Passwords 101: My guide to password management
If you use the internet and the many platforms it offers, you know how annoying it is to have to create a separate account to fully use each one. That means keeping track of yet another password, which slowly leads to reusing old passwords or similar combinations. You take convenience over security, as I did. Stick around and I'll share a solution that keeps that convenience while also being secure.
Please do tell me if I’ve made a mistake somewhere so I can update it.
This is a long read so please jump ahead to different sections if you get bored.
Data breaches in 2020
I’m going to list a few data breaches that occurred in 2020 along with some details to be able to convince you why you should be worried about your passwords.
As you can see, the reasons why the data was breached vary, but at least one is very concerning. Do you really want to trust companies to store your data securely, or keep using the same passwords and find out later that your account was breached? If this doesn't convince you, let's move to the next section.
Have I been pwned?
I really hope this section convinces you. Have I Been Pwned is a website that checks whether your email address or passwords have been pwned (breached, in other words). I recommend going to this website and typing in your email address to see which data breaches it was involved in. What I wouldn't recommend is entering your current password in the Passwords tab until after you have reset it and don't intend to use it at all. Maybe try an old password you don't use anymore. Just because an old password wasn't breached doesn't mean it isn't susceptible to social engineering attacks, so please use randomly generated passwords as I'll describe below.
Once your password is breached, it could be available on the surface web, the web we all normally browse, but that is unlikely. What is likely is that your password hash is available for free or for sale on the dark web. All of this can easily be automated with computers to try all the email and password combinations (to an extent), which makes the hacker's job easy: all they need to do is gather the list of credentials, start the attack and let the computer do the work. Attackers can search for your email here, go hunting for those data breaches and then try to hack their way in.
How do companies store passwords?
Encryption is a two-way function: we use a key (commonly a password) to encrypt (jumble your data into what looks like a random stream) and can decrypt (work back from the jumbled form to the readable form) using the key.
This is mainly used for securing sensitive data, but when it comes to websites, the most common method of storing user passwords is to store the password's hash.
I have skipped a few things, like salting, but this should give you a basic overview.
A hash is computed by running an input (the password, in this case) through a one-way function; the computed output, the hash, is then stored in the company's database. There are different hashing algorithms, but for a given algorithm the hash of a password is always the same. So when a user signs up and confirms a new password, its hash is computed and stored in the company's database. When the user wants to log in, they enter their password, a hash is computed with the same algorithm and compared with the one in the database. If they match, the user is logged in.
It is usually these hashes that are taken from the company's server. As stated before, you can't feed a hash back into the hashing algorithm and hope to get the password; since it is a one-way function, you'll just get another hash. What you can do is try different candidate passwords to "crack it". Hackers pre-compute large tables (known as rainbow tables) of hashes for passwords they know from previous attacks, and add hashes of new candidate passwords as well. They then compare these against the hashes found in a new breach, and each match gives them a password for that hash.
Cracking a hash
Almost anyone can try to crack a hash and all the tools are easily available online, but do this at your own risk. (Disclaimer: You take full responsibility for anything illegal that you do with the information that I have provided. I'm only sharing this for educational purposes and to convince you how easy the process is to get passwords from hashes.) I'll be showing a demo of how easy it is to get passwords from previously cracked hashes, which almost anyone can do.
Obviously the password is very weak, but you get the idea. There are other ways too (like John the Ripper and Hashcat), but this seems to be the most accessible for everyone. It only works for passwords that were previously cracked, though, because all the website does is look up the provided hash in a precomputed hash table. The usual way a password is cracked is with tools like Hashcat and John the Ripper (JTR). See my post on Crack the Hash 2 to understand how password cracking is done using a graphics card (a GTX 1050 4gb laptop card), which I believe is a mid- to low-end graphics card accessible to most people. To sum it up, hackers first find what type of hashes they have that need to be cracked. Secondly, they use a wordlist of common passwords. Thirdly, they use Hashcat or JTR to create a hash for each word in the wordlist and compare it with the hashes they are trying to crack; this is the most CPU- or GPU-intensive part. If a computed hash matches one of those hashes, they have a potential password to use.
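To make the storage and lookup story from the two sections above concrete, here is an added example (my code, not from the post or any tool it mentions) that contrasts an unsalted hash, which a precomputed table recovers instantly, with a salted PBKDF2 record that the same table cannot match; the four-entry table and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed: a tiny "precomputed table" of unsalted SHA-256 hashes of common
# passwords, standing in for the huge rainbow tables described in the post.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """The weak storage scheme: one plain SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_in_table(digest: str):
    """What a hash-lookup site does: match a leaked hash against the table."""
    return PRECOMPUTED.get(digest)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Stronger storage: per-user random salt plus slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    weak = "password"
    strong = secrets.token_urlsafe(16)  # ~21 random characters, no human bias
    print(lookup_in_table(unsalted_hash(weak)))    # recovered instantly
    print(lookup_in_table(unsalted_hash(strong)))  # None: not in any table
    rec = make_record(weak)
    print(lookup_in_table(rec["hash"]))            # None: the salt defeats the table
    print(verify(weak, rec), verify("Password", rec))
```

Even the weak password is safe from the table once salted, but the slow, per-user hash only buys time; the random password is what makes guessing hopeless.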
Password managers are the sweet spot between convenience and security. I'm sure some of you have started using password managers recently, but there are still people who reuse old passwords. The beauty of password managers is that you don't need to remember any of your passwords; you only need to remember one strong master password to access all of them.
The password manager I would recommend to most people is BitWarden. It is an open-source password manager (a huge plus, as I'll explain later) that syncs across devices, including mobile devices (Android and iOS), and it also offers two-factor authentication (2FA). I'm sure the free plan has more features, which you can check on their pricing page. If you would like to know why you should not use other password managers like LastPass, 1Password etc. and why you should move to BitWarden, please watch this two-part video (Part 1, Part 2), as that was my turning point away from LastPass as well. BitWarden is also available as an extension for many well-known browsers.
Since it is open source, it follows the crystal-box approach: anyone can read BitWarden's code and try to find flaws in it, which shows how confident they are in their security. You can use BitWarden's random password generator to create a different password for each account and then use the auto-fill feature to enter them automatically. I believe BitWarden also offers biometric authentication instead of entering your master password each time, for convenience, but I would recommend that you use biometric authentication and also enter your master password manually at least twice a week, so that you remember it and can still access your account if you lose your device.
If you're still not convinced, then I don't know what will convince you. You need to take security into your own hands. Yes, it is a little time consuming to track down all your accounts and their passwords and then reset them to random passwords, but trust me, it is all worth it. The whole point of the password manager is that since you don't even know your own passwords (because you used a random password generator and auto-fill to enter them), attackers can't even social engineer your password out of you. This brings both convenience and security. Attackers also can't use huge wordlists of common passwords against random passwords.
Choosing a strong P@$sw0Rd
For REGULAR account passwords, you can use the random password generator in BitWarden. Note that not all websites support all character types, so experiment with it and see which ones do. I would say that you should keep your password length > 16 with varying character types (why not max it out to 128? Obviously kidding; there could be times when your auto-fill doesn't work and you'll have a long day entering your passwords. Or go for it if you don't mind).
For my next demo, I chose a 16-character random password from my password manager and this password cracking estimator gave it a maximum cracking time of 420805123888006 years, 6 months. Humans have biases, and this is why you leave password generation to the random password generator. Now you might ask how the password generator doesn't have biases when humans made it. Well, that's a topic for another day.
When it comes to creating a strong MASTER password, my advice is to use a series of randomly generated phrases, more than 10, keep a physical copy of them and store it safely in a few different places in case you forget it or lose a device and need to log in again. I also recommend entering it manually at least twice a week so that you remember it in case you don't have access to those physical copies (please don't send those passwords over platforms like WhatsApp or Facebook Messenger).
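As an added example (my code, not the post's and not BitWarden's generator), here is how a random account password or a multi-word master passphrase can be generated from a cryptographic random source rather than human choice, and how to put a number of entropy bits on the result; the symbol set and the sample wordlist are assumptions for the demo.

```python
import math
import secrets
import string

# Assumed character classes; a real generator lets you toggle these per site,
# which matters because some websites reject certain symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, classes=("lower", "upper", "digit", "symbol")) -> str:
    """Uniform random password containing at least one character of each class.
    Rejection sampling keeps every accepted password equally likely."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def random_passphrase(wordlist, words: int = 10, sep: str = " ") -> str:
    """Master-password style: `words` words chosen uniformly from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = random_password(16)
    print(pw, round(entropy_bits(16, sum(len(v) for v in CLASSES.values())), 1), "bits")
    sample_words = ["alpha", "bravo", "charlie", "delta", "echo"]  # constructed
    print(random_passphrase(sample_words, 10), round(entropy_bits(10, len(sample_words)), 1), "bits")
```

With a real 7776-word list, 10 words give about 129 bits, more than a 16-character password drawn from 85 characters (about 102 bits), which is why a long passphrase works well as the one password you must memorise.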
How I maintain my passwords
Now I'll share why I don't use BitWarden and what I use instead. I don't use BitWarden mainly because I got a YubiKey (a physical key I can use for 2FA) and wanted to use it, as I hope to become a security professional (BitWarden does offer 2FA with a physical key, but only in the paid version). Another reason I use an offline password manager is that security can never be guaranteed. There is still a possibility that a password manager like BitWarden gets breached, and while the data would still be protected, I would rather take it upon myself; and if hackers somehow delete the database from BitWarden, I need a backup.
I use KeePassXC, a free, open-source, offline password manager that has the most convenient features others offer, like a random password generator, auto-fill and a browser extension. While there isn't an official mobile app, there is an unofficial open-source one, Keepass2Android (I'm not 100% sure there is a secure iOS equivalent), that I use, and it can also sync using a few cloud storage options. The good thing about Keepass2Android is that you have to re-enter your master password (and present the physical key, in my case) to get the most up-to-date password changes in the database file.
As previously mentioned, I was worried that I could lose access to my cloud storage and then my passwords would be gone forever, so I had to take backups. I was doing it manually (copy-pasting the password database file), but then I found a way to automate it. I created a .bat file and used Task Scheduler to take backups automatically and store them on my hard drive, separate from my cloud storage. Here's the tutorial I followed.
If you are also paranoid like me and want to take it into your own hands, you can follow the guides I followed when I set up KeePassXC with a physical key, Guide 1 and Guide 2. If you prefer the normal KeePassXC setup, please follow the links I've shared below.