Protect Your Passwords the Right Way

1 February 2023


Photo by FLY:D on Unsplash

Introduction

The second in a series of introductory articles written for a local community newsletter to help my neighbours stay safe online.

In the last post, amongst other things, I mentioned using a password manager to create and secure strong passwords. This time I want to briefly dive into some of the details and explain how they work.

As usual I’ve only scratched the surface and you will probably want to use the various resources I’ve linked below.

Why Passwords are important

With so much of our lives now online (banking, social media, government services, and so on) access to our personal accounts and data needs protection from bad actors. Criminals accessing your online accounts is one of the biggest risks when your personal data is exposed on the Internet, and it can take years to mop up the after effects. This short article from The Guardian newspaper makes sobering reading, and we will return to it in the next post.

The usual account credentials (username and password) are the standard way to protect that information, but have shortcomings. We need to be very careful in how passwords are created and managed in order to help protect ourselves and our data.

What Does “Good” Account Security Look Like?

Good password management is a three step process.

  1. Make sure that the passwords you create (generate) are a long random string of characters with a good mixture of character “types” (upper and lower case letters, digits, and punctuation symbols). I like to use passwords that are 24 characters long. However, not all websites allow such long passwords, or even support using punctuation symbols, so I take the best options I can on each website. If the password is truly random and long enough it is very, very hard to crack, even with modern computers.
  2. Every account you use needs a different password (if one password leaks, you don’t want to give free access to any other accounts)
  3. Make sure that all your password records are protected and secured from external access
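As an added illustration (not part of the original article), the Python below shows step 1 in practice: each character is drawn from the operating system's secure random source, every character “type” is guaranteed to appear, and the number of bits of entropy is worked out so you can see how much a website's length or punctuation limits cost you. The character sets and the 24 and 12 character lengths are my own assumptions, not rules from any particular site.

```python
import math
import secrets
import string

# Character "types" a website may allow (constructed example sets).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def has_all_classes(pw, allowed):
    """True if the password contains at least one character from every allowed class."""
    return all(any(ch in CLASSES[c] for ch in pw) for c in allowed)


def generate_password(length=24, allowed=ALL_CLASSES):
    """Random password over the allowed classes, using the OS CSPRNG (never random())."""
    if length < len(allowed):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES[c] for c in allowed)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry until every class appears, which keeps the
        # result uniformly distributed over all passwords that satisfy the rule.
        if has_all_classes(pw, allowed):
            return pw


def entropy_bits(length, allowed=ALL_CLASSES):
    """Bits of entropy of a uniformly random password of this length and alphabet."""
    alphabet_size = sum(len(CLASSES[c]) for c in allowed)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    no_symbols = ("lower", "upper", "digit")
    # 24 characters from all four classes: roughly 150 bits of entropy.
    print(generate_password(24), f"{entropy_bits(24):.0f} bits")
    # A site that forbids punctuation and caps length at 12 leaves roughly 71 bits.
    print(generate_password(12, no_symbols), f"{entropy_bits(12, no_symbols):.0f} bits")
```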

(Next month we’ll extend this with 2 factor authentication and the correct management of “security questions”)

The result of this advice is that it’s impossible for you to create and manage your passwords manually. Hence the need for a password manager.

About Password Managers

  1. A password manager can generate unique, strong, passwords for each online account you use
  2. Each password is stored in a password vault. Passwords in the vault never leave your device unencrypted and can only be decrypted using your master password, which only you know
  3. The password manager can fill in your username and password for the various websites you visit. In the worst case you can copy and paste your password from the vault into the sign on page
  4. The password vault may be able to store a variety of information. In most cases this is a minimum of the website address, user name and password. But it’s also useful to store other information. For example:
    1. Payment card details to perform online shopping
    2. Any other information that you need to keep secure (e.g. your passport number), but secure documents will need to be stored elsewhere.

As mentioned above, the information in the password vault is protected via a “master password”, which needs to be a well chosen password. As an example, recently LastPass, one of the most popular password managers, suffered a data breach and users with a weak master password are potentially vulnerable to having their passwords exposed. Bruce Schneier, a well regarded security researcher, provides some good advice on generating a good master password:

…take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m” Bruce Schneier

To help you remember your phrase you can select text from a favourite book (maybe not the 1st sentence from the 1st chapter), song (again not the 1st line), or some other source unique to you.

NOTE: If you already use LastPass then please review this advice from Deakin University.

How password managers work

A password manager can work locally on your computer (the password vault is stored on your local computer), or be cloud based (the password vault is stored in a cloud service), usually provided via a browser plugin or directly by an auto-fill feature.

Browsers like Firefox, Google Chrome, and Apple Safari provide basic password management (and usually credit card payment support), often referred to as auto-fill. If you use the auto-fill features in your browser, then check the security settings.

For example in Google Chrome you should consider setting up “on-device encryption”:

Prompt for Google on-device encryption

All of these browsers require that you also use the corresponding cloud synchronisation service, and that you use the same browser everywhere. However, they are often very convenient, free, and work across your mobile device and computer (provided you use the same browser and account everywhere).

A number of third party cloud based password managers are also available; the two most well known are 1Password and LastPass. These products provide more features than the browser auto-fill tools, but may require payment. Features include:

  1. Support for a wider range of data storage (e.g. answers to security questions or backup 2FA codes), not just usernames and passwords
  2. Support for different browsers
  3. Direct support for mobile devices, not just browser based applications
  4. Family or group password sharing

More information on specific password managers here.

If you are interested in the technical details of how cloud based password managers work then this video will probably be interesting. Some of the details are fairly technical, but these can be skipped.

How Can I Help Stop my Passwords being exposed?

If your information is exposed in an illegal data dump and you have followed these guidelines you should be safer than 90% of other people on the Internet. However, don’t be complacent: make sure you change your credentials on any affected websites as soon as possible.

As well as data dumps, your passwords can be “sniffed” off the network as the credentials you type into your computer are transmitted to the remote service. This makes it important to make sure that all websites you use to enter personal data use HTTPS security (the little padlock to the left of the address bar).

Address bar showing the HTTPS padlock

Your passwords (and other information) can also be stolen if a virus manages to install a key logger on your local computer. Passwords and other data can be stolen as you type them, and then transmitted to criminals. You can help protect yourself by never clicking on a link or running a program unless you are confident about the source. This includes links in emails and SMS messages.

Finally, passwords can be stolen through various social engineering attacks, i.e. getting you to enter your information into a fake website, or using voice based attacks (phone calls claiming that urgent action needs to be performed on your computer). This is referred to as a “phishing” attack, and this article and video from Microsoft contain good advice.

Other Resources

About the writer

Alec has been in IT for over 40 years and using the Internet since the 1990s. He has an active online presence and uses Google, Mastodon, and LinkedIn (amongst many others). You can find more about him by Googling “alecthegeek”, or looking at his website (which does have a padlock symbol). He does not claim to be a security expert.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.