Some people are on what at times appears to be a crusade to eradicate passwords, replacing them with the latest and greatest novel idea.

Realistically, however, I believe that the concept of passwords will remain a fact of life with computerized devices for a long while still. We may be able to rid ourselves of them in specific situations, but the concept seems likely to remain for the foreseeable future.

Given that we’re likely to be stuck with passwords for some time, how to handle them is another subject of opinionated debate.

These are my tips on how to live with and handle passwords. While I do hope that they will be useful to others, don’t take them as gospel.

Executive summary

  • Use a password manager
  • Use randomly generated, unique passwords for each account
  • Make passwords that you do not need to memorize alphanumeric and at least 15 characters long whenever possible
  • For passwords that you must memorize, use Diceware passphrases, and accept that they will be a fair bit longer than 15 characters for reasonable security; a six-word Diceware passphrase provides equivalent security to a 15-character alphanumeric password
  • For important accounts, including e-mail accounts, turn on multi-factor authentication where available

Use a password manager

A password manager, by itself, will not do anything to improve the security of your accounts. However, it is a stepping stone that will make other ways of improving your password security far easier.

In fact, much of what I propose here is impractical without some kind of password manager.

There are many different choices for password managers with different trade-offs between integration into other software, ease of use, cross-device synchronization, fully locally hosted versus cloud-based, desktop versus mobile versus both, and many other aspects. However, they all solve the same basic problem: secure storage and retrieval of account credentials.

Using a password manager is akin to putting all of one’s eggs in a single basket. Doing so can be beneficial, but only if the basket is carefully guarded. Therefore:

  • Before deciding on a password manager, look up whether there have been any security issues relating to it recently, and think thrice before using one that is brand new
  • After deciding on a password manager, make sure that you choose a secure, memorable master password, because the security of all your credentials will be critically dependent on the security of that one passphrase

If you can’t decide on a specific password manager product or service, consider asking a computer-savvy friend or colleague. It’s likely that they have spent some time looking at various options and can help you choose a solution that meets your needs.

There are drawbacks to password managers as well. For example, password managers are attractive targets in their own right, which is why checking for recent security incidents relating to a candidate solution is important before deciding which product or service to use. The UK National Cyber Security Centre lists a few such downsides in their position article on password managers. Even so, their general advice remains to use a password manager because, for most people, the advantages of using one outweigh the downsides.

Use randomly generated, unique passwords

Poor passwords generally fall into one or more of three categories: weak passwords, reused passwords, and predictable passwords.

Conversely, good passwords will be strong, unique and unpredictable.

Assuming that a password is randomly generated, strength comes from length and character set size.

Unpredictability simply means that someone who has perfect knowledge of you should not have any advantage in guessing the password; this rules out things like phone numbers, birth dates, family member names, childhood pet names, favorite movie titles, and so on, even as just parts of a password.

Using randomly generated, unique passwords addresses the uniqueness and unpredictability criteria. Making them sufficiently long, taking into account the size of the character set, addresses the strength criterion.

Once you are using a password manager, there is no reason why any of your passwords (with very few exceptions, such as the password manager master password) should need to even be possible to remember. It isn’t any more difficult to use a password manager to store the password “tai2saev2teegoothai6che3AiG9wo” than “Kitten.0”.

The natural way to address all three categories of poor passwords is to make each password randomly generated and sufficiently long to be reasonably guaranteed to be unique simply by virtue of having been picked at random.

Every password manager worth its salt today includes a feature to generate a random password that will be virtually guaranteed to be unique to that one account. Use it! If the generation settings feel overwhelming, the defaults are probably reasonable.

Since you are using a password manager anyway, it will actually be more complicated to reuse a password that you are using elsewhere, since you will need to somehow copy it from where you are already using it into the account for which you want to use it. Just generate a brand new one instead, and stop whole classes of attacks dead in their tracks.

Make your passwords alphanumeric and at least 15 characters long

No, there is nothing particularly magical about 15 characters.

However, a randomly generated string of letters and numbers that is 15 characters long is sufficiently hard to guess that the password will almost certainly not be the weak link, even if it isn’t generated perfectly at random.

Such a password is also both long and short enough that most services that restrict passwords based on arbitrary length rules should allow it.

As long as the password is generated at random, it’s also sufficiently long that the odds of anyone else using the same password by chance are basically nonexistent. It will therefore not be in any previous password breach corpus.

For services that allow it, there is no reason why you can’t increase the password length even further; once you are using a password manager and thus don’t need to enter them by hand, passwords 30-40 characters long are not unreasonable for services which allow that. However, going beyond 50 characters is extremely unlikely to provide any benefit in practice unless the character set is highly constrained (for example, passwords consisting only of digits), in which case there are other problems which are out of your control.

Keep in mind that these specific lengths apply only to fully random passwords. For situations where there is some kind of pattern to the password, such as with Diceware passphrases, while the same general principles apply, the result of applying those principles will be different.

For passwords that you must memorize, use Diceware

Diceware is a method of generating passphrases that are possible for ordinary human beings to remember, yet are quantifiably secure. The same principle is also popularly known under the term “xkcd passwords”, after a strip published in 2011 in the webcomic xkcd. The UK National Cyber Security Centre refers to them as “three random words”, but the concept is almost identical.

The idea is to choose, at random, actual dictionary words from a word list, and to string together a sufficient number of randomly chosen words to provide the desired level of security. Given that the size of the word list is known, and that the words are actually chosen randomly, the absolute security of a passphrase consisting of a given number of words can be calculated; and because the passphrase consists of actual words, even though the sequence of words will be nonsensical, such passphrases tend to be easier to memorize than a traditional password of similar strength.

The typical recommendation is to use physical dice to introduce true randomness into the process, but deterministic processes such as those implemented in computer software can also be used, as long as their limitations are recognized. A simple mitigation is to increase the length of the passphrase by one word compared to the theoretical case.

The Diceware web site provides multiple word lists in different languages. More recently, the Electronic Frontier Foundation has published another set of word lists in English that may be more appropriate and/or easier to use.

The fact that such a passphrase is made up of words does not detract from its security, provided that the words are selected at random. Also, as long as there are no duplicate entries, there is no difference in security between Diceware word lists with an equal number of entries (distinct words). The security of Diceware passphrases follows only from the size of the word list from which the words are selected, the number of words selected, and the fact that the words that make up the passphrase are selected at random from the word list.

A six-word Diceware passphrase, generated using any of the typical Diceware 7776-entry word lists, provides the same level of security as a 15-character alphanumeric password, and is therefore an equally reasonable choice.

This is because, by a remarkable coincidence of mathematics, $(26+10)^{15} = 7776^{6}$ (where 26+10 is the number of character possibilities when selecting among the letters of the English alphabet plus digits), which are both approximately equal to $2^{77}$. Thus, such a password is sometimes said to have a work factor of approximately 77 bits.

Said otherwise, a typical, classical password like “rieleebeith2eng” or “zaiv3thaes7lah1” has roughly the same level of security against an attacker as the Diceware passphrase “dean unissued mystified comfort everyday chokehold” or “dribble pusher swipe defiling mocker clobber”. While the latter come out about three times as long in terms of number of characters, they are arguably also easier for most people to remember and type. This makes Diceware passphrases especially suited for situations where a password manager is unsuitable; for example, password manager master passwords.

There is nothing magical about the number 7776 in the context of Diceware passphrases, either: it’s simply the number of possible outcomes of rolling a standard 6-sided die five times in a row. ($6^{5} = 7776$.)
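The arithmetic above, together with the two generation methods from this section and the 15-character section, as an added example that is not part of the original article. It assumes a 36-symbol lowercase alphanumeric alphabet and a word list stored in dice-roll order (11111 first, 66666 last); `DEMO_WORDLIST` is a constructed stand-in for a real 7776-entry list, and all function names are hypothetical.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_lowercase + string.digits  # 26 + 10 = 36 symbols
LIST_SIZE = 6 ** 5                                      # 7776 outcomes of five rolls
# Constructed stand-in list; substitute a real 7776-entry Diceware or EFF list.
DEMO_WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]

def entropy_bits(choices: int, picks: int) -> float:
    """Work factor in bits for `picks` uniform draws from `choices` options."""
    return picks * math.log2(choices)

def words_needed(charset: int, length: int, list_size: int = LIST_SIZE) -> int:
    """Fewest words matching a random password's keyspace (exact integer math)."""
    target, words = charset ** length, 0
    while list_size ** words < target:
        words += 1
    return words

def random_password(length: int = 15, alphabet: str = ALPHANUMERIC) -> str:
    """Random password drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rolls_to_index(rolls) -> int:
    """Read five die rolls (1-6 each) as a base-6 number: 11111 -> 0, 66666 -> 7775."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each from 1 to 6")
    index = 0
    for roll in rolls:
        index = index * 6 + (roll - 1)
    return index

def diceware_passphrase(wordlist, words: int = 6) -> str:
    """Pick `words` entries by simulated dice; the list must be in roll order."""
    if len(wordlist) != LIST_SIZE or len(set(wordlist)) != LIST_SIZE:
        raise ValueError("word list must hold 7776 distinct entries")
    picked = []
    for _ in range(words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(5)]
        picked.append(wordlist[rolls_to_index(rolls)])
    return " ".join(picked)

if __name__ == "__main__":
    print(random_password(), f"{entropy_bits(36, 15):.1f} bits")
    print(diceware_passphrase(DEMO_WORDLIST), f"{entropy_bits(LIST_SIZE, 6):.1f} bits")
    print("words to match 15 alphanumeric characters:", words_needed(36, 15))
```

With physical dice, `rolls_to_index` is the only part needed: it turns each group of five rolls into the line of the word list to read.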

For important accounts, turn on multi-factor authentication

Not all services provide support for multi-factor authentication (MFA, sometimes called two-factor authentication or 2FA), but an increasing number of major services do.

Turning on MFA is especially important for accounts that can be used to compromise the security of other accounts. For example, many services offer the possibility of resetting one’s password based on some kind of e-mailed validation of such a request, which makes the associated e-mail account an important account even though one might not consider anything in that account particularly important.

Although implementations vary, the general idea of all MFA solutions is to greatly increase the attack complexity for an attacker, while keeping the burden on the legitimate account holder as low as possible. Primarily, it turns an attack on what would be a single, static secret – the password, since the username is often trivially guessable – into an attack on both the password and the associated MFA solution.

Turning on MFA can often transform what would be a practical bulk attack into one that is far more difficult to pull off and, in many cases even more importantly, needs to be targeted. Since so many services go to great lengths to reduce the impact on the user of activating MFA, and many users already have devices that can be used for MFA purposes (such as a smartphone that can be used to run an authenticator app), activating MFA for an account often serves to greatly improve practical security at minimal cost.

Even relatively low-security MFA solutions, such as codes sent via text message or e-mail, or minimally intrusive solutions such as “did you perform this login?” prompts on a second device such as a smartphone, can still turn the tables on an attacker by requiring them to target their attack instead of simply trying for any account they can get into. Although such solutions are theoretically insecure, as long as you don’t answer “yes, allow this login” when you aren’t actually trying to log in to the service, they vastly reduce the risk of your account being compromised.