How to safely manage your passwords

January 14, 2020

Do you find yourself struggling to remember your login credentials? It's no secret: managing passwords for every single account we have can be frustrating. However, with the growing number of online accounts and internet-connected devices, it is essential to make sure each one is secure. In this guide, we'll discuss what makes a password strong, how to manage them effectively, and why it's so important to do so.


Why do I need a strong password?

Attackers have a vast array of tools for getting at protected information. However, a large share of account compromises come down to the password itself: either it is weak or common enough to appear on an attacker's guess list, or it is short enough to fall to a "brute force attack" that tries candidates systematically. In both cases, the attacker takes advantage of a password that lacks length or unpredictability.

The danger of using common passwords

To understand why strong passwords are so important, let's first look at the trouble with weak ones. One of the passwords found most often in leaked account databases is "123456". Let that sink in.

While your password is probably (hopefully) stronger than that, think about some of the first passwords you came up with. When we try to come up with passwords, we tend to turn to personal details. Birthdays, graduation years, schools, kid and pet names, favorite bands, and even sports team names all tend to come to mind, and some people just go with "password123".

Unfortunately, many of these details aren't as unique as you might think. Hackers often use lists of common passwords to attack large groups of people all at once (trying a handful of popular passwords against thousands of accounts is known as "password spraying"). Those with weak or common passwords are typically the first victims.

The risk of brute force attacks

A brute force attack is a common and aptly named process that is basically trial and error on steroids. Theoretically, a person could sit down and systematically try every combination possible until one works. This would take forever by hand, but with the aid of a powerful computer, hackers can make billions of guesses per second. Login forms usually limit how fast you can try, so brute force mostly happens offline: the attacker steals a database of scrambled ("hashed") passwords from a breached website and runs guesses against it on their own hardware.

The truth is, no password is ever uncrackable. The difference between a strong password and a weak password is the time it takes to crack, and that time depends on how fast the attacker can guess. At a given guess rate, a 5-character password might take hours to crack, while a 36-character password would take millions of years.

What makes a strong password?

Using more characters

If your password only contained numbers, each character could only be one of ten possibilities (0-9). That means that by sheer chance, someone has a 1 in 10 shot at correctly guessing that digit. Simply adding letters (both upper and lowercase) to the mix brings that number to 62, and adding the symbols on a standard keyboard brings it to 94. That's a lot of options!

Password Length

While including extra kinds of characters definitely makes a password more difficult to crack, experts maintain that the best defense is a lengthy password. This is because each additional character multiplies the number of possibilities by the size of the character set, so the time required to break a password grows exponentially with its length. At the same guess rate, the difference between 9 and 12 characters is the difference between a few hours and a few centuries.
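As an added example (not from the original article), here is a small Python script that turns these two ideas, character-set size and length, into numbers. The guess rates are constructed assumptions for illustration: a throttled online login form versus offline cracking of a leaked hash database on GPU hardware.

```python
import math

# Character-set sizes used in the article: digits only, letters + digits, and
# letters + digits + the printable symbols on a standard keyboard.
CHARSETS = {"digits": 10, "letters+digits": 62, "letters+digits+symbols": 94}

# Constructed guess rates for illustration (assumptions, not measurements):
# an online login form that throttles attempts versus offline cracking of a
# leaked hash database on GPU hardware.
GUESS_RATES = {"online (throttled)": 10.0, "offline (GPU, fast hash)": 1e11}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace (each extra character adds log2(charset_size))."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace; on average an attacker needs about half of this."""
    return keyspace(charset_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_table(lengths=(5, 9, 12, 36)):
    """Rows of (charset name, length, bits, {rate name: human time}) for the lengths the article compares."""
    rows = []
    for cname, csize in CHARSETS.items():
        for n in lengths:
            times = {rname: human_time(worst_case_seconds(csize, n, rate))
                     for rname, rate in GUESS_RATES.items()}
            rows.append((cname, n, round(entropy_bits(csize, n), 1), times))
    return rows


if __name__ == "__main__":
    for cname, n, bits, times in crack_table():
        detail = "  ".join(f"{k}: {v}" for k, v in times.items())
        print(f"{cname:24} len={n:2} {bits:6.1f} bits  {detail}")
```

Two things stand out when you run it: adding three characters to a 94-symbol password multiplies the attacker's work by 94^3 (about 830,000 times), and the same password that survives for decades against a throttled login form falls in seconds once the attacker has the hash database and can guess offline.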

Uniqueness

So why can't we reuse passwords? That would make things really easy, wouldn't it? Well, that's precisely why it's a bad idea. Picture this: each of your accounts is protected by a locked door, and your password is the key to that lock. If a cybercriminal happens to get their hands on that key, they'll very likely walk around and try it on every door you have, hoping that some of them open. This is so routine that it has a name, "credential stuffing": an email and password leaked from one site get replayed automatically against hundreds of others. It's never good when a hacker gets into one of your accounts, but by having a different password for each, you ensure that one breach does not turn into many.

What is a password manager?

So in order to have a strong password, it has to be lengthy, contain a variety of characters, and be unique. How are you supposed to remember a bunch of those? This is where a password manager comes into play.

What are the benefits?

Password managers are programs or services that store your passwords in an encrypted space and are only accessible with a master password. The idea is that this one strong master password is the only one you’ll have to remember. This allows you to make long, complex, strong, and diverse passwords for every account and removes the risk associated with redundant, simple passwords.

In addition to keeping track of your passwords, many of these services can randomly generate strong, unique passwords to use for new accounts. With browser extensions, they offer automatic form-filling so you never have to type out long and complex passwords.

Finally, most services offer two-factor authentication or biometric unlock as an added layer of security. Two-factor authentication protects the login to your vault itself; a fingerprint or face scan usually just stands in for typing the master password on a device you have already set up.

What are the risks?

With a password management service or tool, you are effectively putting all of your eggs in one basket; a concrete, steel-reinforced, vault-like basket, but one basket all the same. While it's true that you risk all of your passwords by storing them in a single place, experts agree that this is a much safer alternative. The risk of hackers breaching your password management service is far less than the risk of having weak, redundant passwords.

Can password management tools be trusted?

There is an element of trust involved, to be sure. You are essentially saying, "I trust that this company will keep my passwords safe." However, that's not really a new concept if you think about it. If you have any accounts online, whether it's a bank, credit card, or social media account, you're already trusting a number of companies with your information. Companies like LastPass and 1Password encrypt your vault with 256-bit AES using a key derived from your master password, so the company is designed to have no way of seeing any of your passwords. In a nutshell, the encryption itself is a method that would take a supercomputer millions of years to break by brute force. The practical weak point is therefore the master password the key is derived from: if it is short or guessable, someone who steals a copy of your encrypted vault can simply guess it, no matter how strong the encryption is.
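To make the last point concrete, here is an added Python example (not LastPass's or 1Password's code, and not the article's) that sketches how a vault key is derived from a master password and what an attacker can do with a stolen copy of the login check value. The iteration count, the stored verifier format, and the guess list are constructed assumptions for the demo; real products use their own key-derivation settings and formats.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Work factor for the key-derivation function. Illustrative value chosen so the
# demo runs quickly; real products use their own, typically larger, settings.
ITERATIONS = 50_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the 32-byte key that would encrypt the vault (AES-256).

    The service stores only the salt, never the master password, so the key exists
    only while you type the password in. That is the "no way to see your passwords" design.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def key_verifier(vault_key: bytes) -> bytes:
    """A value a service might store to check a login: a hash of the key, never the key itself."""
    return hashlib.sha256(b"verifier:" + vault_key).digest()


def offline_guess(verifier: bytes, salt: bytes, candidates: Iterable[str],
                  iterations: int = ITERATIONS) -> Optional[str]:
    """Simulate an attacker holding a stolen (salt, verifier) pair and guessing master passwords offline.

    AES-256 never enters the picture: only the guessability of the master password
    and the work factor of the key derivation limit this attack.
    """
    for candidate in candidates:
        guess = key_verifier(derive_vault_key(candidate, salt, iterations))
        if hmac.compare_digest(guess, verifier):
            return candidate
    return None


# Constructed list of the guesses an attacker would try first (assumption for the demo).
COMMON_GUESSES = ["123456", "password", "password123", "qwerty", "letmein", "iloveyou", "admin"]


def demo(master_password: str) -> Optional[str]:
    """Enrol a vault protected by `master_password`, then run the offline attack against it."""
    salt = secrets.token_bytes(16)
    verifier = key_verifier(derive_vault_key(master_password, salt))
    return offline_guess(verifier, salt, COMMON_GUESSES)


if __name__ == "__main__":
    print("weak master password recovered:", demo("password123"))
    print("strong master password recovered:", demo("50-Kittens-played-poker-for-5-hours!"))
```

The weak master password is recovered after a handful of guesses; the long one survives because it is not on any guess list, and the iteration count makes each guess expensive. That is the whole argument for choosing a master password the way the next sections describe.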

What if the password management company gets hacked?

It's possible but unlikely. The truth is, no one in the cybersecurity world refers to anything as being 100% safe or protected. It's always expressed in relative terms, such as "this option is safer than the alternative". So while they'll never refer to themselves as impenetrable, password management companies hold themselves to incredibly high security standards. More than likely, your passwords are safer with them than anywhere else.

If you're interested in reading about these companies' track records, LastPass and 1Password are both very transparent about their security policies.

Which password manager should I use?

There are a number of different companies that offer such services, but the top contenders are LastPass, 1Password, and Dashlane. They vary slightly in terms of their functionality, but they will all help you protect your passwords and your accounts. The best service is one that you will consistently use.

How can I manage my passwords without a password manager?

Make passphrases instead of passwords

If after reading this you're still not sold on the concept of a password manager, there are still ways to make yourself safer. As we discussed, longer passwords are always better, and there is a way to make them difficult to guess but easy to remember. Remembering strings of random characters is incredibly difficult, but remembering meaningful strings of characters is something we're very good at. If you've ever had a song stuck in your head, you've already had practice!

For example, rather than trying to remember "y0pBdf.7;dfkj;wj893489sdf," try to remember the phrase "50-Kittens-played-poker-for-5-hours!" (don't use this one). In that passphrase, we have upper and lowercase letters, numbers, and symbols. It's also 36 characters long, which means the sun will burn out before a hacker can brute force it character by character. One caveat: the strength comes from the phrase being unpredictable, not just long. A famous quote, song lyric, or proverb is something attackers also guess, word by word, so make up something of your own. Maybe this particular passphrase isn't memorable for you, but you get the idea!

Another example of this is something called "diceware", which is a way to generate passphrases randomly using ordinary dice: you roll five dice for each word, look the five-digit result up in a numbered list of 7,776 words, and string together five or six of the words you land on. Because the dice, not your memory, pick the words, the result is unpredictable even though it is easy to remember.
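As an added example (not from the article or from the Diceware project), here is a Python version of the dice method. It uses a constructed 36-word list keyed by two dice so it fits on the page; the real Diceware and EFF lists use five dice and 7,776 words, and the code handles that case the same way. The rolls come from the operating system's secure random source, which stands in for physical dice.

```python
import math
import secrets

# Constructed two-dice wordlist (36 entries) keyed by the roll, for demonstration only.
# Real Diceware / EFF lists use five dice (6**5 = 7776 words); the method is identical.
TOY_WORDLIST = {
    "11": "kitten", "12": "poker", "13": "harbor", "14": "velvet", "15": "cactus", "16": "lantern",
    "21": "maple", "22": "comet", "23": "saddle", "24": "pebble", "25": "falcon", "26": "ember",
    "31": "quartz", "32": "ribbon", "33": "tundra", "34": "orbit", "35": "walnut", "36": "canyon",
    "41": "glacier", "42": "meadow", "43": "pickle", "44": "thunder", "45": "anchor", "46": "bramble",
    "51": "lagoon", "52": "copper", "53": "sparrow", "54": "timber", "55": "nectar", "56": "violin",
    "61": "summit", "62": "puzzle", "63": "marble", "64": "hazel", "65": "cobalt", "66": "zephyr",
}


def roll_dice(count: int) -> str:
    """Roll `count` six-sided dice using the OS CSPRNG (never random.random() for passwords)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def dice_per_word(wordlist: dict) -> int:
    """How many dice index the list: 2 for 36 words, 5 for 7776 words."""
    return round(math.log(len(wordlist), 6))


def diceware_passphrase(words: int, wordlist: dict = TOY_WORDLIST, separator: str = "-") -> str:
    """Pick `words` entries by dice roll and join them; the rolls, not the user, choose the words."""
    n = dice_per_word(wordlist)
    return separator.join(wordlist[roll_dice(n)] for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Strength of a passphrase chosen uniformly from `wordlist_size` words per position."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words that reaches `target_bits` of strength."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase = diceware_passphrase(6)
    print(phrase)
    print("toy list, 6 words:", round(passphrase_entropy_bits(6, len(TOY_WORDLIST)), 1), "bits")
    print("real list, 6 words:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
    print("words needed for 80 bits from the real list:", words_needed(80, 7776))
```

With the real 7,776-word list each word contributes about 12.9 bits, so six words give roughly 77 bits, comparable to a 12-character password drawn from the full keyboard, but far easier to remember. The toy list above gives only about 5.2 bits per word, which is why the code reports that you would need many more words from it; the point of a large list is that each roll buys more unpredictability.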

The paper method

Writing your passwords down on paper is a method which many experts disagree on; some say it's safe, some say it's a poor practice. Like a password manager, writing your passwords down allows you to create unique and lengthy passwords without worrying that you'll forget them. With paper, it is literally impossible for anyone to acquire them electronically. However, it is possible for someone to simply steal them, and you run the risk of losing them to a simple coffee spill. It is also worth noting that for most of the people physically around you, hacking is a difficult obstacle, but reading a piece of paper is not.

If you're going to use the paper method, there are certain things you must absolutely avoid. For starters, don't keep your list of passwords anywhere near electronic devices (like under your keyboard at work). This is the first place a criminal will look. If at all possible, don't travel with it either. If your luggage is lost, or if the TSA decides to search your bag, you could be in big trouble. 

Finally, the paper method means real paper, not electronic documents. Never store your passwords in a text file, spreadsheet, or note (or any unencrypted file) on your computer or phone. Passwords stored in this fashion have no encryption or protection, so any malware, or anyone who can open the file, can read every one of them. If you want your passwords on a device, that is exactly what a password manager is for.

Password security is all about managing risk versus convenience. In the end, no solution will work if you don't use it. Fortunately, password managers are a safe and easy method for protecting your valuable information.

by Geoff Ullrich

About the Author

Geoff Ullrich is a writer and Content Marketing Specialist at Germania Insurance.