Monday, November 20, 2017

How and why to use stronger passwords

Passwords are probably the most sensitive piece of our digital lives today. With new breaches and credential leaks happening every day, it is strongly recommended to start thinking about stronger passwords for our personal online accounts and for our applications.

Tips for Everyone

If I were to recommend something for the regular user, I would start with the list below:
  • Use passwords of at least 12 characters (8 is the bare minimum; longer is better);
  • Use complex passwords that mix upper- and lower-case letters, numbers and symbols;
  • Use a different password for every account or role; never reuse one, even after rotating it;
  • Use a password manager and its generator instead of inventing passwords yourself;
  • Do not use dictionary words, e.g. apple, or simple variations of them, e.g. Apple123;
  • Do not use repeated or sequential characters, e.g. 3333, abcdabcd;
  • Do not use personal information in passwords, e.g. your name or birthdate;
  • Do not derive the password from the associated service, e.g. Gm@il or Dropbox123;
  • Combine all of the above;

Other interesting tips would be:
  • Avoid storing passwords unencrypted on devices that you take out of home (laptops, phones, USB sticks);
  • Use a password manager to securely keep track of your passwords (see the section below);
  • Setup MFA/2FA when available (see the section below);
  • Use a secure password generator to generate stronger passwords (see the section below);
  • Never remember a password!
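The rules in the first list above are mechanical enough to check automatically. The script below is an added example (not code from the original post) that applies them to a candidate password: minimum length, character classes, dictionary words (with the usual @/0/1/3 substitutions undone), repeated or sequential runs, personal information and the name of the service. The word list is a constructed, deliberately tiny stand-in; a real check would load a system dictionary or a leaked-password list.

```python
import re

# Constructed, deliberately tiny word list standing in for a real dictionary.
# A real check would load a system word list or a leaked-password list.
COMMON_WORDS = {"apple", "password", "welcome", "qwerty", "summer", "monkey"}

# Undo the usual "leet" substitutions so Gm@il, Dropb0x and Appl3 are caught.
LEET = str.maketrans("@0134$5!", "aoleassi")


def normalize(s):
    """Lower-case and de-leet a string for dictionary/service comparison."""
    return s.lower().translate(LEET)


def has_sequence(pw, run=4):
    """True if pw contains `run` identical characters in a row (3333) or
    `run` consecutive ascending/descending characters (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, service=None, personal=()):
    """Return the list of rules the password breaks; an empty list is a pass.
    `service` is the site the password is for; `personal` holds strings that
    must never appear in it (name, birth year, ...)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    norm = normalize(pw)
    if any(w in norm for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if has_sequence(pw):
        problems.append("contains a repeated or sequential run")
    for item in personal:
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    if service and normalize(service) in norm:
        problems.append(f"names the service ({service})")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: the first three break the rules above.
    for pw, svc in [("Apple123", "Gmail"), ("Gm@il2017!", "Gmail"),
                    ("3333abcdabcd", None), ("vT9#pL2q!Zx8Wm", None)]:
        print(f"{pw!r}: {check_password(pw, service=svc) or 'OK'}")
```

A checker like this only rejects the obviously bad; it cannot tell a truly random password from one that merely looks random, which is why the sections below lean on a generator rather than on rules.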

Use Password Managers

Using stronger passwords demands a better memory. In case you don't have one (like me), I would strongly recommend a password manager such as 1Password, KeePass or its forks KeePassX and KeePassXC. That's why I never remember my passwords! =)

Because I share my passwords between Linux and Windows boxes, I'm currently using KeePassXC, but the other versions also have ports. I also advocate for files on disk instead of services like LastPass because you cannot trust anyone else nowadays =). How safe is LastPass data, for example? Well, they were hacked before...

Using KeePass

Since KeePass is one of the most familiar managers out there, let's give a very quick introduction to it. The rest, I'm pretty sure you can figure out. If you're using one of its forks, the steps should be the same, only the look and feel varies.

Step 1 - Create your password database

The first step is to create your password database. Launch KeePass, 

Step 2 - Start adding your passwords

See? KeePass not only manages our passwords but also generates very complex passwords for us (103 bits of estimated strength in this case). We will cover that below.

Step 3 - Keep using it!

Yes, keep using it! Add all your accounts to this file, keep it safe on your disk and make periodic backups. The database is encrypted with your master password, so that one password must be strong, and it is the only one you still have to remember. And since KeePass is remembering the rest for you, you have no excuse for sharing passwords or using simple ones. Which takes us to the next tip...

Rotate your passwords

Rotate any password that may have been exposed: whenever a service you use announces a breach, whenever a shared password leaves a team, or whenever you suspect one of your machines was compromised. Rotating every 3 months or so, as services with a password expiration policy enforce, also limits how long a leaked password stays useful. It is no substitute for unique, generated passwords, though: NIST SP 800-63B (2017) no longer recommends forcing routine expiry, because it pushes people toward predictable variations of the old password. With a password manager remembering them for you, rotation costs nothing.

Generating stronger Passwords

Most password managers include a very useful password generator. After getting familiar with KeePass, I suggest getting acquainted with its password generation tool.

To access it, do: Tools -> Password Generator... (Ctrl + Z):

Lots of nice options here:
  • You can set the length of the generated passwords;
  • You can set/unset the character classes to draw from (I would recommend checking at least 4 of them);
  • You can provide patterns or specific characters to include;
  • There are further options under the "Advanced" button, such as excluding look-alike characters; note that every restriction shrinks the character set, so it lowers rather than raises the entropy.
And, by clicking on the "Generate" button, KeePass (or your password manager) will generate a password for you. It will even tell you how strong your password is (92 bits in this case).
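What the generator does under the hood is simple: draw each character uniformly from the union of the ticked classes using a cryptographically secure random source, and report length times log2 of the pool size as the entropy. The block below is an added example, not KeePass code: it reproduces that logic with Python's `secrets` module (never the `random` module, which is predictable), enforces the "every selected class must appear" rule and also shows the Diceware-style alternative of a passphrase made of random words. The eight-word list at the bottom is constructed for the demo; a real Diceware list has 7776 words.

```python
import math
import secrets
import string

# The character classes behind the checkboxes in a generator like KeePass's.
CLASSES = {
    "upper": string.ascii_uppercase,    # 26
    "lower": string.ascii_lowercase,    # 26
    "digits": string.digits,            # 10
    "special": string.punctuation,      # 32 printable ASCII symbols
}
ALL = ("upper", "lower", "digits", "special")


def entropy_bits(length, classes=ALL):
    """Entropy of a password of `length` characters drawn uniformly from the
    union of `classes`: length * log2(pool size)."""
    pool = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(pool)


def generate_password(length=20, classes=ALL):
    """Draw a password with the OS CSPRNG (`secrets`, never `random`) and
    require every selected class to appear at least once."""
    if length < len(classes):
        raise ValueError("length too short to include every class")
    pool = "".join(CLASSES[c] for c in classes)
    while True:  # rejection sampling; discards a negligible fraction of a bit
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def generate_passphrase(words, count=6, sep="-"):
    """Diceware-style passphrase: `count` words chosen uniformly from `words`.
    Entropy is count * log2(len(words)): 12.9 bits per word for a 7776-word list."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for n in (8, 14, 20):
        print(f"{n} chars: {generate_password(n)}  {entropy_bits(n):.1f} bits")
    # Constructed toy word list; use a real Diceware list in practice.
    toy_words = ["correct", "horse", "battery", "staple", "river", "lamp", "ocean", "quiet"]
    print(generate_passphrase(toy_words), f"{6 * math.log2(len(toy_words)):.1f} bits")
```

For comparison with the 92 bits KeePass reported above: 14 characters drawn from all 94 printable ASCII characters give about 91.8 bits, and 20 give about 131 bits, which is why length matters more than any single special character.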

Enable multiple-factor authentication

Multi-Factor Authentication (MFA), and its simplest form Two-Factor Authentication (2FA), is a way of logging in that requires more than a password: something you have (a phone or a hardware token) or something you are, on top of something you know. Example: after entering the password, a one-time code is sent by text message or produced by an authenticator app on the phone, and the user is only allowed in if she enters the right code. Prefer an authenticator app or a hardware key where the service offers one; SMS codes can be intercepted through SIM swapping, and a verification e-mail is only as strong as the password protecting that mailbox.

MFA adds a very strong layer to our online accounts, since a leaked or guessed password alone is no longer enough to log in. Many recent hacks, such as the 2014 iCloud celebrity photo leak, could have been avoided if MFA had been enabled.

Apple, it seems, has learned from the episode and now advises users to protect themselves:
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at

Example 1 - Enabling MFA for an Apple ID

The majority of the most used websites currently offer MFA. As an example, here's what you need to do to enable MFA on your Apple ID.


Example 2 - Enabling MFA on GitHub

In GitHub, go to Settings -> Security and click the button to enable two-factor authentication:
Then choose one of the options (authenticator app or SMS) to get your code:
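The "authenticator app" option on GitHub, Apple and most other sites is TOTP (RFC 6238): the QR code hands the app a shared secret, and both sides derive a 6-digit code from HMAC-SHA1 of that secret and the current 30-second time step. The block below is an added example that implements the standard from scratch, not code from GitHub or from any authenticator app; it includes the server-side verification with a one-step clock window and the base32 decoding of the secret as it appears in an otpauth:// QR code. The secret "12345678901234567890" is the RFC's own test vector, so the codes can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30 s time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, window=1, step=30):
    """Server-side check: accept the code for the current step and `window`
    steps either side to tolerate clock skew. Constant-time comparison avoids
    leaking how many digits matched."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + skew), code)
        for skew in range(-window, window + 1)
    )


def secret_from_base32(text):
    """The otpauth:// URI in the QR code carries the seed base32-encoded,
    often in spaced lower-case groups and without padding; normalise and decode."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 test secret; a real app receives it from the site's QR code.
    seed = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code now:", totp(seed))
    print("code at T=59:", totp(seed, at=59))                 # 287082 per RFC 4226/6238
    print("accepted with skew:", verify_totp(seed, totp(seed, at=59), at=89))
```

Because the whole scheme rests on that shared seed, the seed is as sensitive as a password: the site stores it per user, and anyone who reads it can mint valid codes forever, which is the trade-off a hardware key avoids.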

How Secure is my Password?

Speaking of strong passwords, how does a 92-bit generated password compare with a typical home-made one? Feeding both into an online strength estimator gives:
  • a simple password like "Apple123" is broken instantly;
  • the complex password generated above would take about 52 quadrillion years;

Spot the difference? Instantly versus 52 quadrillion years. Such estimates assume one fixed guessing rate and an exhaustive search; real attackers speed things up with wordlists, mangling rules and GPU hardware, which we will not cover now. The point is to illustrate the importance of creating and using stronger passwords.
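The numbers an online estimator shows depend entirely on the guessing rate it assumes, so it helps to redo the arithmetic yourself. The block below is an added example, not the tool the post used: it computes the search space an attacker faces from a password's length and character classes, converts it to time at a few guess rates, and contrasts the brute-force figure for "Apple123" with what a wordlist-plus-rules attack actually needs. The rates and the rule-set size are constructed order-of-magnitude assumptions for illustration, not measurements.

```python
import math

# Rough order-of-magnitude guess rates, constructed for illustration only;
# real figures depend on the hash, the hardware and the site's rate limiting.
RATES = {
    "online login form (rate limited)": 10.0,
    "offline, slow hash (bcrypt), one GPU": 1e4,
    "offline, fast unsalted hash, GPU rig": 1e11,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_bits(pw):
    """Bits an attacker must search if they know only which character classes
    the password uses and try every combination (an upper bound on strength)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 32
    return len(pw) * math.log2(pool)


def seconds_to_crack(bits, rate):
    """Worst case: the whole 2**bits keyspace at `rate` guesses per second."""
    return 2.0 ** bits / rate


def dictionary_attack_guesses(words=100_000, caps=2, suffixes=1000):
    """Keyspace a wordlist-plus-rules attack needs for a password shaped like
    Word + 3 digits, e.g. Apple123 (constructed rule set: word list size times
    capitalisation variants times numeric suffixes)."""
    return words * caps * suffixes


def human(seconds):
    """Render a duration the way strength meters do."""
    if seconds < 1:
        return "instantly"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400 * 2:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    return f"{years:,.0f} years"


if __name__ == "__main__":
    simple, strong_bits = "Apple123", 92
    print(f"{simple!r}: {brute_force_bits(simple):.1f} bits if brute-forced")
    for name, rate in RATES.items():
        print(f"  {name}:")
        print(f"    brute force  : {human(seconds_to_crack(brute_force_bits(simple), rate))}")
        print(f"    wordlist+rule: {human(dictionary_attack_guesses() / rate)}")
        print(f"    {strong_bits}-bit random: {human(seconds_to_crack(strong_bits, rate))}")
```

Two things fall out of running it: "Apple123" has a respectable-looking 47.6 bits on paper, yet a wordlist attack reaches it in a couple of hundred million guesses, which a GPU finishes before you can blink; and the 92-bit password survives even the fastest rate for over a billion years, far less than the 52 quadrillion the online tool reported, because that tool assumed a much slower attacker. Only the random password's margin is large enough not to care about the assumption.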


In this post I presented many suggestions on how to create strong passwords, how to store and carry them safely, and how to add protection layers such as MFA. Please start using them all and make your information safer.

As a final note, consider using stronger passwords and enabling MFA on all your accounts.

See Also

Security and development: how much is being done?
Security is only as strong as the weakest link
The Laws of security
Privacy and Ethics
Security Boundaries
Securing our front-end
Integrated security vulnerability alerts on GitHub - Why it matters
For more security posts on this blog, please click here.

Update [Mar 13, 2018]: There is a very nice description on why you should consider migrating from LastPass here.