Protecting yourself online: A short beginner's guide – Passwords (1/3)

Passwords

Weak passwords or reusing the same password are the easiest ways for YOUR accounts to be broken into. A weak password is like using a shoelace to lock a door: it’s not going to work.

Without going into too much detail, it can take less than a second for an attacker (using a computer) to guess the top 10 most used passwords (like passw0rd and 1234), meaning they can get into your account pretty quickly.

The “old” criteria for a good password are:

  • Should be at least eight (8) characters long (Most important).
  • A mix of letters, numbers and symbols.
  • Each account should have a completely different password (if one website gets breached and you reuse passwords, the attacker now has your password for the other websites too).

The ugly truth is that an 8-character password like U5Tsg^37 (which fits all criteria) is technically less secure than Dog////////// for MOST kinds of attacks; this is because the latter is longer, and when making passwords LENGTH IS KING. But the password “Dog//////////” still has weaknesses:

  1. Dog is a common word in the dictionary so it could be picked out quite quickly.
  2. If everyone started adding a bunch of slashes at the end of a password, attackers would pick this pattern up pretty quickly.

There is a solution: Passphrases! A passphrase is not only a lot easier to remember, but also a lot more secure as it is longer in length.


Which one would you rather remember?


So keeping this in mind the new recommended criteria for a good passphrase (therefore an effective password) is:

  1. Use at least 5 words (this ensures the passphrase is long enough).
  2. Make it memorable TO YOU, making it easy for you to remember but hard for others to guess. For example “My dog Fido is a Poodle and was born in 2012”.
  3. Add in at least one number and symbol (you can do this by adding punctuation): “My dog Fido, is a Poodle & was born in 2012”.
  4. Don’t follow a pattern when making passphrases, such as making all of them about your dog Fido.
  5. Use a different passphrase for each account; website breaches WILL happen, and this limits the damage done.
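To make the “length is king” argument and the passphrase criteria concrete, here is an added illustration (not from the original post) that counts the guesses an attacker needs against the page’s own examples under three attacker models: blind brute force, the “dictionary word plus repeated symbol” habit from point 2 above, and word-by-word guessing of a passphrase. The alphabet size, dictionary size, padding limit and guessing rate are all assumed parameters.

```python
# Added illustration of the post's argument. All parameters are assumptions
# for the model, not measurements: 95 printable ASCII characters, 33 of them
# symbols, a 100,000-word dictionary, at most 16 trailing copies of one symbol,
# a 7776-word passphrase list, and an offline rate of 10 billion guesses per
# second against a fast, unsalted hash.
PRINTABLE = 95
SYMBOLS = 33
DICTIONARY_WORDS = 100_000
MAX_PADDING = 16
GUESSES_PER_SECOND = 1e10

def brute_force_guesses(password: str) -> int:
    """Attacker who knows only the length: every string over the printable alphabet."""
    return PRINTABLE ** len(password)

def word_plus_padding(password: str):
    """Split e.g. 'Dog//////////' into ('Dog', '/', 10); None if the password
    does not follow the 'word followed by one repeated symbol' pattern."""
    if not password:
        return None
    word = password.rstrip(password[-1])   # strip the trailing run of one character
    pad = password[len(word):]
    if word.isalpha() and pad and len(set(pad)) == 1 and not pad.isalnum():
        return word, pad[0], len(pad)
    return None

def pattern_guesses(password: str) -> int:
    """Attacker who has learned the habit (point 2 on the page): one pass over
    the wordlist for every symbol and every padding length, instead of brute force."""
    if word_plus_padding(password) is None:
        return brute_force_guesses(password)
    return DICTIONARY_WORDS * SYMBOLS * MAX_PADDING

def passphrase_guesses(words: int, wordlist: int = 7776) -> int:
    """Passphrase of N words drawn from a known list, guessed word by word."""
    return wordlist ** words

def years_to_crack(guesses: int) -> float:
    """Worst-case time at the assumed guessing rate, in years."""
    return guesses / GUESSES_PER_SECOND / (365 * 24 * 3600)
```

With these assumptions the 8-character password falls in days, the padded word survives brute force but not the pattern attack, and a 5-word passphrase holds up for decades.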


Checkmate, try getting in now (Insert Crime Syndicate/ Shady Government Agency / Super Villain here)

The downside is that making and remembering a unique passphrase for every one of the many online accounts you may have becomes an issue.

So an alternative is using a password manager. A password manager not only generates strong passwords but also remembers them so you don’t have to. This allows the passwords to be huge (like 64 characters) and a lot more random, making them close to unbreakable.

So if you want secure passwords (and therefore secure online accounts) you have two options, depending on a few factors:

  1. If you have only a few online accounts, have a good memory (NEVER WRITE DOWN PASSWORDS) and you are good at making hard-to-guess and unique passwords (be honest with yourself): Use passphrases
  2. If you have many accounts, not a fantastic memory, or you find yourself making up similar passwords: Use a password manager

So if you are confident with option 1, then you are done here. Go forth and secure your accounts with passphrases! If you are like me then option 2 is a much better fit.

In the section below I will go over 3 password managers that do the same thing but with different approaches, they are: Master Password, KeePass and LastPass (Still a work in progress oops!)

Overview of Master Password

Master Password

A password manager I use daily is “Master Password” which has served me well.

“Secure your life, forget your passwords” is what the developers of Master Password promise you, and they deliver, quite well if I say so myself. Master Password generates your password on demand using a master password (that you create), your name and the website URL.

This means that passwords are not stored on the device, so no backups or internet access are needed. It is available on iOS, Android, OS X, Windows, Linux (as a C program) and in your browser. Here is a nifty promotional video they did giving a summary of Master Password.

So what are the benefits?

  1. Passwords are generated on demand – This means that if your device is stolen, an attacker would have to guess your master password, name and website URL to get your login.
  2. No need to sync or backup a password vault – As the password is generated on your device, you don’t have to back up or synchronize anything, meaning that your passwords are available on any device with or without Internet access.
  3. Generates strong passwords – Master Password will generate a strong password based on your master password, name and website URL.
  4. Can use it as a typical password manager – If you’re forced to use a certain password, you can store it in the Master Password app and it is encrypted securely (with AES, using a large key derived from your master password, for those interested).
  5. Can use the iOS version of the app to store impossible-to-guess answers to password recovery questions – This allows you to set nonsense answers to password recovery questions, making them impossible for an attacker to guess. (only on iOS as of 15/4/18)
  6. All open source – The algorithm used to generate the password is completely open for inspection and well documented.

There are some downsides to this solution, which mostly involve the master password: if your master password is weak, an attacker will be able to generate your password for every website/service you use. This is a huge single point of failure, but it can be mitigated by having a very strong master password.

If your master password fulfills the above “criteria” then it will be near impossible to guess your passwords. This can be taken further by not using your actual name (maybe a made-up name based on your initials); an attacker would then have to guess a correct name AND master password.

Here is a quick demonstration of how it works:
Your master password, name and the website URL are used in an algorithm to create your password.
If you change any of these (let’s say your master password), a different password is spat out, meaning that to get your password, an attacker must know all 3 variables to generate the correct password.
Below is a demonstration of using the web version of Master Password.
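The on-demand idea above, as an added illustration that is not the project’s own code: the site password is a pure function of master password, name and site, so nothing needs to be stored or synced, and changing any one input changes the output. The structure mirrors the published Master Password design (a slow scrypt master key salted with the name, an HMAC-SHA256 site seed, and a character template filled from the seed), but the scrypt cost is reduced and only a few templates are included, so it does not reproduce the real app’s output; the scope string, templates and character classes are assumed for this example.

```python
import hashlib
import hmac
import struct

# Assumed namespace string used as salt/message prefix (illustrative, not the app's).
SCOPE = b"com.lyndir.masterpassword"
# A small subset of "long password" templates: C/c consonant, V/v vowel, n digit, o symbol.
TEMPLATES = ("CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno",
             "CvccnoCvcvCvcv", "CvccCvcvnoCvcv", "CvccCvcvCvcvno")
CHAR_CLASSES = {
    "V": "AEIOU", "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou", "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789", "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}

def master_key(master_password: str, name: str) -> bytes:
    """Slow, salted derivation: every guess at the master password costs one
    scrypt call, and the (possibly made-up) name is part of the salt."""
    name_b = name.encode()
    salt = SCOPE + struct.pack(">I", len(name_b)) + name_b
    # Reduced cost (n=2**14) so the example runs quickly; the real app uses more.
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2**14, r=8, p=2, dklen=64)

def site_seed(key: bytes, site: str, counter: int = 1) -> bytes:
    """Per-site seed; bumping the counter rotates the password for one site only."""
    site_b = site.encode()
    msg = SCOPE + struct.pack(">I", len(site_b)) + site_b + struct.pack(">I", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()

def site_password(master_password: str, name: str, site: str, counter: int = 1) -> str:
    """Deterministic: same three inputs always give the same password, no storage needed."""
    seed = site_seed(master_key(master_password, name), site, counter)
    template = TEMPLATES[seed[0] % len(TEMPLATES)]
    return "".join(CHAR_CLASSES[cls][seed[i + 1] % len(CHAR_CLASSES[cls])]
                   for i, cls in enumerate(template))
```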

Using this manager will enable you to create strong passwords without having to remember all of them. The key is to use a STRONG password for the master password; try a passphrase like DoHorsesHaveWings?No!

If you pair this with a memorable fake name, you have a strong system for generating and storing passwords.
