Password Basics

PASSWORDS SUCK, SO DON’T MAKE THEM WORSE. Remember the days when we used the same password for every site? Was it yesterday? It’s time to get serious about managing your access tokens for everything. This isn’t going to be as easy as typing your dog’s name into every password prompt, but it will give you peace of mind.

Seems like every week we’re hearing about another major website getting hacked and losing their password database. This is because attackers are getting more sophisticated all the time, and many of these sites were designed with flaws in the first place. Sure, they’ll get fixed, but in the meantime you’re left changing passwords everywhere again. If you haven’t already, there are some things you can do to make this less painful to deal with, and give yourself a little more security when someone does get their hands on encrypted passwords. We’ll also cover those pesky security questions, as well as multi-factor authentication (ooh, big words!).

Good passwords are pretty easy: at least 18 characters long, completely random, with a mix of upper case, lower case, numbers, and symbols. And never use the same password twice. So we’re done, right?

The human brain doesn’t store information like that very well. We need a helper, something to manage our passwords for us. There are a lot of choices out there to do this, and a lot of problems with many of them. You may have heard of LastPass and their multiple breaches over the years? This doesn’t mean they’re bad – they’ve fixed the problems as they come up – but it does mean you need to be careful of your choices. My preference has always been 1Password. They use strong encryption, they offer multiple ways to synchronize information between devices, and their integration with web browsers works well. It’s not free, but it’s definitely worth it.

Some of the features you’re looking for are:

  • A good random password generator built-in
  • Everything is encrypted before it leaves your device, not on someone else’s system
  • Strong encryption, like AES-256

When you’re generating passwords, make them as long as you can. 30 characters is great if the site will accept it. You’ll run into a lot of password policies that are not spelled out before you submit a password, so you’ll end up getting an error that it’s too long, or it only accepts certain types of symbols. Why does this happen? Usually because programmers are short-sighted. Start with long secure passwords, and work backwards if you have to. And make a habit of changing passwords periodically, at least the ones you use frequently.

If you have a password that you need to type frequently, a long random string may be difficult to use. An option here, though it’s definitely less secure, is to use 5 or 6 random words separated by symbols. For example, “allocate,hassock,acoustic,province,spurn”. Password managers like 1Password offer this as an option when generating a new password, but you need to use a long string here, not just 1 or 2 words. You’ll find it’s easy to remember what the words are after a few tries. This isn’t perfect, but it’s better than using a simple password. Whatever you do, don’t come up with some clever scheme for your passwords. “Clever” is the same as “pattern”, and we already talked about that. If you think it’s clever, so do a hundred other people, including at least one attacker.
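As an added example (not code from the original post or from any password manager), here is a small Python generator for both the long random passwords and the word-based passphrases described above, with the entropy math that explains why the word version is "definitely less secure" per character but still respectable. The word list is a constructed sample of ten words; the 7776-word list size used for the entropy comparison is an assumption matching a standard diceware list.

```python
import math
import secrets
import string

# Character pool the post describes: upper, lower, digits and symbols (94 printable chars).
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list for the demo only. A real generator draws from a list of
# several thousand words, which is why compare_strengths() takes the list size.
SAMPLE_WORDS = ["allocate", "hassock", "acoustic", "province", "spurn",
                "lantern", "marble", "quiver", "saddle", "velvet"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy in `length` independent uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def random_password(length: int = 30, charset: str = FULL_CHARSET) -> str:
    """Uniform random password drawn from the OS CSPRNG (secrets, never random.random).

    Pass a reduced `charset` when a site rejects some symbols; that is the
    'work backwards' step, and entropy_bits() tells you what it costs.
    """
    if length < 1 or len(charset) < 2:
        raise ValueError("need a positive length and at least two characters")
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words, count: int = 5, separator: str = ",") -> str:
    """Word-based passphrase such as 'allocate,hassock,...' built from `count` words."""
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_strengths(wordlist_size: int = 7776) -> dict:
    """Entropy of each recommendation in the post, assuming a 7776-word list (diceware size)."""
    return {
        "18 random chars": entropy_bits(len(FULL_CHARSET), 18),
        "30 random chars": entropy_bits(len(FULL_CHARSET), 30),
        "5 random words": entropy_bits(wordlist_size, 5),
        "6 random words": entropy_bits(wordlist_size, 6),
    }
```

Five words from a 7776-word list give roughly 65 bits, against about 118 bits for 18 random characters, so the passphrase only stays strong if the words themselves are picked by the generator, not by you.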

The next thing you’re confronted with on a lot of websites is a set of security questions. These are used to validate who you are when you log in from a new system, or when you forget your password and need to reset it. They’re always things like “What was the name of your first pet?” or “What is your mother’s middle name?”. At this point, you should already see the problem with these. They all ask for information that is relatively easy to figure out, given just a little bit of data. There are a couple of ways you can handle this.

The first way is to just use a randomly generated string as your answer to these questions. Given that you’re already using random passwords in a password manager, and these are in case you lose your password, you’ll want to store this somewhere else. You can use a different password manager. Or you can write them down and keep them somewhere safe (like, I don’t know, a safe? You have one, right?). Obviously this will be the most secure option. The other way to answer them is to have answers that are wrong. If the question is “Where was your first kiss?”, maybe your answer is “Utopia Planetia”. But no patterns. The answer to “What is your mother’s middle name?” can’t be “Wiymmn”.

The last thing we should talk about is multi-factor authentication. This sounds big and scary, but all it’s describing is using multiple things to identify yourself. There are, generally speaking, three ways you can authenticate yourself: something you know, something you have, and something you are. A password is something you know. It’s what we call a shared secret: you share it with the thing you want to authenticate to. Because it’s just knowledge, you can give it to someone else and then you can both use it. Skipping ahead, something you are is a physiological or behavioral trait. This would be a fingerprint, or a retinal scan, or even a signature. Ignoring the signature (which can be somewhat subjective), some very secure systems will use this type of authentication. It’s usually expensive, because you need specialized hardware to work with it. It also has a risk because you can’t change it; if it gets compromised, like a recording of your voice for a voiceprint, it’s useless.

The third way of authenticating, something you have, is often used in conjunction with one of the other authentication methods to provide “two-factor” authentication. Something you have is exactly that: a company badge, a security token with a rotating number or a challenge/response mechanism, or a credit card. You probably already use two-factor authentication, because that’s what you’re doing when you use an ATM. The credit card is something you have, and your PIN is something you know. Credit card transactions, especially prior to chip cards, are a weak form of something you have (weak because duplicating a magnetic stripe is trivial) and something you are (weak because validating a signature is subjective).

Many websites and other services, especially financial services, have been introducing two-factor authentication as a choice, and you should take advantage of it whenever possible. Most of the time it will be an application on your phone, or a small physical device with a rotating number, that you need to have. It’s usually free for you to use, and it will protect you against someone figuring out your password. Just remember that you can’t use the same device/token if you are creating an anonymous entity (back to paranoia – no connections).

One final note… We are all told the dangers of writing down your passwords. IT workers share the horror stories of post-it notes stuck to monitors, or under keyboards. The truth is that writing down a password is OK, as long as it is not in the same place as the thing it is being used to authenticate to. This means that your password for your work network can’t be stuck to your work computer. But storing it in a safe at home is OK. This can be especially important when we start talking about encryption. You may have an encrypted device, and a key for that device. They should never travel together. If you have to write it down, that’s better than using a simple password. Just make sure you treat it with respect.

For a little more light reading on this topic, you can check out the EFF’s post on creating strong passwords, which has a lot of useful information.

Up Next: Web Browser Basics

Todd Palino


I'm a dad, a small business owner, a systems engineer, a developer, and any number of other things.
