Data Breach Defense: Strong Passwords

I discussed in the Understanding Data Breaches section how passwords can be stolen in an encrypted format from a service's database. The first line of defense against this is multi-factor authentication. Unfortunately not all sites offer this feature. The second line of defense, therefore, is strong passwords.

A strong password should be sixteen or more characters long, mix upper and lower case letters, numbers, and special characters, and never be reused anywhere. This, of course, means that your password is impossible to remember. Also, as mentioned in Understanding Data Breaches, weak passwords can be quickly and easily cracked through a variety of methods. The solution to this paradox is to use a password manager.

A password manager is a program or service that allows you to record login information such as username, password, login link, and other information that varies from service to service. This database is stored in such a way that makes it reasonably secure from data breaches. The advantage of this service is that you only ever need to remember one password: the password to log in to your password manager, which should ideally be a passphrase.

A passphrase is a series of words rather than a single word. A good passphrase should be at least five random words. That means a quotation isn't a good idea, because it isn't random. The good news is, if you're using a passphrase as the master for your password manager, you only need to memorize that one passphrase. And five words, even random words, are much easier to remember than a complex password. A good passphrase has the potential to take upwards of hundreds of years to brute force or guess.
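To put numbers on the comparison above, here is an added example (not part of the original page) that generates a passphrase with the OS random generator and computes the entropy of random passphrases versus random character passwords, then the worst-case time to try every candidate. The 7776-word list size matches common diceware lists; the guess rates and the toy wordlist are constructed assumptions.

```python
import math
import secrets

# Constructed toy wordlist for the demo; a real diceware list has 7776 words.
SAMPLE_WORDLIST = ["apple", "river", "canvas", "orbit", "lantern", "pebble", "violin", "glacier"]
DICEWARE_SIZE = 7776                   # words in a standard diceware list
COMPLEX_ALPHABET = 26 + 26 + 10 + 32   # upper, lower, digits, printable specials = 94

def passphrase_entropy_bits(num_words, wordlist_size=DICEWARE_SIZE):
    """Entropy of num_words picked uniformly (with replacement) from the list."""
    return num_words * math.log2(wordlist_size)

def password_entropy_bits(length, alphabet_size=COMPLEX_ALPHABET):
    """Entropy of a password of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every candidate at the given guess rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def generate_passphrase(wordlist, num_words=5, sep="-"):
    """Pick words with a CSPRNG; the random choice is what gives the entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))

if __name__ == "__main__":
    # Only 8 words in the toy list, so this particular output is weak; use a full list.
    print(generate_passphrase(SAMPLE_WORDLIST))
    rows = [("5 diceware words", passphrase_entropy_bits(5)),
            ("8-char complex", password_entropy_bits(8)),
            ("16-char complex", password_entropy_bits(16))]
    # Assumed rates: 1e10/s against a fast unsalted hash, 1e4/s against a slow KDF.
    for label, bits in rows:
        print(f"{label:16s} {bits:6.1f} bits  "
              f"fast hash: {years_to_exhaust(bits, 1e10):.3g} years  "
              f"slow KDF: {years_to_exhaust(bits, 1e4):.3g} years")
```

The output shows that five random words (about 65 bits) fall between an 8-character and a 16-character random password, which is why the memorability argument matters more than raw length.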

In today's landscape, where privacy is a growing concern, password managers are a dime a dozen. The most important thing is to look for a service that claims to be "zero knowledge," or put another way, "we can't see your passwords." A good provider will ensure that your password database is encrypted in such a way that no employee of the company can see your passwords and information. Remember: if they can see it, so can a hacker who gains access.

You should also consider whether or not cloud-based services are right for you. Cloud-based services offer incredible convenience, but you also run the risk that the provider is lying about not being able to see your passwords, or the risk that a hacker will download your database and then have all the time in the world to guess your master password, just like they would on any other account they steal passwords for. With a strong master passphrase, as described above, this shouldn't be an issue. On the other hand, locally-stored databases run the risk of getting deleted, lost, or corrupted if you don't keep reliable backups.

Note: There are dozens of password managers, even open source ones. For the purposes of this site, and to avoid drowning my readers in too many options, I have narrowed the field down to a handful of choices. I picked only open source options, I ignored forks, I picked services that are still maintained and updated, and I picked services that are reputable and have appeared on best-of lists or are frequently mentioned in the privacy community.

Product/Service: Pros and Cons

Bitwarden
  Pros:
  • Audited
  • Available on all operating systems
  • Can be self-hosted
  Cons:
  • Cloud-based

Keepass
  Pros:
  • Multiple forks for nearly any operating system needed
  • Has a feature to remind users to change passwords at intervals of the user's choice

LessPass
  Pros:
  • Available on all operating systems
  • Automatically calculates passwords based on master password, login, and site, eliminating the need for a vault or database
  Cons:
  • Not audited
  • You must be certain to use the same site format (e.g., "www.twitter.com" instead of "twitter.com") when calculating passwords on new devices or they will not match

Lockwise
  Pros:
  • Created by Mozilla, a company with a relatively strong reputation as privacy-respecting
  Cons:
  • Not audited
  • Cloud-based
  • Available on iOS, Android, and the Firefox browser only; no desktop app or website

Master Password
  Pros:
  • Available on all operating systems
  • Automatically calculates passwords based on master password, name, login, and site, eliminating the need for a vault or database
  Cons:
  • Not audited
  • You must be certain to use the same site format (e.g., "www.twitter.com" instead of "twitter.com") when calculating passwords on new devices or they will not match

Password Safe
  Pros:
  • Designed by renowned security technologist Bruce Schneier
  Cons:
  • Not audited
  • Not cloud-based
  • Available on iOS, Android, and Windows only
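The "calculated password" model used by LessPass and Master Password, and the site-format pitfall noted for both, are easiest to understand from a small sketch. The following is an added illustration, not the actual code or algorithm of either project: it derives a site password from master password, login and site with PBKDF2, shows that "www.twitter.com" and "twitter.com" produce different passwords, and shows how normalizing the host name removes that mismatch. The output charset, iteration count and sample credentials are constructed assumptions.

```python
import hashlib
import string
from urllib.parse import urlsplit

CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"  # assumed output alphabet
ITERATIONS = 100_000                                                # assumed PBKDF2 work factor

def canonical_site(site):
    """Reduce 'https://www.Twitter.com/login' and 'twitter.com' to the same key.
    This normalization is a mitigation for the format pitfall, not what the
    real tools do; they hash whatever site string the user types."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def derive_password(master, login, site, length=16, normalize=False):
    """Deterministically derive a site password; nothing is stored in a vault.
    Any change to master, login or site changes every output character."""
    key = canonical_site(site) if normalize else site
    salt = f"{key}\x00{login}".encode()
    # Derive more bytes than needed so rejection sampling can avoid modulo bias.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length * 4)
    limit = 256 - 256 % len(CHARSET)  # largest multiple of len(CHARSET) that fits in a byte
    chars = [CHARSET[b % len(CHARSET)] for b in raw if b < limit]
    return "".join(chars[:length])

def demo():
    """Returns (mismatch_without_normalization, match_with_normalization)."""
    master, login = "correct-horse-battery-staple-apple", "alice"  # constructed sample
    a = derive_password(master, login, "www.twitter.com")
    b = derive_password(master, login, "twitter.com")
    c = derive_password(master, login, "www.twitter.com", normalize=True)
    d = derive_password(master, login, "https://twitter.com/login", normalize=True)
    return a != b, c == d

if __name__ == "__main__":
    print(demo())
```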

Getting Started

Just like my advice on the multifactor authentication page, I suggest you stop what you're doing immediately and adopt secure passwords for your most critical accounts: bank, email, and other accounts you can't afford to live without. Do it right now before you do anything else.

For the rest of your accounts, there are two main ways to go about it. The first is "all at once," which I did when I first dove into privacy and security. Basically, clear out an afternoon when the kids are at the movies and the spouse is out with their friends, and change everything in one sitting. This isn't a bad idea, but it can be exhausting and mind-numbing. For most people, I recommend the same "as you go" approach as with MFA, where you change passwords as you use them. Next time you log into Amazon, change your password. Then, next time you order pizza, change that password. In time every account will have a unique, strong password.

Tips & Tricks

Password managers typically include a note-taking section. This is a great spot to take notes like MFA backup codes, answers to security questions, or other account-specific details you want to remember.

A common strategy for added account security is to give false answers to security questions. For example, a common security question is "what is your father's middle name?" This kind of information is easy to find online. A hacker could call the bank posing as you, answer the question, and transfer all your funds out of your account. Instead of the true answer, answer with a passphrase and record it in the notes section.

For accounts that don't offer MFA, I recommend finding a strategy to stay ahead of the curve. The Uber Data Breach of 2016 was kept hidden for over a year before being disclosed. Companies are not required to inform you of data breaches, so you may not know your password was stolen until it's too late. KeepassXC offers a feature to remind you to change your passwords at a frequency of your choosing, and Bitwarden has a premium feature that will inform you of any detected data breaches. Personally, I wouldn't rely on that; I would change your passwords yourself on a regular schedule of your choosing, using whatever reminder method works for you.
