Passwords and Password Management

Originally Posted 2/17/24


The Basics

What makes a good password? Generally, the longer the better. Special characters, capitals and numbers certainly add complexity, but a longer password with a few twists beats a short password made only of special characters: every extra character multiplies the number of combinations an attacker has to try, while a bigger character set only enlarges the base. From a quick Google search, I found the following chart to illustrate the point:

[Chart: estimated time to brute force a password, by length (4 to 16 characters on the y axis) and character set (numbers only, through numbers plus upper and lowercase letters and symbols on the x axis). A 4-character numbers-only password is listed as cracked instantly; a 16-character password using numbers, upper and lowercase letters and symbols is listed at 92 billion years.]

For a while now the suggestion has been to use a passphrase rather than a password. A password is a single word you type in; a passphrase is a short phrase. So, for example:

Say you have a dog named Spike. If we just used the word "Spike" as your password, according to the chart above it could be cracked instantly. Say instead we follow the usual advice of at least 8 characters and extend "Spike" with an area code. Now we have "Spike802", which according to the chart would take a brute force attack about 7 minutes. Not bad, but not much time at all. Add an exclamation point to the end and the chart says about 2 days, which is better, but still not long. Keep in mind that those figures assume the attacker knows nothing about the password and tries every combination; a pet's name followed by an area code and a symbol is exactly the pattern that word list and rule based guessing finds long before an exhaustive search would.

So let's use a passphrase instead. Say we use "I love my dog Spike". That gives us a 19 character password (including the spaces). This is off the chart above, but since it has upper and lowercase letters, the chart's trend puts it at over 173 million years to brute force. To be even more secure, we could swap some letters for numbers and symbols. "I l0ve my dog Sp!ke" is still 19 characters, but since it now includes numbers, upper and lowercase letters, and a symbol (the !), the chart puts it at over 92 billion years. One caveat: the chart assumes every character is random, and a phrase built from common English words has less entropy than 19 random characters, so the real margin is smaller than the chart suggests (and the letter-for-number swaps add less than you'd expect, because cracking tools try those substitutions automatically). It is still enormously better than "Spike802!", because adding words multiplies the search space far faster than adding one symbol does.

You might be asking at this point what a "brute force" attack is. It means the attacker runs software that keeps guessing your password: rather than guessing at random, it works systematically through every combination of letters, numbers and symbols, and in practice starts with word lists and common patterns before falling back to the exhaustive search. Because login pages slow you down or lock you out after a few failed attempts, these attacks mostly run offline against a stolen copy of a site's password database, which comes up again below.

The Problem

Most people have to remember a variety of passwords in their day to day life. At a minimum almost everyone has an email account and some form of social media. If you work in an office, you probably also have a computer to log into and some company programs to access, each of which should have a safe password. In a corporate environment you probably also have to change passwords every so often, making it even harder to remember what you used where. This makes it tempting to use the same password for everything. That is a horrible idea: if one of your passwords leaks, attackers will try the same email and password on every other site (this is called credential stuffing), and now they have access to everything you have an account with.

The Solution

Password managers. A password manager is an app or program that remembers your passwords for you. There are a bunch out there and they offer slightly different functionality, but at their core they store your login information for anything. You might already be using one without realizing it: any time your phone or web browser asks to save your password, it is acting as a password manager. They are a great choice because they let you use a different, fully customized password for each login, removing the need to reuse one password everywhere. They also make it easier to use longer passwords, since you can have the manager fill the password in (or copy and paste it) wherever you are logging in.

Personally, I'd advise against using your phone's built-in password manager or your web browser as a password manager. My main reason is that if you ever change phone brands or browsers, you no longer have your saved passwords, or you need to find a way to migrate them all. I find it better to use software that is operating system agnostic, so whatever you end up doing you can still access what you need. On top of this, if you use Google Chrome to save your passwords and someone gets into your Google account, they now have all your passwords. The other thing, which I'm not sure built-in managers offer, is that a dedicated password manager can generate a random x character password, where x is however many characters you want. Having it create something like a 32 character password is the most secure way to do passwords: a 32 character string drawn at random from letters, numbers and symbols has around 200 bits of entropy, far beyond what any brute force attack can cover. And since you're using a password manager, you only ever copy and paste (or auto-fill) it, so you never have to type a lengthy password out by hand.
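What a manager's generator is doing under the hood, as an added example (not code from the post or from any particular password manager): it draws every character, or every word, from the operating system's cryptographic random source and the strength is simply length times log2 of the alphabet. The 16-word list is constructed for this example; a real passphrase generator uses a list of several thousand words.

```python
"""Random password and passphrase generation the way a manager does it."""
import math
import secrets
import string

# Letters, digits and the 32 printable ASCII symbols: 94 characters. Space is
# left out because some login forms strip it.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list for this example. A real generator draws from a
# list of several thousand words (the EFF long list has 7,776).
SAMPLE_WORDS = [
    "acorn", "basil", "canyon", "dagger", "ember", "falcon", "glacier",
    "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper",
]


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG. `secrets` is the right
    module here; `random` is seeded predictably and must not be used."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: each word chosen uniformly at random."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    This is the number the cracking estimates above are really about."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(32)
    print(pw, f"-> {entropy_bits(32, len(ALPHABET)):.0f} bits")
    phrase = generate_passphrase(5)
    print(phrase,
          f"-> {entropy_bits(5, len(SAMPLE_WORDS)):.0f} bits with this tiny list,",
          f"{entropy_bits(5, 7776):.0f} bits with a 7,776-word list")
```

A 32-character password over this 94-character alphabet comes out at about 210 bits; five words from a 7,776-word list give about 65 bits, which is plenty for a master password you have to type, and the point is that the entropy comes from the random choice, not from how odd the result looks.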

Personally I use a password manager called Bitwarden. There are plenty of password managers to choose from, and I forget exactly what brought me to Bitwarden; if memory serves, it seemed like a very secure option. In general, I'd suggest googling how secure whatever service you're interested in is and reading a couple of reviews. End to end encryption is crucial (the vault is encrypted on your own device with a key derived from your master password, so the service only ever stores ciphertext it cannot read), and if you can find third party audits of the service, even better. Bitwarden in particular even lets you self host if you truly do not want any of your data on their servers.

Speaking of self hosting, if you want to host your own password management software, KeePass is an option I've heard a lot of praise for. It keeps everything in a single encrypted database file on your machine, so to sync across devices you need to put that file in Google Drive or another syncing service.

The Problem with the Solution

So, you know how at the beginning of this article we talked about how long it takes to crack a password with a brute force attack? Well, those attacks are... I don't quite want to say less of a concern, but there are other, bigger things to worry about. Say you've created the most secure password you can come up with. It's over 60 characters long and uses a mix of capital and lowercase letters, numbers and symbols. No one is ever going to brute force it. You think life is good. Then you see a news article saying the company you used that password with has been breached and user data has been taken. Without guessing your password, the attacker has obtained a list of users' login information by attacking the company rather than you individually, and now you need to change your password again. How bad that is depends on how the company stored passwords: in plain text, the attacker has them immediately; properly hashed, the attacker has to crack them offline, which is exactly where the brute force estimates above apply. I've seen plenty of these articles over the years: "Company X has been hacked, leaking millions of users' personal information".

This isn't to say having a long password is pointless. For one, large companies are constantly working to make their systems more secure, so the likelihood they get breached is lower. Also, if you have a different password for each website, the fact that they got your login for that one site doesn't matter too much, since you can usually just change that password and you're good to go. And if you can make a password that resists brute forcing, why wouldn't you?

Now, one thing I mentioned above about using something like Google Chrome as your password manager is that if someone gets into your Google account, all your passwords are compromised. The same sort of thing applies to a password manager: if someone obtains your master password, they have every login you own. This is why the master password for your manager needs to be extremely strong (and why you should turn on two-factor authentication for the manager itself if it offers it). That, however, does not cover the situation where the password manager company itself gets breached. What do you do if an attacker has been able to steal all your login information from the password management company?

There are plenty of things a good password manager can do to make sure that, even if their data is stolen, your information is safe. One thing I've read about online, and if my memory serves is applicable here, is password salting and hashing. The details differ between the two places a password lives. A website should never store your password at all; it stores a hash of it, computed with a random salt unique to your account and a deliberately slow algorithm. Hashing is one way (nothing turns the hash back into the password; the site checks a login by hashing what you typed and comparing), the salt means two users with the same password get different stored values, and the slow algorithm means an attacker with the stolen database has to guess each user's password separately and pay the full cost for every guess. A password manager goes a step further: your master password is fed through that same kind of slow key derivation to produce an encryption key, and the whole vault is encrypted with that key on your device before it is synced. A stolen vault is ciphertext, and the only way in is to guess the master password and run the key derivation for each guess. None of this rescues a weak password, though: a master password that appears in a word list will be found regardless of the salt.
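Salted, iterated hashing in working form, as an added example (not code from the post or from Bitwarden or KeePass): it produces the kind of record a website keeps, verifies a login against it, and then plays the attacker who has stolen the record. The leaked table and the attacker's word list are constructed for the example; the iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256.

```python
"""Salted, iterated password hashing: what a leaked record looks like and
why it still needs a strong password."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

ITERATIONS = 600_000   # OWASP's figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm, cost, random salt and digest.
    The salt is fresh per call, so the same password never hashes the same way twice."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_with_wordlist(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a stolen record: run the same KDF over
    guesses. The salt forces them to do it per user; the iteration count makes
    each guess slow. Neither makes a guessable password safe."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed leaked table: two users who picked the same password get
    # different records because of the random salt.
    leaked = {"alice": hash_password("Spike802!"), "bob": hash_password("Spike802!")}
    for user, record in leaked.items():
        print(user, record)
    assert leaked["alice"] != leaked["bob"]
    assert verify_password("Spike802!", leaked["alice"])
    assert not verify_password("spike802!", leaked["alice"])
    # Constructed attacker word list; the weak password still falls, it just
    # costs 600,000 SHA-256 rounds per guess per user.
    print("cracked:", crack_with_wordlist(leaked["bob"],
                                          ["password", "Spike", "Spike802", "Spike802!"]))
```

The same construction is what a manager uses to turn a master password into a vault key (Bitwarden's default is PBKDF2; KeePass and newer Bitwarden configurations can use Argon2 instead), which is why a leaked vault is only as safe as the master password that was fed into it.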

Another difficulty, one my girlfriend runs into, is simply forgetting to add new logins to the password manager or to update it after changing a password. Most managers offer to save or update a login when they see you enter one, the same way the browser prompt does, so it helps to say yes to those prompts.

A security debate

Working in IT, I've had this sort of discussion with coworkers about password managers, and opinions vary on what to do. The general favorite is KeePass backed up to Google Drive or Nextcloud. When we've had this discussion, a big argument for KeePass over something like Bitwarden was that since the information lives on my computer, it's safer than having it in the cloud somewhere. When I asked why they would then back KeePass up to Google Drive, which is a server somewhere in the cloud, the answer was that it's really all about scope. If you're an attacker who wants passwords for millions of people, what are you going to target: Google Drive or password management programs? It's much more likely that someone who wants to steal passwords would go after something like Bitwarden rather than digging through individual people's Google Drive accounts.

I have a coworker who has said he would rather users put sticky notes with their passwords on their computers than use something like a browser's built-in password manager. He is also very skeptical of services like Bitwarden or anywhere else that would store your passwords for you. On the flip side, my boss's boss uses Bitwarden himself and loves it.

Conclusion

Overall, I personally think the benefits of a password manager, not forgetting passwords and being able to make them as secure as you want, outweigh the potential downsides. To me it's much more likely that Facebook or another big company gets hacked and leaks passwords than a company whose entire existence depends on keeping passwords safe. Also, as I mentioned, a password manager has let me use much more diverse passwords, meaning that even if somewhere like Facebook is hacked it's just one password I need to change rather than all of them.

But what do you think? Did I miss anything? Do you have a favorite password manager? Feel free to leave a comment or reach out to me at steventanzimedia@gmail.com