Password Management: A User Guide

Users often hear rules left and right about the shape and content of passwords: so many characters; must contain this or that character or kind of character, or not too many of these in a row; don't use common passwords, sports teams, or personal identifiers like birthdays or names; and so on. However, users rarely hear much about managing their passwords. How do you remember that 130-character bank password that is probably both unspeakable and halfway untypeable? How do you keep access to each of these on all your devices? And how do you store these passwords securely? Certainly it's not a great idea to just write them down and leave them in an insecure location, where they also might easily get lost.

Password Managers

There exist numerous options for storing your passwords and keeping them secure. Each password manager is a bit different, and some cost money for more advanced features. 1Pass, LastPass, and KeePass are a few of the more popular options. For anyone not afraid of the command line or a FOSS interface, Pass, the Unix Password Manager, is an excellent option that is utterly without cost. Password managers usually interact with your browser to allow you to directly enter and update passwords for each site you visit. This way, users can transparently create new login credentials on the sites they visit and have them automatically saved and later re-entered when they return to the site. Most password managers also detect and update stored passwords when new ones are created.

The password manager will store your passwords in encrypted form and typically (depending on its features) back up this encrypted database and sync it between devices. Some managers require the use of a third-party syncing program like Dropbox, or require users to pay for the syncing function. (They've got to make money somehow, right? Also, syncing between devices does incur real costs in terms of servers.) This syncing is essential not because it keeps the passwords backed up, though that is a benefit, but because it keeps users from having to insecurely move passwords between devices. Having them synced in encrypted form is the only method that passes muster from a security perspective.

However, this guide is not a user manual for password managers; rather, we're here to urge users to use them. Password managers are necessary to keep all your data secured and readily available. They allow you to create longer passwords that you might otherwise forget or be unable to type. They allow you to more easily change passwords because you can sync those changes across devices. They allow you to more easily create passwords that match the security policy of the site you're visiting, sometimes offering a generator to create them for you. All of the requirements for keeping passwords secure are made easier and smoother by using a password manager.

Two Factor Authentication

"2FA" as it is often called may be a confusing subject for users. Why is my bank asking me to play weird number games? Is my phone spitting out random numbers for logging in? What's going on with this feature? As weird as it may seem to have a second, seemingly random, semi-password, this feature actually makes your logins much more secure, even when it's poorly implemented, and it often is.

2FA works on pseudorandom number generation; computers generally cannot generate truly random values--indeed, it's a matter of metaphysical debate as to whether truly random values even exist! However, computers can use very complicated mathematics to generate numbers that are not easily predictable--numbers that might as well be random. These are pseudorandom numbers. The formulas that generate them would be practically useless if everyone used the same one with the same inputs, since then the output might be guessed from the setup or infrastructure. For instance, if the only unique input is the time, that makes the codes much easier to crack. So they usually have a second input, called the seed, to make sure that a fresh, newly unpredictable sequence is generated each time the formula is used.

When you set up 2FA, typically you will have a device that generates codes for you, usually an app on your phone. The service you want to log into will share some seed information with your phone to set up a unique pseudorandom sequence, and the phone and service will coordinate the other input either on the basis of time or some other constantly changing value. This allows the phone and the service to both know a mostly unpredictable number that no one else knows. That way, when you enter your password and 2FA code, it's very unlikely that anyone other than you can log in without your knowledge.

It is possible for 2FA to be breached if the device that generates codes is stolen--but the idea is that a user will usually notice very quickly when their phone is missing, and can act to have passwords reset, or in the case of very important logins to have those logins disabled completely. Additionally, many services use an inferior form of 2FA in which the service sends you a message containing the code to enter. When possible, we recommend using a code received by email, on an email account that itself requires 2FA via a phone app, for this style of service. When the user instead receives a text message, this is very, very insecure because text is by its nature an insecure method of communication. Text messages are easily intercepted, and so it's possible for a malicious actor to initiate some special form of login (like a password reset) and then obtain the 2FA text message to successfully gain access to the user's account. Even if temporary, this kind of access can potentially be disastrous, especially for accounts containing sensitive information or allowing otherwise protected actions such as balance transfers or changing PINs.

While the shared seed pseudorandom generator method in a phone app or other device is best, any form of 2FA adds some security and should be favored over only a password.

Staying a Step Ahead

While two-factor authentication can provide some extra protection, and the password manager greatly improves your ability to use and keep passwords, the best feature of the password manager lies in the convenience it provides for changing passwords frequently. Requirements for keeping passwords secure include not reusing them, both across different sites and over time. Ideally, your password for every site should be different, and you should never use the same password again after you have changed it. Because of this, passwords multiply out of control. Users need access to sometimes hundreds of different services, and keeping those passwords distinct as well as regularly changing them becomes a major to-do item.

Why must you change your password? Well, the longer a password remains the same, the easier it is to crack. Often this happens not because someone personally targets you and a service you use. Rather, services have security breaches for a number of reasons (sometimes because an admin used a bad password or failed to change it), and these breaches can expose passwords you have used. When these passwords have not been changed, have been reused across multiple sites, or have similarities to your current password, that compromises your login. By regularly changing passwords and keeping them unique, you prevent breaches from exposing your credentials.

By removing some of the tedium from changing your passwords, password managers help you to do this more frequently, and thus significantly help you increase your login security. Many managers also support convenience features like a reminder to change certain passwords when they've gotten stale, or can even automatically change passwords for you on a schedule for sites they support.

The Future

Password management isn’t easy, and storing information securely, especially information that is a high priority target like passwords, is hard. Password managers aren’t perfect, and no system for managing passwords is perfect. However, by taking some fundamental steps like using a password manager, changing your passwords regularly, and using two factor authentication, you can make sure you aren’t an easy target for attacks compromising personal information.

Every year new technology both makes cryptography harder to break and also presents new tools for those seeking to break it. Eventually, quantum computers will signal a completely new frontier in this ongoing struggle, but even then good password policies and practices will continue to be effective in keeping your logins safe.

Dec 16th 2019 David Thomas