What does a good, secure password look like?
You won’t like the answer.
Because it’s this: 456965230ee038b6ebd0e9369062113c861f5423e1146137e0bee8b2d3
That is an excellent password. It’s long, it’s complex, and most of all, you can’t remember it.
“Hold on,” I hear you say, hypothetical reader. “Why shouldn’t I be able to remember my own password?”
Because you are point of failure Number 1. How many passwords have you given out to people? Can you trust them? Can you really?
I don’t say that to sound scary. But it’s a practice in security circles that if a password is actual very, very important, that not even the person(s) who use it can call it up easily.
It gives you time to think, and to act on the thought, “Does this person actually require my password?” 99/100 times the answer is a very firm “No.” For example, your bank calls you. They tell you that there’s some potentially fraudulent charges made against your card. What does your bank actually need to verify that it’s you?
It’s not your card number. That’s in their database. They already know it. It’s not your name, same situation. It’s not your address, phone number, zip code, PIN number, SSN, none of it.
Typically, they will, instead, ask for the last 4 digits of something, a card, your SSN, etc. Even better is when they ask for just the numbers on your address. They know the rest. Someone asking for too much info is red flag number 1 that something is wrong with any situation.
People engaging in social engineering will usually move too quickly to give you much time to think. They’ve presented you an emergency and you need to act right now! But you don’t. What really happens if that call is legitimate and you hang up? You call your bank at its number and go through and get the charges declined. No love, time, or money really lost. A real bank employee, should a real person call you for this sort of thing, will absolutely understand if you respond with, “I will call my bank back directly, thank you.”
But say you’re not very good under pressure. You fold quickly. That’s fine. Your password is long and unmanageable , and you have to go look it up to even give it out. Now you have precious long minutes to consider if this is even a little bit real.
“Well, okay, good point, but,” I hear my lovely hypothetical reader say, “now I have this long string of numbers and letters just sitting in a note pad document, or, worse, on a note pad. That’s just as bad!”
Well, yes. So don’t do that.
Instead, use a password manager.
First, they generate hilariously long passwords like that for you, so you don’t have to play a miniature drum solo on your keyboard to generate a password. Second, they store the passwords in an encrypted database, so they’re not in an unsecured word doc, or on flammable, easily stolen, note paper.
There are hosted services, like OnePass, LastPass, or Dashlane to use. There are decentralized services, like Myki, and then there’s the favorite of IT Professionals everywhere, Keepass, for keeping a local database.
Hosted services are great! If you feel you can put your trust in another company to securely host your passwords. Which you can, by the way. That’s not scare tactic. If any one of them decided to lose their minds and start selling password data, it’d be found out quickly, and many, many bad legal things would happen to them. But if you have a personal hang-up with cloud hosting, I get it.
Myki is the only decentralized service I’m aware of. Each device the app is installed on keeps its own encrypted local copy of the database, which in turn can be restored or accessed from any of those devices. The only thing that touches Myki servers is an encrypted packed to pass the data between devices when a update to the database happens. They can never actually see any data you move between devices. But, again, you are using someone else’s device to push your data around, and some people have hang-ups with that. Understandable.
Keepass is your solution for total control of a single encrypted password database. You just keep a cloud backup of it every night, and don’t lose your password. Bam. Done. No issues.
“Okay, that’s nice. But,” I once again hear my hypothetical reader ask, “What about that one password you’re using to unlock the database. Shouldn’t that be really long? Should I be able to remember it?”
Yes. To both questions.
“Doesn’t that create a single point of failure?” You ask, pointedly, hypothetical reader.
Yes. However.
First, any given hosted service is going to be up to current best practices and standards for storing and preventing access to encrypted data. Second, if you are using a hosted service, Two-Factor Authentication is your friend. Please use it.
Third, a decentralized service attack requires that an attacker have administrative access to one of your devices. If they have that, you have larger issues than your passwords being stolen.
And, finally, an attack on a local database requires, that, again, an attacker has access to the hosting device. Which would create a much larger issues than just your password being stolen.
Oh, and using the remember password feature in browsers? Totally fine. Use it all you like. Just be careful about where you’re syncing that data. I’m looking at you, Google Chrome.
“Okay, so, how do I remember my obnoxiously long password for my password manager?” My hypothetical reader asks.
I’m just going to link to this XKCD comic that I feel explains it best.
But, to summarize in case XKCD is blocked at your work place (why?), pick any 4 given common words, smush them together into one string (WITH SPACES!). The example given is “correct horse battery staple”. Now come up with some cute mnemonic to remember this for yourself, which you almost already did, most likely, and now you have a strong, human readable, human memorable, password.
This should be the only password you have like this. The rest are machine generated and meant to take until the heat death of the universe to brute force via machine guessing.
Well, unless you have to log into the IRS website… which disallows the use of password managers and copy/paste functionality in its password field. For reasons. None of them well explained.
Listen, the IRS is still running the entire tax system off of a program written in COBOL that has caused an estimated billion dollars in technical debt to get out from under into something more modern. We’re going to guess their problems go far and beyond their strange password policies.
Sometimes it really is the service’s fault when you get hacked. But you can do your best to avoid it in the meantime.
Stay safe online, and in the wide world.
If you have questions, you can contact me at my Harmony Group email address: AJ@HarmonyGroupATL.com
~AJ
