Why and how to improve your password management

According to multiple sources, almost 55% of people use the same password across multiple online services. I used to be one of them. I was fairly confident my password was too complex to be hacked… Well, guess what, I was wrong.

Business vector created by jcomp — www.freepik.com

Fortunately my “No one can hack my password” mentality had no grave consequences, but it could have.

Back in 2015 (or 2016, not sure) I got an email from Steam informing me that someone had logged in into my account from a suspicious location. At first, I thought this was another phishing mail trying to get me to fill out my credentials on some obscure website, but after double-checking, the email seemed legit.

I was somewhat concerned because my Visa card was linked to my Steam account and the person that got into it could easily go on a shopping spree. My password had not been changed yet, so I was still able to log in. The first thing I did was resetting it to another password… that I had used before 😵‍💫. You can probably guess what happened next. Exactly, I received the same email a few weeks later. Somebody had logged in into my account, but again I was able to safely reset my password.

Looking back, the person that “hacked” my account would never have been able to change my password, because it would require a confirmation via email and that account was one of the few accounts that had a password that I did not share across multiple accounts.

Thinking back to that second incident a few weeks back, I decided to change my “password management” (which wasn’t managed at all).

Have I been pwned?

I started off with checking “Have I been pwned” (/pəʊnd/). It’s a tool where you can enter your email or phone and check if your data was exposed in “breaches” to persons that should not have been able to view it. To my surprise, my data had been compromised in 15!! breaches. A lot of them included my email, username, and password (or password hash, more on that later). I was somewhat taken aback by the amount of breaches my data was involved in.

Importance of complex passwords

Before advocating why you should use a password manager, I want you to understand the importance of using complex passwords and why reusing the same password over and over again is bad practice.

Beside social engineering, a brute-force attack is the most common tactic to gain unauthorized access to (your) accounts.

A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

That means, if the attacker keeps guessing, they will eventually be able to gain access to your account. It’s obvious that the more complex the password, the longer this guessing game will take. The schematic below gives you an idea how long it would take an attacker to brute force a password, depending on the complexity and length of it.

Source: https://www.hivesystems.io/blog/are-your-passwords-in-the-green

Remember my “too-complex-to-hack password” I used on almost all of my accounts? It would’ve taken an attacker only 1 hour to brute force it. My password had:

  • 8 characters
  • Upper and lowercase letters
  • Numbers

On top of that, attackers often use rainbow tables to speed up their guessing game. These tables basically contain (common) passwords and their corresponding hashes. That means if a data breach occurred, and it contains among other data, hashed passwords, then plain text passwords can be matched with their corresponding hash and the attacker doesn’t even have to brute force. Let me give you an example and let’s assume that:

  1. I have set a password “12345678” on one of my accounts.
  2. The platform where I have set the password got breached and all its data got leaked.

The platform that stores my password to later allow me to log in again, will not store it in plain text (I hope 🙏). It will rather store it as a hash, which is basically a chain of characters that represent your password. Now let’s consider the following, very simplified, rainbow table:

A very simplified example of a rainbow table

Noticed that my common password as well as its corresponding hash can be found in the table above? This means the attacker doesn’t have to guess my password but can just look it up by matching the leaked hash with my plain text password. This can be simply avoided by using a complex, uncommon password.

Note: a rainbow table is ineffective against one-way hashes that include large salts.

It’s needless to say that once your password has been “brute forced” or leaked, the attacker can use it to gain access to all your accounts using that password. That’s why it’s really important to avoid using the same password across multiple services. Because sooner or later your data will be part of a breach, guaranteed, a 100%.

When (not if) that happens, you’ll be glad that you only have to reset and secure that one account instead of all the ones you are using that password for.

Managing your passwords and credentials

Now that you understand the importance of using complex passwords, as well as avoiding using the same one across multiple platforms, I’ll explain how I managed to turn my poor password policy around.

There are three main things I did, and I suggest you do them as well.

1. Start using a password manager

A password manager is a computer program that allows users to store, generate, and manage their passwords for local applications and online services.

There are a lot of password managers available and each have their pro’s and cons. These are some of the most known and used ones:

This article might help you out with choosing the best fit for you. I went with Bitwarden as it has a lot of features in its free version, and it allows you to self-host the software as well (although this is a feature suited for more technical advanced users).

Once you have installed the manager of your choice, I recommend to

  • Choose a very complex “master password” (one you can remember of course 🐵)
  • Immediately enable two-factor authentication. Be sure to pick “App” 2FA over “SMS” 2FA.
  • Add all your existing credentials to the manager and remove all other files, papers, … where you were storing them before.

2. Check for reused passwords

A lot of password managers have a feature called “Reused passwords report”. I strongly urge checking out that report. You should make sure that report is empty or, in other words, that all of your passwords are unique. If a service that you use is compromised, reusing the same password elsewhere can allow hackers to easily gain access to more of your online accounts.

3. Enable 2FA where possible

Two-factor authentication is a mechanism where a user is only granted access to a service after successfully presenting two (or more) pieces of evidence.

  • Knowledge, something only the user knows. For example, a password, passphrase or a PIN.
  • Possession, something only the user has. For example, a key or a token (= digital version of a key).
Computer vector created by stories — www.freepik.com

The most common token generator is “Google Authenticator”. It can be downloaded from the Apple app store as well as the Google Play Store.

A lot of services allow you to enable 2FA on your account. It basically means that you cannot log in by only providing your password. You also have to provide a token that is randomly generated and refreshed every 30 seconds by the 2FA app. Or in case you enabled SMS verification, a token that has been sent to your phone.

I strongly recommend enabling this on every service that provides it. It will take you a little longer to authenticate, but the risk of your account being compromised is reduced to almost zero.

Pros and cons

Using a password manager has a lot of benefits, but it also has a few minor downsides.

  • There’s still some vulnerability to consider. If someone else learns the master password for your password manager, all the other passwords stored there could be stolen.
  • You might forget your master password. Typically, you’ll be locked out of the password manager’s database. There are ways to get back in, but the worst-case scenario is that you’ll then be forced to reset the password for every account included in your “vault.”
  • Setup and use could be tedious. You might have to get used to using a password manager, which can take a while and some time.

But they do not outweigh the benefits

  • Passwords are remembered for you
  • Passwords can be unique and complex
  • Passwords are encrypted

There are a lot of other ways to protect your online information (be careful with Wi-Fi, treat emails and attachments with caution, use hardware password managers, use private/public key authentication, …), but using a password manager is one of the most effective and easy ones to start with.