How long is the average password you use? Eight characters? Ten? Are you one of those rare few who fit my recommended minimum of twelve?
Chances are, your passwords aren’t secure enough. A saying I’ve seen often in cybersecurity articles is this: “The only secure password is the one you can’t remember.” This seems paradoxical, but there’s solid reasoning behind it, which we’ll discuss.
So, let’s look at passwords. What makes a strong password? How do hackers get passwords? How can you make your passwords more secure?
Storing a password securely is surprisingly difficult to do. Websites (and other types of software) need to act under the assumption that their databases will be breached and that anyone can see their code. Otherwise, they might not take the proper precautions and everyone’s passwords could be breached when one of their mistakes is discovered.
People make mistakes, and that’s okay. A website, though, should make sure that its mistakes have the least possible effect on users. If their database’s security is the only thing protecting people’s accounts, it does not matter how secure the passwords people choose are.
So, how do websites protect passwords?
Your first thought might have been encryption. While storing encrypted passwords is better than unencrypted ones (what we call “clear text” passwords), it isn’t the best we can do. With encrypted passwords, anyone who has access to the database can access any password with an encryption key, including the company’s employees.
As I said, we’re assuming that the attacker has access to all of the website’s code, which means they’d find the encryption key in the same place the website gets it from.
Instead of encryption, websites should use hashes.
“Hashing” a password is taking it and running it through a complicated formula that spits out what looks like a random set of letters and numbers. While running the same password through this formula will always achieve the same result, in theory there is no way to take the result and work your way backward to the password.
Some hash formulas are more secure than others; the difference basically comes down to how long it takes to check your password. If it doesn’t take long, computers can make hundreds of thousands of guesses, hoping to get the right password by chance. (This is called a brute force attack). With a more secure hashing algorithm, each guess takes more power and time, raising the cost for each guess, making it extremely difficult to brute force your passwords.
There are other ways to more securely hash passwords, such as adding salts, but I won’t cover them in this article to keep things simple. If you’re interested, I highly recommend you do some of your own research on this.
Even if most websites you have accounts on follow best practices, a chain is only as strong as its weakest link. Most people who memorize their passwords only have a few, which they reuse on multiple different sites. I used to be guilty of this too, though my passwords were usually multiple dozen characters long.
The problem with reusing passwords is that hackers can often get a list of usernames and passwords from a website that uses insecure practices. Once they have those, they can try to login on multiple different websites with the same usernames and passwords (this is called credential stuffing). If an insignificant account you own gets hacked, and you use the same password for your email, hackers now have access to your email. Every time a password is reused, it becomes more of a liability.
Let’s go back to that saying: “The only secure password is the one you can’t remember.” Most people won’t understand this at first glance—if you can’t remember a password, what’s the point of it?
We’ll look at the solution to this paradox in a moment, but let’s examine the truth behind this statement first. Any password that you can remember is inherently one that can be predicted in some way. It might contain your birthday, it might be the name of your high school science teacher, or it might even have part or all of your own name in it.
There are various levels to which a password can be predictable, but any password you think up is less secure than a random one. For example, if your six-digit pin code is a date, that eliminates 63.5% of possible pin codes.
Well, what about random passwords? They’re possible to memorize, if difficult. In the past, I’ve advocated generating a series of four or five random words and using that as your password.
The problem comes down to password reuse. As I mentioned, people who memorize passwords tend to reuse those passwords on multiple websites, which puts them at risk of credential stuffing.
What people need are password managers. The idea behind a password manager is that it keeps all of your passwords in one place, protected by a single, extra-secure master password (the only one you need memorized). Because you no longer have to remember your passwords, it can generate long random passwords that are unique for every site. If a site gets hacked, you simply change the password and update your password manager. There’s no danger of your other accounts being affected.
It might feel like a hassle at first, but I’ve found it to be worth the extra effort.
I used to take pride in coming up with the longest passwords of anyone I knew. The last one I created before switching to a password manager was 59 characters long, and I used it for anything that I felt needed more security. I had multiple passwords, and I would choose which to use based on how much I trusted the website and how important the information it had was.
A pretty solid system, and, to my knowledge, it hasn’t caused me any problems.
I’d heard about password managers, and a friend recommended one to me, but I never made the switch, confident in my own method and worried that it would be too much effort.
Recently, I became aware of how many companies have data about me. I looked back through my emails and found ones from websites I’d signed up on years ago and forgotten about, some of which I don’t trust anymore to keep my data safe. I have no way of remembering which passwords I’ve used on each of those sites, so I finally decided it would be a good idea for me to at least try out a password manager.
I did; I downloaded KeePassXC (I’ll talk about that later) and have been slowly transferring all of my passwords to it over the course of a couple of months. Some of it has been a hassle, but it hasn’t been nearly as bad as I originally expected, and I’ve found a ton of things that are far simpler now that I have a password manager:
- I no longer need to worry about remembering which passwords I used for each account.
- I now have a list of all the websites where I have accounts, so I’ll notice if there’s one I’m not using anymore.
- I can easily change my master password at any time without having to change my password for any individual account.
- Creating a new account may not be simpler, but it is certainly simple. I generate a password in my password manager, copy it into the website, and I’m good to go. With KeePassXC, I can install a browser extension that helps autofill usernames and passwords, and also includes a button on password fields to generate a new one. If it detects that I use a login that isn’t in my database, it helpfully offers to save it.
I got hacked. What next?
It’ll happen, don’t worry. Some way or another, someone will get information about you they shouldn’t. In the worst case, this will include your password. Either way, here’s how you should continue.
I have a password manager.
Congratulations, this is easy; simply generate a new random password and update both your password manager and the website. Since you’re not reusing passwords (if you are, you’re doing this wrong), you shouldn’t need to worry about hackers accessing your accounts on other sites.
Sadly, the hackers will have access to other things from the hacked account, but you can’t do anything about that. Once your data is leaked, there’s no shoving the toothpaste back into the tube. I would check Have I Been Pwned to see what data hackers might have gained from the breach and what other accounts might have been hacked. (If you don’t find information on that site, check the source you found out about the breach from.)
I would, though, reconsider whether you really need this account; the people behind it obviously aren’t doing enough to keep your data safe.
I keep all my passwords memorized.
Change the password for every account you’ve ever used this account’s password on. Any account that continues to use it is at risk of credential stuffing. (And, of course, change your password for the original account.)
It’s situations like this where you’ll probably wish you had a password manager, if only to remember which accounts use which passwords. Besides, passwords generated by a password manager will almost always be more secure and impervious to attack than anything you can remember. Password reuse is a serious security problem.
I write all of my passwords on a piece of paper which I periodically move to a different place in the house.
Why you think this is a good idea I can’t imagine. Get a password manager now, it’s actually easier than what you’re doing, besides being more secure.
While websites have serious responsibilities when it comes to storing our passwords, we can’t rely on all websites to follow those best practices. Any single website that reveals your password to attackers can give them access to other, more important accounts you own.
To best protect your accounts, you should use a password manager to generate and manage unique random passwords for every account.
IfWhen something goes wrong and one of your accounts gets breached, you can then easily change your password without any other account being at risk.
So, what are some good password managers?
I only recommend open source managers, even though there are some quality closed source ones. In my experience, software is more secure when anyone can look at the code and make sure it is secure, which open source allows. (I’ll be talking about what Open Source is soon.)
I personally use KeePassXC for a few different reasons:
- It stores your passwords in a file rather than uploading them to servers, so there’s no need for an internet connection, and no one else has all your passwords on a server that is out of your control. I use Syncthing to sync and back up this file between devices without the need for a central server, so the only person with a copy of my password database is me.
- It’s available for Linux (on Flathub for any distro), Mac OS, and Windows, as is Syncthing, so I can access my passwords on any computer.
- Syncthing doesn’t work on my phone, but KeePassXC allows me to generate random lists of words as passwords, which are easy to copy over if necessary. (I also rarely use my phone.) Syncthing might work on Android, so that’s worth checking.
- Even if someone gets the file, they can’t decrypt it without my master password. I picked one over sixty characters long which I don’t use anywhere else and set the database to use the most secure encryption it offered, which means each guess at my password would take five seconds to check, slowing down anyone trying to figure it out.
I’ve also heard BitWarden recommended, so that’s another one to look into. It’s also open source, but it allows you to store your passwords on its servers, which makes syncing them between devices easy. It’s available for all operating systems, and should work on your phone as well.
Many people choose to use a password manager built into their browsers. While this is a valid approach, I’d think very carefully about it; how much do you trust the people who made your browser to keep passwords safe? I certainly don’t trust Google Chrome, and though Firefox is better, I’m uncomfortable trusting my passwords’ security to an app that doesn’t specialize in password security. As I see it, an app completely dedicated to passwords is likely to be higher-quality than one that has it as a side feature.
Whatever you pick, be sure to choose the most secure master password you can, because if anyone gets into your password manager, they now have your passwords for every account.
Take a look at these options, and pick one that fits you well. Then, start changing your passwords to secure, random ones. Trust me, it’s worth the time now to make sure that your accounts will be secure in the future.
This article is part of a series on digital citizenship, the way we live in a technology-saturated world, which you might enjoy reading in order from the beginning.