How Password Managers make passwords easy.

On Thursday 28 September, we looked at how Password Manager programs can simplify the management of our passwords, which need to be complex – but do they also need to be easy to remember?

How is your data at Risk?

Unless you are a high-profile person, you will never be targeted individually by a hacker. The method is always to cast the net as widely as possible in the expectation that some people will take the bait.

Websites holding the login details and personal data of many thousands of users are routinely targeted to get access to this information. Although the stored data should always be encrypted, “weak” passwords, for example, can easily be recovered from it, and they are then made public.

You can see whether any particular variant of your password has been exposed in a known breach using this website:

https://haveibeenpwned.com/Passwords

Passwords that have been exposed before are then used in brute-force password-cracking attempts.
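The haveibeenpwned.com password check does not need to see your password. As an added illustration (not code from the club notes or from the service), this shows how the check works: the password is hashed locally, only the first five characters of the hash are sent, and the matching is done on your own machine. The sample response below is constructed so the example runs offline; the hash prefix and suffix lengths and the `suffix:count` line format are those of the real range API.

```python
# Added example: the "k-anonymity" range check behind the Pwned Passwords lookup.
# Only the 5-character SHA-1 prefix leaves the machine; the service returns every
# hash suffix sharing that prefix and the caller looks for its own suffix locally.
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Count how often `password` appears, given the response text for its prefix.

    Each response line has the form '<35-char suffix>:<count>'.  Returns 0 when the
    suffix is absent, i.e. the password is not in the breach corpus.
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines instead of failing
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


# Constructed sample response for the prefix of "password123" (a handful of lines;
# a real response has several hundred).  The counts here are made up.
SAMPLE_PREFIX, SAMPLE_SUFFIX = sha1_prefix_suffix("password123")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{SAMPLE_SUFFIX}:126927",
    "00A8DAE4228F821FB418F59826079BF368E:3",
])


def fetch_range(prefix: str) -> str:
    """Fetch a real range from the live API; only the prefix is transmitted."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    n = breach_count("password123", SAMPLE_RESPONSE)
    print(f"'password123' appears {n} times in the constructed sample range")
```

To check a real password, pass `fetch_range(SAMPLE_PREFIX)` instead of `SAMPLE_RESPONSE`; the password itself still never leaves the machine.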

The growth of AI has made password cracking even easier. This article:

AI Cracker Can Guess Over Half of Common Passwords in 60 Seconds

notes that AI password crackers such as PassGAN are 100% effective if the password in question has been leaked or breached from a database.

This is why passwords should ideally consist of a large number of random characters. But that makes the individual passwords more difficult to manage.

Phishing emails or websites offering something for free will be aimed at thousands of users.

Clicking on a link might result in malware being downloaded on to your computer, which might steal your data and send it back to the malware operator. This data could be passwords stored in your browser, or the keystrokes you enter when logging in to websites. If you suspect your computer is infected by an info stealer, you should do a full scan of the system using automated anti-malware tools. Removing the malware is not enough: it is crucial to change all passwords immediately. You need to be sure that you would be able to do this.

So, ideally, as a minimum we need to be able to:

  • store our passwords in a safe place;
  • make it easy to generate new strong passwords;
  • make it easy to fill in passwords when required.

Password Vaults

Since we need most of our passwords on websites, the safest and easiest way to generate and store personal passwords is either from within the browser or using a browser-based password manager such as Bitwarden. These programs make it easy to create and fill passwords, especially for website logins. They will not autofill passwords on fake websites, because the address does not match the site the password was saved for. They also offer to check whether any stored password has already been “hacked”.

The advantage of storing passwords in the browser or in a password manager is that, once set up, their operation requires only a few clicks. You can save credentials directly in the password manager, or from the login page of a website, or you can import credentials from a file.

Browser based password managers

Passwords are stored on the local device, e.g. a PC, but can be accessed on other devices, e.g. a phone, using the same browser.

In this case the passwords are normally not encrypted and are freely visible on the device unless protected by a Master Password, which is disabled by default for “convenience”.

  • The Apple Safari browser will fill in passwords stored in the iCloud Keychain.
  • The Chrome browser includes Google Password Manager, but this no longer generates passwords. Passwords are synced across devices via the Google account.
  • The Firefox browser includes a Password Manager. Passwords are synced across devices via a Firefox account. Most other browsers, e.g. Brave, Opera and Edge, are similar.


But are browser password managers safe?

Master Password

You will need a Master Password to make it difficult for others to access your password vault. The Master Password is used to encrypt the data in the password vault, so that it is unreadable without the Master Password.

A good Master Password will be at least 16 characters long and easy to remember accurately, because you will have to type it each time you want to use the password manager (although fingerprint recognition may be possible on a phone, for example).

A slightly modified silly phrase or a line from a song might be a good way to create a good Master Password. You need to select a phrase that resonates with you, but as examples:

pitney24hoursfromtulsa

cardinal richelieu died in 1642

You can experiment using this tool: https://www.passwordmonster.com/. We can give some guidance at the club, if required.

Password Manager Programs

Dedicated Password Manager software such as 1Password or Bitwarden is just as easy to use as the inbuilt browser managers, but is more secure and has more features, including:

  • fully encrypted password storage, always;
  • the ability to store non-password information such as memorable information, e.g. for banks, as well as storing and filling details such as name, address, passport number, credit card number etc. if required;
  • control over the generation of passwords and user names, e.g. length and the type of characters used;
  • the option to organise credentials into folders;
  • a timeout before the vault closes;
  • sharing passwords with other users, e.g. family or colleagues;
  • and many more settings options.

Note that when using a Password Manager program the password saving features of the browser should be turned off.

The Bitwarden web browser extension is a Password Manager that can be recommended. It is open source, free to use and contains all the functionality individual users would need. It can be installed from the Extensions option in your browser. There is a premium version for more advanced users. There are several YouTube videos that demonstrate how to set up and use Bitwarden. This is a Quick Start video

Still worried about security?

If you are really serious about security, you might want to view this:

Finally, it is worth mentioning that the computing industry is keen to replace passwords with Passkeys, but this additional method will have to be added to every program that uses passwords.


Why not give Bitwarden, for example, a try? If you would like help getting set up, contact Peter Bayliss at the club.