In today's digital world, our online accounts hold a treasure trove of personal information: emails, financial data, social media profiles and more. Protecting this data is crucial, and with the ever-growing threat of cyber attacks, the first line of defense is a strong password.
The question is: how do we manage these keys to our digital presence effectively and securely, without getting lost?
Let's dive in!
First, let's look at ways our passwords can be broken or stolen:
- attackers use automated tools to guess weak passwords through brute-force attacks (trying all combinations of characters, usually narrowed by rules and masks); against a leaked password database these guesses run offline, at billions of attempts per second on GPU hardware
- a simple or common password can be guessed with a dictionary attack (wordlists built from previously leaked passwords, combined with mangling rules) or from information we have published about ourselves
- through phishing, we hand the password to an attacker ourselves by typing it into a fake login page
- lists of user passwords leak when account providers get compromised (this happens quite often); if the provider stored them with a fast or unsalted hash, they are cracked quickly
Furthermore, cybercriminals use a technique called credential stuffing: once they obtain an email/password pair from a data breach on one website, they automatically try the same pair on every other service you might use.
💡 Check if your user account data has been leaked at Have I been pwned?
What makes a password strong?
- having a unique password for every service, so when there's a leak at one provider, our other accounts stay safe
- length is crucial: a random 8-character password, even with symbols, falls to offline cracking of a leaked database within a day on a single modern GPU when the service used a fast hash, and a human-chosen 8-character password typically falls within minutes
- the minimum recommended length is around 16 characters or more, which raises the brute-force effort from hours to many lifetimes
- a tip for remembering a long password easily is to use a passphrase: a sentence or sequence of several unrelated words
- complexity of a password
- avoid using your personal information or anything too common (names, popular phrases, song lyrics), which is guessed first
- using special characters and numbers is a good bonus, try to be unpredictable
- but remember that a short complex password is always weaker than a significantly longer, simpler one
Beware of the usual password requirements like a mandatory special character and number and regular forced changes: these are outdated and weak (NIST SP 800-63B now advises against both composition rules and periodic rotation):
- the required minimum length is usually too short (often 8 characters) for modern cracking hardware
- when the length is not enough, numbers and special characters will not save the password, especially because people follow predictable patterns (capital letter first, digit and special character at the end) that cracking rules target directly
- forced regular resets make people create very similar passwords (e.g. only incrementing the number at the end), which crackers also try first
✅ Uniqueness, length and complexity (in that order of importance) defend against credential stuffing, brute-force and dictionary attacks
💡 NEVER reuse your passwords!
💡 Create a long but memorable passphrase, preferably 16 or more characters, with some complexity as a bonus
💡 You only need to change a password after a leak occurs; get notified using Have I Been Pwned or Mozilla Monitor
💡 Think about the risk: your Netflix password does not need to be as strong as your e-mail or domain registrar password
Juggling multiple complex passwords can be a nightmare. This is where password managers come to the rescue.
These secure applications store all your passwords in one place, encrypted and protected by a master password. Password managers also offer features like secure password generation, auto-fill and alerts for password leaks.
- browser built-in password managers (e.g. in Chrome, Firefox) are better than reusing passwords, but a dedicated manager is preferable: a browser vault is tied to one browser and vendor account, and it usually unlocks together with your OS login without a separate master password (Firefox's primary password is optional and off by default), so it needs an up-to-date, well-configured browser to stay safe
- since a password manager puts all your passwords into "one basket", be careful when choosing one
- good indicators are being open-source (so experts can verify the code) and independently audited
- decide between an offline manager (a local vault file, e.g. KeePass, which you back up and sync yourself) and a synced one (a cloud vault encrypted on your device before upload, which gives you all your passwords on every device easily)
- some examples: Bitwarden, KeePass, NordPass, Proton Pass, 1Password
✅ A good password manager helps you create, store and use strong, unique passwords easily
💡 Use a reputable, up-to-date password manager with a very strong AND memorable master password, and turn on 2FA for the manager account itself
Now that we have a secure password, what if we added another obstacle? Enter Two-Factor Authentication (or 2FA).
Think of 2FA as a double lock on your door. Even if someone manages to guess your password, they still need a second piece of information to gain access.
- there are multiple forms: SMS, email, time-based codes, push notifications, hardware keys
- SMS and email are weaker: an SMS code can be intercepted through SIM swapping or telecom weaknesses, and an email code is only as safe as the email account; neither requires physical access to your device
- time-based codes (Time-Based One-Time Password, TOTP) are probably the most widely used and are more secure than SMS or email, but a code can still be phished: an attacker who relays it to the real site within the 30-second window gets in
- hardware security keys (YubiKey, Trezor and other FIDO2 devices) are the strongest option, because the key only answers the genuine site and a phishing page gets nothing; push notifications are convenient, but attackers abuse them by sending repeated prompts ("push bombing") hoping you tap approve, so deny any prompt you did not trigger yourself
Remember that an account with several 2FA methods is only as secure as the weakest one enabled. For example, with both email and push notification 2FA set up, an attacker can always target the email path. Remove the weaker fallbacks on critical accounts.
However, any 2FA is generally better than none.
To avoid being locked out when you lose the 2FA method (e.g. losing a phone), save the backup/recovery codes the service offers immediately after setup, and store them somewhere safe and separate (e.g. in your password manager or printed).
✅ 2FA functions as a second layer of defense when the password is compromised; only FIDO2 hardware keys (and passkeys) also stop phishing
💡 Enable strong 2FA for all your critical accounts (primary email, phone account (Google/Apple), password manager, etc.) and don't forget to back it up
All of this discussed earlier seems like a lot of work to reach reasonable level of password security. What if there was a more convenient and secure way? It turns out, passkeys might be it.
They are a new way to secure your online accounts using cryptographic keys instead of passwords. If interested, you can read about how cryptographic keys work.
What are the benefits?
- passkeys replace the need for both passwords and 2FA
- you use your device's unlock functionality to login (fingerprint, face recognition or PIN)
- the private key is generated and stored on your device; the service only keeps the matching public key, so a breach of the service leaks nothing an attacker can log in with
- a passkey is bound to your user account and to the website's domain (or app), so the browser will not even offer it on a look-alike domain; there is nothing you could type into a fake page
- passkeys can be synced between your devices (through your platform account or password manager), so you do not need to set one up separately everywhere
How does it work in real life?
- Registration - when creating a new account, you can choose an option to create a passkey, which will get securely stored on your device
- Login - during login, you can choose an option to login with passkey, which will prompt you to unlock your device to use the passkey stored there
- When logging in on a device where you don't have the passkey stored or synced, you can use another device that has it: scan a QR code with that device, and it completes the login over a short-range Bluetooth connection that proves the two devices are physically near each other
Or, you can watch this short video explanation.
You can store passkeys in:
- Windows
- Chrome (synced)
- iOS, macOS (synced)
- some password managers like Proton Pass, 1Password, Bitwarden (synced)
- hardware security keys with FIDO2 support
Can I use them already?
Big names like Google, Microsoft, Apple and others are already pushing the adoption of passkeys. You can currently use them also on Amazon, eBay, LinkedIn, PayPal and many other sites, and the list is expected to grow.
For now, traditional password login will still work for you even when you set up a passkey, but in the future it is expected that only passkeys will remain.
Therefore, you still need to have a strong password until the password login is phased out.
✅ Passkeys are phishing-resistant and immune to brute-force and credential stuffing, a breach of the service exposes only public keys, and there is nothing to remember
💡 You can try setting up a passkey for a supported service you use to be prepared for the future :)
- security vs. convenience - generally the more secure you want to be, the more inconvenience you must put up with
- sort your digital life into multiple categories of risk, and put stronger protection on your most critical assets
- having a strong password is just one part, think about your digital behavior:
- check if you are visiting trusted websites
- be cautious on free public WiFi networks: with HTTPS the main risks are look-alike networks and fake captive portals, so never click through certificate warnings there, and use a VPN if you must log in to something sensitive
- keep your apps and devices up to date and encrypted
- be wary of suspicious emails and messages which might want to trick you into revealing your personal information