World Password Day: Healthy Password Etiquette 101

World Password Day is dedicated to reminding people about the importance of protecting themselves online using strong passwords. Founded in 2013, it’s also a day to commemorate security researcher Mark Burnett’s book, Perfect Password: Selection, Protection, Authentication, who was an advocate for people to use stronger and smarter passwords.

So, in honour of today we’d like to share with you our tips for choosing and managing your passwords more securely so that you’ll be safer online. Remembering a multitude of passwords for our various accounts can be frustrating and many of us resort to simple, easy to remember passwords that we reuse everywhere online, from our social media accounts to our banking sites.

This is a recipe for disaster in the form of identity theft or an account takeover. When you reuse passwords, every account that uses the same password becomes vulnerable if one account is compromised. Hackers use a multitude of techniques to crack well known passwords. Fortunately, a tool called a password manager can create and keep track of robust, unique passwords, helping you to avoid identity theft and other forms of online fraud.

Why you should join the 20% who use a password manager

A password manager can store all your passwords securely, so you don’t have to worry about remembering them. Password managers can generate complex, random passwords for all the unique sites you visit. They store these credentials encrypted in a secure virtual ‘vault’, so that when you return to a site, the password manager will automatically fill in your login details for you.

Your password is stored using a unique key that only you can access using your “master” password, so it’s vital that you use a strong “master” password to control access to your password manager. They can also synchronise your passwords across your different devices, making it easier to log on, wherever you are, and whatever you’re using.

Password managers also let you know if you’re re-using the same password across different accounts and notifies you if your password appears within a known data breach so that you know if you need to change it.

As with any technology, password managers aren’t perfect. In the chance you forget your master password, you’ll be locked out of the password manager’s database, forcing you to reset the password for all your accounts. But security researchers would argue that the benefits you get from a password manager outweigh the drawbacks of the possibility of there being a vulnerability associated with the password manager.

Why password managers are trusty

The main reason there is much advocation for password managers is that they are cryptographically secure. They may seem like you are introducing a single point of failure, especially if your master password is insecure in the first place. However, the systems in place are more secure than most password security in general which greatly improves the level of trust.

LastPass is one of the more popular password managers which produces a master password by appending your email and your own password and then hashing it. In a cryptography sense, this is also known as PBKDF2 and is an algorithm which iterates this process 100,000 times. This then produces your vault key which is then hashed again with your password before it’s stored on the cloud. While this process might seem complicated, that’s the whole point!

The reason behind why hashing is so important in security is that it’s a one-way function. This means that unlike encryption, there’s no way to redo a ciphertext once it has been hashed. So not only will an attacker not be able to know your password if they theoretically compromise the whole of LastPass but LastPass themselves don’t your password either! This is generally why websites will ask you to reset your password if you’ve ever forgotten your password instead of them just reminding you what it was.

In addition to its strong security however, over the years password managers have become more elegant with its usability. 1Password is an example of a password manager that’s incorporated biometrics into its authentication, allowing users to login to their account through touchID instead of their master password. This considerably improves the user experience as it eliminates the need to type out your same password with each attempt, especially as we already use this same authentication to log on our mobile phones.

1Password also provides other features that extend it beyond just a password manager, such as notifying the user whenever an account of theirs is compromised as well as offering other categories of storage such as credit cards. It even goes as far as providing an emergency kit such as that in the case you forget your master password, you are provided with a secret key to sign yourself back in. The only issue this system has however is that there is no way to recover your secret key if you lose that as well.

How to create strong passwords

While password managers can create unique and complex passwords for you, you still need good password etiquette if you decide to create your own unique passwords. As mentioned above, the consequences of a badly curated password can be severe. Cyber criminals are becoming more resourceful when it comes to cracking passwords. In the era of COVID-19 and working remote, it is more important than ever to secure not only your passwords, but your network with a strong password that can protect your sensitive information from unwanted attention.

Password length and complexity are the essentials of good password hygiene. Long and complex passwords require more effort and time on behalf of the adversary. Passwords should contain at least ten characters and include a combination of special characters, as well as upper-case and lower-case letters and numbers. It is important that you strike that balance between a memorable password and a complex one.

An overly complex password that you will more than likely forget is no use to you. Try make use of pass phrases where you can, arranging unrelated words in an odd order can curate a powerful password. Having said all of this, the rule of thumb of a strong password is that you should never reuse it. As we mentioned earlier, reusing passwords is a massive red flag and can leave your accounts susceptible to being compromised all at once.

Find out more about current cybersecurity issues on the Adarma blog or if you’re looking for more specific support then read up on cybersecurity services offered by Adarma.