Passwords are not fun. Creating a new password is an annoyance, and remembering more than one is harder still. So… how do you remember every single password for every single service you use? And, what is more: how do you make them more secure?

In this post I will:

Par excellence authentication method

First things first: why do we use passwords? The password is the most common authentication method that online services use to verify someone’s identity. Before you ask: yes, there are other authentication methods, like digital certificates (as I explain in this post), your fingerprint or hardware security keys.

Image: Privacy and security icons (created by rawpixel.com - www.freepik.es).

How do passwords work? Hash functions

The thing about passwords is that you “only” have to remember them. If you keep your password secret, then knowing it is proof that you are the person behind the login. So the question now is: how does Facebook check my password if I am the only one who knows it?

That’s a good question, right? Well, I don’t know how Facebook stores its data :D but what services like Facebook usually use are hash functions. A hash function translates your password into another piece of text (we call it a string) that looks as if it had nothing to do with your password, and from which the password cannot be recovered.

The fun part about hash functions is that they are not reversible, but they are deterministic: they produce the same output for the same input. Password hashing functions like bcrypt add a twist: they mix in a random value called a salt and store it inside the output, so two users with the same password get different hashes, and they are deliberately slow, so that every guess costs the attacker real time. Therefore, we can use them like this:

  1. You tell Facebook your password amazing-password
  2. Facebook computes the hash: bcrypt('amazing-password') = $2a$10$3SuvGQgRycZxOcOUaTH27.dOurPADTRxeFYDaBZgJqexiG2cjRtqe (the $2a$10$ prefix records the bcrypt version and cost, and the random salt is embedded right after it)
  3. Facebook stores the hash $2a$10$3SuvGQgR... and throws the password away
  4. You go to the login page and provide again your amazing-password
  5. Facebook hashes it again with the salt taken from the stored hash and compares the stored hash with this new hash
  6. If they are the same, you are in!
Image: Python code as an example of hashed password authentication.
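The six steps above as a runnable example. This is an added example, not the post’s own code: instead of bcrypt (which needs a third-party package) it uses PBKDF2-HMAC-SHA256 from Python’s standard library, which also salts the password and slows the hash down; the record format, the iteration count and the in-memory user table are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not the post's own code. Uses PBKDF2-HMAC-SHA256 from the
# standard library instead of bcrypt; the record format, iteration count and
# the user table below are assumptions made for this example.

ITERATIONS = 600_000   # assumption: work factor; higher = slower for attackers (and for you)
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Steps 2 and 3: hash the password and return a self-describing record
    'pbkdf2_sha256$<iterations>$<salt>$<hash>'. A fresh random salt is drawn
    unless one is supplied, so two users with the same password get different
    records and an attacker cannot reuse one guess against all of them."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Step 5: re-hash the login attempt with the salt and iteration count
    taken from the stored record and compare in constant time, so the time
    taken does not leak how many bytes of the hash matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        _unb64(salt_b64), int(iterations))
        return hmac.compare_digest(candidate, _unb64(digest_b64))
    except (ValueError, TypeError):
        return False  # malformed record: never accept


# Toy in-memory user table standing in for the service's database.
USERS: Dict[str, str] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)   # the password itself is never stored


def login(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)   # same cost for unknown users: do not reveal which names exist
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("alice", "amazing-password")
    print(USERS["alice"])                          # pbkdf2_sha256$600000$<salt>$<hash>
    print(login("alice", "amazing-password"))      # True
    print(login("alice", "Amazing-password"))      # False
    print(login("nobody", "amazing-password"))     # False
```

Note that running hash_password twice on the same password gives two different records (different salts), yet both verify; that is exactly why step 5 has to take the salt from the stored hash rather than hashing from scratch.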

How secure is my password?

Wait. Do you have just one password? Using the same one for different services is risky: if one of the services is compromised, the password can be leaked, and attackers routinely try leaked credentials on every other popular service (this is called credential stuffing), so suddenly all your accounts are at risk.

The first rule is to have a different password for every service, or at the very least more than one.

Creating strong passwords: build phrases

We agreed that hash functions are not reversible. Indeed, nobody can directly get your password back from the hash, but the bad guys can try to guess it. How?

The most famous attack for guessing a password from its hash is the dictionary attack. The attacker has a dictionary of common words, previously leaked passwords and their typical variations (a capital letter, a year or a symbol appended). With this, they compute the hash of every candidate in the dictionary and compare it with the hash of your password. If they are the same, they have your password. Two things make this harder for them: a salt, so that each guess has to be hashed separately for every user instead of once for the whole leaked database, and a slow hash like bcrypt, so that every guess costs real time.

Therefore, a secure password is one that an attacker is unlikely to try within a reasonable period of time. Of course, a single word or your birth date is not a secure password.
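To make the attack concrete, here is a small dictionary attack run against a constructed “leak”, once against unsalted SHA-256 hashes and once against the same passwords stored with a per-user salt. This is an added example, not code from the post; the leaked hashes, the salts and the five-word wordlist are constructed for illustration, and the mangling rules are a toy version of what real cracking tools apply.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple

# Added example, not code from the post. The "leaks" and the wordlist below are
# constructed for illustration; real leaks hold millions of hashes and real
# wordlists (built from earlier breaches) hold millions of words.


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, the way a weakly designed service might store passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sha256_salted_hex(salt: str, text: str) -> str:
    """The same fast hash, but with a per-user salt mixed in."""
    return hashlib.sha256((salt + text).encode("utf-8")).hexdigest()


# Constructed leak: username -> unsalted hash.
LEAKED_HASHES: Dict[str, str] = {
    "alice": sha256_hex("password123"),
    "bob": sha256_hex("Summer2020!"),
    "carol": sha256_hex("ihave!NOIDEA!building10Passwords"),  # a phrase from the post
}

# Constructed leak of the same passwords, each stored with its own salt.
SALTED_LEAK: Dict[str, Tuple[str, str]] = {
    "alice": ("x7Kp", sha256_salted_hex("x7Kp", "password123")),
    "bob": ("Qm2z", sha256_salted_hex("Qm2z", "Summer2020!")),
    "carol": ("a9Lr", sha256_salted_hex("a9Lr", "ihave!NOIDEA!building10Passwords")),
}

WORDLIST: List[str] = ["password", "123456", "summer", "qwerty", "letmein"]


def candidates(word: str) -> Iterator[str]:
    """Expand one wordlist entry with 'mangling rules' like a cracking tool does:
    optional capitalisation, an appended year, an appended suffix (32 guesses per word)."""
    for base in (word, word.capitalize()):
        for year in ("", "2019", "2020", "2021"):
            for suffix in ("", "123", "!", "1"):
                yield base + year + suffix


def all_candidates(wordlist: List[str]) -> Iterator[str]:
    for word in wordlist:
        yield from candidates(word)


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes: each candidate is hashed once and
    looked up against every user's hash at the same time."""
    by_hash = {h: user for user, h in leaked.items()}
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    for cand in all_candidates(wordlist):
        hashes_computed += 1
        user = by_hash.get(sha256_hex(cand))
        if user is not None:
            cracked[user] = cand
    return cracked, hashes_computed


def crack_salted(leaked: Dict[str, Tuple[str, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same attack against salted hashes: the salt differs per user, so the
    wordlist has to be re-hashed for every user separately."""
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    for user, (salt, target) in leaked.items():
        for cand in all_candidates(wordlist):
            hashes_computed += 1
            if sha256_salted_hex(salt, cand) == target:
                cracked[user] = cand
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    found, work = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(found, work)   # alice and bob fall, carol's phrase survives; 160 hashes computed
    found, work = crack_salted(SALTED_LEAK, WORDLIST)
    print(found, work)   # the same two users fall, but 253 hashes were needed
```

Two things to take away. The weak passwords fall in both runs: a salt does not rescue “password123”, it only stops the attacker from cracking the whole database with one pass over the wordlist. And the phrase from the post is never tried at all, because it is not a dictionary word plus a rule. A slow hash like bcrypt adds the third defence: every one of those hash computations goes from microseconds to a noticeable fraction of a second.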

Here’s my tip on how to build strong passwords: build phrases. For example, good passwords are ihave!NOIDEA!building10Passwords or 2020wasTHE-WORST-YEARever:D. They are long, easy for you to remember, and they do not appear in any dictionary.

Image: How secure is the ihave!NOIDEA!building10Passwords password.

Changing your password frequently

Let’s imagine now that your Facebook password has been compromised but you do not know it. First, we will assume you are a smart user and you do not use the same password for Facebook and for the email account connected to it.

The problem is that this password will be valid until you change it. Whoever has your password will be able to access your Facebook account for all that time. If you have a policy for rotating passwords, the time the attacker has access to your account is limited. Rotation limits the damage, it does not detect the compromise, so it is still worth turning on two-factor authentication wherever the service offers it.

Password managers: you need them

You need a password manager, even if you did not know they existed. Rotating passwords frequently and building and remembering more than one strong password is difficult. How about a secure system that helps you with this? I will show here the two options I think are the most convenient for most users, both Open Source.

These applications save all your passwords for you, so you don’t have to remember every service and password you use. What is more, they can generate strong random passwords and remind you when it is time to renew them. How do they protect your passwords? Well… with another password.

TL;DR: Password managers save all your passwords so you only have to remember 1 password.

Online: Bitwarden

Bitwarden is an Open Source password manager with web, desktop, mobile and browser-extension clients. What is the benefit of an online password manager? Simple: having all your passwords everywhere, so you can access them from every device and they stay synced.

Image: Bitwarden dashboard (https://bitwarden.com/).

You can create an account and download the software from their web page: https://bitwarden.com/. After that, you can use their web application or the desktop clients available at their website. Bitwarden allows you to create folders, store two-factor authentication codes and add attachments to your entries. Moreover, you can share some of your passwords with someone else by creating an organization. Since your vault lives on their servers, everything depends on your master password: make it the strongest one you own, and protect the Bitwarden account itself with two-factor authentication.

Image: Editing a password in Bitwarden (https://bitwarden.com/).

Online alternatives to Bitwarden:

Keep it in your computer: KeePassXC

Although having your passwords everywhere and synced can be useful, it is not the most secure way of using a password manager. KeePassXC is an offline password manager that stores the whole password database in a single encrypted file on your computer.

Image: Opening the KeePassXC database (https://keepassxc.org/).

Of course, this file is encrypted and can only be opened with a strong master password that you have to remember. The main benefit is that you have complete control over your passwords: nothing leaves your machine unless you copy the file yourself. What is more, KeePassXC lets you protect the database further with a key file or a hardware token (a YubiKey in challenge-response mode), so that the master password alone is not enough to open it. To use it, you just open the file with the desktop application and your master password.

Image: Encryption options of the database file (https://keepassxc.org/).

KeePassXC has many features, from generating TOTP codes to acting as a key store for the SSH agent. However, two of the most interesting options are the Auto-Type feature and the browser extension support. These let you avoid copying the username and password to the clipboard, where any other program on the machine can read them. Although KeePassXC clears the clipboard for you after a short period of time, it is more secure for KeePassXC to send the key strokes that type your password into the login form, or for the browser extension to fill it in directly, since the extension only offers the entries whose stored URL matches the site you are on.

Image: Your passwords in KeePassXC (https://keepassxc.org/).

Browser extensions:

Conclusion: what is this all about?

Passwords are not fun but we need them, at least for now. My tip here is to start using a password manager.

The best option is to use an offline password manager like KeePassXC (my favorite).

Their main benefits are:

  • Strong, long and secure passwords.
  • Knowing every account you have.
  • Changing a password is no longer a chore: you do not have to remember it.
  • You only have to remember one secure password.

Obri! Hope you learnt how to keep your passwords secure from now on :D