Imagine a world without passwords. Wouldn’t that be amazing? We didn’t have them back before computers and the internet, and in the future everything will have secure password-less login everywhere, but for now we need them if we are going to use the world wide web.
- Why does everything require a username and password?
- Can’t I just use the same password for everything?
- But why do passwords need to be so complicated?
- How am I supposed to remember all of these passwords?
These are questions that everyone has asked at some point. In this post, I plan to answer those questions, and hopefully give you a better understanding of the importance of good passwords and adding additional security measures.
Nothing is unhackable
First, you need to know that NOTHING is unhackable. Anyone who tells you otherwise is either lying or doesn’t understand how things work. To better understand why, you only need to realize that to stop a hacker, the security needs to be 100% secure 100% of the time. A hacker only needs to be successful once.
That doesn’t even account for Social Engineering. Social Engineering is, basically, tricking someone into giving you the information that you want. Spam emails and phone calls are the most common examples of this. If an attacker can talk you into giving them access to a computer or bank account, there is no amount of security that can keep them out. If you give a thief the keys to your house, it won’t matter how good your locks are, they’ll still get in.
NEVER give this information to anyone.
The Convenience <---> Security spectrum
Security and convenience are inversely related. The more security that you have, the less convenient it is to use. This is a simple fact. For example, if you were to put five deadbolts on your front door, your security would increase, but it’s less convenient to lock and unlock five locks. If you key each lock differently, your security would increase even more, and the convenience would decrease yet again by having to use five keys.
You will need to decide where on the spectrum you want to live, and this can be different based on the account. You might be willing to sacrifice more convenience to better secure your financial accounts than you are for Facebook. I can’t tell you if this is right or wrong, it’s your choice based on your threat tolerance.
Just remember, the easier it is for you, the easier it is for the bad guys.
Why does everything require a username and password?
Your username distinguishes you from every other user. The password is an attempt to ensure that you are the only one that can log into your account. I say “attempt” because it does not do a very good job of keeping others out who want in bad enough.
Can’t I just use the same password for everything?
Using the same username and password for multiple accounts is the most convenient and least secure method. I consider this basically zero security. Never do this.
Even the best companies eventually get hacked into. Usually when that happens, one of the first things that a hacker looks for is a list of usernames and passwords. Every website is supposed to store passwords as a “hash”, not the password itself, but hashes can still be cracked to recover the password (it’s not easy, but it is possible), and not everyone hashes passwords.
A password hash is the result of processing the password through a cryptographic function. When you enter your password into a website, it performs the same cryptographic function on what you entered and compares the output to the stored hash. Hashes are easy to calculate but very difficult to reverse.
If a website that you don’t even use anymore gets hacked and they get your username and password, no big deal right? Who cares about the information on that site? Maybe so, but what if it is the same login that you still use for your bank account? What if one of the many hackers that purchase your login information give it a try on your bank’s website? And what if they transfer all of your money into their own account? Is it still “no big deal?”
But why do passwords need to be so complicated?
Two of the many ways that hackers attempt to gain access to someone’s accounts are “Brute Force” and “Dictionary Attacks.”
With a Dictionary Attack, the hacker will use software to guess the password, using words from a dictionary. Then they will add numbers to the end and replace letters with numbers and special characters. This type of attack can be very fast when the password is not random.
- password
- Password
- password1
- password123
- pa$$w0rd
- pa$$w0rd123
These are some of the first ones in the dictionary. Why? Because they are some of the most commonly used passwords. These, and similar ones, could be cracked in less than a second by this attack.
In a Brute Force attack, a hacker will also use software, but this time they will try every combination of characters in the hope that they will be able to find the correct combination. If successful, they will have access to the account. A long and complicated password will make this harder for them. Imagine how long it would take to brute force the password 123456 vs. B$G+i|KC(u92kG:h0. Which is more secure?
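A defensive use of the same idea, as an added example that is not from the post: a registration-time check that undoes the cheap tricks a dictionary attack tries (case, a trailing run of digits or punctuation, letter-for-symbol substitutions) and rejects anything that collapses to a common base word. The blocklist and the substitution map are small constructed samples for illustration; a real deployment would load a large breached-password list.

```python
import re

# Constructed sample blocklist; a real check would use a breached-password list.
COMMON_BASE_WORDS = {"password", "letmein", "qwerty", "welcome", "admin"}

# Assumption: a representative subset of the substitutions attackers undo.
LEET_TO_PLAIN = str.maketrans({
    "$": "s", "5": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "4": "a", "@": "a", "7": "t",
})

# A trailing run of digits or common punctuation, e.g. "123", "!", "2024".
TRAILING_SUFFIX = re.compile(r"[0-9!?.#*]+$")


def normalize(password):
    """Lowercase, drop the trailing digit/punctuation run, then map leet
    characters back to letters, so 'Pa$$w0rd123' becomes 'password'."""
    stripped = TRAILING_SUFFIX.sub("", password.lower())
    return stripped.translate(LEET_TO_PLAIN)


def is_common_variant(password):
    """True when the password is just a dressed-up common word."""
    return normalize(password) in COMMON_BASE_WORDS


def check_password(password, min_length=12):
    """Return the list of reasons a password is rejected; empty means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than {} characters".format(min_length))
    if is_common_variant(password):
        problems.append(
            "variant of the common word '{}'".format(normalize(password))
        )
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Password", "password1", "password123",
                      "pa$$w0rd", "pa$$w0rd123", "B$G+i|KC(u92kG:h0"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

All six passwords from the list above normalize to the same base word and are rejected; the random 17-character password passes both checks.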
Password length matters as well as its randomness. The random password E9Uwl$ can be cracked within two minutes, while B$G+i|KC(u92kG:h0 could take 317,098 years to crack by brute force.
Below are some examples of random passwords of different lengths to demonstrate how increasing the length of your passwords makes them much harder to crack.
Length | Example | Est. Time to Crack | # of Possible Combinations |
---|---|---|---|
6 | E9Uwl$ | 2 minutes | 689,869,781,056 |
8 | Pq:O8uyR | 3 hours | 6,095,689,385,410,820 |
10 | %Q)^9^^j6b | 12 days | 53,861,511,409,490,000,000 |
12 | m|%y+=Z1:2Iv | 3 years | 475,920,314,814,253,000,000,000 |
13 | jJ6Rj!enJ/}5( | 32 years | 44,736,509,592,539,800,000,000,000 |
14 | iN%Sso.H%M3A*x | 317 years | 4,205,231,901,698,740,000,000,000,000 |
18 | Ag{Civ-9pDVv[{6it$ | 367,834 years | 328,323,043,381,012,000,000,000,000,000,000,000 |
21 | 7!^FY!e,)$@/S^qQxXV9q | 3 billion years | 272,699,866,663,574,000,000,000,000,000,000,000,000,000 |
How am I supposed to remember all of these passwords?
Not on a piece of paper. Writing them down is not secure, and tends to make you choose passwords that are easy to write. This makes them less secure. Plus, if someone steals that paper, or takes a picture of it, they have ALL of your logins.
This is where Password Managers come in. They are a safer way to store all your account logins in one place. That database of usernames and passwords is encrypted, and a single master password decrypts all of them. With a password manager, you will only need to remember one password.
There are many options out there offering different levels of security and convenience. Some are free, some are paid, and some offer both. A few examples are:
- Apple Keychain
- Google Password Manager
- Bitwarden
- LastPass
- 1Password
- NordPass
- KeePassXC
- and many more.
Most will also offer a random password generator which is very helpful in creating quality passwords. Some store your database online for ease of use and access across devices, some store it only on your local hard drive for higher security. They will also have browser plugins which will allow you to easily save a password to the manager when it’s created, as well as to automatically fill in your username and password when you go to a website.
What else can I do to become more secure?
Okay, so I’ve changed all of my passwords to be unique and stored them in a good Password Manager. It was a lot of work, but wasn’t all that hard. Is there anything else that I should do to be even more secure?
If you want to take your security to the next level, you should add Two Factor Authentication (2FA) to all accounts that offer it. There are several types of 2FA.
The overarching term is Multi-Factor Authentication (MFA). When the number of factors is two (such as username/password and TOTP), it is typically referred to as 2FA.
e-mail/SMS OTP 2FA
With e-mail or SMS One Time Passcode (OTP) 2FA, when you successfully enter your username and password into a website, it will send you a text message or e-mail with an OTP that you must enter before the login will complete. This is more secure than not using 2FA, but if your e-mail or cellphone is hacked, the hacker can receive your OTP.
TOTP 2FA
Time-based One Time Passcode (TOTP) is a more secure version of OTP. This used to be done exclusively with hardware tokens, but software is primarily used now. This software will generate an OTP for your specific account that is only valid for a limited time, typically 30 seconds. This code will need to be entered after your username and password before it times out. TOTP is more secure than e-mail/SMS OTP because of the short time it is valid, and the fact that the code is generated on your device and is not sent over e-mail or text message.
Some password managers include TOTP and there are also standalone apps.
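To make the TOTP description concrete, here is an added example (not code from the post or from any of the apps named) that implements the standard TOTP algorithm from RFC 6238 on top of HOTP from RFC 4226 using only the Python standard library: HMAC-SHA1 over the 30-second time counter, truncated to six digits. The server-side verifier shows the two checks a practitioner cares about beyond the code matching: tolerating a step of clock drift on either side, and refusing to accept a code for a time step that has already been used, so a code someone managed to capture cannot be replayed. The shared secret below is the published RFC test-vector key, used here only so the output can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real account
# would get its own random secret at enrolment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP where the counter is floor(time / step).
    This is what the authenticator app computes and displays."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, last_used_counter=-1,
                step=30, digits=6, skew=1):
    """Server-side check. Returns (accepted, counter_to_store).

    Accepts the current time step and up to `skew` steps either side so a
    slightly wrong clock still works, compares in constant time, and refuses
    any step at or below the last accepted one so a code is single-use.
    The caller persists the returned counter with the account.
    """
    counter = int(unix_time) // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue  # already consumed: a replayed code is rejected here
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_used_counter


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    ok, counter = verify_totp(DEMO_SECRET, code, now)
    print("first use accepted:", ok)
    ok, _ = verify_totp(DEMO_SECRET, code, now, last_used_counter=counter)
    print("replay accepted:", ok)  # False: the same step cannot be used twice
```

The values asserted below are the RFC 6238 SHA-1 test vectors (the six-digit forms of the published eight-digit codes), which is why the example uses that particular secret.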
Security Key 2FA
Beyond the scope of this post are hardware security keys, such as the Yubico YubiKey. The YubiKey offers TOTP as well as password-less login on some sites.
There’s More
This was just a high level overview. There is a lot more information available elsewhere online.