Journey to a more secure password strategy
Security on the internet is many things, only some of which we as end users can control.
As web-developers are evolving into a state where they are more focused on security, some bad practices are slowly but steadily dying off, while others unfortunately keep living on; such as "my site doesn't need https".
Eventually the release of Chrome 68 will hopefully move major sites over and minor sites will be following in the months to come; but we still need to tackle a huge issue on the internet; users and password practices.
I see myself as a pretty smart guy, I work for one of the biggest Companies in the world writing software; however even I had bad practices for passwords up until recently - why? I kept postponing doing something about it!
There are many myths on the internet about good and bad password practices; practices that have changed over the years - but we live in a World where one man has established a database of more than 517 million passwords either in raw or hashed form, by combining data from leaks.
I happen to have met Troy Hunt on several occasions and happen to trust the guy - but if he has the capabilities to do so, so do others with a more nefarious mindset. The old idea of passwords being strong if they are 8 characters needs to die - as odds are, that password is already in a database.
For kicks I ran a number of passwords I have used in the past through his system and...
In reality, we need to stop creating passwords ourselves - if my previously generated password isn't strong anymore, although it was considered strong 15 years ago.
Another spot-on comic by XKCD
Welcome to the world of password managers
At the moment, 1 Password has 70 password/login entries stored for me - 27 of which are currently duplicates of other entries; those I'll have to go through in the near future and get rid of.
But, with all the other pieces of information my brain has to keep track of, it is ludicrous to believe it can also keep track of 70 unique secure passwords; It will simply never ever happen. For that reason alone, you should use a password manager.
They come in many shapes, sizes and prices - some are free, most are digital yet some analog password managers do exist - it is all up to you to find what fits your needs; but here is my top three for choosing 1 Password.
- Synchronizes across my devices
- Scans for known passwords and breaches
- Easy to use and supporting Windows Hello / Fingerprint / Apple Face Id
It was crucial for me, when I took on the step of moving to a password manager, that I wanted my Wife to onboard as well - therefore it had to be an easy to use interface, that is well designed and integrates with her phone, as well as our PCs and with her iPhone supporting Apple Face Id and my Surface Book 2 supporting Windows Hello through the iris scanner; that's what I went for.
Password managers are expensive and insecure
Password managers are many things; among others is the fact that they are fairly complex pieces of software, with a strong focus on encryption to keep your data safe.
Odds are, your other solutions simply cannot compete with the safety measures of password managers.
Speaking of Price I currently pay $4.99 for a family plan with 1 Password that covers my wife and I, and in the future will cover new members of our household - Would I want it to cover my parents too? Sure - but at that low prince per month, they can sign up for one if they feel they need it.
Consider the price and time consumed, when having accounts breached, to me it's a no-brainer.
There are free password managers out there as well, I had a look at KeePass however it is currently lacking some of the important features from my top three; and as such I wouldn't expect that I could win over my wife to start using it nor would I have the advanced login capabilities with Windows Hello which is a great feature especially when on the road.
I wouldn't want to sit in an airport and type in my master password.
Research which password manager is right for you, there are a few ones I'll list here, which were all on my research list - which one suits you best? Only you can tell.
Start off easy
Rome wasn't build in a day, nor will you suddenly have changed everything to be better passwords; odds are you don't have a clue of how many logins you actually have online.
Install the browser add-ons and start adding the entries to your password manager as you login to sites you use on a daily/weekly/monthly basis, this way you will build up your database and be able to get an overview of how good/bad your current password practices are.
Is it only passwords?
Another great idea while reviewing your password database after some time, is to consider adding 2 factor auth where supported - but bear in mind - if you loose your 2nd factor and recovery keys you might have lost access to your account completely.
I managed to do that once - as a combination of changing phone, phone number and being lazy; but alas - Password managers are here to solve parts of the problem; storing the recovery keys.
What is a recovery key?
When enabling 2 factor authentication, most sites allow you to save one or more well-known keys up front to use, when you are unable to use your app to generate keys on the fly or receive a text message from the provider.
Such recovery keys can typically be stored alongside your password in your password manager, such that you have one place to go look up the information should you need to override the 2nd factor.
In 1 Password they have "notes" and files sections to use for this case.
Starting with 2 factor apps
There are several providers of 2 factor apps out there; as many sites follow the same standard, either of them will do - however I decided to go with the Microsoft Authenticator as my primary app for multiple reasons.
- Easy to use
- I need it to protect my @microsoft.com and @hotmail accounts
- Support for various gadgets - incl. the Apple Watch for iPhone users.
Go download your favorite one from your favorite app store
|App||Google Play Store||Apple Store|
|Microsoft Authenticator||Store link||Store link|
|Google Authenticator||Store link||Store link|
Spread the word!
The internet is an amazing place, but unfortunately it is not as safe as it was in it's early days; the amount of online scam/fraud seems to be at it's highest ever and we need to educate users on how to navigate the minefield the internet has become.
Have you made your decision about which password manager to use and started using it? Showcase it to your friends and family members - Teach them how to get started.
Not sure which password manager to use? seek advice with your friends, family, co-workers. A solid discussion of which one to pick is healthy and might spark an interest with others!
Have a great tip to share? Comment below!