
People do a poor job of creating, managing, and remembering passwords. We are horrible at making random numbers and even worse at creating things that look random but that we can still remember.

Part of this is because of the rules put in place by NIST and ISO. ISO 27001 has this to say about passwords:

Length
The shorter the password, the easier it is to crack. The minimum acceptable length for a strong password is at least eight characters.
Complexity requirements
Creating a lengthy password is effective only as long as it is difficult to crack. Your name, city, pet name, and so on may have more than eight characters but are weak passwords that are easy to guess.
Characters
Continuing on the previous point, the key to a complex password is a mix of lowercase, uppercase, numbers, special characters, and symbols.

As computers have become faster, the need for better passwords has also increased. Brute forcing a password has a simple cost formula:
complexity^length / 2
For example, if the complexity is all uppercase letters (26 symbols) and the length of the password is 8 characters, then we have:
26^8 / 2 = 104,413,532,288

Which might look like a large number, but in computer terms it isn't really. As the complexity goes up, the final number goes up. Adding length causes the number to go up even faster. Consider adding the set of digits 0-9 to our complexity (36 symbols) versus adding one more character to the length of our password. With the digits added:
36^8 / 2 = 1,410,554,953,728
And instead adding one more character to the length:
26^9 / 2 = 2,714,751,839,488

Adding just one extra character gives us nearly twice as many values to test.

Oh, and the divide by 2 is there because, on average, we guess right after testing half of the possibilities.

If the characters are not truly random, the number of guesses decreases substantially. Using names or words, even with character exchanges, produces a much smaller search space. Regardless, the formula stays the same, even if the vocabulary changes.

Consider just using a 3-word passphrase drawn from a vocabulary of 104,334 words:

104,334^3 / 2 = 567,868,237,365,852

As you can see, using a passphrase increases the search space enormously. The only requirement is that brute-forcing the phrase character by character (the letter search) must cost at least as much as searching the word combinations (the word search); otherwise the attacker simply takes the cheaper route.
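The cost formula above, worked through in code as an added example (not the post's own): it reproduces the four figures quoted, expresses them in bits, and applies the letter-search-versus-word-search condition to a passphrase. The vocabulary size 104,334 is taken from the post; no word list is on the page, so only its size is modelled.

```python
"""Search-space arithmetic for the post's cost formula, complexity^length / 2."""
import math

LOWER, UPPER, DIGITS = 26, 26, 10  # alphabet sizes used in the post


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Average guesses to hit a uniformly random secret: half the space."""
    return alphabet_size ** length // 2


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed in bits (log2)."""
    return length * math.log2(alphabet_size)


def letter_search_covers_words(vocab_size: int, words: int,
                               chars_per_word: int, alphabet_size: int) -> bool:
    """True when brute-forcing the characters costs at least as much as
    searching the word combinations, which is the post's requirement."""
    return alphabet_size ** (words * chars_per_word) >= vocab_size ** words


def passphrase_guesses(vocab_size: int, words: int,
                       chars_per_word: int, alphabet_size: int) -> int:
    """Effective cost of a passphrase: an attacker takes the cheaper of a
    word-level dictionary search and a character-level brute force."""
    word_space = vocab_size ** words
    char_space = alphabet_size ** (words * chars_per_word)
    return min(word_space, char_space) // 2


if __name__ == "__main__":
    for label, n, k in (("26 upper, 8 chars", UPPER, 8),
                        ("36 upper+digits, 8 chars", UPPER + DIGITS, 8),
                        ("26 upper, 9 chars", UPPER, 9),
                        ("104,334-word vocab, 3 words", 104_334, 3)):
        print(f"{label:28} {expected_guesses(n, k):>20,} "
              f"({entropy_bits(n, k):.1f} bits)")
    # Three 6-letter lowercase words: the character-level search (26^18)
    # dwarfs the word-level search, so the word search sets the real cost.
    print(letter_search_covers_words(104_334, 3, 6, LOWER))
    print(f"{passphrase_guesses(104_334, 3, 6, LOWER):,}")
```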

Unfortunately, many password-handling schemes do not handle long passwords well. On early Unix systems, no matter how long a password you entered, only the first 8 characters were used.

Which brings us to

Password Managers

A password manager stores passwords in an encrypted form and retrieves them for you on demand.

For a password manager (PM) to be acceptable to users, it must interface with the users' browsers and the other tools that need passwords. This means it must also have a mobile app. If it does not, it will not be used.

The PM should monitor applications for password requests and autofill those requests.

The PM must lock itself after a certain amount of idle time or browser/device restart.

Finally, and in some senses, most important, the PM must be secure from data breaches.

To be secure from data breaches, the PM should never store credentials in clear text.

LastPass

This is one of the better-known PMs. While it had a good track record, there was a data breach and credentials were exposed.

One of my clients used LastPass, so I used it. I never particularly liked it. When I could, I moved away from it.

One of the big downsides is that it requires a live, active internet connection to function. No network, no access.

Keeper

I have used Keeper. It is a well-rounded PM with all the expected features. It stores all credentials encrypted with your master password. They can't access your credentials even if they wanted to. Since they can't, your passwords cannot be exposed in a data breach of their servers.

One of the strong points of Keeper is the ability to share “folders.” You can have a folder for passwords related to a single project or client and share that folder with other users, inside or outside the organization.

The ability to share passwords means that the administrator can update a shared password, and every member with access to that password gets the change immediately.

Shared folders require a paid tier.

There is also the ability to store small files securely.

The one downside I discovered with Keeper is that it too requires an active internet connection to function.

We were on a long road trip when my kid ran us out of data on my mobile plan. They consumed nearly 10GB of data in a little over 6 hours.

This left me in the position of attempting to log into my provider's website using credentials stored in Keeper. Except that the amount of bandwidth available to me was so low that it took 30 minutes to get that password and log in.

BitWarden

This is my current PM of choice. It provides all the features of Keeper with a few that appeal to me.

First, it can be self-hosted. This means that all the data security is provided by me. With the self-hosted version, I can offer PM services to anybody at my own cost.

When you move up to any of the paid tiers, the lowest being $4/user per month, you get the ability to create organizations and then share a collection (folder) with that organization.

The mobile application does not need to have Internet access to function, though you might need to request a sync if there are recent changes to your vault.

All data is stored encrypted. The key to decrypt your vault is your master password. Even if there were to be a data breach, your password would still be secure because decrypting your passwords requires your master password.

BitWarden allows the use of a Personal Identification Number, or PIN, to unlock the vault. Unlike most PINs, the BitWarden PIN can be any number of digits. I find that it is easier to remember a number sequence than to remember random character strings.

You can set how often the master password, rather than the PIN, is required to unlock the vault.

If you happen to forget your PIN, you can still unlock your vault with the master password.

Like all good PMs, BitWarden offers two-factor authentication (2FA). It supports YubiKeys and TOTP options. TOTP (time-based one-time password) is what most people know as an authenticator app.

You can use a secondary authenticator for your 2FA to access BitWarden. But you can also use BitWarden’s integrated TOTP generator.

The pricing appears to be reasonable: $4/user per month for “small teams” and $6/user per month for enterprise-level features.

Psono

This is another self-hosted option. It does not seem to have the same polish as BitWarden. It would be my choice if I were just playing.

Conclusion

If you are not using a Password Manager, now is the time to start. For my readers, I’m willing to give you a free account on our BitWarden server, though you are likely better off using BitWarden’s free offering.

4 thoughts on “Password Managers”
  1. Mrs B and I have been using 1Password for more than a decade now. We bought “perpetual” licenses way back when, and have so far managed to resist the demand to switch to a cloud-based solution hosted on 1Pwd’s servers for (of course) a monthly fee. (We hate having to subscribe to our life…)

    Long term I am looking at switching us to KeePass. Public domain, desktop and mobile versions, in principle it stores secure notes as well as passwords. I don’t know about app auto fill in mobile, but we already have to live without that in the 1Password desktop app.

    Any thoughts?

  2. I like the Apple builtin password manager.
    On password complexity: it’s annoying that every app and website seems to have its own rules. Most of them are variations on the one you quoted. It turns out, as I read a year or two ago, that those rules were pulled out of thin air by Bill Burr of NIST. The article talked with him about what the basis of those rules was. The answer boiled down to “nothing really, we just came up with that on the spur of the moment”. And in particular, the rule that passwords need to be changed frequently is actually quite a bad idea. Better to change them rarely but make them good.
    I have a handy way to generate passwords: just generate a sufficiently long random number, and use the printed version of that (in hex if letters and numbers are required):
    python3 -c 'import random; print(hex(random.getrandbits(48)))'
    Increase the 48 according to taste.

    1. And in particular, the rule that passwords need to be changed frequently is actually quite a bad idea. Better to change them rarely but make them good.

      This, exactly. Changing passwords frequently just makes it easier to forget your password and have to reset it, which just means more frequent password changes and more forgetting, in an endless cycle. (Or as I’ve pointed out, it means it’s more likely someone has their network password on a Post-It note under their keyboard.*) Better to make a good, strong password and only change it if/when you suspect there’s a reason to.

      ———
      * – I worked call-center tech support for several years, and I lost count of how many times I’d say that to a caller, and they’d suddenly get really silent, like “Oh, crap, how did he know?” LOL!

  3. You’ve almost certainly seen this, but I’m just gonna drop it here: https://xkcd.com/936/

    MFA provides more security than complex passwords or long pass-phrases, but the basic tenet still exists: security only works if it’s used, and used consistently. The second MFA is bypassed, it may as well not be there, and the instant a password manager stores the master key in plain-text, it’s useless. TOTPs are only good if the system providing and administering them is itself secure.

    Designing around real-world users is a balancing act: a fully secure system is not accessible, and a fully accessible system is not secure, so the question is how to build a secure-enough system that is still usable enough for the most people. It’s a difficult question to answer, and one reason why security is hard.
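As an added example, not code from the post or any commenter: the one-liner in comment 2 draws from Python's random module, a Mersenne Twister that is seeded from the OS but is not designed to resist prediction; the secrets module is the standard-library source intended for credentials. The functions below generate a hex token, a character password and a word passphrase from the CSPRNG and report their search space in bits. SAMPLE_WORDS is a constructed stand-in for a real word list such as the 104,334-word vocabulary the post assumes.

```python
"""Generating credentials from the OS CSPRNG instead of the random module."""
import math
import secrets
import string

# Constructed sample vocabulary; a real list would have tens of thousands
# of entries, and the strength figures below assume such a list.
SAMPLE_WORDS = ("correct", "horse", "battery", "staple", "granite",
                "lantern", "velvet", "meadow")
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_hex(bits: int = 48) -> str:
    """CSPRNG equivalent of the commenter's hex(random.getrandbits(48))."""
    return hex(secrets.randbits(bits))


def random_password(length: int, alphabet: str = PASSWORD_ALPHABET) -> str:
    """One uniform draw per position, so entropy is length * log2(len(alphabet))."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, vocab=SAMPLE_WORDS, sep: str = " ") -> str:
    """Diceware-style phrase; strength comes from vocabulary size and word
    count, not from the letters inside each word."""
    return sep.join(secrets.choice(vocab) for _ in range(words))


def strength_bits(choices: int, picks: int) -> float:
    """log2 of the search space for `picks` uniform draws from `choices`."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_hex(48), f"({strength_bits(2, 48):.0f} bits)")
    print(random_password(16),
          f"({strength_bits(len(PASSWORD_ALPHABET), 16):.1f} bits)")
    print(random_passphrase(3),
          f"({strength_bits(104_334, 3):.1f} bits with a 104,334-word list)")
```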
