
Words on Password Security


[Header image: a locked blue padlock on a blue circuit-board background. Image by geralt, License: CC0]
Update October 29, 2019 - I tweeted a link to this and realized it was time for an update.
I have switched over to iOS from Android and continue to use 1Password, it works even better on iOS. Fixed tenses/removed irrelevant/old paragraphs, and added notes about lack of sponsorship.

Update January 18, 2019 - 1Password uses a monthly pricing model primarily now. I've started using 1Password instead of Keepass due to family sharing, their Watchtower service (powered by haveibeenpwned.com), and the amazing ease of use on all platforms.

Update March 18, 2017 - LastPass has changed their business model and the mobile app does not require a subscription. I have also become aware of the Diceware passphrase generation technique. This post has been updated to reflect that.


Preamble

You can skip this section if you just want to get to the advice.

NOTE: I realized I should point out to anyone reading this that I do not run ads on my site, nor are any of the links in this post affiliate or sponsored in any way.

Disclosure:
I personally use 1Password, and received one (1) full year of the Family Plan for free from a friend during their Thanksgiving promotion in 2018.

Seven years ago, I wrote an article about an Offline Password Creator inspired by the xkcd comic "Password Strength". Many things have changed in those years. For instance: hacker tools now take that xkcd comic into account.

In early 2014, Bruce Schneier wrote an article on choosing secure passwords and specifically stated that the xkcd "correcthorsebatterystaple" method of generating passwords is no longer good advice.

Skip forward to 2015 (original time of posting). A friend of mine on Facebook discovered the aforementioned xkcd comic and other friends thought this advice useful. As someone with a bit of security knowledge through a university course and an enjoyment of reading security blogs (and now many years of work in the field), I felt I should help inform them. After typing a couple of hundred words in a Facebook comment, I realized I should write a new blog post to update you, my readers.

Below I will give my recommendations on maintaining a reasonable amount of security with your passwords.

Use a Password Manager
As I've mentioned before, I recommend that everyone use a password manager.

A password manager typically requires you to create a "master password" that will be used to encrypt the password vault where all your passwords are stored. The manager often integrates with your web browser, making it very convenient to have a secure (long, random, unique, and a mix of character types) password for every website/application you use.


Choosing a Password Manager
So you want to use a password manager, great! Now you may find the task of choosing one a bit daunting, so I will briefly outline the options I recommend below:

Update: Cost information updated during the October 2019 update
1Password - Cost: Paid (Free Trial) $3/mo ($5/mo for families) or for a one-time version purchase ~$50 (Last I checked you could only purchase it from inside the desktop application). They also have a 6-month free trial for students (found in a reply on reddit by their support team) - Platforms: Mac, Win, iOS, Android

1Password was the first password manager I used, and I recently switched back to its family plan. I made this change from Keepass because it made it easier to share passwords within my family and got them to use a password manager.

It has a great user interface and experience. The browser extension works very well, and across all the platforms I need (Windows 10 and Linux). The mobile app also looks gorgeous and works great, allowing for auto-fill even in applications, not just the web. (Sometimes you have to manually switch apps and copy/paste, however I've seen less of that on iOS).

I believe there's an option to sync the password vault across platforms with Dropbox, but I have opted to use 1Password's own server for this.

1Password also has a .ca domain which allowed me to host my data in Canada, my home country, which was very nice to know. NOTE: As a Canadian you should sign up initially on the .ca address, as it's much more annoying to switch from a .com to a .ca account in the future.

1Password's family plan has also been very useful for shared accounts, such as Netflix, which can be shared between family members.

Below is my original evaluation of 1Password:
1Password was the first password manager I used. It has a good user interface, is fairly straightforward to use, and has a browser extension. The browser extension is important to most people because it (most of the time) allows for a single click to fill in your username and password.
The password vault can be synced across platforms with Dropbox. The password vault is encrypted so this is fairly secure (always be mindful this is a relative term) but if you don't trust Dropbox I would not use this option.

Depending on how many platforms you use it can get a bit pricey. I paid for a student license for my Windows desktop and found it well worthwhile! However, I also use Linux (for which it is currently unavailable), and the Android client (at the time) was unable to add new entries.

If your use case is only on one or two platforms it's definitely worthwhile and is a friendly way to begin using a password manager.

Keepass 2 Professional Edition - Cost: Free (despite its name) - Platforms: Windows, Mono (Linux, Mac, BSD, etc). Unofficially on: iOS, Windows Phone, Android, Blackberry

The following review is originally from 2015, when I was using Keepass:

Keepass is my current password manager. I wanted a free alternative to 1Password that I could use to create new passwords on my phone (Android) and on Linux. I use Dropbox to sync my password vault. The user interface looks okay, and functions well. There is a browser extension which is quite useful.

On Android (via Keepass2Android Password Safe) I highly recommend using the Keepass2Android keyboard to enter passwords. The keyboard simply has a "User" button and a "Password" button. This is safer than using the copy/paste method because any application can read from the clipboard (where the copied word gets saved) without asking for permissions.

Keepass is also open source, which is something I value.

This combination of cross-platform use, open source, and free helped make this my current password manager. If you don't mind taking the time to set it up (plugins required for the browser extension for instance) then it's well worth it!

The following info on LastPass has been modified as of March 18, 2017
LastPass - Cost: Free or Subscription ($12 USD/year) - Platforms: Windows, Mac, Linux, iOS, Android, Windows Phone, BlackBerry, Firefox OS, Surface RT

I haven't actually used LastPass, but I've heard very good things about it from my peers and would recommend it based on their recommendations and from my readings on it. During the Heartbleed incident LastPass was able to inform you of what passwords to reset. It also will rank your passwords and tell you which ones are weak. The subscription adds a few features (noted on the website) including a shared family folder.

Know Two Passwords
My recommendation is to know two passwords.

Why?

1) You need to know the password for your password manager, otherwise you can't access it, so this one is very important. In the event someone steals your computer or hacks your Dropbox (or wherever the password vault lives) you want it to be very, very difficult for an attacker to crack your master password.

2) In the rare event of your password manager breaking, the loss of your password vault (Dropbox has lost files, after all), or some other catastrophic event that results in losing access to your passwords, you need some way to recover them.

First of all: You should always make backups of files. Preferably following the 3-2-1 rule, but most of the time a simple external hard drive will suffice. But that's a topic for another post.

Second: In the case you still can't access your passwords even with a backup you want to be able to reset them. That's why the second password you should know is your email password. Almost all services let you reset your password via email, so this is crucial.

How?
Now that you know why you need to know these two passwords, how will you remember them and how will you keep them secure?

You could:
  1. Create a Diceware password with a simple six-sided die (aka D6)
  2. Use a password manager to generate these two passwords
  3. Use something like the "Schneier scheme"

For a Diceware passphrase, roll a die 6 times and enter the numbers on this site, which will create a word from a list. Do this for 6 or more words to create a strong password. Alternatively, click the "6 Words" button.
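As an added illustration (not code from the original post or from the Diceware site it references), here is the same procedure in Python: dice rolls are taken from the OS CSPRNG, mapped to an index in a wordlist, and the resulting passphrase's entropy is computed from the list size and word count. The wordlist here is a constructed toy list indexed by two dice; the original Diceware list is indexed by five dice (6**5 = 7776 words).

```python
import math
import secrets
from typing import List, Sequence

# Constructed stand-in for a Diceware wordlist: 2 dice -> 6**2 = 36 entries.
# A real list indexed by 5 dice has 6**5 = 7776 entries.
TOY_DICE_PER_WORD = 2
TOY_WORDLIST: List[str] = [f"word{i:02d}" for i in range(6 ** TOY_DICE_PER_WORD)]


def roll_die() -> int:
    """One fair six-sided roll from the OS CSPRNG (never random.randint)."""
    return secrets.randbelow(6) + 1


def rolls_to_index(rolls: Sequence[int]) -> int:
    """Map rolls (each 1-6) to a 0-based list index by reading them as a
    base-6 number, e.g. [1, 1] -> 0 and [6, 6] -> 35 for two dice."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"invalid die face: {r}")
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(wordlist: Sequence[str], dice_per_word: int, n_words: int) -> str:
    """Roll dice_per_word dice for each of n_words words and join them."""
    if len(wordlist) != 6 ** dice_per_word:
        raise ValueError("wordlist size must equal 6 ** dice_per_word")
    words = []
    for _ in range(n_words):
        rolls = [roll_die() for _ in range(dice_per_word)]
        words.append(wordlist[rolls_to_index(rolls)])
    return " ".join(words)


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy when the attacker knows the list and the number of words:
    each word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(diceware_passphrase(TOY_WORDLIST, TOY_DICE_PER_WORD, 6))
    print(f"6 words from a 7776-word list: {passphrase_entropy_bits(7776, 6):.1f} bits")
```

With a real 7776-word list, six words give about 77.5 bits, which is why the post recommends six or more.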

Make them long, make them secure. Keep them secret, keep them safe. Bruce Schneier has suggested writing down your passwords and keeping them in your wallet, with your other small valuable pieces of paper (bills).

Wrap-up
With these precautions, you now have two secure passwords in case anything goes wrong, and the password managers make sure you have a strong, unique password for every website and app you make an account for.


Image Sources:
Header photo: geralt on pixabay - License: CC0
