Passwords have been in the news a lot lately, mostly due to various breaches at an assortment of online service providers.
I want to briefly touch on four topics:
- Best practices: what makes a good password
- Storage strategies: how to securely keep track of it all
- Two-factor authentication: protection against breaches
- The possible death of the password as a security identifier
The definition of “good password” has changed
It used to be that eight random characters was considered a secure password. That’s no longer true; 12 characters is the minimum. I use 20 characters when possible.
Random characters are considered best. But, and this is often not well understood, length matters more than complexity.
Each extra character multiplies the number of candidates by the size of the character set, so the time to brute-force a password grows exponentially with its length. While the password “password” is horrid, “1234 password 1234” is many orders of magnitude harder to crack or guess. One caveat: cracking tools do not work character by character; they try dictionary words combined with common digit runs directly, so a long password built from a predictable pattern is worth far less than its length alone suggests. Length counts fully only when the characters (or the words, in a passphrase) are actually random.
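The arithmetic behind “length beats complexity”, as an added example that is not part of the original article. It compares the keyspace of the article’s examples two ways: brute-forced character by character, and attacked as the pattern they actually follow. The guess rate, the alphabet sizes and the attacker’s wordlist size are assumptions chosen for illustration.

```python
import math

# Assumptions for illustration (not figures from the article).
GUESSES_PER_SECOND = 1e10   # offline attack on a fast, unsalted hash
WORDLIST_SIZE = 100_000     # size of the attacker's dictionary

LOWER, DIGITS, PRINTABLE = 26, 10, 95   # alphabet sizes; 95 = printable ASCII incl. space


def brute_force_bits(alphabet_size: int, length: int) -> float:
    """Keyspace in bits for `length` characters chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def pattern_bits(component_choices: list) -> float:
    """Keyspace in bits when the attacker targets the structure directly
    (e.g. digit-run + dictionary word + digit-run) instead of every string
    of that length. Each entry is the number of choices for one component."""
    return sum(math.log2(n) for n in component_choices)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2.0 ** bits / rate


def compare_examples() -> dict:
    """The article's examples, as keyspace bits."""
    return {
        # 'password' is in every wordlist: effectively one guess.
        "'password'": pattern_bits([1]),
        "8 random printable": brute_force_bits(PRINTABLE, 8),
        "12 random printable": brute_force_bits(PRINTABLE, 12),
        "20 random printable": brute_force_bits(PRINTABLE, 20),
        # '1234 password 1234' if the attacker naively brute-forces 18 chars
        # drawn from lowercase + digits + space:
        "'1234 password 1234' brute-forced": brute_force_bits(LOWER + DIGITS + 1, 18),
        # ...versus the same string attacked as the pattern it is: a 4-digit run,
        # a dictionary word, a 4-digit run (the separators add about a bit each).
        "'1234 password 1234' as a pattern": pattern_bits([10**4, WORDLIST_SIZE, 10**4]),
    }


if __name__ == "__main__":
    for label, bits in compare_examples().items():
        days = seconds_to_exhaust(bits) / 86400
        print(f"{label:36s} {bits:6.1f} bits  {days:.3g} days to exhaust")
```

The pattern row is the point: attacked as “digits, word, digits” the 18-character example is worth about 43 bits, less than 8 truly random printable characters (about 53 bits), even though it is still some 10^13 times better than “password” on its own.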
Just as important as using strong passwords: never, ever use the same password for more than one purpose. When a breached site’s passwords leak, attackers try every email-and-password pair against other services (so-called credential stuffing), so one breach exposes every account that shares the password.
Use technology to remember and enable
With completely random characters as the gold standard, this leaves us with lots of unique, long passwords that are impossible to remember.
For 99% of all users, password vaults are the solution. Tools like LastPass, Roboform, 1Password, KeePass, and others collect, retain, and often enter your login credentials for you. They all strongly encrypt your collection of passwords and require that you authenticate with a master password in order to gain access.
The biggest objection I hear is, “What if the vault provider gets hacked — doesn’t the hacker now have access to all of your accounts?” The answer is simply, strongly, and emphatically NO.
LastPass, for example, stores your passwords as strongly encrypted data that even LastPass cannot read: the key is derived from your master passphrase, and decryption happens only on your device(s), and only when you supply that passphrase. The caveat is that a stolen encrypted vault is only as strong as the master passphrase, because whoever holds the encrypted blob can try guesses against it offline; that is why vaults derive the key with a deliberately slow function, and why the master passphrase itself must be long. In the case of some other vaults, by default the encrypted database isn’t kept online at all and must be accessible to you, often on a USB thumbdrive you carry with you.
There is always risk for any solution you choose, but the risk of someone gaining access to your vault pales in comparison to the risks associated with using weak passwords or re-using passwords across multiple sites. Put another way, password vaults allow you to give every account its own unique, long, strong password that you don’t have to remember (or type, in most cases).
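To make concrete why a stolen vault is not the same as stolen passwords, here is an added example (not any vault product’s code) of the client-side scheme vaults follow: a slow key derivation from the master passphrase, encryption and authentication on the client, and a stored blob that reveals nothing without that passphrase. A real vault would use AES-GCM; HMAC-SHA256 run in counter mode stands in here so the example runs on the Python standard library alone. The scrypt work factors are assumptions and would be tuned upward in practice.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Assumed scrypt work factors (about 16 MiB of memory per derivation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the master passphrase.
    The cost is paid once per unlock by the user, and once per guess by an
    attacker who steals the encrypted blob."""
    km = hashlib.scrypt(master_password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC(key, nonce || counter) blocks.
    Stand-in for a real cipher (AES-GCM) so this runs on the stdlib only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(master_password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The returned (salt || nonce || ciphertext || tag) is
    everything the provider ever stores; none of it reveals keys or plaintext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; a wrong master passphrase or a
    tampered blob returns None rather than garbage."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    # Constructed sample vault contents.
    vault = b"bank.example: correct horse battery staple\nmail.example: xK9#vT2!pQ7z"
    blob = lock_vault("my long master passphrase", vault)
    assert unlock_vault("my long master passphrase", blob) == vault
    assert unlock_vault("guessed wrong", blob) is None
    print(f"stored blob: {len(blob)} bytes; plaintext never left the client")
```

Note what an attacker holding `blob` can do: nothing but run `derive_keys` once per guess of the master passphrase, which is why the work factors and the passphrase length together decide how safe a stolen vault is.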
Protection against breaches
Even if I were to tell you my banking ID and password, you would still not be able to log in to my account. That’s because of something called “two-factor authentication”.
When I log in to that account for the first time on a new computer (or after clearing cookies), my bank sends me a text message with a code I must enter. That proves I am in possession of my second factor: my mobile phone. SMS is the weakest form of second factor, since a SIM swap puts your number in an attacker’s hands, but it is still far better than a password alone.
Another approach uses an application that displays a number derived from a secret shared with the service and the current time, changing every 30 seconds. Entering the number proves that you possess the device holding that secret. There are also hardware devices such as the YubiKey, a USB key that, when inserted and touched, emits a one-time code derived from a secret that never leaves the key, proving you possess it.
If long and strong passwords are the gold standard, two-factor authentication is the platinum standard. Even if your password is discovered, an attacker still can’t get in with it alone. The remaining gap is a phishing page that relays your one-time code in real time; hardware keys that bind their response to the site’s origin close that gap, which is one more reason to prefer them where offered. I can’t recommend two-factor highly enough for accounts that support it.
The (slow) death of the password?
We’ve gone from one factor (a password, or something you know) to two (adding proof of something you have). Now we’re seeing some services drop back to using only that second factor.
This could be the first step in the death of the password.
One example is accounts where you log in by providing only your email address. The service then sends an email with a link that, when clicked, logs you in. Your ability to read that email and click the link proves you control the mailbox, which makes the account exactly as secure as the email account behind it.
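A server-side model of that email login link, as an added example that is not any provider’s code. It shows the three properties such a link needs: a token from a cryptographic random source, storage of only a hash of the token (so a database leak cannot be turned into working links), and a short expiry with single-use redemption. Function names, the URL and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a login link

# token_hash -> (email, expires_at). A real service keeps this in a database.
_pending: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_link(email: str, now: float,
                     base_url: str = "https://example.test/login") -> str:
    """Mint a single-use token for `email` and return the URL to email out.
    Only the hash is stored; the token itself exists in the email alone."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _pending[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"{base_url}?token={token}"


def redeem_login_link(token: str, now: float) -> Optional[str]:
    """Return the authenticated email, or None. The entry is removed on the
    first attempt, so an expired, unknown or already-used token all fail and
    a second click cannot reuse it."""
    entry = _pending.pop(_hash_token(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    import time
    link = issue_login_link("leo@example.test", now=time.time())
    print("emailed link:", link)
    token = link.split("token=", 1)[1]
    print("first click ->", redeem_login_link(token, now=time.time()))   # leo@example.test
    print("second click ->", redeem_login_link(token, now=time.time()))  # None
```

One practical caveat: corporate mail scanners often pre-fetch every link in an incoming message, which with this exact design would burn the token before the user sees it. The usual fix is to have the link land on a page with a confirm button and redeem the token only on that POST.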
More recently, some providers are pairing up with apps on mobile devices. For instance, I recently logged into my Microsoft account on my PC by providing only my email address, at which point a notification popped up on my phone via a Microsoft app installed there. Authorizing that notification with a single tap completed the login on my PC.
My ability to respond to that notification on that device proved the device was in my possession, and so that I was who I said I was. The catch is that such prompts must be approved only for logins you actually started; a stream of unexpected prompts means someone has your password and is hoping you tap through.
I expect more progress in this arena. Password-based log-in is, after all, technology upwards of half a century old.
But until then, long, strong, and unique is the order of the day.
And use a password vault to make all that possible.