Passwords

How many accounts do you have? I might as well be asking how many slices of bread you have eaten in your life. Almost any service you use on the internet now requires an account to access its features, sometimes with payment for the more advanced ones. You select “Sign-up”. You input your email address and then, below that, the dreaded “Password” field. Passwords aren’t inherently bad; in fact they are great. A password is the first (and sometimes only) line of security that prevents someone gaining access to your account. This is especially serious if that account holds sensitive financial information, like your mobile banking account. So why are passwords frustrating if they make our accounts secure? It links back to the very first sentence of this article. The answer to that question is: a lot. So many, in fact, that I doubt you have even accounted for all the accounts you made for services you used only once. With so many accounts come so many passwords.

Let’s simplify the situation. You have only one account. The only thing between an outsider and your precious account is one password. What can you do to make that password as secure as possible? Let’s first consider brute-forcing. This is a technique where the adversary methodically tries every possible combination that a password can be. If this is a 4-digit PIN code, there are 10^4 (or 10,000) different PINs they could try. If they aren’t timed out after a number of unsuccessful attempts, this could take only a few minutes. Now let’s say the PIN is 8 digits long. That is 10^8 different PINs to try. Assuming no time-outs, the same method would take a few hours. It is clear that the length of a password drastically increases the time it takes an attacker to brute-force it. But a long string of numbers isn’t easy to memorise, so what if we use letters instead?

For a 4-letter PIN, the number of possible combinations becomes 26^4 (or 456,976), and for an 8-letter PIN, a massive 26^8 (or 208,827,064,576). These calculations illustrate the other factor in making a good password: the number of possible inputs, or complexity. Note that these calculations did not include capital letters.
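To make the two factors above concrete, here is a small calculator, added as an illustration and not code from the original post. It reproduces the PIN and letter figures in the text, extends them to a mixed-case and a full printable-ASCII alphabet, and adds the time-out the text mentions: a lockout after a fixed number of failed attempts. The guess rate and lockout parameters are assumptions chosen for the example; the post gives no figures for them.

```python
import math

# Character-set sizes: the two the post uses, plus two extensions
DIGITS = 10            # 0-9
LOWER = 26             # a-z
MIXED_CASE = 52        # a-z plus A-Z
PRINTABLE_ASCII = 94   # letters, digits and punctuation


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    from `charset_size` symbols: charset_size ** length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity in bits: every extra character adds log2(charset_size)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who can try `guesses_per_second`
    passwords with no time-out (the rate is an assumed input)."""
    return keyspace(charset_size, length) / guesses_per_second


def seconds_with_lockout(charset_size: int, length: int,
                         attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Worst-case time when the service locks the account for `lockout_seconds`
    after every `attempts_before_lockout` failures. The guesses themselves are
    treated as instantaneous, so the total is dominated by waiting out lockouts."""
    total = keyspace(charset_size, length)
    lockouts = -(-total // attempts_before_lockout)   # ceiling division
    return lockouts * lockout_seconds


def summary_table(guesses_per_second: float = 1000.0) -> list[tuple[str, int, float]]:
    """(label, keyspace, seconds without lockout) for the post's examples and
    the two larger alphabets, at the assumed guess rate."""
    cases = [
        ("4-digit PIN", DIGITS, 4),
        ("8-digit PIN", DIGITS, 8),
        ("4 lowercase letters", LOWER, 4),
        ("8 lowercase letters", LOWER, 8),
        ("8 mixed-case letters", MIXED_CASE, 8),
        ("8 printable ASCII characters", PRINTABLE_ASCII, 8),
    ]
    return [(label, keyspace(n, k), seconds_to_exhaust(n, k, guesses_per_second))
            for label, n, k in cases]


if __name__ == "__main__":
    for label, space, secs in summary_table():
        print(f"{label:30} {space:>22,}  {secs / 3600:>16,.1f} hours  {entropy_bits(1, 1):.0f}")
    # With a 60-second lockout after 5 failures, even the 4-digit PIN takes days:
    print(f"4-digit PIN with lockout: {seconds_with_lockout(DIGITS, 4, 5, 60) / 86400:.1f} days")
```

Run as a script it prints the table; the `seconds_with_lockout` line shows why the post's "if they aren't timed out" caveat matters: the lockout, not the keyspace, sets the floor on a small PIN.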

Ideally, our password would be long and complex, including a mixture of lowercase and uppercase letters, punctuation, numbers, and special characters. So we now know how to make a good, secure password great, but what good is it if we cannot remember it? So far we have only considered the one account to rule them all, but it is almost certain that if you use the internet, you have multiple accounts, some of which you may have forgotten you ever created. How is it possible for so many people to remember so many passwords? The answer is simple. They don’t.

They use ONE password for multiple accounts, perhaps with variations of it to satisfy the password rules imposed when some accounts were created. While this is certainly convenient, it is extremely insecure and bad digital hygiene, and here’s why. Consider that each account is connected to some sort of service. This could be a video streaming service, a news website, or an institution you are a member of. There are all sorts of different services. Behind each service there is a company which maintains it, and to keep track of whose service data is whose, this company has a database of account details. This is what the service application uses to check that your details are indeed correct before displaying your service data. There are many companies with whom you now have an account. Let’s say one of those companies has been hacked and the database containing all their users’ account details has been leaked. Malicious actors may use this information to attempt to log in to your account before you change your password. Let’s say you were quick off the mark and changed your password as soon as you noticed the data breach in the daily news headlines. Great! Malicious actors can no longer access THAT account. But they may try reusing those credentials, including your email address and password, on other popular services. If you used the same credentials for your banking account, you would now be in very hot water indeed. So should you be memorising multiple complex and incoherent passwords to mitigate this? Ideally, yes. But this is not an ideal world and human memory is more than flawed. The solution? Password managers.

There are many kinds of password managers available, free and less free. There are plenty of articles comparing and ranking them, so I won’t add to that. But I will outline their advantages, the main one being that you only have to memorise one master password to access your password vault. Additionally, by storing passwords in one place, you no longer have to memorise many passwords, so you can make each one as long and complex as you like for any account. This means your credentials will be highly resistant to brute-force attacks (no password is truly proof against them; a long, complex one simply makes guessing impractically slow). Now that all your passwords can be different without any need to memorise them, if one company gets hacked, your other accounts are safe! However, the greatest asset of password managers is a double-edged sword: if someone were to get hold of that master password, ALL those accounts would be impacted. So how can you mitigate this? Make it a really good password and ideally never write it down anywhere. You will be accessing the password manager often enough that you will have plenty of practice remembering even the longest and most complex of passwords.
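The two things a password manager does for you in the paragraphs above are generating a long, complex, unique password per account and making reuse unnecessary. The following script, added here as an example and not taken from the post or from any particular password manager, shows both: a generator built on Python's `secrets` module (a cryptographically secure random source) that draws from the full mixed-case, digit and punctuation alphabet the post recommends, and a check that scans a vault for exact password reuse across accounts. The `SAMPLE_VAULT` is a constructed example, and the account names and passwords in it are made up.

```python
import secrets
import string
from collections import defaultdict

# The alphabet the post recommends: lowercase, uppercase, digits, punctuation (94 symbols)
ALPHABET = string.ascii_letters + string.digits + string.punctuation

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a random password of `length` characters drawn uniformly from `alphabet`
    using `secrets.choice` (never `random`, which is not designed for secrets).
    Candidates missing a character class that the alphabet contains are redrawn, so
    sites demanding 'at least one digit / symbol' are satisfied; the redraw is rare for
    realistic lengths and does not meaningfully reduce randomness."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one character from each class")
    classes = [c for c in _CLASSES if any(ch in alphabet for ch in c)]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one account to the sorted list of those
    accounts. Only exact duplicates are detected; 'variations' of one password, which
    the post also warns about, would need a separate similarity check."""
    accounts_by_password: dict[str, list[str]] = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in accounts_by_password.items() if len(accts) > 1}


# Constructed sample vault (account name -> password): the reuse pattern described above,
# with one account already switched to a generated password.
SAMPLE_VAULT = {
    "bank": "Summer2019!",
    "email": "Summer2019!",
    "streaming": "Summer2019!",
    "news": generate_password(),
}


if __name__ == "__main__":
    for password, accounts in find_reused(SAMPLE_VAULT).items():
        print(f"password shared by {len(accounts)} accounts: {', '.join(accounts)}")
    # Replace each reused password with a fresh, unique one
    fixed = {acct: generate_password(32) for acct in SAMPLE_VAULT}
    print("after regeneration, reused:", find_reused(fixed))
```

The vault scan is the check worth running on any export of your own manager: a leak at one of the listed services exposes every account that shares that password, which is exactly the bank scenario in the previous paragraph.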

On a final note, you always need a back-up solution (ideally more than one). The answer is to write down your credentials in a book. If all else fails, this book will keep your passwords. Just make sure you hide the book in a secure place, such as a safe, so no-one can yoink all your details. And please don’t write credentials down on a post-it note.

I hope this has provided some insight on how you can make your passwords better and manage them.

Until next time.
