According to several surveys, the average person has over 20 passwords (via Sophos, TechCrunch, GCHQ). Remembering them all is, well, a pain in the neck, to put it mildly.
We do a lot of risky stuff to keep ourselves logged in. 14 percent of people have only one password for all their online accounts, Kaspersky Lab recently announced. Another 36 percent reuse passwords across different accounts, while 12 percent make slight changes, writing for instance 1 instead of 2 at the end of the character string that’s supposed to keep them safe.
Remembering all the passwords has become so annoying that most internet users prefer to forget the “safety first” rule in order to simplify their life. The good news is that you can have both. Here are some insights that you might find useful.
Use good passwords
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess." - via xkcd
IT geeks advise people to use passwords that meet several complexity requirements. They should:
- Have more than 12 characters
- Have lowercase characters (a-z)
- Have uppercase characters (A-Z)
- Contain at least one number (0-9)
- Have at least one special character (such as $ or ! or ^)
They shouldn’t contain:
- The login ID
- English words
- Slightly modified English words, such as “p@ssw0rd” for “password”, or “w0rk” for “work”
- Strings of 3 or more identical characters, such as “qqqq” or “111”
Changing passwords on a regular basis is advised, at least for the most important assets such as your main email account, online banking, PayPal and the like.
All of the above, if done correctly, increases the password entropy (or "quality").
But what is entropy when it comes to passwords? It is a measure of how unpredictable a password is. Mixing random characters or words increases the entropy. Good password managers display the entropy in bits when you use their built-in password generators. Our recommendation is to use only passwords with over 100 bits of entropy. High entropy makes a password virtually immune to automated brute-forcing.
Here’s a good one: rf$s6A(whz@}-9Tg(K+
Multiply it by 20, the number of passwords the average person has, and you’ll find yourself in hell. No one can be expected to remember that many passwords. It’s impractical.
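To make the complexity rules and the entropy figure above concrete, here is an added example (our own illustration, not code from the original post or from any password manager). It checks a password against the rules listed above, estimates its entropy as length × log2(character-set size), and generates a random password that passes the rules. The word list, the leet-substitution table and the 94-character alphabet are assumptions made for this example; the "more than 12 characters" rule is read as a minimum of 13.

```python
import math
import re
import secrets
import string

SPECIALS = string.punctuation  # the 32 printable ASCII punctuation marks (assumed alphabet of "special characters")
MIN_LENGTH = 13                # "more than 12 characters"

# Constructed mini word list for the demonstration; a real checker would load a full dictionary.
DICTIONARY = {"password", "work", "welcome", "admin", "login", "summer", "dragon", "monkey", "secret"}

# Assumed table of common symbol-for-letter substitutions, undone before the dictionary check
# so that "p@ssw0rd" and "w0rk" are caught as disguised English words.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet that contains every character class used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Entropy of a uniformly random string of this length over this alphabet, in bits."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase built from n_words words picked uniformly from a list."""
    return n_words * math.log2(wordlist_size)


def policy_violations(pw: str, login_id: str = "") -> list:
    """Return the list of rules from the post that the password breaks (empty means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.islower() for c in pw):
        problems.append("no_lowercase")
    if not any(c.isupper() for c in pw):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no_digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no_special")
    if login_id and login_id.lower() in pw.lower():
        problems.append("contains_login_id")
    normalized = pw.lower().translate(LEET)
    for word in sorted(DICTIONARY):
        if word in normalized:
            problems.append("dictionary_word:" + word)
    if re.search(r"(.)\1\1", pw):  # three or more identical characters in a row
        problems.append("repeated_characters")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password with the secrets module and retry until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    for _ in range(100):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate
    raise RuntimeError("could not produce a policy-compliant password")


if __name__ == "__main__":
    sample = "rf$s6A(whz@}-9Tg(K+"  # the example password from the post
    print(sample, policy_violations(sample), round(estimated_entropy_bits(sample), 1), "bits")
    for weak in ("p@ssw0rd", "w0rk1234ABC!!", "abc111XYZ!#$long"):
        print(weak, policy_violations(weak))
    print("4 diceware words:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("generated:", generate_password())
```

The entropy figure is an upper bound: it assumes every character was drawn uniformly at random, which is true for a manager's generator and false for anything a human typed, so "p@ssw0rd" scoring a few dozen bits by this formula says nothing about how quickly a cracker with a wordlist and substitution rules finds it.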
But, what about fingerprint authentication instead of passwords?
Well, fingerprints aren't passwords. Fingerprints, like any biometrics, are meant to be used for identification, not authentication.
Lately, fingerprints have been used for authentication because mobile makers such as Apple, and the rest who follow, have pushed them. That is wrong.
Biometric passwords, such as the fingerprint scanners our laptops and mobile phones use, aren’t reliable. It only takes 5 minutes and an inkjet printer to break them. Fingerprints are just usernames, not passwords. We leave our fingerprints on hundreds of objects such as glasses or door knobs over the course of a day. Also, one can easily be forced to put a finger on the fingerprint reader, legally or not.
Recently, the LA Times revealed that the US government wants citizens to use fingerprints to unlock iPhones, as this method will make breaking a smartphone an easy task.
Are you sure it’s a good idea to use fingerprints for authentication? We think not.
Use a reliable and secure password manager
The smart thing to do is to let a password manager do all the work. You only need to remember a master password - a really strong one - and it’ll take it from there. It’ll generate strong, secure passwords and will remember them for you.
However, there are good password managers, and there are bad ones. The worst are those embedded in the browser as add-ons, as browsers have vulnerabilities and the data is stored by third parties. LastPass, for instance, has been hacked before, and has urged users to update their passwords.
We advise you to use KeePass as your password manager (or KeePassX which is cross-platform for Linux and Mac). Its database is an encrypted file, stored locally, protected with a password or with an encryption key. You can store it in the cloud or on a thumb drive, as you prefer.
KeePass is easier to use than you might think. You simply open it, search for a keyword, and then double-click on the username and password you were looking for. This only takes 5 seconds of your life and is your safest option. Sure, browser-based add-ons can be more convenient, as they can automatically fill in your credentials. But if security is absolutely important to you, it's better to use KeePass; it only takes a few seconds to authenticate by copying and pasting the credentials. What's even better is that you never even see the password: you can just double-click on it while it's displayed as "*****".
We use it ourselves for hundreds of logins and it works as it should. We have never had any problems with it, and we don't even know the passwords we are using. All of them are randomly generated, with a strength of over 140 bits.
Your smartphone is not that safe
Many cybersecurity experts believe smartphones are not safe for storing critical information. They don’t make mobile payments and don’t use their primary email accounts on mobile devices. Their advice for maximum security is to keep only less important passwords on smartphones. A mobile phone is easy to misplace. It can be stolen, it can be lost. Plus, downloaded apps vary in how secure they are and might leak your data.
We don't recommend syncing your password manager database across mobile devices. If you care about your security on the go, then use mobile devices as if you already know you'll lose them. Be cautious.
Speaking of mobiles, this is where two-factor authentication comes in handy, though. We advise you to use it as often as you can, with all the online services that support it, like Gmail, Yahoo, Twitter. App-based two-factor authentication such as Google Authenticator is a better option than SMS-based two-factor.
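App-based two-factor codes are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226): the app and the service share a secret once, and afterwards each 30-second code is an HMAC of the current time slot, so nothing has to travel over the phone network the way an SMS code does. The following is an added illustration written for this post, not code from Google Authenticator or any other app; the secret and the expected codes are the reference test vectors from the two RFCs, and the one-step tolerance window is a common implementation choice assumed here.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the time slot used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float = None, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time slot."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, now: float = None, window: int = 1) -> bool:
    """Server-side check accepting the current slot plus `window` slots either side (clock drift tolerance)."""
    if now is None:
        now = time.time()
    current = int(now) // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        # constant-time comparison so a wrong guess does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (often shown in a QR code)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding stripped for display
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 reference secret
    print("HOTP counter 0:", hotp(secret, 0))      # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(secret, now=59))  # 287082 (slot 1) per RFC 6238, 6 digits
    print("verify at t=89:", verify_totp(secret, "287082", now=89))
    print("live code     :", totp(decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")))
```

The part that matters for the advice above is the shared secret: it leaves the phone only once, at enrolment, whereas an SMS code is freshly transmitted on every login and can be intercepted or redirected with a SIM swap.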
How to check if your password has been compromised
Major data breaches happen almost every week. If an account is compromised and the same password is used for others, they are all at risk. This means you’re a bit safer if you use the terrible password 12345 for one website and 12346 for another than if you use 12345 for all of them.
In short: using the same "secure" password for several services is worse than using simple but unique passwords for each service. Reusing passwords is just terrible.
Still, if you care about your money, your data and your online identity, please use a reliable password manager.
You can see if your accounts have been compromised in data breaches on Have I Been Pwned.
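Have I Been Pwned also lets you check a password itself without disclosing it: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix starting with them, so the matching is done on your own machine. The code below is an added example written for this post, not code from the Have I Been Pwned project; the endpoint URL is the real one, but the sample response and its count are constructed so the demonstration runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; only a 5-character hash prefix is sent

# Constructed sample of what the API returns for prefix 5BAA6: "<35-char hash suffix>:<count>" per line.
# The suffix on the last line belongs to the hash of the string "password"; the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network): download all suffixes for one prefix."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 if absent from the range)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE  # stand-in for fetch_range, so the demo runs without network
    print("password            ->", breach_count("password", fetch=offline), "times seen")
    print("rf$s6A(whz@}-9Tg(K+ ->", breach_count("rf$s6A(whz@}-9Tg(K+", fetch=offline), "times seen")
```

A non-zero count means the exact password is in circulating cracking lists and should be replaced everywhere it is used; a zero does not mean the password is strong, only that it has not been seen in the breaches the service has indexed.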
Summing up
- Reusing passwords is worse than using simple, yet unique passwords.
- Don't bother generating and remembering dozens of passwords: use good password managers.
- Don't write them down and don't store them in .txt or .xls files. Again, use password managers.
- Good password managers are open-source and let you keep local databases.
- Use two-factor authentication with any important service, if available, especially with those email accounts used as the same login for most online services.
- Fingerprints are usernames, not passwords.
- Don't store passwords of important accounts on mobile devices.
- Password entropy should be over 100 bits for anything that is important.
- Did we mention that simple thing to do that makes passwords safer by orders of magnitude? Don't reuse them.
If you have any other tips, let us know!