A brief on strong passwords and password hygiene

Strong Passwords

While I could go on about the math behind creating a strong password, I’ll skip that and cut to the chase.

FourZeroThree

So, what's the big deal with passwords?

Passwords are the most common and fundamental means of authentication in most services on the internet. You provide your password, let’s say, to a web application in order to verify who you claim to be. But let’s get real, how many passwords are you going to commit to memory…

Read more

4 years ago · Sanketh Sharath

For a password to be strong it should,

• have an increased length (number of characters) and,

• have increased complexity, that is, have as many different character types as possible - upper and lower case alphabets, numerals, and special characters.

Alternatively, you could choose to create passphrases. Passphrases are a collection of random dictionary words clubbed together. While you could pepper your passphrases with numerals or capital letters, they could do without them too. The strength depends on the number of words.

🎥FourZeroThree - YouTube

A quick shout out! Here's a “video version” of the article. If you are the visual type, I recommend watching the video. I bet you’ll enjoy it :)

Password hygiene

The idea behind password hygiene is to eliminate a single point of failure. You do not want all of your online accounts to be associated with just one password (however strong it may be). Even if one of those accounts were to be breached, all your other online accounts associated with that password are at risk.

FourZeroThree

What you could do if your credentials are breached

If you think your credentials (email addresses, passwords, usernames) were never (or will never be) breached, think again. At least, that’s what you want to think, deny the fact that bad things could happen to good people. I hate to break it to you but data breaches are happening left & right. Malicious cybercriminals are incessantly trying to find ways…

Read more

3 years ago · Sanketh Sharath

The convenience of having just a password or two protecting all your online accounts is just not worth the risk. Use unique and strong passwords for every online account you create.

Storing unique passwords

John Opdenakker tweeted he had 107 personal online accounts (at the time of the tweet). That’s a huge number. And let’s not forget, many of us may have numerous accounts too.

Numerous online accounts also means, as many number of unique passwords at your disposal. But how would you remember all of them? This is precisely why web users resort to reusing passwords. Not only is it energy-draining to create a safe and secure password for every random account you create online, but you also have an imperative to store them since it’s impossible to remember all of them and store them safely, lest some bad guy gets access to all your data.

😥Safe password practices are a big pain!

It’s impossible to remember all unique passwords for every random online account you create.

So, the paranoid person that I was, I wrote every one of them in a diary maintained solely for online accounts. Imagine the nightmare of having to write down unique and strong passwords for hundreds of accounts on the web. Though secure, this can be rudimentary and bloody frustrating.

• I would make mistakes when manually typing the lengthy password.

• I could not copy and paste my passwords.

• Let’s be honest, it’s difficult to consistently create unique passwords. As humans, we tend to repeat certain patterns. There would be times when I would have, the same set of alphabets, special characters or numbers making each password less unique.

The frustration of having to create unique and strong passwords all the time and securely store them could make you resort to your old ways of reusing passwords.

Given all the jargon I just discussed, let’s just say password managers are the way to go.

💡Password Manager

A password manager is an application that stores all your passwords for you, so you don’t have to worry about remembering them.

I’ll use a popular password manager, Bitwarden as an example.

The best part — you could also make it generate strong passwords/passphrases for every website/application you register to, and store them for you.

A password manager stores all your passwords in a secure “vault” that can be opened only with a “Master Password”. Write your master password in a diary or notebook and keep it somewhere safe.

This brilliant piece of software offers you convenience and security.

• It generates unique and strong passwords.

• It stores all your passwords.

• You could copy and paste your credentials on the sign-in fields of a website. Some password managers also give you the option of auto-filling your credentials.

• You have to remember just one password, the master password to your password manager vault.

• A good password manager encrypts and securely stores your data on its servers.

• A password manager could effectively mitigate phishing attacks. Apart from generating and storing your credentials, it also saves the URL of each corresponding website. In case you fail to recognize a fake website with a fake URL trying to phish for your credentials, your password manager has got your back. It just wouldn’t fill in your credentials in the log-in form.

  FourZeroThree

  Why everyone should know how a URL is structured - HTTPS, Typosquatting and Open redirects

  Of course, you know what a URL is, don’t you? The string of text that appears on the address bar of your browser? But do you know how a URL is structured? Wait, before you think knowing that is not necessary, let me tell you, this knowledge could help you be secure when faced with certain malicious situations…

  Read more

  4 years ago · Sanketh Sharath

The anxiety of storing your passwords in one basket

Many people distrust password managers. They are paranoid about storing all their passwords in one basket.

Well, think about this.

• I used to write all my passwords in a diary previously. What if someone got hold of it?

• Maybe you are typing all your passwords and storing them as a document in plain text on your device. What if someone got hold of your device? What if malware sniffed all your data from your device?

• Maybe you are storing your passwords in google drive. What if your google account was compromised?

• Maybe you have everything in your head. Then rest assured, your passwords are not unique and secure enough, and is a matter of time until something bad happened.

You have to store your passwords somewhere!

💡 Your tip for the day!

Whilst having all your account details exposed at once is undoubtedly a very bad thing, the risk is infinitesimal compared to the chances of having it breached via website.

- Troy Hunt

However, the anxiety is understandable. After all, these are passwords we are talking about. But the perception of a password manager being unsafe mainly stems from the fact that people are uninformed with regards to how it works. Maybe a little homework on your side would help alleviate your fears.

💡How safe is a password manager?

• A secure password manager does not store your master password on its servers. It would be a Zero-Knowledge solution. The password manager would have no idea what your master password is. Lose your master password and there is no way of resetting it. Assuming there is a breach of its servers, your master password is nevertheless safe. You must keep your master password safely stored. Lose this and lose all your passwords along with it.

• A good password manager service encrypts your data on the client. This means the password manager encrypts your data on your device itself, before sending it to the server for storage. Even the employees/engineers of the password manager service cannot decrypt your vault data. The only way your data can be decrypted is with your master password. There is no way bad guys could get hold of your passwords even if there is a breach.

• Good password managers have the option to activate 2-factor authentication for additional account protection.

• A security-focused password manager would have regular security audits and besides, may also have a bug-bounty program in place to keep its service secure.

😇I am a fan of Bitwarden

I did my research. It’s a great service. It fulfills all the above criteria I mentioned. You could learn more about how Bitwarden keeps your data safe in its “Security - FAQ” section. They also have a security whitepaper, where you could learn in-depth, about how encryption and security works at Bitwarden.

If you still feel insecure about using a password manager or find it difficult to use, I would recommend using an online password generator like Bitwarden's. Generate passphrases (not passwords, since passphrases are more readable) and write them down in your "Password Diary". I think this is a good option, provided you keep your diary safe and sound.

🏃‍♂️Where to next?

• YouTube - FourZeroThree

• Table of Contents