How to store your passwords securely? | Lucideus

Question. How to Store your Passwords Securely?

If you’re reading this, it means you are thinking about the security of your passwords, which is the most important step and, sadly, the one most of us forget to take. So kudos to you!

Recent figures suggest that the average person has more than 90 online accounts to manage, and by 2020 this number is expected to balloon to over 200. There is simply no way to mentally keep track of that many passwords, particularly if you are being a good digital citizen and using a unique, unrelated password for every account. So where is the trade-off between convenience and security?

Before we get to the answer of this question, let’s understand the problem further.

How exactly do hackers steal your passwords in the first place?
1. Password leaks
It is not uncommon today to hear that a major company (Twitter, Facebook, Google and so on) has been breached, and when this happens it is quite possible that millions of passwords, or their hashes, end up on the web. What is worse, if you use the same password for multiple accounts (admit it, most of us do), anyone with access to the leaked data can use it to log in to your other accounts. Attackers automate this: they take the leaked username and password pairs and replay them against other services, a technique known as credential stuffing.
2. Brute force attacks
Thanks to cheap GPUs and optimised cracking software, an offline attack against a fast, unsalted hash (MD5, SHA-1, NTLM) can exhaust every password of 8 characters or fewer within about six hours, and passwords of up to 12 characters are also considered vulnerable when they are built from dictionary words and common patterns. How long this actually takes depends on how the site stored your password: a slow, salted function such as bcrypt, scrypt or Argon2 makes each guess thousands of times more expensive than a bare SHA-256, but you usually cannot know which one a site uses, so assume the worst. The practical lesson is that length, not clever substitutions, should be your best friend when choosing a password: every extra character multiplies the attacker's work by the size of the character set.
3. Phishing attacks
According to Wikipedia, phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Essentially, phishing tricks users into willingly divulging sensitive information by disguising malicious websites and apps as legitimate services. It remains incredibly prevalent, presumably because it has proven time and again to be an effective attack vector. Note that no password, however long, protects you if you type it into the attacker's page yourself; a password manager that fills credentials only on the domain it stored them for, and a second factor for login, are the defences that help here.
Once you know how passwords are stolen, the next step is to get a couple of steps ahead by creating a strong one. That brings me to my next question.

How to create a good and strong password?

Simple. Don’t be silly!
Starting with the basics, avoid sequential numbers or letters, and remember that "password" is not a good password. Use unique passwords that do not include any personal information such as your name or date of birth, and never use memorable keyboard paths (like "qwerty"). These are among the first things a cracker tries.

Some rules to stick by:
  • Make it long : I’m repeating this, but that only emphasises how important this one instruction is. Choose nothing shorter than 12 characters, more if possible. Passwords have evolved, and passphrases (several unrelated words strung together) are here to stay.
  • Use a mix of characters : the more you mix upper-case and lower-case letters, numbers and symbols, the larger the character set a brute-force attack has to cover, and the harder your password is to crack.
  • Avoid common substitutions : substitutions like P@$$w0rd for Password do not slow down modern password crackers, which apply exactly these "leet" rules to every dictionary word automatically and crack them with equal ease. Relying on such substitutions as a measure of complexity is a bad idea.
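To see what "length over substitutions" means in numbers, here is an added Python example (not code from the article). It mimics the leet and casing rules a cracking tool applies to a constructed five-word wordlist, cracks an unsalted SHA-256 hash of P@$$w0rd, and then sizes the exhaustive search for 8-, 12- and 16-character passwords at an assumed 10 billion guesses per second, a rate in the range of a GPU rig working against a fast hash.

```python
import hashlib
import itertools
import math

# Constructed wordlist; real crackers use lists with tens of millions of entries.
WORDLIST = ["password", "welcome", "letmein", "dragon", "monkey"]

# Substitutions that stock cracker rule sets try on every word.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def leet_variants(word):
    """Yield each substitution combination in three casings, as a rule-based
    attack does: 'P@$$w0rd' is just one mechanical variant of 'password'."""
    options = [[ch] + list(LEET.get(ch, "")) for ch in word.lower()]
    for combo in itertools.product(*options):
        base = "".join(combo)
        yield base
        yield base[0].upper() + base[1:]
        yield base.upper()


def sha256_hex(text):
    """Fast, unsalted hash: the attacker's best case."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Try every variant of every word against the hash.
    Returns (plaintext, guesses) on success, (None, guesses) otherwise."""
    guesses = 0
    for word in wordlist:
        for candidate in leet_variants(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def search_space_bits(length, charset_size):
    """log2 of the number of strings an exhaustive attack must cover."""
    return length * math.log2(charset_size)


def years_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case time for an exhaustive search at a given guess rate."""
    return charset_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(crack(sha256_hex("P@$$w0rd")))                        # found within ~100 guesses
    print(crack(sha256_hex("tall ships sail under bridges")))   # no wordlist variant matches
    for n in (8, 12, 16):
        print(f"{n} chars from 95 symbols: {search_space_bits(n, 95):.1f} bits, "
              f"{years_to_exhaust(n, 95, 1e10):.2g} years at 1e10 guesses/s")
```

The point of the two halves: P@$$w0rd falls to a rule set in under a hundred guesses because it is derived from a dictionary word, while eight random characters from the full printable set are exhausted in days at this rate and twelve would take on the order of a million years. Real crackers also try word combinations, so a passphrase should be several unrelated words, not a famous quotation.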

I know that coming up with and remembering a lengthy, complex password is not an easy task, and doing it for 90 (or more) different accounts is a lot to ask.
So here are some different approaches you can use to store and manage your passwords securely.

1. Memorise
No, I will not ask you to remember 100 different passwords, but you can memorise a few easy-to-remember rules and generate your passwords from them.

One way is to memorise a fixed string of letters and numbers and then modify it for each specific website. For example, take the name of your favourite restaurant or football team (call it AAAAA) and add the first four digits of your licence number (BBBB). Keep the letters as a mix of upper-case and lower-case and add a special character at the end. That is all you have to remember.
To log in to Gmail, your password would then be AAAAABBBB!gmai; your password at Netflix would be AAAAABBBB!netf. And if you ever need to choose a new password, just add another special character at the end!

It is still possible for an attacker to figure out your passwords for other accounts if one of them leaks: the fixed core and the site-derived suffix are both visible in the leaked password, and cracking tools can apply such per-site patterns automatically rather than by hand, so treat this scheme as a clear improvement over reuse but not as good as unrelated passwords. On the plus side, a password built this way will not turn up in any ordinary brute-force wordlist.
Another great and easy way I came across can be found under Martin’s Blogs, and can be summed up in the following steps:
  • Pick words that mean something to you but aren’t obvious or guessable (not relatives’ names, for example). They should all start with different letters; for the sake of the example we’ll say they are:
    • Random
    • Spoon
    • Apple
    • Violet
  • Establish a few key numbers. Avoid obvious dates such as your date of birth, though something like 1994 and 2004 (the start and end years of the TV show Friends) is fine.
    • 1994
    • 2004
    • 5006
  • Create passwords using a combination of both.
Use the words or numbers forwards or backwards, capitalised or not. This gives you a very large number of possible passwords even though you only need to remember a few words and numbers. For example:
    • 1994Apple
    • Spoon5006
    • 4002violet
    • modnar6005
    • Random94
  • Note the password down IN CODE somewhere safe and convenient.
Store the coded form somewhere safe in case it is ever needed, but never write the full words or numbers down anywhere; those you have to remember yourself. For example, the passwords above could be recorded as:
    • S5 (the word beginning with S, then the number beginning with 5)
    • 1A (the number beginning with 1, then the word beginning with A)
    • Rev2 v (the number beginning with 2 in reverse, then the word beginning with V, not capitalised)
    • Revr Rev5 (the word beginning with R in reverse and not capitalised, then the number beginning with 5 in reverse)
    • R half 1 (the word beginning with R, then the second half of the number beginning with 1)

2. Formula
If remembering them all is not your cup of tea, another option is to come up with a formula known only to you that yields long passwords you can reconstruct on demand, and store just that single formula.
You can even write the formula down in a cryptic way, so that nobody would know what it means even if they saw it.

Consider the following.

  • For the username [email protected], the password can be created by:
  • taking the provider’s name in reverse and mixing upper-case and lower-case characters: "LiaMG";
  • taking the username and adding a special character after every two characters: si#ms#47#9;
  • prepending a number to the whole thing and inserting another after the provider’s name.
  • The final password would be: 8LiaMG0si#ms#47#9

Similarly, if the username is [email protected], the password would be 8OOhAY0tr#is#to#n.
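The formula above, and the memorised fixed-core schemes in the previous section, share a property worth checking before you adopt them: the site-specific piece is a small, mechanical edit of a common core. The following Python is an added example, not code from the article or from Martin’s blog. It implements the article’s formula with one assumption (a deterministic alternating-case rule, since the article’s mixed casing follows no stated rule) on constructed usernames, then plays the attacker who holds one leaked password for the same person and derives a short candidate list for another site.

```python
import itertools


def mixed_case(s):
    """Upper-case every other letter, starting with the first.
    Assumption: the article's own examples ("LiaMG", "OOhAY") follow no
    stated rule, so this deterministic one stands in for it."""
    return "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(s))


def spaced(local_part, sep="#"):
    """Insert a separator after every two characters of the username."""
    return sep.join(local_part[i:i + 2] for i in range(0, len(local_part), 2))


def formula_password(email, lead="8", mid="0"):
    """The article's formula:
    <number><provider reversed, mixed case><number><username with separators>."""
    local_part, domain = email.split("@")
    provider = domain.split(".")[0]             # "gmail.com" -> "gmail"
    return f"{lead}{mixed_case(provider[::-1])}{mid}{spaced(local_part)}"


def candidates_from_leak(leaked_pw, leaked_email, target_email):
    """The attacker's side. With one leaked (email, password) pair they know
    the username, so they strip its separator form, spot the reversed
    provider name in what is left, and reuse the surrounding digits for the
    target site. Only the casing is unknown: 2**len(provider) guesses."""
    local_part, domain = leaked_email.split("@")
    user_part = spaced(local_part)
    if user_part not in leaked_pw:
        return []                                   # scheme not recognised
    site_part = leaked_pw.replace(user_part, "", 1)  # e.g. "8LiAmG0"
    rev_provider = domain.split(".")[0][::-1]
    idx = site_part.lower().find(rev_provider)
    if idx < 0:
        return []
    lead, mid = site_part[:idx], site_part[idx + len(rev_provider):]
    t_local, t_domain = target_email.split("@")
    t_rev = t_domain.split(".")[0][::-1]
    out = []
    for mask in itertools.product((str.lower, str.upper), repeat=len(t_rev)):
        cased = "".join(f(c) for f, c in zip(mask, t_rev))
        out.append(f"{lead}{cased}{mid}{spaced(t_local)}")
    return out


if __name__ == "__main__":
    # Constructed sample identities; not the (redacted) ones from the article.
    leaked_email, target_email = "alice42@gmail.com", "alice42@yahoo.com"
    leaked = formula_password(leaked_email)
    print("leaked:", leaked)
    guesses = candidates_from_leak(leaked, leaked_email, target_email)
    print(f"{len(guesses)} candidates for {target_email};",
          "real one included:", formula_password(target_email) in guesses)
```

With one leak the attacker needs 32 guesses for the second account, far fewer than a site's login rate limit allows over a day. The same reasoning applies to the AAAAABBBB!gmai style above: the suffix "gmai" tells the attacker exactly which four characters to swap. Such schemes defeat plain credential stuffing, but not an attacker who looks at the leaked password for even a moment.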

Seems neat, right?
And for all those who find these memorising tips gobbledygook, password managers are your best friends.

Let’s take a minute to look at what password managers are about.
A password manager is a piece of software that securely stores all your passwords for you, accessible only to you with a single 'master password'.
It comes packed with features, including a random password generator, in case you need help choosing a password. Since you no longer have to remember individual passwords, every one of them can be long, random and unique, which removes the reuse problem from the first section entirely.

A password manager works through one of the following ways:
  • Manually, by looking up the password. You log in to the password manager website or app using your master password, look up the password for the relevant account, then simply copy it and use it to log in to that account (say, Facebook).
  • Automatically, via a browser extension. This is a clever feature you install in your browser that fills in your username and password when you visit the relevant site, after asking for your master password to verify your identity. Because the extension matches the stored entry to the site’s real domain, it will not fill your credentials into a look-alike phishing page, a protection that no amount of memorising gives you.

Isn't a password manager putting all my eggs in one basket?

Well, yes. A password manager concentrates risk in a single point of failure: the master password. Storing the vault locally means that whoever gets your device and your master password gets everything; syncing it through the vendor’s cloud adds the vendor’s servers as a target. That being said, the better password managers on the market are built so that the vendor never holds the key:
  • Passwords are encrypted on the client side, with a key derived from your master password, before they are transferred to and stored on the vendor’s servers. A stolen copy of the vault is useless without an offline guessing attack on the master password, which a slow key-derivation function makes expensive.
  • Two-factor authentication can be required to log in to or sync the vault, so the master password alone is not enough to get at your account. Note that this protects the login, not a vault file that has already been stolen: there, only the strength of your master password stands between the attacker and your data, so make it a long passphrase.
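What "encrypting on the client side" means concretely, as an added Python example that is not any product’s code: the master password never leaves the client, a memory-hard key-derivation function (scrypt, from the standard library) turns it into keys, and the server only ever sees the sealed blob. The cipher here is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only to keep the example dependency-free; real managers use AES-GCM or XChaCha20-Poly1305. The scrypt parameters and the sample vault are assumptions for the example. The last function shows what an attacker holding a stolen vault is reduced to: one full key derivation per guess, with no second factor in the way.

```python
import hashlib
import hmac
import json
import secrets

# Assumed KDF parameters: each guess of the master password costs about
# 16 MB of memory and tens of milliseconds, which is the point.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def derive_keys(master, salt):
    """Derive an encryption key and a MAC key from the master password."""
    km = hashlib.scrypt(master.encode("utf-8"), salt=salt, dklen=64, **SCRYPT_PARAMS)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (illustration only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal_vault(master, entries):
    """Client side: encrypt-then-MAC the vault. Only this dict reaches the server."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(master, blob):
    """Client side: verify the tag before decrypting.
    Raises ValueError on a wrong master password or a tampered blob."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(xor(ct, keystream(enc_key, nonce, len(ct))).decode("utf-8"))


def offline_guess(blob, candidates):
    """Attacker side with a stolen vault: website 2FA does not apply here.
    Each candidate costs a full scrypt derivation, so only the master
    password's strength limits how many candidates are worth trying."""
    for candidate in candidates:
        try:
            open_vault(candidate, blob)
            return candidate
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed sample vault.
    master = "tall ships sail under bridges"
    sealed = seal_vault(master, {"example.com": "constructed-pw-1"})
    print("server stores:", sealed)
    print("client recovers:", open_vault(master, sealed))
    print("stolen-vault guessing:", offline_guess(sealed, ["password", "letmein", master]))
```

Two design points carry over to evaluating a real product: the tag is checked before anything is decrypted, so a wrong master password and a tampered blob are indistinguishable to the server, and the salt is stored with the blob so the same master password yields a different key for every vault, which stops an attacker from precomputing guesses across many stolen vaults.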

LastPass and 1Password are two of the many popular password managers you can try, but I strongly suggest spending some time reading about the different options and choosing the one best suited to your needs.

So this was my take on something we all use and guard dearly, oblivious to the hundreds of password attacks going on right this second. After following these steps, I’m sure you won’t have to wonder how many of those attacks succeeded, or who is checking your messages right now!

References

Article Link: https://blog.lucideus.com/2019/03/how-to-store-your-passwords-securely.html