Secure passwords - how to create and manage them

in #security · 7 years ago (edited)

How to create and manage secure passwords

Creating a secure password for each of your accounts is very annoying! Nowadays you need a password-protected account for everything - newspaper, social networks, email, online banking, even your cookbook! Nobody can remember hundreds of different and complex passwords. So most people choose pretty simple access keys and use the same 2-3 passwords for everything! I don't need to tell you that this is a veeery bad idea.


I want to keep this article short, so I refrain from listing examples where a weak password had severe consequences. Everyone can imagine what happens if your bank account or your bitcoin wallet gets hacked!

In the first part I show some rules for a secure password. After that I give some hints on how to remember and manage the jumble of passphrases.

Part 1: Creating a strong password


Your passphrases should meet the following criteria:

  • Length: at least 11 characters.
    More characters -> more difficult to crack! A 10 character long password could be cracked via brute force in days or months. With solely one additional character an attack will need years!
  • Characters: uppercase and lowercase letters, numbers, symbols.
    With only lowercase letters every position of your phrase has 26 different possibilities. If you add uppercase letters to the mix you double the possibilities per position. With numbers and symbols it will get very tough to crack.
  • Words: don't use dictionary words.
    Cybercriminals use word lists such as different dictionaries. So don't use these words. Be creative and invent new words ;-)
  • Names / birthdays: don't use names, dates or personal details.
    Through social engineering or social networks like Facebook, the maiden name of your mother or the birthday of your son can become public pretty fast.
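To make the four criteria above concrete, here is a small checker I added for this article (it is not code from the post or from any of the tools mentioned later). It tests length, character classes, dictionary words and personal details, and it also computes the size of the alphabet an attacker has to search per position, which is where the "26 possibilities per position, doubled with uppercase" reasoning comes from. The word list and the personal details are constructed placeholders; a real check would use the full dictionaries the text refers to.

```python
import math
import string

# Constructed mini word list, standing in for the dictionaries attackers use.
DICTIONARY_WORDS = {"password", "hamster", "facebook", "cookbook", "whale", "money"}

# Constructed personal details (surname, birth year, first name) that an
# attacker could scrape from social networks. Placeholders only.
PERSONAL_DETAILS = {"smith", "1984", "max"}

MIN_LENGTH = 11  # the article's minimum


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search for each position.

    Lowercase alone gives 26; adding uppercase doubles it to 52; digits and
    symbols push it towards 94 printable ASCII characters.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def keyspace_bits(pw: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def extra_char_factor(pw: str) -> int:
    """How much harder brute force gets if one more character is appended
    from the same alphabet: exactly the alphabet size."""
    return charset_size(pw)


def check_password(pw: str) -> list:
    """Return a list of violated criteria; an empty list means all pass."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(detail in lowered for detail in PERSONAL_DETAILS):
        problems.append("contains a personal detail")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "MaxSmith1984", "k-4X%hLifac8"):
        print(candidate, round(keyspace_bits(candidate), 1), "bits",
              check_password(candidate) or "OK")
```

Run it on a few candidates and compare the bit counts: going from lowercase-only to mixed case adds one bit per position, and each extra character multiplies the search space by the whole alphabet size, which is why length beats a single clever symbol.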

And some additional rules:

  • For every account create a new and unique password.
    Don't use one main password, even in slight variations, for everything. It would be a shame if your account on a hamster forum got cracked and the criminals could use the same password for your email accounts.
  • Complexity should fit the occasion
    If you have different passwords, you don't need a super strong passphrase for every unimportant site like the hamster forum or your cookbook. It's sufficient to use a good but memorizable password for such sites. In return give your important accounts very strong access keys!

Check your passwords

Here are some sites which check the quality of your passwords. I don't recommend giving them the identical passwords you would use for your accounts.

https://howsecureismypassword.net/ - Tells you how fast your password could be cracked. I wouldn't trust these values 100%, but as a rule of thumb it works.

http://www.passwordmeter.com/ - Rates your passwords and tells you how strong they are.

[Image: passwordmeter.png - Strong stuff!]

All this sounds pretty annoying, right? But you don't have much of a choice. You wouldn't give a stranger your credit card and PIN code, would you? More and more of our lives takes place online, therefore you need to treat your online identity as well as your normal offline identity.
Fortunately there are some tips and tools which will help you with all these long and infernally complex passwords.

Part 2: Manage your passwords


With so many complex passphrases you will need some kind of help. There are a lot of easy-to-use tools (so-called "password safes") which can generate and securely store your secret login data. But there are some offline methods as well. They come in handy if you don't trust any tools, if you want a fallback that works without power, or if you want to keep some strong, often needed passwords in your memory.
Personally I use a combination of both worlds. Most passwords I generate with a password safe called KeePass, but for important or frequently needed logins I generate them with a simple-to-remember method and store them first in my brain and in KeePass afterwards.

Option 1: Tools

There are different tools on the market. As mentioned, I use KeePass, not because it's the best, just because it was the first password safe I was introduced to. There may be better alternatives, so I encourage you to do some research to find the tool that fits your needs. It's a good idea to use something with a built-in password generator that is available on different platforms (Windows, Linux, Android, iOS, etc.) so you can use the same password database on all your devices.

Regarding password safes there are online and offline tools. Here are some good products:

KeePass

[Image: keepass.png]

Source: http://keepass.info/

KeePass is a free password safe where you can store your important data in different categories. It comes with a built-in password generator and is available for most operating systems and smartphones. For Android I recommend "KeePass2Android". You can copy your password database to every device manually or store it in a cloud. Be careful: if you like to use cloud providers like Google Drive or Dropbox, you should use the additional keyfile feature to open your password database. Don't store the keyfile in the cloud!

KeePass website: http://keepass.info/

Master Password
This is a free and really innovative app for your smartphone or computer. The developers describe it as follows:

Master Password is different: it is based on an ingenious password generation algorithm that guarantees your passwords can never be lost.
While password managers generally save your passwords in an encrypted vault or upload them to the cloud for safe-keeping, they make you dependent on syncing, backups or Internet access.
Master Password has none of these downsides. Its passwords aren't stored: they are generated on-demand from your name, the site and your master password; even on a brand-new iPhone without restoring any backups or Internet access.

[Image: Master-Password.jpg]

Source: http://masterpasswordapp.com/

If you don't have any tool yet, I would recommend that one!

Master Password website: http://masterpasswordapp.com/

LastPass
LastPass stores everything in its own cloud. It's very convenient, but you need to trust the developers. There are browser extensions for your computer and apps for your smartphone. You can pay 1$/month to get additional features. This may be a good solution if you want a password safe (and not an on-demand generation tool like Master Password) where you don't need to bother with copying the latest version of your password database from place to place.

[Image: lastpass.jpg]

LastPass website: https://www.lastpass.com/

Browser
Most people use this method without even noticing that it's a password safe. Every modern browser can save login information for visited websites. It's not a good idea to use this feature blindly. Some browsers even store this information in plain text... for example Firefox. The saved passwords are not encrypted if you don't use a master password.

Another problem is that somebody who uses your computer can easily access the passwords with the "inspect" feature of your browser. To do so you simply inspect a password field on a website, change type="password" to type="text", and the original text is revealed on the screen. Read more on that here: https://www.maketecheasier.com/see-password-in-browser/

Conclusion: Don't save important login information in your browser!

Option 2: System

There are some "analogue" methods I would like to introduce. It's a good idea to find a way to remember the most needed passwords so you don't need to look in your password app every 10 minutes. Here are three ways to generate your passwords offline.

Basic password + characters of service name
In this technique you have one password as the foundation for every service you use. Then you add, for example, the first 3 letters of the name of the website you need the password for. Then add the length of the website's name as a number.

Example:
Basic password: k-4X%hLi
Website/service name: facebook
Length of service's name: 8
First 3 letters: fac
Password: k-4X%hLifac8

Password sentence
With this method you choose a short, pointless sentence that has a connection to the service or website you need a password for. Then you add some symbols or convert it into "1337". Your Bitcoin password sentence could be "money fly blue whale". Add some symbols or 1337-speak: "mon3yflyblu3wh@l3". After that you could add some numbers or symbols that every one of your sentences gets: ";-mon3yflyblu3wh@l3+:"
You only need to remember

  • which conversion you make (for example e=3, a=@ etc...)
  • which constant symbols / numbers you add on which position to every password (for example ;- at the beginning and +: at the end)
  • a sentence which your brain can associate with the service

Generator on paper

For this technique you need a password card, which is a table filled with random characters. First you need to create a table like this:

[Image: ct.jpg]

The source for this table is a German computer magazine called c't. You can get the table at full resolution here: https://ct.de/y45t (article) or (picture).
But it should be easy to create your own table as well!

Now you fill every field with 3 (or more) random characters. You can search for a random character generator online if your brain struggles to generate random characters.

To read out a specific password, use the domain. For google.com use the characters in the fields "row 1, column GHI" for "g" + "row 1, column MNO" for "o" + "row 2, column MNO" for the second "o" + "row 2, column GHI" for the second "g" + "row 1, column JKL" for "l" + "row 1, column DEF" for "e".

It will be sufficient to only use the first 4 letters ("goog") of your domain name. As you probably noticed, most of the time you only need row 1. If you need to choose the same column again, you simply take the next row. The first o is "row 1, column MNO", the second o is "row 2, column MNO", the third o would be "row 3, column MNO" et cetera.
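All three offline methods (basic password + service name, password sentence, and the paper generator) are simple enough to state as code, and doing so makes the rules unambiguous. The following Python is an added example written for this article, not code from the post or from c't; it reproduces the post's own worked values (k-4X%hLifac8 and ;-mon3yflyblu3wh@l3+:) and implements the card lookup with the "same column again -> next row" rule. The column labels (ABC, DEF, GHI, JKL, MNO, PQR, STU, VWX, YZ), the 4-row card and the seeded demo card are my assumptions; a real card should be filled from a cryptographically secure source such as secrets.SystemRandom.

```python
import random
import string

# ---- Method 1: basic password + characters of the service name ----
def basic_plus_service(basic: str, service: str, letters: int = 3) -> str:
    """Append the first `letters` letters of the service name and its length."""
    return f"{basic}{service[:letters]}{len(service)}"


# ---- Method 2: password sentence with 1337 conversion and fixed affixes ----
# Only the conversions the post itself uses: e -> 3, a -> @.
LEET = str.maketrans({"e": "3", "a": "@"})

def password_sentence(sentence: str, prefix: str = ";-", suffix: str = "+:") -> str:
    """Strip spaces, apply the 1337 substitutions, add the constant affixes."""
    core = sentence.replace(" ", "").translate(LEET)
    return prefix + core + suffix


# ---- Method 3: generator on paper (password card) ----
# Assumed column labels; the post names DEF, GHI, JKL and MNO, the rest are my guess.
COLUMNS = ["ABC", "DEF", "GHI", "JKL", "MNO", "PQR", "STU", "VWX", "YZ"]
ROWS = 4  # assumed card height
CELL_LEN = 3  # "3 (or more) random characters" per field

def make_card(rng: random.Random, rows: int = ROWS, cell_len: int = CELL_LEN) -> dict:
    """Build a card as {(row, column_label): random_chars}.

    `rng` is injected so the demo is reproducible; for a real card pass
    random.SystemRandom() (secrets-quality randomness) and print it out.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return {
        (row, col): "".join(rng.choice(alphabet) for _ in range(cell_len))
        for row in range(1, rows + 1)
        for col in COLUMNS
    }

def column_for(letter: str) -> str:
    """Map a letter to its column label."""
    for col in COLUMNS:
        if letter.upper() in col:
            return col
    raise ValueError(f"no column for {letter!r}")

def card_password(card: dict, domain: str, letters: int = 4, rows: int = ROWS) -> str:
    """Read a password from the card for the first `letters` letters of the
    domain label. Each repeat use of a column moves one row down."""
    label = domain.split(".")[0]  # "google.com" -> "google"
    uses = {}  # column label -> how many times it has been used so far
    cells = []
    for ch in label[:letters]:
        if not ch.isalpha():
            continue  # digits and hyphens in domains are skipped (my choice)
        col = column_for(ch)
        row = uses.get(col, 0) + 1
        if row > rows:
            raise ValueError(f"column {col} reused more than {rows} times")
        uses[col] = row
        cells.append(card[(row, col)])
    return "".join(cells)

# Constructed demo card: deterministic seed so the example is reproducible.
DEMO_CARD = make_card(random.Random(1))

if __name__ == "__main__":
    print(basic_plus_service("k-4X%hLi", "facebook"))          # k-4X%hLifac8
    print(password_sentence("money fly blue whale"))          # ;-mon3yflyblu3wh@l3+:
    print(card_password(DEMO_CARD, "google.com"))             # goog -> 4 cells
    print(card_password(DEMO_CARD, "google.com", letters=6))  # google -> 6 cells
```

Note what the code makes visible about each method: in method 1 the only part that changes between services is the short suffix, so one leaked password exposes the base for all the others, which is why the post reserves such schemes for less important accounts; in method 3 the card itself is the secret, so it belongs in your wallet, not on a photo in the cloud.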

Some last notes on account security

Now everyone should know what a good password looks like and how to manage even large amounts of login information.

It's very important to give your accounts additional security through two-factor authentication (2FA), TAN generators, fingerprint scans etc. Save your password database in a safe place and always make a backup! Copy your password database to your backup drive, burn it on CD and put a written or printed backup in a safe deposit box.

I hope this article helps some of you. If you have any questions, please write them in the comment section. Do you have additional hints on how to manage or create your passwords? If you found this post useful, please consider upvoting and resteeming :)


Thank you for holding up a torch for memory. Most people entirely rely on technology to save their passwords. I memorize all my passwords and so can you. With memory techniques you can remember very secure and long passwords. Today I posted about a new free ebook from a memory coach friend of mine. Follow me for more about memory and get the book as long as it is free: https://steemit.com/security/@flauwy/new-ebook-free-for-limited-time-the-hack-proof-password-system

In the past we needed to remember a lot of phone numbers. Today we can do that with our passwords as well. I'm going to check out your ebook. Sounds interesting.

It is true, the demand for our memory is sinking due to technology. But that is even more a reason to use our brain properly and not get careless. Particularly when it comes to cryptocurrency.

Nice tutorial. Having strong passwords is getting more and more important and with your tips even I should be able to get some. ;)

Thanks! Yes, I tried to keep it easy and understandable. It's a boring task, but if you want to enjoy the wonders of the Interwebz you have to protect your accounts!
