Strong Passwords

I discussed in the Understanding Data Breaches section how passwords can be stolen in an encrypted format from a service's database. The first line of defense against this is multi-factor authentication. Unfortunately not all sites offer this feature. The second line of defense, therefore, is strong passwords.

A strong password should be sixteen or more characters long, mix upper and lower case letters, numbers, and special characters, and should not be reused anywhere. This, of course, means that your password is impossible to remember. Also, as mentioned in Understanding Data Breaches, weak passwords can be quickly and easily cracked through a variety of methods. The solution to this paradox is to use a password manager.

A password manager is a program or service that allows you to record login information such as username, password, login link, and other information that varies from service to service. This database is stored in such a way that makes it reasonably secure from data breaches. The advantage of this service is you only ever need to remember one password: the password to log in to your password manager, which should ideally be a passphrase.

A passphrase is a series of words rather than a single word. A good passphrase should be at least five random words. That means that quotes aren't a good idea. The good news is, if you're using a passphrase as the master for your password manager, you only need to memorize that one passphrase. And five words, even random words, are much easier to remember than a complex password. A good passphrase has the potential to take upwards of hundreds of years to brute force or guess.

In today's landscape where privacy is becoming a growing concern, password managers are a dime a dozen. The most important thing is to look for a service that claims to be "zero knowledge," or put another way "we can't see your passwords." A good provider will ensure that your password database is encrypted in such a way that no employee of the company can see your passwords and information. Remember: if they can see it, so can a hacker who gains access.

You should also consider whether or not cloud-based services are right for you. Cloud-based services offer incredible convenience, but you also run the risk that the provider is lying about not being able to see your passwords, or the risk that a hacker will download your database and then have all the time in the world to guess your master password, just like they would on any other account they steal passwords for. Using a strong master passphrase as mentioned above, this shouldn't be an issue. On the other hand, locally-stored databases run the risk of getting deleted, lost, or corrupted if you don't keep reliable backups.
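An added example (not from the original chapter) of the mechanism a zero-knowledge manager relies on: the master passphrase is turned into the vault key on your own device with a deliberately slow key-derivation function, so the provider only ever holds the salt and the encrypted database, and an attacker who downloads that database has to pay the same slow derivation for every guess. The passphrase and the scrypt cost parameter are assumptions chosen for illustration.

```python
import hashlib
import os
import time

# Constructed example passphrase; never use a published phrase as a real master.
EXAMPLE_MASTER = b"example-five-word-random-passphrase"

# Assumed cost parameter. Real managers tune this so one derivation takes
# a noticeable fraction of a second on the user's device.
SCRYPT_N = 2 ** 14


def derive_vault_key(passphrase: bytes, salt: bytes, n: int = SCRYPT_N) -> bytes:
    """Derive a 32-byte vault key from the master passphrase with scrypt.

    This runs on the client. Only `salt` and the ciphertext it protects are
    sent to the provider; the key and passphrase never leave the device.
    """
    return hashlib.scrypt(passphrase, salt=salt, n=n, r=8, p=1, dklen=32)


def new_salt() -> bytes:
    """Fresh random salt so identical passphrases yield different keys."""
    return os.urandom(16)


def measure_guess_rate(salt: bytes, n: int = SCRYPT_N, samples: int = 5) -> float:
    """Rough single-core guesses per second an attacker gets against this
    cost setting, measured by timing a few derivations of wrong guesses."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(b"wrong-guess-%d" % i, salt, n)
    elapsed = time.perf_counter() - start
    return samples / elapsed


if __name__ == "__main__":
    salt = new_salt()
    key = derive_vault_key(EXAMPLE_MASTER, salt)
    print("vault key (hex):", key.hex())
    print(f"approx. guesses/second on this core: {measure_guess_rate(salt):.1f}")
```

Compare the measured rate with the billions of guesses per second a fast hash allows: the slow derivation is what turns "all the time in the world" into a realistic defense, provided the passphrase itself is random enough that the remaining guesses still take years.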

Product/Service: Pros and Cons

Bitwarden
  Pros:
  • Open source
  • Audited
  • Cloud-based
  • Available on all operating systems
  • Has a feature to generate secure passwords automatically
  Cons:
  • Cloud-based

KeepassXC
  Pros:
  • Open source
  • Available on all operating systems
  • Has a feature to generate secure passwords automatically
  • Has a feature to remind you to change your passwords at intervals of the user's choice
  • Is not cloud based, so no risk of your passwords getting swept up in a corporate data breach
  Cons:
  • Not audited
  • Is not cloud based, so it can be difficult to coordinate across multiple platforms without some conscious thought, and requires the user to be conscious of backups
