Creating and Managing Passwords

Many people's e-mail and web accounts get hacked. You may have wondered how this is done.

  1. A password can be stolen via hacking (or legal access) to other services.
  2. Passwords can be engineered from available information and combinations can be tried endlessly.

One thing we can easily agree about is that improvement is possibly and even simple steps forward will make huge difference.

I like to explain a workable strategy to better secure access to your online services. But to do that I first tell you something about how passwords often fail to protect us.

First a note: This article is not about the passwords we use to encrypt documents. That is a whole different approach and analyses.

Stealing passwords

Many web sites are poorly protected. Sometimes we read in the news about big hacks where thousands or even millions of accounts are leaked, where people's passwords get compromised. The problem here is that most people use the same password(s) over and over again. Companies, and government agencies have access to many databases including passwords people use.

We simply have to conclude that a password that you use in any internet service can and will be compromised. So you will have to use many different passwords. Which makes it much harder for you to remember them. The only workable solution I know for this is to use a password manager.

Password engineering

The process of breaking someones password is actually very simple. Many, if not most, people make up passwords as combinations of things they can easily remember. Using names of their children, parents, pets, addresses, birth-dates, or combinations of those. And most people believe nobody will think of the specific combination they had in mind. But they don't count in how easily a combination of harvesting such information via social media, hacked web sites, and what we call social engineering¹ leads to engineering a password. With some programming code (we call it a script)  many combinations can be tried very fast to break a password. No rocket science involved.

Many Internet services (like email and web) try to force use of complex passwords. These attempts to determine password strength by length and complexity don't protect enough against the use of passwords engineered from known information. It has been tested and proved enough that these factors don't make stronger passwords.

To make stronger passwords that pose a better challenge to hackers, you can choose 2 paths:

  1. Random strings. Random strings are much harder to guess. The longer they get the harder it becomes. This again has the drawback of being hard to remember, but a password manager can solve this.
  2. Engineer a password from information you can remember but that no one else can easily retrieve from you or people around you. You can find many articles about password creation. It still won't be easy to create and remember many passwords this way. 

Using a password manager

There are many different password managers. This is not a technical or consumer test report. I will only introduce you to one. Others you can figure out yourself, if you want or need to.

✋You should not use a password manager on a device with a shared user account. Using shared accounts is a bad idea anyway. Do not even share an account with people that you trust with your life. Well intending people can unknowing and unwillingly be abused to carry malware into your device. Better to use separate user accounts.

A good password manager stores the passwords encrypted. Also a password manager helps you to fill in the account information when opening the login page of the web site.

Also you should realize that even though passwords managers are a much needed solution, also these programs can fail. So I advice a mixed strategy. Use a password manager for the bulk off websites and services, but not for the most vulnerable ones.

I personally use the password manager built in into Mozilla Firefox. But I do not use Firefox for my bank accounts and I don't store these passwords in that (nor any) password manager. Firefox simply manages my hundreds of accounts I have on the many web sites I use: forums, social media, news, web mail, etc.

The Firefox password manager automatically presents itself when it detects that you are filling in a user account and password in a web page. It offers to store the password for you. When you store the username and password it will automatically fill the fields when you return to that webpage a next time. Allowing you to login without having to remember the complex password and username combination.

Now you can start using much longer and more random passwords, and a different password for every service.

Using much better passwords and a password manager is a huge improvement over the weak passwords most people use. When you have mastered this skill there are 3 optional additional improvements that you can do, but will need a little study.

  1. Using a master password² in Firefox allows it to better encrypt the passwords it stores, making it harder for someone to steal them. For a manual go here: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins
  2. You can synchronize your Firefox profile between devices making your password list automatically available in all your devices (I myself exclude my smartphone). Using Firefox Sync is safe if you use a master password. For a manual go here: https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer
  3. Install a Firefox extension called 'Saved Password Editor' which makes managing the lists of passwords more friendly. This allows you to also store passwords for other services (if you like).

 

Other Internet browsers like Chrome, Safari, Opera, Explorer (probably) have their own build in password managers, that work similar to Firefox. And there are numerous independent password managers with different capabilities.

Independent password managers like Keepass2 also support the storage of passwords for password protected files.

I hope you will take some time to master these skills. It is not only for your protection. When your e-mail gets hacked, your friends and relatives are often the target for phishing, and scam's, and the next hacking attempts.


 

¹ Social engineering: simply ask a person for the information while impersonating someone else. For example: call someone saying you are the service manager of the bank and ask them their bank account number and birth date. Combined with other information this might allow you to withdraw cash from their account. That simple? Unfortunately, yes!

² A master password is a special case. You should create a password that you keep for this purpose only and is not to long (because you will need to enter it each time you open the password manager) and not to be engineered from available information about you. For example: create a funny sentence: 'When I was young, Chris Smith was my neighbor' to create a password with the first chars, replace 'I' with '1' and make every 2nd char uppercase: w1wYcSwMn.


Last modified: 2019-05-02 14:41:35+00