Gearoid is an award-winning software craftsmanship coach, passionate about helping developers reach their full potential. By day, he …
Password Management - The Basics
- Part 1: This Post
- Part 2: Password Management - Passwordless Login
Happy World Password Day! (In 2024, it’s being celebrated on May 2nd). Remembering loads of passwords is an absolute pain. For those of us in corporate jobs, the number of personal and professional passwords we hold keeps growing, and we have to log into systems numerous times a day.
In general, employees manage 191 logins and log in 154 times a month, with each login taking, on average, 14 seconds, causing us to spend at least 36 minutes entering passwords per month. Let’s look at why a password manager should take care of it rather than tracking them all in our heads or on a scrap of paper.
The Impact of a Data Breach
According to Statista’s report, 6.43 million data records were leaked during the first quarter of 2023. When these data breaches occur, the leaked data may include our email addresses and passwords. Such a breach can start a chain reaction: “bad actors” log into our accounts, lock us out, and, if the email account is among them, pivot to further accounts. The damage snowballs if the same password is used everywhere: once inside our email, they can see which services we’re signed up for and log into them with the same password.
Using the same password across accounts is like using the one key for all the locks in an entire town and having thieves steal the key. They can then go through the contents of every building, see what is there, vandalise, and steal whatever they want. The impact financially and mentally would be huge.
Detecting Data Breaches
Google One provides scanning for our email addresses on the dark web, which lets us know the data breaches where our email addresses were exposed. The website Have I Been Pwned (HIBP) allows us to check on any email address and see if it’s been exposed through a data breach. There are also complete identity monitoring services that keep track of our email addresses, banking details, passport information, driving licence, and social security numbers. These complete services usually come at a cost.
Protecting Users From Data Breaches
HIBP provides a free service to check if a user’s password has been compromised in a data breach. The HIBP API can be integrated into sign-in or password update flows to notify users that their password has been compromised. Ideally, when a user tries to set a known compromised password, the service would block it and explain why. HIBP doesn’t publish which companies use the API on their platforms, but as users, we can ask platforms to add this feature, and if we’re in the privileged position of creating the applications, we can work to include it ourselves.
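The check described above, as an added example that is not code from the original post or from HIBP: the client hashes the candidate password with SHA-1, sends only the first five hex characters to the Pwned Passwords range endpoint (so the full hash never leaves the client), and looks for the remaining suffix in the returned list. The network call is included for completeness but the demo runs offline against a constructed response; the user-agent string and the breach counts are assumptions.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint (documented at haveibeenpwned.com/API/v3#PwnedPasswords)
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_split(password):
    """SHA-1 the password; return the 5-char prefix sent to HIBP and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines HIBP returns into a {suffix: count} dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_live(prefix):
    """Query HIBP for every suffix sharing this prefix (network; not used by the offline demo)."""
    headers = {"Add-Padding": "true",             # server pads the list with 0-count dummy suffixes
               "User-Agent": "example-signup-check"}  # HIBP requires a user agent; name is assumed
    req = urllib.request.Request(RANGE_URL + prefix, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the response to prefix 5BAA6. The first suffix is the real SHA-1
# tail of the word "password"; the other lines and all counts are invented filler.
SAMPLE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:2
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0
"""

def fetch_range_sample(prefix):
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""

def pwned_count(password, fetch_range=fetch_range_sample):
    """How many times the password appears in known breaches (0 if absent or only a padding line)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def check_new_password(password, fetch_range=fetch_range_sample):
    """Sign-up / password-change gate: reject breached passwords with a helpful message."""
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"This password has appeared {n:,} times in known data breaches; please choose another."
    return True, "Password not found in any known breach."
```

Swap `fetch_range_live` in for `fetch_range_sample` to run the check against the real service.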
Why Do We Need a Good Password?
Along with the data breaches that may expose our passwords on the dark web, hackers also try to break into our accounts by using software to guess our passwords. Below, we can see that the fewer character types a password uses, the easier it is to crack, even when the password length is increased.
However, suppose we use a previously stolen password, simple words, or the same password across multiple sites. In that case, the table above turns purple, as each such password is cracked instantly, no matter the character combination or length. This is because hackers start with standard, easy or already-known passwords rather than guessing from scratch.
Why Do We Re-Use Passwords?
Remembering long and complex passwords is tricky unless we have a photographic memory like Sheldon Cooper from The Big Bang Theory. Generally, we need memorable passwords, and with the ever-increasing number of accounts we use, it’s hard to keep track of them all. Common strategies for coping are to re-use passwords or to have a base password that changes slightly according to the name of the service. In the 2021 report from LastPass, 92% of people know that re-using the same password or a variation of it is a risk. However, knowing the risk is not, on its own, enough to make people take action.
Good Security Practices
According to Bitwarden, the six good security practices we need are:
- Check if our password has been pwned: check whether the password has been exposed in a data breach.
- Ensure that we have a strong password: if we don’t have a password manager that provides a password generator, we could use Bitwarden’s strong password generator to create a password. If we have a password that we think is strong and want to check it, we could use Security.org’s password checker.
- Embrace two-factor authentication: a report by Comparitech says that 99.9% of all attacks are blocked by multi-factor authentication (MFA). For the small percentage that MFA doesn’t block, hackers will use social engineering, MFA fatigue, or other means to obtain the additional form of authentication needed.
- Stick to encrypted sharing methods: using our password manager’s sharing facility is an excellent way to go.
- Avoid re-use altogether: update the passwords for any accounts where our password has been re-used.
- Use a password manager: Techradar has a good review for 2024 that compares password managers and recommends them for different life scenarios.
Taking Password Management Seriously
Using a password manager is a way to strengthen our password security, remove the cognitive load of remembering all our passwords, and speed up our ability to log into platforms and services. The National Cyber Security Centre in the UK defines it as:
A password manager is an app on your phone, tablet or computer that stores your passwords, so you don’t need to remember them
Along with storing the password, a good password manager makes it frictionless to enter, lets us know if a password is re-used or weak, alerts us if our password has been compromised, and can manage our second-factor authentication. The password manager can also sync the passwords across all the platforms we need to enter our passwords.
According to a 2022 Security.org report, users who do not use password managers are three times more likely to experience identity theft than those who do.
Application Password Security
Over time, applications have become more sophisticated in how they store passwords. Initially, they might have been stored in plain text in the database; now they are transformed by a process that cannot be reversed, and these transformation processes keep getting more sophisticated.
In a data breach, the leaked passwords should be the transformed version. This slows down “bad actors”: they first have to work out how the passwords were transformed, and the transformation itself takes time to compute. To speed things up, they take known passwords that have already been transformed and look for matches in the leak, since any match lets them into that account immediately. This is why we must change our passwords after a data breach and ensure they are different across accounts. A good password slows down the cracking and buys us time to change it before they reach our account.
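An added example (not code from the original post) illustrating both halves of the argument above: an unsalted SHA-1 “transformation” lets a leaked table be audited against a list of known passwords in one lookup, matching every account that used the same word, whereas a per-user salt plus a slow key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) forces the work to be redone for every account and every guess. The word list, account names and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed mini word list standing in for the "known passwords" an attacker hashes first.
KNOWN_PASSWORDS = ["123456", "password", "qwerty", "letmein", "admin"]

def legacy_hash(password):
    """Unsalted SHA-1: irreversible, but identical for everyone who picked the same password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def audit_legacy_hashes(accounts, wordlist=KNOWN_PASSWORDS):
    """Defender's audit of a leaked {user: sha1_hex} table: which accounts fall instantly to a
    lookup of pre-hashed known passwords? One hash per word covers every account using that word."""
    table = {legacy_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in accounts.items() if h in table}

def hash_password(password, iterations=600_000):
    """Modern storage: 16-byte random salt per user plus a deliberately slow KDF.
    The self-describing string lets the iteration count be raised for new hashes over time."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Two users share "password"; both are exposed by a single precomputed hash.
    leak = {"alice": legacy_hash("password"), "bob": legacy_hash("password"),
            "carol": legacy_hash("Tr0ub4dor&3 unique!")}
    print("instantly matched:", audit_legacy_hashes(leak))
    # With salting, the same password yields different stored values for each user.
    print(hash_password("password", 1000) != hash_password("password", 1000))
```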
What Password Manager Should We Use?
Some free password managers are iCloud Keychain, Google Password Manager and Firefox Password Manager. These are a good start; however, they have limitations and are tied to the browser they are associated with. This means the iCloud keychain works with Safari, Google Password Manager with Chrome, and Firefox Password Manager with Firefox. Suppose we’re finding that we need to enter passwords outside of our browser and have to try and find the password, or we are defaulting back to inadequate password behaviours. In that case, it may be time we looked into dedicated password managers.
When looking for a password manager, we should look for one that easily syncs across all devices and makes it easy to save and enter our passwords at a minimum. Once we have entered our password for the password manager or used our fingerprint, for example, to log in, we should be able to choose in one click which accounts we want to use to log into a service. Some password managers will automatically enter our credentials in the app or website. A reputable review site can save us the hard work of comparing the different services. An example is the Techradar review for 2024. On the list, there are free and paid solutions.
Starting Our Life With a Password Manager
Once we’ve chosen our password manager, we must enable our devices and browsers to use it seamlessly. This might be apps or browser extensions. Let’s take Bitwarden and 1Password as our examples since Bitwarden is currently the best free password manager available, according to TechRadar, while 1Password is used by many businesses. We need to install the apps and extensions to get started using them. Both websites provide handy download pages:
- Bitwarden: https://bitwarden.com/download
- 1Password: https://1password.com/downloads
At the end of installing everything, we should have the following:
- A desktop app
- Extensions for each browser we use, e.g. Chrome, Safari, Edge…
- The mobile app
For the Bitwarden mobile app, Bitwarden has a help page on setting up autofill and biometric unlock; both are needed to make using the app as easy as possible.
Password Checkup
Some password managers will provide a service to score all our passwords and let us know where we may be exposed. 1Password provides Watchtower, which identifies the following:
- Identify vulnerable logins imported from LastPass: LastPass had data breaches, and this check informs us where we might be vulnerable.
- Find compromised websites and vulnerable passwords.
- Find websites that support passkeys.
- Identify re-used and weak passwords.
- Find unsecured websites.
- Identify logins that support two-factor authentication.
- Check for expiring items.
- Find duplicate items.
Ideally, we want a perfect score across the board, but in reality we can only do what each website allows. This means that any accounts that limit us to PINs or short passwords will show up as vulnerable or as having a weak password. In these cases, we need to ensure that any second form of authentication on offer is enabled, so that if a hacker blows their way through the password, they are blocked by MFA, which, as we read above, blocks attacks 99.9% of the time. Banks are notorious for having very weak password or PIN protocols, so they must combine them with apps, one-time passcodes and card readers.
One-Time Passcodes
Another feature our password manager hopefully has is the ability to store one-time passcodes. These are a form of second-factor authentication, set up by scanning a QR code. Once set up, the codes change every thirty seconds. The benefit of having them in our password manager is that they are automatically entered when needed rather than being retrieved from another app. 1Password has a guide to help us through the process of setting up one-time passcodes.
What’s next?
Since it’s World Password Day, we can level up our password management skills and ensure we’re not vulnerable. If we don’t have a password manager, it’s an opportunity to set one up, as it’s easy and will save us time. We can bite the bullet and change any re-used passwords. Also, look at our vulnerable and weak passwords in our password manager and tackle a few of them. Over time, we can improve our password management score.
Conclusion
Password management is a problem that we all have to tackle. Keeping track of passwords in our heads and coming up with unique, strong passwords is challenging. Rather than having this cognitive load, we’ve seen the benefit that password managers bring. The only question left is, what will it take us to make the simple move of setting up our password manager and living the life of not having to remember loads of passwords and instead our one password manager password?
Further Reading
- 139 password statistics to help you stay safe in 2024: https://us.norton.com/blog/privacy/password-statistics
References
- LastPass Reveals 8 Truths about Passwords in the New Password Exposé: https://blog.lastpass.com/posts/2017/11/lastpass-reveals-8-truths-about-passwords-in-the-new-password-expose
- Data Breaches Worldwide: https://www.statista.com/topics/11610/data-breaches-worldwide/#topicOverview
- Google One Dark Web Report: https://one.google.com/dwr/dashboard
- Have I Been Pwned: https://haveibeenpwned.com
- Have I Been Pwned Password Checker: https://haveibeenpwned.com/Passwords
- Have I Been Pwned Password API: https://haveibeenpwned.com/API/v3#PwnedPasswords
- Bitwarden’s Strong Password Generator: https://bitwarden.com/password-generator
- Password Manager tips from the National Cyber Security Centre in the UK: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers
- Hive Tech Password: https://www.hivesystems.com/password
- The 2021 Psychology of Passwords Report: https://www.lastpass.com/resources/ebook/psychology-of-passwords-2021
- 6 Things to Keep Your Passwords Secure: https://bitwarden.com/blog/6-things-to-keep-your-passwords-secure
- Password Statistics: https://www.comparitech.com/blog/information-security/password-statistics
- 3 Techniques to Bypass MFA: https://securityscorecard.com/blog/techniques-to-bypass-mfa
- Password Manager Annual Report 2022: https://www.security.org/digital-safety/password-manager-annual-report/2022
- Best Password Manager of 2024: https://www.techradar.com/best/password-manager
- Password Manager Mobile Apps: https://bitwarden.com/help/getting-started-mobile
- Use Watchtower to find the account details you need to change: https://support.1password.com/watchtower/
- Setting up one-time passcodes in 1Password: https://support.1password.com/one-time-passwords/
Credits
The title image is from Dreamstudio AI.