When I say I have a lot of passwords, I mean I have a lot of passwords. If you were to take a peek into my password manager, you’d see that I have close to 550 saved passwords.
It's safe to say that I am a prolific internet user, so this is not representative of more standard browsing habits. Even so, according to research by Nordpass, the average person has around 100 passwords for everything from services they use daily to accounts they’ve used once to access a webinar. That’s a lot – and every day that number grows.
In honor of World Password Day 2021, I’ve put together some of the considerations and steps I take to keep my passwords as secure as they can be.
Password managers: sin or salvation?
You might have expected me to delve straight in with the cardinal rules for creating rock solid passwords. But the truth is, if it’s hard to hack, it’s hard to remember, and when you have to store 100 of them in your already saturated mind, you’re fighting a losing battle. Most people – maybe not you, but most people – will fall back on what’s easy to remember and easy to crack.
Enter the humble password manager.
Used properly, password managers are an invaluable tool for any internet user. They’re great at creating long, complex passwords that you don’t have to remember. They also integrate easily into your browser and mobile device so you can create and store unique passwords at the click of a button.
Used without due care and attention, however, they can spell disaster, because they place all your proverbial eggs in one basket. If your master password (that one password to rule them all) is compromised, then so is everything stored behind it. It's a real risk, but one that can be significantly mitigated by having a few additional measures in place.
Your password should contain...
Now we get to the bit about creating strong passwords. I won't go into cryptanalysis, talk about keyspaces, or get dragged into an argument about password strength. Instead, this cartoon sums up the obsession with "your password must contain..." better than I ever could:
My go-to solution for creating a hard-to-hack password is actually by using a passphrase, like a line from a book or a song complete with punctuation and capitalization. It’s easy for me to remember but very difficult to crack unless you’re specifically targeting me and know exactly what’s on my playlist or bookshelf.
I also change my master password (as well as my playlists and bookshelves) multiple times a year, just to add a bit of jeopardy to it all.
Layer up your security with multi-factor authentication
Now that you’ve figured out a strong master password for your password manager, I highly recommend adding another layer of security by using multi-factor authentication. This means that if your password is compromised, leaked or cracked, an attacker won’t be able to use it unless they also have access to your MFA.
The most common form of multi-factor authentication is the simple SMS code. Some would argue that SMS as MFA is broken and inherently insecure, since codes can be intercepted through SIM swapping or weaknesses in the carrier network, but some protection is better than no protection if this is your only option. It still moves the goalposts for those with nefarious intentions: with any kind of MFA set up, an attacker would need to invest significantly more time and effort in specifically targeting you before accessing any of your accounts.
Software-based MFA, such as a TOTP authenticator app like Google Authenticator, is a better alternative. It can be installed on most modern mobile devices and provides a good level of security, again making it harder for an attacker to compromise your accounts without taking extra, highly targeted steps. Bear in mind, though, that the app only holds a shared secret and computes a code from it: if your mobile device is stolen, lost, dropped down the toilet or compromised, then so is your MFA method, and a code can still be phished by a page that captures it and uses it straight away.
A more favorable but less readily available option is a physical security key (FIDO U2F or FIDO2). An attacker needs physical access to the key to gain access to the password manager or account, and because the key signs a challenge bound to the site it was registered with, a phishing page on a look-alike domain gets nothing it can replay. There's a very low risk of interception and it provides a much higher barrier to compromise. The downside is that most reputable password managers require a subscription to their premium tier to enable hardware MFA. For me, it's worth it to make sure my digital world stays as secure as it can be.
Haveibeenpwned: know your vulnerabilities
A great service that both individuals and enterprises can benefit from using is haveibeenpwned. It’s free and will allow you to register your email address or a domain (if you can prove you own it). This means that any time the email or domain is found in a public breach, you will receive a notification on where and when it took place, giving you (or your employees) the chance to change passwords and, hopefully, halt any compromises before they go further.
A note for developers: helping users stay secure
Finally, let’s switch perspectives. There are a number of things developers can do to ensure the authentication flows in the applications they’re building are as strong as possible.
The most obvious is to store passwords with a deliberately slow password-hashing function rather than a fast general-purpose hash, so that brute force is expensive. Bcrypt or PBKDF2 are both good options here (as is the newer Argon2). Every password needs its own random salt (bcrypt generates one for you; with PBKDF2 you supply it yourself), and the cleartext password must never be written to logs anywhere.
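As an added example (my own code, not from the post), here is the PBKDF2 option done properly with the standard library: a random per-user salt, a self-describing stored format that records the algorithm and iteration count, constant-time comparison, and a rehash check so old hashes get upgraded at the user's next successful login. The login helper also runs the hash against a dummy record when the username is unknown, so response timing does not reveal which accounts exist. The iteration count and storage format are assumptions for this example; tune the count to your hardware.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example. Raise ITERATIONS as hardware gets faster;
# stored hashes record their own count, so old records keep verifying and get upgraded.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_" + ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and parameters embedded in the record; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        algorithm = scheme.split("_", 1)[1] if scheme.startswith("pbkdf2_") else None
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, IndexError):
        return False
    if algorithm is None or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS, algorithm: str = ALGORITHM) -> bool:
    """True when the record uses a weaker algorithm/iteration count than current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or not parts[1].isdigit():
        return True
    return parts[0] != "pbkdf2_" + algorithm or int(parts[1]) < iterations


# Hashed once at import time; used for unknown usernames so timing does not leak account existence.
_DUMMY_RECORD = hash_password(_b64(os.urandom(16)))


def login(store: dict, username: str, password: str) -> bool:
    """Check credentials against an in-memory {username: record} store, upgrading stale hashes."""
    record = store.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    if username not in store:
        return False                                  # dummy hash already burned the same CPU time
    if ok and needs_rehash(record):
        store[username] = hash_password(password)     # upgrade while we still have the cleartext
    return ok


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple", iterations=20_000)}
    print("stale record:", users["alice"])
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    print("upgraded:", not needs_rehash(users["alice"]))
```

Note what is absent: the cleartext never goes into the stored record or a log line, and the only per-login CPU cost is the deliberately slow PBKDF2 call, which is the point.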
It's also worth integrating the haveibeenpwned Pwned Passwords API, which lets you reject passwords that have already appeared in a breach (its range endpoint takes only the first five characters of the password's SHA-1 hash, so the password itself never leaves your server), and letting users enrol an MFA method such as a U2F key or a TOTP app like Google Authenticator. These small behavioral nudges could pay dividends when it comes to password security.
I did it my way...
It doesn’t seem fair to give you all this advice without covering what I do to keep my passwords safe, secure and unique. I’m a fan of LastPass in combination with an NFC YubiKey. They work across all my browsers on all my devices and the NFC means I can still enforce MFA on my mobile using the same key.
These are not the only possible combinations. Remember, what works for me might not work for you. When looking for password solutions, I considered price, security, usability, integrations and features. You should do the same: don't trust me blindly, and do take the time to research the solutions yourself.
Immersive Labs has a number of labs on passwords from hashing to cracking. If you already have a licence, log in here to check them out. If you don’t yet have a licence and would like to find out more about the platform, book a demo using the button below.
6 May 2021
Director of Cyber Threat Research