Many people believe they are capable of coming up with secure passwords. While that would be great, the truth is they all overestimate their capabilities. As security expert Troy Hunt aptly puts it, the only secure password is the one you can’t remember.
Fact: humans are terrible password generators
In 2013, a Google Apps survey with 2,000 participants revealed the following top 10 most common password choices:
- Pet names
- A notable date, such as a wedding anniversary
- A family member’s birthday
- Your child’s name
- Another family member’s name
- Your birthplace
- A favourite holiday
- Something related to your favourite sports team
- The name of a significant other
- The word “Password”
These all share a common trait: they are easy to guess or obtain.
SplashData is an Internet security firm that publishes a yearly list of the most used passwords, based on data extracted from millions of breached records. You can find the lists, dating all the way back to 2011, on Wikipedia. In the 2016 edition, the 25 most common passwords made up more than 10% of the surveyed passwords, and the single most common password of 2016, “123456”, accounted for 4% on its own. The lesson is that we are simply terrible at coming up with secure passwords. Not convinced? Try answering the following questions:
- Do you use the same password everywhere?
- Do you use a variation of the same password for all your accounts by changing a letter or number, or by adding the name of the service you signed up for?
- Do you use a fixed set of a few different passwords, such as one for your “bogus” accounts, one for your “important” accounts, …?
- Do you ever forget which usual password you went with, or which variation you opted for when creating your account?
- Do you still use extremely simple passwords, such as “123456” or “p@$$w0rd”?
- Is your password strategy driven by the requirement that passwords must be easy to remember?
If you answered yes to any of these questions, go check HaveIBeenPwned to see whether your credentials have been compromised (you can check your email address and your password(s) there). If, by chance, they haven’t been compromised yet, I can guarantee it is only a matter of time; it may also simply be that the breaches containing your data are not public knowledge yet. Many leaks and data breaches are only discovered years after they happen.
Although having superpowers that allow us to generate and memorise random passwords of more than 25 characters, mixing letters, numbers and special characters, would be wonderful, we are unfortunately still human; we need to extend our brain in some way to generate and store a secure password for each of our accounts. That is what it takes for our accounts to be properly secured: each of them protected by a unique, long, complex and, above all, random password.
Fact: using unique passwords greatly enhances the security of our accounts…
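To make “random” concrete, here is an added example (not code from the original article) that generates a password from the operating system’s cryptographic random number generator and compares its entropy, in bits, with two human-style schemes of the kind listed above. The list sizes used for the human schemes (20,000 first names, 36,525 dates, 10,000 pet names) are constructed estimates for illustration only.

```python
import math
import secrets
import string
from typing import Dict

# Alphabet for generated passwords: 52 letters, 10 digits and 14 symbols (76 characters).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length: int = 25, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly at random from `alphabet`,
    using the OS CSPRNG via the `secrets` module (never the `random` module)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length) bits."""
    return length * math.log2(alphabet_size)


def scheme_entropy_bits(*choice_counts: int) -> float:
    """Upper bound on the entropy of a human scheme that concatenates independent
    choices, e.g. one of N names followed by one of D dates: log2(N) + log2(D)."""
    return sum(math.log2(n) for n in choice_counts)


def compare() -> Dict[str, float]:
    """Entropy of a 25-character generated password versus two human-style schemes.
    The list sizes are constructed estimates for illustration, not survey figures."""
    return {
        # One of ~20,000 first names followed by one of 36,525 dates (100 years of birthdays).
        "name+birthday": scheme_entropy_bits(20_000, 36_525),
        # One of ~10,000 pet names with a two-digit number appended.
        "petname+2digits": scheme_entropy_bits(10_000, 100),
        # 25 characters chosen uniformly from the 76-character alphabet above.
        "random25": entropy_bits(25, len(ALPHABET)),
    }


if __name__ == "__main__":
    print("generated:", generate_password())
    for scheme, bits in compare().items():
        print(f"{scheme:>16}: {bits:6.1f} bits")
```

The human schemes land below 30 bits even with generous list sizes, while the 25-character random password exceeds 150 bits; the gap is the reason the article insists on random rather than memorable passwords.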
…and sometimes the security of other users as well. You might not deem it necessary to have a unique password for each of your accounts, but it vastly improves their security with the added benefit of a certain peace of mind. For instance, if a site on which you have an account gets hacked, or an employee of the service accesses data they shouldn’t have access to, or you fall victim to phishing or something else, the breach remains confined to the affected account. This means you only need to change a single password. It’s like having several houses: if your keys get stolen and all your houses share the same lock, you will need to go through the hassle of changing all your locks. However, if you installed different locks, an incident like this becomes pretty insignificant, since you would only need to change one lock for all your houses to remain secure.
In 2012, 68 million Dropbox users had their accounts compromised because a single employee reused their LinkedIn password for their internal Dropbox account. The hacker first targeted LinkedIn, which used to store passwords in a very insecure way[1]; retrieving the password of the aforementioned Dropbox employee, along with those of the 117 million other affected users, was therefore a trivial task. According to Motherboard, 90% of the passwords had been recovered within 72 hours of the hack.
Once in possession of the employee’s LinkedIn password, the hacker was able to access Dropbox’s internal network and steal the user account database. Let that sink in: 68 million people affected because of one reused password. It gets worse: the hack was only discovered four years after it happened. Later that year, Best Buy accounts were also compromised using credentials obtained through the hacking of other vulnerable websites. This kind of incident happens very frequently, as evidenced by Troy Hunt’s HaveIBeenPwned.
Using a unique password for each of your accounts is therefore not only about protecting yourself; it can also protect other people. You might think this only applies to employees of large companies, but think again: imagine the wealth of information that can be gathered about you and your loved ones by scouring your inbox. There is certainly more than enough there to write a credible email that tricks your loved ones, not to mention everything else that can be found in it. This is just one example; hackers certainly have far more uses for your inbox.
All this is why having unique and secure passwords is highly recommended. Given the ever growing number of accounts we have, it is impossible to create and remember a unique and secure password for each of them. In my case, I would need to create and remember over 400 passwords. Note that before I started using a password manager, I didn’t realise I had so many accounts. Had someone asked at the time, I would probably have guessed around 50.
Fact: the security of the services we use is beyond our reach
Another big problem with passwords is the security of the hundreds of services we create accounts for. Ideally, these services should do everything in their power to ensure that a user’s password is known only to them; passwords must never be accessible by anyone else, directly or indirectly, be it the creator of the service, its hosting provider, your Internet service provider or your government.
If, at any time, a service is able to provide you with the password you used on their platform, consider that password compromised. This includes services that send you your password by email when you forget it, instead of asking you to create a new one. A feature like this indicates that your password is stored in a way that allows the service to retrieve it, which means either in clear text or, if you’re “lucky”, encrypted. If it’s encrypted, the service also holds the decryption key, so they might as well be storing it in clear text as far as security is concerned. Storing passwords encrypted is the equivalent of storing your valuables in a safe with the key taped to the door. The only acceptable way to store passwords is to hash them, a mathematical process that generates a fingerprint of the password. Unlike encryption, which is bidirectional, it is impossible to retrieve a password from its fingerprint[2], much like you cannot figure out the exact recipe used to make a cake. Even though you hold the finished product—the fingerprint—and the way to make cake—the mathematical process—is public knowledge, it’s virtually impossible to create the exact same cake without the exact recipe—the password. Any method of storing passwords other than hashing allows a malicious person who has or gains access to the service’s servers to retrieve the users’ passwords very easily. This is why there are standards to adhere to when storing passwords: they provide a way to store them as safely as possible while guaranteeing their confidentiality.
Solution: the password manager
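The difference between a reversible store and a proper password hash is easiest to see in code. The following is an added example, not the article’s code, written against the Python standard library: the first function is the unsalted SHA1 scheme the LinkedIn footnote describes, the second is a slow, salted PBKDF2-HMAC-SHA256 hash with a constant-time verification. The stored-string layout (`pbkdf2_sha256$iterations$salt$digest`) and the iteration count are this example’s own choices; libraries that implement Argon2, scrypt or bcrypt are the usual recommendation when available.

```python
import hashlib
import hmac
import os
from typing import Optional

# How NOT to store a password: an unsalted, fast digest. Every user with the same
# password gets the same fingerprint, and a precomputed table reverses it at once.
def insecure_sha1_store(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Acceptable storage: a deliberately slow, salted password hash. 600,000 iterations is
# this example's choice for PBKDF2-HMAC-SHA256; tune it to your hardware budget.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt and digest, so the
    parameters can be raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    The password is never recovered from the record; it is only re-hashed."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_record(scheme) -> bool:
    """True if two users choosing the same password end up with identical records,
    which is what lets one recovered password expose every account sharing it."""
    return scheme("123456") == scheme("123456")


if __name__ == "__main__":
    print("unsalted SHA1 links users:", same_password_same_record(insecure_sha1_store))
    print("salted PBKDF2 links users:", same_password_same_record(hash_password))
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("wrong", record))
```

Note that the salted scheme yields a different record every time the same password is hashed, yet verification still succeeds; that is the property that prevents one breach from revealing which users share a password, and the slow iteration count is what makes the guessing described in footnote 2 expensive.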
Although it is impossible to protect ourselves from improper password storage or the inevitable leaks of our credentials, it is however possible to limit the extent of the damage these cause by making our passwords:
- Strong so they cannot be guessed, by either a human or a machine.
- Unique so that one compromised account does not automatically lead to other accounts being compromised.
You guessed it: the easiest and most secure way to achieve this is to use a password manager. The way they work is pretty straightforward: a password database, encrypted using a Master Password known only to you. This means you only need to remember one long and secure password. Some people argue that storing all your passwords behind a single passphrase represents a single point of failure, since anyone with that passphrase gets instant access to all your accounts. The important thing to keep in mind is that the biggest threat to your passwords doesn’t lie on your physical machine, but rather on all the platforms, networks and databases your passwords sail through. In short, the vast majority of risks are distant and not local. From a hacker’s point of view, they would have to choose between:
- Hacking a random user, which may net them a few hundred accounts that are all linked to a single user.
- Hacking into a centralised system, which will net them anywhere from a few thousand to a few million accounts, which can then be sold in bulk and used to look for accounts on other platforms (this widespread practice is called credential stuffing).
I don’t know about you, but if I were the hacker my choice would be pretty clear cut.
In a nutshell, using a password manager allows you to greatly improve the security of your accounts. Usually, it will also allow you to store credit cards, secure notes, bank accounts, Wi-Fi passwords, license keys, … In addition to all this, many of them offer additional features. Here are some examples from mine:
- Two-factor authentication integration, which requires you to enter a unique temporary code in addition to your password on supported sites.
- Detection of accounts for which two-factor authentication is available but not enabled.
- Detection of reused passwords.
- Detection of accounts for which the URL is using HTTP when the associated website is available over HTTPS.
- An integration with HaveIBeenPwned, which allows you to easily get an idea of which accounts or passwords have appeared in a leak, without revealing any of your credentials.
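The three detection features above (reused passwords, HTTP URLs where HTTPS is available, and the HaveIBeenPwned check that reveals no credentials) can be implemented over a vault in a few dozen lines. This is an added example, not the code of any real password manager: the `Entry` structure, the vault contents, the list of hosts known to serve HTTPS and the range-API reply are all constructed for the example. The HaveIBeenPwned part follows the published k-anonymity protocol: only the first five hex characters of the password’s SHA-1 are sent to `https://api.pwnedpasswords.com/range/<prefix>`, and the remaining 35 characters are compared locally against the returned `SUFFIX:COUNT` lines.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set
from urllib.parse import urlsplit


@dataclass
class Entry:
    """One vault record (hypothetical layout; real managers store more fields)."""
    site: str
    url: str
    username: str
    password: str


# Constructed vault contents for this example; none of these are real accounts.
VAULT = [
    Entry("Example Mail", "https://mail.example.com/login", "alice", "123456"),
    Entry("Example Shop", "http://shop.example.com/account", "alice", "123456"),
    Entry("Example Bank", "https://bank.example.com", "alice", "xK9$vQ2m!pL7wZ4n@cR8bT3e"),
    Entry("Example Forum", "http://forum.example.com", "alice", "correct horse battery staple"),
]

# Constructed: hosts the manager knows to serve HTTPS (a real manager learns this by probing).
HTTPS_AVAILABLE = {"mail.example.com", "shop.example.com", "bank.example.com"}


def find_reused_passwords(entries: Iterable[Entry]) -> List[List[str]]:
    """Group sites sharing a password; every group of two or more is a reuse finding."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_password[e.password].append(e.site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def find_http_urls(entries: Iterable[Entry], https_hosts: Set[str]) -> List[str]:
    """Sites whose stored URL is plain HTTP although the host is known to offer HTTPS."""
    return sorted(
        e.site for e in entries
        if urlsplit(e.url).scheme == "http" and urlsplit(e.url).hostname in https_hosts
    )


def hibp_split(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that is sent
    to the range API and the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in breaches, or 0. `fetch_range(prefix)`
    returns the API's text reply: one 'SUFFIX:COUNT' line per hash with that prefix."""
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the range API reply for prefix 7C4A8; the counts are made up.
SAMPLE_RANGES = {
    "7C4A8": "\n".join([
        "A0D3E2A6E77F9DD3E5C8B9B1A4F0C1D2E3F:3",
        "D09CA3762AF61E59520943DC26494F8941B:1234567",  # suffix of SHA-1("123456")
        "FFD1B2C3D4E5F60718293A4B5C6D7E8F90A:1",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Offline lookup used by this example; swap in an HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix> for real use."""
    return SAMPLE_RANGES.get(prefix, "")


def audit(entries: List[Entry], https_hosts: Set[str],
          fetch_range: Callable[[str], str]) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "reused": find_reused_passwords(entries),
        "http_when_https_available": find_http_urls(entries, https_hosts),
        "pwned": sorted(e.site for e in entries if pwned_count(e.password, fetch_range) > 0),
    }


if __name__ == "__main__":
    for check, findings in audit(VAULT, HTTPS_AVAILABLE, offline_fetch_range).items():
        print(f"{check}: {findings}")
```

With the constructed vault, the audit flags the two accounts sharing “123456” as reused and as breached, and flags the shop account for using HTTP although the host serves HTTPS; the forum’s HTTP URL is not flagged because the host is not known to offer HTTPS. At no point does a password or its full hash leave the machine.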
To pick your password manager, head over to my comparison of password managers.
[1] For more technical readers: an unsalted SHA1.
[2] It is possible to find the password, just not directly from the fingerprint. The process involves generating random passwords or using a list of known passwords, hashing them, and comparing the resulting fingerprints with the fingerprint of the targeted password. A good password hashing algorithm is deliberately slow so as to make this kind of attack extremely expensive, or so slow that there is basically no point in trying.