Secure passwords

October 30, 2019

Passwords are one of the most important tools to protect information in the digital world.

Email systems, online banking, social media and others have in common the use of passwords to protect account access. What is a password? Wikipedia defines a password as “a memorized secret used to confirm the identity of a user.” This is a general concept; if you think about it in the digital world, a password is a string of characters that allows a user to access a file, a hardware device or a program.

This article discusses the issues around the use of passwords, their security today and the reason why a significant number of people reuse their passwords. Recommendations will then be given on how to create secure and different passwords for each account.

In the year 2013, Bill Burr wrote the document “NIST Special Publication 800-63. Appendix A” for the National Institute of Standards and Technology, where he gives recommendations for creating secure passwords based on randomness and difficulty, and describes ways in which a greater number of character combinations could be used in passwords of a given length. This document motivated the digital world to adopt certain recommendations for the use of secure passwords on the Internet, such as a minimum of 8 characters, a combination of upper- and lower-case letters, the use of numbers and special characters, etc.

The following image shows the expectations of a strong password according to these recommendations:

Regular password expectations

After more than 15 years, Burr, in an interview for the Wall Street Journal, said: “Much of what I did I now regret”. This is because, in practice, it is common for people to use passwords such as “Autonomi@2019” in systems that validate password strength according to the suggestions mentioned above; but, in systems that do not validate them, they end up using passwords like the ones you can see in the following image, taken from an article about the leak of sensitive data from the Adobe company:

Most used passwords from the Adobe data-leak

The problem is worse if you consider that Adobe is only one of the many companies that have suffered massive data breaches. If you are one of the people that reuse their passwords, and your account information was leaked in one of these data leaks, it is likely that your password could be used by criminals to access your other accounts, such as social media, email or even bank accounts.

To know if you have been a victim of one of these data leaks, visit the Have I Been Pwned site.

Passphrases

Currently, most people know what a password is, but very few people know about passphrases. These are a sequence of words, preferably random and without a grammatically correct order, that can be separated by spaces or other characters. This makes passphrases easier for users to remember and harder for adversaries to guess than traditional passwords.

For example, suppose that you have the password “{FjVkm;@C39=$” and you want to change it to a passphrase like “cake relax savior rural neatness autism”. In the first case, if an attacker knows the length of the password and that it contains special characters, letters and numbers, then a computer that can test 1000 passwords per second could guess the password in only 3 days. This changes in the second case: a passphrase of random words would take 550 years to be guessed at 1000 tries per second. Visit the following link to know more about it.

The complexity or difficulty of a password is a matter of entropy, a concept from information theory which basically refers to the amount of randomness contained in a password. That is, the more random the password, the harder it is to crack.
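The guess-time figures above depend entirely on how large the attacker's search space is assumed to be, which is what entropy measures. The following Python example is added here to make those assumptions explicit; it is not code from the original article. It models three cases with constructed parameters: a “compliant” pattern password of the Word@Year form (assumed to be drawn from a 50,000-word dictionary, 32 symbols and 100 years), a random passphrase drawn from a word list (assumed 7776 words, the size of a typical diceware list), and a fully random string of printable ASCII characters (95 symbols). It also generates a passphrase with the standard `secrets` module from a small constructed word list.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy in bits of a secret whose positions are chosen uniformly
    and independently from `choices_per_position` possibilities."""
    return positions * math.log2(choices_per_position)


def expected_seconds_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: on average the attacker
    tries half of the 2**bits candidates before hitting the right one."""
    return (2 ** bits) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration as a readable string (assumption: coarse units are enough)."""
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def pattern_password_bits(dictionary_words: int = 50_000,
                          symbols: int = 32,
                          years: int = 100) -> float:
    """Entropy of a human-style 'Word@Year' password (e.g. Autonomi@2019).
    Constructed model: the attacker only has to search dictionary x symbol x year,
    not every 13-character string, because the structure is predictable."""
    return math.log2(dictionary_words) + math.log2(symbols) + math.log2(years)


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of `word_count` words chosen uniformly from a word list.
    7776 is the size of a standard diceware-style list (assumption)."""
    return entropy_bits(wordlist_size, word_count)


def random_chars_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of `length` characters chosen uniformly from printable ASCII."""
    return entropy_bits(alphabet_size, length)


def generate_passphrase(words: list, count: int, separator: str = " ") -> str:
    """Pick `count` words with a cryptographically secure RNG (secrets.choice).
    Never use random.choice for this: it is not designed to be unpredictable."""
    return separator.join(secrets.choice(words) for _ in range(count))


# Constructed, deliberately tiny word list just so the example runs offline.
# A real passphrase generator should use a large published list.
SAMPLE_WORDLIST = ["cake", "relax", "savior", "rural", "neatness", "autism",
                   "lantern", "pebble", "orbit", "velvet", "hazel", "tundra"]


def compare(guesses_per_second: float = 1000) -> dict:
    """Return entropy and expected guess time for the three models."""
    models = {
        "Word@Year pattern": pattern_password_bits(),
        "6 random words (7776-word list)": passphrase_bits(6),
        "13 random printable characters": random_chars_bits(13),
    }
    return {name: (bits, expected_seconds_to_guess(bits, guesses_per_second))
            for name, bits in models.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:35s} {bits:6.1f} bits  ~{human_time(secs)} at 1000 guesses/s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST, 6))
```

The interesting comparison is the first two rows: the pattern password has about 27 bits and falls in under a day at 1000 guesses per second, while six random words from a 7776-word list carry over 77 bits. The lesson is that a password is only as strong as the search space an attacker actually has to cover, which is small for predictable patterns regardless of how many character classes they contain. Note that the tiny `SAMPLE_WORDLIST` gives only `6 * log2(12)` bits, far less than the 7776-word model; the generator is only as good as the list it draws from.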

Password managers

Even though passphrases can be very secure and relatively easy to remember, they do not solve the problem of having a different passphrase for each account. For this case, a password manager is the tool that helps you generate secure and random passwords/passphrases. The passwords/passphrases are stored in an encrypted database that should be protected with a master passphrase generated according to the recommendations of this article.

There are two kinds of password managers: online ones and offline ones. The first are more convenient because it is easy to sync passwords and usernames among devices (computers, phones, etc.). Nevertheless, because they are an online service, the service providers have some control over the passwords saved on their servers. On the other hand, offline password managers are more secure, because the information is stored locally; however, synchronizing passwords among devices is not as easy.

Recommendations and conclusions

The use of one password for all accounts, or of several insecure passwords, increases the insecurity of users on the Internet. This risk is bigger when there are data breaches at online providers that, in many cases, include sensitive information like usernames and passwords.

Passphrases are the best option in most cases for systems that require authentication, but not all systems support this kind of password. For that reason, it is important to know where you can use passphrases and where you have to use traditional passwords.

The use of a password manager protected by a secure, randomly generated passphrase significantly increases the online security of people; that is because you can have a secure and different password for each account.

The use of a password manager brings other kinds of risks that should be taken into account, and that can be mitigated with common security recommendations. For example, what happens if you lose access to the database where the passwords are stored? In this case, you should make regular backups of your password file. That way, if you lose your password file, you will have a backup to start over from.