to use a password manager. Not only will it create secure passwords for you, but it will also store them so you won't need to remember them. Everyone can have one, there are cheap and even free options.

Options


My favorite is 1Password: the family plan starts at USD 1/person/month (USD 4.99 for families of up to 5 people), and the individual plan is USD 3.

If paying less than a Netflix subscription for the tool that protects all your accounts goes against your principles, you can use Bitwarden, which is free for individuals or USD 3.33/month for a family group. Although in my experience the usability of 1Password has no rival, Bitwarden is a great option. They also have a free plan for teams of up to 2 people, which is an amazing option for two-person families.

The team or family plans allow the members to have individual private vaults but also shared ones. This makes it much easier to share services and also documents securely.

How does it work

To use a password manager, all you have to do is create a very secure master password. That password will unlock your password vault, protecting all the others and thus becoming almost the only one you will have to remember.

The passwords for your other accounts can now be as long and complex as you like, since the password manager will do the dirty work of remembering them for you. In fact, it does 3 difficult tasks for you:

  1. Creating passwords. Much more secure than those that can be thought of by a human.
  2. Remembering passwords. Now that we have different and difficult passwords for each account, it would be impossible to remember them all.
  3. Auto-completing passwords. The passwords created are not only difficult to crack but also to write, so password managers allow you to auto-complete your credentials on websites and phone apps or even copy and paste when the app does not allow auto-completion.

Related to the last point, something very useful they do is validate the site or app that is asking for the credentials before auto-completing them. The manager only offers your bank's password on the domain (or app identifier) it was saved for, so a look-alike phishing site gets nothing, even if it visually matches your bank's site perfectly.

Creating a good master password


What matters in a password is not its length alone but how many possibilities each of its components is drawn from, assuming the selection is truly random.

For example, if I create a 30-character password but the set of characters I choose from is only "a, b, c", the password will not be very good. If instead of those 3 letters we use as the pool all the letters of the alphabet, the digits and some special characters, the situation improves greatly even though the final password has the same number of characters.

The problem is that remembering such a string requires arduous memorization. In practical terms it is impossible.

This is where passphrases come in. This type of password uses words as components instead of characters. If the words are chosen from a sufficiently large set in a truly random way, we get a password that is both secure and memorable.
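To put numbers on the comparison above, here is a small Python script, added for this post and not part of the original article, that computes the entropy of a randomly generated password from the size of the pool and the number of components, and how many words or characters you need to reach a given strength. The guess rate used for the cracking-time estimate is an assumption for illustration, not a measurement.

```python
"""Entropy of a randomly generated password or passphrase.
Added example for this post; not part of the original article."""
import math


def entropy_bits(pool_size, components):
    """Bits of entropy when each of `components` items is drawn uniformly
    and independently from a pool of `pool_size` possibilities.
    30 chars from 'a,b,c' -> 30 * log2(3); 6 EFF words -> 6 * log2(7776)."""
    if pool_size < 2 or components < 1:
        raise ValueError("need a pool of at least 2 and at least 1 component")
    return components * math.log2(pool_size)


def components_needed(target_bits, pool_size):
    """Smallest number of components from `pool_size` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def expected_cracking_seconds(bits, guesses_per_second):
    """Average brute-force time: on average the attacker tries half the space.
    guesses_per_second is an ASSUMED attacker rate, not a measurement."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    cases = [
        ("30 chars from 'a, b, c'", 3, 30),
        ("30 chars, letters+digits+symbols (94)", 94, 30),
        ("6 EFF words (7776-word list)", 7776, 6),
        ("7 EFF words (7776-word list)", 7776, 7),
    ]
    # Assumption: 10^12 guesses/s, i.e. an offline attack on a fast, unsalted
    # hash. A password manager's slow key derivation is far below this.
    rate = 1e12
    for label, pool, n in cases:
        bits = entropy_bits(pool, n)
        years = expected_cracking_seconds(bits, rate) / (365.25 * 86400)
        print(f"{label:40s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e}/s")
    print("random printable characters equal to 6 words:",
          components_needed(entropy_bits(7776, 6), 94))
```

Run it and you will see that 30 characters drawn from "a, b, c" give about 47 bits, while 6 EFF words give about 77 bits, roughly what 12 fully random printable characters give. The cracking-time figure is an upper bound on the attacker: password managers derive the vault key with a deliberately slow key-derivation function, so the real guess rate against a vault is orders of magnitude below the assumed 10^12 per second.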

Getting a dictionary as a source of words

We need a dictionary of words from which to choose the ones for our phrase. The more words there are to choose from, the more strength each chosen word adds to our password.

The Electronic Frontier Foundation (EFF) is a non-profit that defends digital privacy, free expression and innovation. It created several lists of English words for this purpose. Here you can find the post in which they explain how the lists work. Its main list contains 7,776 words, exactly one for every combination of five six-sided dice (6^5).

For those of us who would rather use a different language, here we can find lists of equally secure words in other languages. The only drawback is that these lists were not filtered to remove similar and uncommon words. While that does not make them less secure, it does make it a bit harder to remember words we do not use daily.

For Spanish speaking readers, I am researching how to generate a new list in Spanish that solves this problem. In the meantime we can use this one which is as good as the English version but in our language.

How many words to use


It's recommended to choose at least 6 words, and 7 is better. With the 7,776-word list each word adds about 12.9 bits of entropy, so 6 words give roughly 77 bits, enough to protect us from almost all attackers except perhaps those with the resources of a government agency; 7 words (about 90 bits) put us beyond even that. It might sound like a lot to remember, but since this will be almost the only password we have to remember, it is worth the effort.

Security measures

  1. Before starting the process, make sure you are in a safe place: no cameras and nobody who can see what you generate.
  2. When you write the words on a paper, make sure the paper is on a hard surface instead of on another paper. This is to avoid leaving traces of the password on the paper underneath the one you are using.
  3. Don't write anything on any digital device, always use something physical. This way we avoid the password falling into the wrong hands in case of a hack or loss of the device.

Really random - Dice

Looking at one of the lists and picking the words we like best is not random. We already established that humans are bad at generating randomness, so don't even try. To do it right we need five six-sided dice, although it can also be done with just one.

To choose the first word, roll one die 5 times, or 5 dice at once and read them in a fixed order (for example left to right, never rearranging them). Then look up in the list the word associated with the 5-digit number the dice produced and write it down on a piece of paper. This is the first word of our master password.

Let's repeat until we get the desired amount of words and that's it, we have our new master password.

Really random - Cards (Alternative)

An alternative, if we don't have dice, is to use playing cards. Dice are easier, but if you only have cards and need to generate a password right away, just make sure you shuffle well. The deck should contain only 6 cards, one for each number from 1 to 6.

Shuffle the 6 cards thoroughly and take the one from the top. Note the number and put it back with the others. Every time you put a card back, shuffle the deck well again; drawing with replacement is what keeps every draw independent and uniform. Repeat 4 more times to get 5 numbers and look up the associated word in the word list. Write it down.

Repeat until you get the desired amount of words.
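The dice and card procedures above produce the same thing: five numbers from 1 to 6 that form a lookup key into the list. The following Python script is an added example (not from the original post, and not the EFF's own tooling) of that mapping: it parses the EFF list format, turns five rolls into the key, and can also convert the key to a 0-based position for lists distributed as one word per line without keys. The roll_die() function uses the operating system's CSPRNG as a stand-in for physical dice, which is fine for understanding the procedure or for a throwaway passphrase, but the master password should still be generated with physical dice and written on paper, as the security measures above say, so that it never touches a device. The word list excerpt embedded in the script is a constructed sample; the real list has 7,776 entries.

```python
"""Diceware lookup: five six-sided dice rolls -> one word from an EFF-style
word list. Added example for this post; not the EFF's own tooling."""
import secrets

DICE_FACES = 6
ROLLS_PER_WORD = 5

# Constructed excerpt in the EFF large-list format: "<five dice digits>\t<word>".
# The real list has 7776 lines, one for every key from 11111 to 66666.
SAMPLE_LIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
66665\tzoom
66666\tzoology
"""


def parse_eff_list(text):
    """Return {'11111': 'abacus', ...} from the tab-separated EFF format."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    return table


def roll_die():
    """One roll in 1..6 from the OS CSPRNG (randbelow has no modulo bias).
    Software stand-in for physical dice; the post recommends real dice."""
    return secrets.randbelow(DICE_FACES) + 1


def rolls_to_key(rolls):
    """Five rolls, read in a fixed order, -> lookup key such as '31462'."""
    if len(rolls) != ROLLS_PER_WORD or any(not 1 <= r <= DICE_FACES for r in rolls):
        raise ValueError("need exactly five values between 1 and 6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """Dice key -> 0-based position in a sorted, unkeyed word-per-line list.
    The key is a base-6 number with digits 1..6: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for ch in key:
        index = index * DICE_FACES + (int(ch) - 1)
    return index


def word_for_rolls(rolls, table):
    """Look the rolled key up in the parsed list."""
    key = rolls_to_key(rolls)
    try:
        return table[key]
    except KeyError:
        raise KeyError(f"{key} not in list; is the list complete (7776 entries)?") from None


def passphrase(num_words, table, roll=roll_die):
    """Roll five times per word and join the words with spaces."""
    words = []
    for _ in range(num_words):
        rolls = [roll() for _ in range(ROLLS_PER_WORD)]
        words.append(word_for_rolls(rolls, table))
    return " ".join(words)


if __name__ == "__main__":
    table = parse_eff_list(SAMPLE_LIST)
    # Scripted rolls, because the excerpt above only covers a few keys.
    # With the full list: table = parse_eff_list(open("eff_large_wordlist.txt").read())
    # and passphrase(6, table) rolls for you.
    scripted = iter([1, 1, 1, 1, 1, 6, 6, 6, 6, 6])
    print(passphrase(2, table, roll=lambda: next(scripted)))  # abacus zoology
    print("key 11121 ->", key_to_index("11121"), "(0-based position of 'ablaze')")
```

The roll function is a parameter so the same lookup code serves physical dice, the six-card draw with replacement, or the CSPRNG: type in the numbers you rolled and the script does only the lookup, which is the error-prone part when done by hand.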

Backup


Using a password manager implies having a single point of failure: if we forget the master password there is no way to recover anything. This is what makes them so secure; not even the company providing the service can recover the data. If they can, look for another password manager and change all your passwords.

It is therefore very important to have a backup of the master password in at least one safe place. How many backups, of what type and where will depend on the risks each person wants to mitigate.

The backup can be stored in a locked drawer, a safe in your house or a safety deposit box at a bank.

One form of backup is the emergency kit: it includes everything necessary to access the password manager. Think about who the recipient is. If it is for you, perhaps the account name and the master password are sufficient. 1Password offers a printable emergency kit template (it contains the sign-in address, the account email and the Secret Key, with a space to write the master password by hand). Remember to protect the kit very well according to your risk profile.

Unexpected events

Another thing to consider is what we want to happen in the event of death or incapacity. Would we want someone we designate to be able to access the vault? Or are we okay with the idea of everything being lost?

Lawyers offer services to store documents until you die and then pass them to whoever you indicate. Some password managers also have mechanisms that, in case of such eventualities, allow someone access to all or part of the vault. That way you don't even need to hand a lawyer a piece of paper with the master password that could be stolen.

If you go for the option of delegating access through the password manager's own functionality, make sure the person or people are aware. They need to know what you have planned, what steps to follow to access the vault, and how to manage the accounts you leave in their care.

This is particularly important if the delegated people are not familiar with password managers. This would be a good opportunity to share the article and explain to them the importance of using one.

Conclusion

Password managers are very useful and provide the security that credential management needs. They make many things easier, although they also require a bit of work to set up. I assure you it's worth it and you won't look back.

Choose one: 1Password or Bitwarden.

Create a free or trial account and try it out for a while with a couple of passwords, then let me know.

Don't forget to backup!

Also don't forget to subscribe to stay up to date with new posts and follow me on Twitter.