A Study of Password Security, Part 1

Everyone knows password security is ‘A Thing’ [citation needed]. And everyone knows why: online sites, stores, and personal computers get compromised (hacked, broken into, or relieved of their data by other means) all the time. Identity theft can ruin reputations and bank accounts. Worst of all someone could steal all of your level 80 character’s gear. So what does ‘everyone’ do about it?

My family contains a fairly typical cross-section of computer users today. Between us we have:

  • The Online Socialite; heavy social media use, with a dash of book clubs thrown in
  • The Gamer; consumes media and bandwidth without diving into how it all works
  • The Unwilling User; intimidated by technology, but required to use it for work and keeping up with friends
  • The Former Power User; on top of things in the 90s, but hasn’t kept up with the latest trends
  • The IT student with network security ambitions (I won’t tell you who this one is)

All of us know how passwords are *supposed* to work. Despite that, one family member simply uses the same password for everything—absolutely everything [pro tip: don’t do this for obvious reasons]. Another writes their passwords on post-it notes on the computer screen. Yet another defines passwords by category—banking, social, etc.—and reuses passwords across categories (added bonus: he uses his birth year in the password). Heck, in my own case at one point I had all of my passwords in a document buried in a folder on my computer (unencrypted! Tsk, tsk).

Credential management—managing usernames, passwords, and other authentication methods—is probably the area in which security and convenience are most at war with each other in our daily lives. You’ve heard the litany of security precautions before: use strong, complex passwords. Have a different one for every site. Don’t write down your passwords at your computer desk, or anywhere someone could find them. Don’t keep them on your desktop, or unencrypted anywhere on your drive. Use two-factor authentication where available. Use passphrases made of several words instead of 8- (or even 12-) character passwords—but still a different one for each site.

The average Joe is going to balk at all these requirements [citation: I know a Joe. I also know an average guy. Not the same person, but both agreed with me]. Short of a Sherlock-Holmesian mind palace you won’t be able to remember all of the passwords they produce. Fortunately, a piece of software called a password manager can remember them for you.


Password Managers

A good password manager allows you to have very secure and otherwise hard to remember passwords, stores them in an encrypted format, and only permits programs/sites/users to access them when the master password is provided. Most allow you to set this master password specifically (with the notable exception of Chrome’s built-in password manager, which on Windows ties access to your Windows account password rather than a separate master password). Here are a few of the more popular password managers:

Password managers are also built into most browsers, though they may not have the features of dedicated software. This article isn’t concerned with which platform or product is superior—do the research and figure out which works best for your price point, ease of use, and level of paranoia (This article is a good place to start. Or you could always start here). One last note: whatever option you choose, find out how these password managers work—most of them have a page on how they secure your data. Know what to expect from them, and understand the backend as much as possible before making your decision: which key-derivation function and cost setting turn your master password into the encryption key, whether the vault is encrypted on your device before it is synced anywhere (so the vendor never sees your master password or your plaintext), and what happens if you forget the master password.

So you have selected your password manager. The first step following installation is creating a master password. I strongly recommend using a long phrase with punctuation and some character substitution—perhaps a phrase from a book (but not one used verbatim). My go-to example is ‘Y0u sh@ll n0t p@ssw0rd!’. Bear in mind that substitutions like 0 for o and @ for a are built into every password-cracking tool’s rule set, so they add far less strength than extra words do; length is what makes a passphrase expensive to guess. Whatever passphrase you pick should be even longer and more obscure—and not be an example posted in a public article. Never use this password anywhere else.
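To make the “encrypted format” and “master password” mechanics concrete, here is a toy vault in Python. It is an illustration added to this article, not code from the article or from any password-manager product, and every function name in it (derive_keys, seal_vault, open_vault, demo) is my own. It shows the structure a vendor’s security page should describe: a random salt stored alongside the data, a slow key-derivation function that stretches the master passphrase into keys, and authenticated encryption so that a wrong passphrase or a modified vault file produces an error instead of garbage. The passphrase and entries are constructed sample values; the cipher (an HMAC-based keystream with a separate HMAC tag, standard library only) is a stand-in for the AES-GCM or XChaCha20-Poly1305 a real product would use.

```python
"""Toy password vault: the structure behind a password manager's "encrypted
format" and "master password", in standard-library Python only.

Constructed illustration, not any real product's code. PBKDF2-HMAC-SHA256
stands in for the memory-hard KDF (Argon2id, scrypt) and an HMAC keystream
plus HMAC tag (encrypt-then-MAC) stands in for the AEAD cipher (AES-GCM,
XChaCha20-Poly1305) that a real manager would use.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os

# OWASP's 2023 figure for PBKDF2-HMAC-SHA256: every guess at the master
# passphrase against a stolen vault file costs the attacker this much work.
PBKDF2_ITERATIONS = 600_000


def derive_keys(master: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master passphrase into separate encryption and MAC keys.
    The salt is random per vault and stored in the clear; it stops one
    precomputed table from attacking every vault that shares a passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)
    enc_key = hmac.new(km, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(km, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master: str, entries: dict[str, str]) -> dict:
    """Encrypt and authenticate the entries; the result is safe to store or sync."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt, PBKDF2_ITERATIONS)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"iterations": PBKDF2_ITERATIONS, "salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master: str, vault: dict) -> dict[str, str]:
    """Return the entries, or raise ValueError on a wrong passphrase or a
    modified vault. The tag is verified before anything is decrypted."""
    salt = bytes.fromhex(vault["salt"])
    nonce = bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    enc_key, mac_key = derive_keys(master, salt, int(vault["iterations"]))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(vault["tag"])):
        raise ValueError("wrong master passphrase, or the vault has been tampered with")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def demo() -> tuple[dict[str, str], bool, bool]:
    """Seal a vault, reopen it, then try a wrong passphrase and a tampered file.
    Returns (recovered entries, wrong passphrase rejected, tampering rejected).
    The passphrase and entries are constructed sample values for this example."""
    master = "correct-horse-BATTERY-staple-1994!"
    entries = {"bank.example": "x9!Qv2#rLm7z", "mail.example": "Tn4$kWp8@eRc"}
    vault = seal_vault(master, entries)
    recovered = open_vault(master, vault)

    wrong_rejected = False
    try:
        open_vault(master[:-1], vault)  # one character short is still wrong
    except ValueError:
        wrong_rejected = True

    tampered = dict(vault)
    flipped = bytearray(bytes.fromhex(vault["ciphertext"]))
    flipped[0] ^= 0x01  # a single flipped bit in the stored file
    tampered["ciphertext"] = flipped.hex()
    tamper_rejected = False
    try:
        open_vault(master, tampered)
    except ValueError:
        tamper_rejected = True
    return recovered, wrong_rejected, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

Two points to carry over when reading a vendor’s security page: the salt, nonce and iteration count are not secrets and are meant to sit in the vault file, so what protects a stolen vault is the cost of each guess (the KDF setting) multiplied by the number of guesses a master passphrase forces, which is why the length advice above matters; and a good manager, like open_vault here, verifies the authentication tag before decrypting anything, so a wrong passphrase fails cleanly rather than leaking partial data.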

Now your password manager is helpfully offering to import your data from your browser. Or perhaps you are entering that information by hand. Either way, scrolling through the list you realize you have violated every tenet of good password security known to man or machine. This simply will not do!

Starting with a new password manager is a great opportunity to change your passwords, if not for all of the sites you use, then at least for the ones visited most often or that store sensitive data. Your email account comes first, since password resets for nearly everything else are delivered to it. Social media, banking, insurance, financial, any site that stores credit card data or personally identifiable information—all are good candidates too.

Many password managers will offer to create new passwords for you. For the average user this is sufficient, so long as you do not mind tying your password security exclusively to that program (one reason for doing thorough research on the program before choosing it). For advanced users, or those using password managers without this feature, check back next week for part 2 of this series. We’ll discuss how to create good, secure passwords that can be recovered even if your password manager goes kaput.

Lucas Gallagher is a WCTC student who enjoys technology, cybersecurity competitions, and long walks in state parks.