Passwords are a fundamental element of our digital life, but few people treat this topic with the attention it deserves. It’s not unusual to come across users who use the same password for all services or who have their year of birth as their phone pin. In this post, I’ll explain what a good password is, how to create it, and where to store it.
What are the characteristics of a good password?
The main characteristic of a password is uniqueness. You can’t have two passwords that are the same; this rule allows for no exceptions. Using the same password for two different services irretrievably compromises security. Unfortunately, data breaches are becoming more and more common and very often include passwords in plain text. If you use the same password for all accounts, all it takes is for one account to be compromised and like a domino effect all the others will fall. I already know what you’re thinking: “It’s impossible to use a different password for each service and remember them all.”; rest assured there is a solution, just continue with the reading of this post.
Another fundamental characteristic for a password is randomness. A good password is random and should not be tied to the user using it in any way. Birth dates, anniversaries, pet names; all bad ideas. But don’t worry, it’s not your fault, humans are a bad source of randomness. It’s stronger than us, we can’t think of something truly random, but again, the solution exists.
Lastly, a password needs to be long, but really long. Anything under twenty-five/thirty characters is to be taken and thrown in the trash.
You are probably wondering: “But how, doesn’t a password have to be complex? “. Well the answer is trivially no. Imposing constraints on the presence of numbers and/or special characters only makes passwords harder to remember and more complicated to type. Furthermore, forcing the user to include certain classes of characters also reduces the search space1 and therefore makes the password less random and easier to guess. In other words, a complex password is very often an insecure password.
What is a passphrase?
The word password is derived from the English terms pass and word. In the previous section we said that a good password must be long and therefore composed of at least twenty characters, but hardly a word is so long. For this reason it is more correct to speak of passphrase. A passphrase, then, is a sequence of (random) words generally separated by a space or another non-alphabetic character.
The advantages of using a passphrase instead of a password are many:
- A passphrase is easier to remember.
- A passphrase is easier to type.
- With a passphrase it becomes harder to confuse two characters2.
- A passphrase constrains us to use a large number of characters.
Have I still not convinced you? Probably this vignette from xkcd will clear up any doubts for you.
No need to have an iron memory
Ok we’ve figured out that we need to use long passwords and that the best way to get them is through the use of multiple random words. Let’s also assume that we are able to generate random word sequences, perhaps by randomly opening a vocabulary. Well, have we solved the password problem? Well not quite, we still need to figure out how to store all these passphrases.
Here we have two ways:
- You’re a fucking genius: You have an iron memory and can remember the passphrase used for every site and service you use. What can I say, lucky you. You already have everything you need so you can close this post and get back to more fun activities.
- You’re a normal person: you can’t even remember what you had for breakfast, let alone hundreds of passphrases. Don’t worry, you’re in good company, people like you (and me) need a password manager.
A password manager is software, or as is fashionable now, an app that allows you to store all of our passwords. Wanting to use a metaphor, a password manager is the digital equivalent of a safe. Inside this safe will be stored all our passwords and to open it you’ll need to enter the master password which is the only password we have to learn by heart.
I know, you are probably already using something similar. Maybe you’re the analog type and you have a notebook or a diary with all your login information, or you’re digitally saving passwords within the notes app on your smartphone. Or maybe you’re the creative type and have saved your card pins as phone numbers within your address book. Does it work? Yes. Is it the right choice? Absolutely not, it exposes you to a lot of risks3. For goodness sake you are absolutely free to tighten a screw with a hammer, but at least allow me to introduce you to the screwdriver.
How to choose a password manager
Let’s start by saying that just as there are many screwdrivers, there are also many password managers. There is no such thing as the ultimate password manager, each one has merits and demerits. In addition, each of us has different needs, so what works for me does not necessarily have to work for you. That said let’s look at the most important features.
Local or cloud-based
The first distinction we can make is with respect to where the data is saved. In the case of local password managers, the data is saved on the device we are using. This means that if I save a password on my PC it is automatically not visible on my smartphone. Data synchronization between multiple devices must be done manually by the user, as well as the backup of credentials. While in the case of cloud-based solutions this synchronization is transparent to the user and everything is more immediate. Surely this last solution is more suitable for inexperienced users.
Due to the above, it would seem that cloud solutions have only advantages, but this is not the case. The disadvantage concerns the possession of the data. In local solutions they are in our possession, while in cloud-based solutions they are in the hands of the service provider. This is not necessarily a problem, but it still needs to be taken into consideration.
E2E Encryption
E2E encryption is another buzzword for a very simple concept. Besides me, are there other people who can read my passwords? The answer is no if the service we are using uses E2E encryption, in other cases it is yes.
The presence of E2E encryption becomes particularly relevant in the case of cloud-based solutions. In fact, as mentioned earlier, in cloud-based solutions the provider has access to our data, but actually what does it see? If E2E encryption is used they only see a meaningless sequence of symbols, if it is not used they see our passwords in plain text. From this it is clear that cloud-based solutions can only be chosen if they are E2E encrypted.
License
A software license is the document that tells us what we can and cannot do with that software. Licenses are divided into two families, closed licenses and open licenses. Open licenses allow us to access the source code, see what it looks like and modify it if necessary.
I know, you’re thinking that you don’t understand anything about programming, and therefore you don’t care to have access to the source code. That’s not the point. Having the code open and accessible is a matter of transparency which gives us more protection and security. So always prefer open source solutions.
Cost
A very important factor is also the cost of the service. In this area, the most popular solution is the freemium subscription model. That is, software that provides basic functionality for free, but a monthly/annual subscription is required to access premium features.
Bitwarden
The password manager that I recommend, especially if you are a beginner is Bitwarden. This service is open source, cloud based, uses E2E encryption and offers a very comprehensive free plan. In addition, in case the basic plan should go tight you can upgrade to the premium plan for less than ten euros per year.
Single point of failure
One last note before leaving us. Using a password manager introduces what in computer science is called a single point of failure. This means that if an attacker manages to access our password manager he also has access to all our passwords. For this reason it is essential to use a very strong master password. This means using a passphrase composed of many words (7+) that are not tied together. Also it is a very good idea to use two-factor authentication4 at least for the services you consider critical and for the access to Bitwarden itself.
Pro user
Are you an experienced user and want to try something new? Well here are two experiments for you.
- Self-hosting Bitwarden Bitwarden can also be self-hosted so you can take back control of your (encrypted) data. If you want to go ahead I suggest you take a look at the vaultwarden project, but be careful, in this case the security of the data and its backup is in your hands.
- Local password managers There are several local password managers, pass is one of them.
This is a simpler concept than it might seem. Assume we have a combination lock with two digits between zero and nine. Such a lock can take any value between
00
and99
. So, an attacker, in order to know the password with certainty will have to try all hundred combinations. Now let’s assume that there is a plus version of this lock. This new version seems to be more secure than the previous one, in fact it makes it impossible to use a combination consisting of two equal digits. For example, the combination55
is valid for the first lock, but not for the plus version. An attacker would have to make at most ninety attempts to open this new lock because he already knows that00
,11
,22
etc. are invalid entries. So the plus version below is a minus version. ↩︎Have you ever confused the capital i (I) with the lowercase l (l)? Or confuse o with zero? ↩︎
The previously mentioned solutions generally don’t allow you to make backups so you risk locking yourself out. Also, passwords stored on a diary or in the notes app are not encrypted so anyone with access to the device can read your credentials. ↩︎
Two-factor authentication, often abbreviated to 2FA, refers to a two-factor login process. The first factor is usually the password, while the second is usually a numeric code that can be used only once. Surely you have used a 2FA mechanism to access your web bank. ↩︎