Password Management

Password Management – Best Practices to Know

Passwords, along with usernames, remain the primary data used to access online accounts. Poor management of them is also one of the main causes of account breaches for both individuals and companies. In this article, recommendations for good password management are outlined, aiming to ensure greater protection of your accounts.

The Evolution of Passwords

Simple Passwords and Stored Without Security

Initially, passwords were short and stored in plain text (without any encryption) in systems. Any intruder who gained access to the database where they were stored could view these passwords, as they were saved in a readable format. Since people typically used the same email and password across multiple systems, these intruders could access several accounts of the same individuals with little effort.

Hashing and Encryption

Systems began converting passwords into hashes using cryptographic hash functions. In other words, the password was no longer stored, only its hash. Whenever the user logged in, their password was converted into a hash using the same algorithm, and this hash was compared with the one stored in the database. This ensured that even if an attacker obtained the file or database, they could not easily recover the original passwords, as hash functions are irreversible.

Later, it became clear that although moving from storing passwords to storing their hashes was a significant improvement, it was still not enough to store user credentials securely, because of an attack known as rainbow tables. In this attack, intruders hold precomputed tables of hashes and their plaintext equivalents, so an unsalted hash can simply be looked up. As a result, today it is recommended to add a salt (a random value, different for each user) to the password and hash the password + its salt. This ensures that even if two users have the same password, the result of hashing password + salt will be a different value, making the hashes much more costly to crack.

Increased Complexity

As users were creating passwords that were too simple, it became possible to crack them using brute force or dictionary attacks. As a result, companies began implementing policies that required frequent password changes (at least every 90 days), as well as increasing password complexity. This meant requiring passwords to contain uppercase and lowercase letters, numbers, and/or special characters. The prohibition of reusing previous passwords was also introduced.

Multi-Factor Authentication (MFA)

Due to the rise in phishing attacks and keyloggers, Multi-Factor Authentication (MFA) was introduced. Now, in addition to the username and password, another factor was required, such as a code sent via SMS to the user’s mobile phone or a hardware token.

One-Time Password (OTP) systems, such as Google Authenticator (Android; iOS) and Microsoft Authenticator (Android; iOS), were also implemented.

Password Managers

As the number of accounts per individual grew, password management systems began to emerge. These systems allowed passwords to be stored securely (using advanced encryption) and organized, as well as accessed in a simple manner.

In addition, they included a password generation feature, allowing users to create long and complex passwords without the need to memorize them. They also encouraged the use of unique passwords for each system.

Elimination of Passwords and Biometrics

Currently, we are witnessing a transition to passwordless authentication. Protocols like FIDO2, which are considered highly resistant to phishing, enable authentication without the need for passwords, using passkeys and physical security keys, such as Yubikeys, among others.

This approach makes the authentication process not only more secure but also simpler, by using methods such as biometrics—e.g., fingerprint scanning or facial recognition.

But in the present, the mistakes of the past are still being made.

Unfortunately, even today, there are systems where passwords are stored in plaintext or hashed without a salt; individuals and companies that still don’t enforce a secure minimum password length; a low rate of Multi-Factor Authentication usage (whether it’s due to systems that still don’t offer it, or users who, despite systems having it available, haven’t activated it), and more.

How long does it take for a password to be discovered?

The following graph shows the strength of some passwords. It highlights that length, that is, the number of characters, is what contributes most to their strength: every additional character makes them harder to guess.

The strength of some passwords. Credit: Bitwarden

You can test some passwords and see how long it would take for them to be cracked here.

What are secure passwords?

The answer to this question has changed over time. For example, in 2003, when NIST Special Publication 800-63, Appendix A was published, it recommended that passwords should contain uppercase and lowercase letters, at least one special character, and at least one number. It also advised that passwords should be changed frequently, at least every 90 days.

This led most users to replace some characters with numbers, which became highly predictable, even for software programs designed to guess passwords. Knowing that these substitutions were common, developers programmed the software to also make those substitutions. This could result in the password “P@ssW0rd123!”, which, for example, nowadays takes only 6 minutes to be cracked!

The requirement to change the password every x days also led users to only add or replace one character, keeping the rest of the password unchanged, which does not provide a significant security improvement.

The cartoonist Randall Munroe published a comic on xkcd that became popular by highlighting that the password “Tr0ub4dor&3” (something like “Tr0v4d0r&3”, meaning troubadour with substitutions and additions) could be cracked in just three days, due to the predictable use of uppercase and lowercase letters, character substitutions with numbers, and the use of special characters. Meanwhile, the password “correct horse battery staple” would take 550 years to crack. He also commented below that “After 20 years of effort, we’ve correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

You will probably agree that the passphrase “correct horse battery staple” is easier to remember than the password “Tr0v4d0r&3,” especially if you visualize an image in your mind.

The strength of passwords. Credit: xkcd

The author of the 2003 NIST document, Bill Burr, later expressed regret for these recommendations, which were misinterpreted and led users to adopt predictable practices, even though his recommendations aimed to make passwords more robust.

The National Institute of Standards and Technology (NIST) published a new document, known as NIST Special Publication 800-63-3, in 2017, which was revised in 2020. This document is widely adopted by the industry as a reference for authentication management and identity security.

Use long passwords.

One of the main factors, if not the most important, that makes a password secure is its number of characters. The more characters it has, the harder it is to guess.

Short passwords are easily guessable in an attack known as brute force, where software tests all possible character combinations. It’s a time-consuming process, but it can sometimes yield quick results, especially when the passwords are too short.

Nowadays, none of your passwords should be fewer than 14 characters.

Ideally, you should create passphrases instead of passwords, meaning using a phrase. Joining words like “I like Blog nelsonlopes.net,” along with numbers and other characters, can create an excellent password.
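As an added worked example (not code from the original article), the arithmetic behind the graph above and the xkcd comparison discussed later in this article: the strength of a randomly generated password or passphrase is the size of its search space, which grows exponentially with each extra character or word. The guess rates are assumptions: 1,000 guesses per second is the online rate the xkcd comic uses, and 10 billion per second is a stand-in for offline cracking of a stolen unsalted hash on GPUs. Times are the worst case (the whole keyspace tried).

```python
import math

# Assumed alphabet sizes for randomly generated passwords (US-ASCII printable set).
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 94}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def password_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from `charset_size` symbols,
    i.e. log2(charset_size ** length). One extra character multiplies the work by charset_size."""
    if length < 1 or charset_size < 2:
        raise ValueError("length must be >= 1 and charset_size >= 2")
    return length * math.log2(charset_size)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from a list of `wordlist_size` words.
    Four words from a 2048-word list give 44 bits, the figure xkcd uses for
    'correct horse battery staple'."""
    if words < 1 or wordlist_size < 2:
        raise ValueError("words must be >= 1 and wordlist_size >= 2")
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every one of the 2**bits candidates."""
    return (2 ** bits) / guesses_per_second


def crack_days(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_DAY


def crack_years(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def length_table(charset_size: int, lengths, guesses_per_second: float):
    """Rows of (length, bits, years) showing how each added character multiplies the work."""
    rows = []
    for n in lengths:
        bits = password_bits(n, charset_size)
        rows.append((n, bits, crack_years(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    ONLINE_RATE = 1_000           # xkcd's assumption for guessing against a live service
    OFFLINE_RATE = 10_000_000_000  # assumed GPU rate against a stolen unsalted hash

    # xkcd's two examples: ~28 bits for the substituted word, 44 bits for four random words.
    print(f"Tr0ub4dor&3-style (28 bits) at {ONLINE_RATE}/s: {crack_days(28, ONLINE_RATE):.1f} days")
    print(f"4 words x 2048 ({passphrase_bits(4, 2048):.0f} bits) at {ONLINE_RATE}/s: "
          f"{crack_years(44, ONLINE_RATE):.0f} years")

    # Why length matters: random printable-ASCII passwords, offline rate.
    for n, bits, years in length_table(CHARSETS["printable"], [8, 10, 12, 14, 16], OFFLINE_RATE):
        print(f"{n:2d} chars: {bits:5.1f} bits, {years:.3g} years")
```

Note that these numbers describe randomly generated secrets; a human-chosen "P@ssW0rd123!" has far less entropy than its length suggests, which is why the dictionary-plus-substitution guessing discussed below cracks it in minutes.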

Use random words

Avoid using passwords that contain words related to you or someone close to you. These words are the first to be tried, especially based on what the attacker knows about you (for example, what you share on social media).

In other words, creating passwords with data that could lead back to you is half the battle for them being cracked. For this reason, it’s good practice for passwords not to include the username of the associated account, your name or the names of close family members, your birthdate, your phone number, etc.

The goal is to choose a passphrase that contains words that don’t make sense together, making it harder for any system to guess them.

The replacement of characters with their numeric counterparts no longer works

At one point, some characters were replaced with similar-looking numbers, such as “E” with 3, “T” with 7, and so on. But just as account holders made these substitutions, the software used by attackers to crack passwords was also programmed to do the same. Taking this into account, this type of substitution no longer provides strength to passwords.

Do not repeat passwords

One of the main mistakes people make is using the same password for multiple accounts. Imagine that somehow someone discovers the password for one of your accounts. By knowing your username or email, they can now try the same password across several other services.

In other words, to give a concrete example, suppose you use the same password for Instagram as for Gmail. If someone happens to discover your Gmail account, they will also be able to access your Instagram account. Not only will they be able to read your emails, but they may also read your Instagram conversations and, who knows, even post on your behalf.

If you use business systems, it is very important for both you and the company you work for that you don’t use the same passwords for your personal accounts and your business accounts, and vice versa. This is for similar reasons as described above—if any of your personal accounts are compromised, your business accounts are more likely to be compromised as well, leading to significant negative impacts for the organization. On the other hand, if the company’s accounts are compromised, the attack may extend to your personal accounts, which I’m sure you want to avoid!

All of this can be solved simply: each account should have a password different from all the others.

Do not reuse passwords

At this point, what I want to tell you is not to use passwords you’ve used in the past. They surely have some trace on your side or on the systems where you used them. Let your imagination flow and create new passwords.

Organizations should not require password changes. This does not mean that you shouldn’t change your passwords

NIST, along with other organizations, does not recommend password changes based on studies that showed this practice often led users to adopt predictable and weak passwords. A password change is only recommended if you suspect it has been compromised.

Therefore, they encourage organizations not to require frequent password changes, unlike the previous recommendation that sought to enforce a change at least every 90 days, and they complement this recommendation with the advice to have Multi-Factor Authentication enabled.

The user is no longer required to change the password; however, keep in mind that periodically changing your passwords is one way to ensure that, if a particular account is compromised, unauthorized access by third parties does not continue indefinitely (even when you are unaware of the breach). This is especially important for services that still don’t offer MFA (which, unfortunately, are still many), but also for those that do, as we know that certain MFA methods can be vulnerable.

Be mindful of where you store your passwords

Never store your passwords in places where they are in plain text, without encryption. For example, you should never store them:

  • On paper, such as post-its;
  • In computer or phone notes;
  • In spreadsheets;
  • On the covers of mobile devices;
  • Etc.

If you do this, anyone with access to the paper or your session, physically or remotely, will be able to read the password. This is, in fact, one of the most common mistakes. It’s quite practical because the password stays on a post-it stuck to the monitor or in a file on the desktop, ready to be copied to the login page… by you and by anyone else who can access it, as it’s fully readable.

The ideal way to combat this and still maintain simplicity is to use a password manager, as I discuss further down in this article.

Do not store your passwords in browsers

Browsers have had the ability to store credentials for some time now, aimed at simplifying the user’s task. However, their use is not recommended because many don’t use robust encryption methods, and someone with physical access to the machine can extract them.

Do not share your passwords, but if you do, make sure to do it securely

If you share the password to your Netflix account with a friend so they can watch movies without paying, and use the same password for Gmail, you can see what might happen, right? And it’s not just about your friend, who might even be an honest person, but do you have guarantees that they will store that password properly?

Especially in the business world, it’s very common for users to share their passwords with colleagues when they go on vacation or are on leave, so colleagues can follow up on received emails and other matters. Don’t do this! And if you’re in charge of a department or have the ability to enforce security policies, prohibit people from doing so. Instead, they should request the IT department to forward emails and calls from the absent person to their substitute.

The truth is that the more people you share your password with, the greater the risk to your account. I don’t know if you store your passwords properly or not, but remember that the person you’re sharing your credentials with may not take the same precautions.

Remember: the responsibility to protect your account is not just that of the service provider or your company’s IT department (if applicable), it is also yours.

However, sometimes we do need to share a password. In these cases, email and SMS are channels to avoid! Use password managers like the ones listed below (affiliate links), which offer secure password sharing functionality, or use secure communication apps like Signal or Telegram.

Use a Password Manager

Password managers allow you to store all your passwords securely (data is encrypted), in a simple and organized way, making the management of your credentials much easier. Believe me, when used properly, they are a true game changer.

With a password manager, you only need to remember one password—the master password. Yes, just one: the one required to decrypt all the others. This password should be long and complex, but you must ensure it’s one you can remember because if you forget it, you might lose access to all the others.

So, what difference does it make to create the remaining passwords with 30, 40, or even 60 characters? I know this might seem daunting or even ridiculous to some people, but… give it a try. It won’t make any difference to you since the passwords will be automatically filled by your password manager, or you’ll just need to copy them. You won’t have to memorize or type them, and you’ll have the confidence of using a secure password! Of course, this depends on whether the service allows such long passwords. Unfortunately, many services still limit passwords to only 8 or 10 characters, which is incomprehensible.

You can organize your passwords into vaults. For example, you can have a vault where you store the credentials for your personal accounts, another for your spouse’s credentials, another for your children, one for work, and so on.

You can use browser extensions that automatically fill in credentials on the websites you visit. The most well-known password managers offer extensions for the most widely used browsers.

They have mobile apps that do the same for the applications you install, whether on Android or iOS.

They can be local or cloud-based. If you don’t trust the cloud enough to store such sensitive data there, you can use password managers like Keepass, whose database remains only on the device where it is installed. However, if you want to access the data on another device, you’ll need to copy the database to that device. This might not be very practical because, whenever you add or change a password, you’ll have to update it on both devices or copy the database from one to the other again. Some people use online file services to synchronize the database across devices, but this is not as simple as directly using a cloud service like the following (affiliate links):

Enable Multi-Factor Authentication (MFA)

No matter how secure a password is, you should always keep in mind that it can be discovered. For instance, if your device has a keylogger, every keystroke is recorded and sent to the attacker. In this case, no matter how complex your password is, its complexity becomes irrelevant once it is transmitted to the perpetrator.

To help resolve this and other issues, Multi-Factor Authentication (MFA) adds an extra layer of security to your accounts by requiring another factor whenever you log in. For example, this factor could be a One-Time Password (OTP) generated on your mobile device by an Authenticator app, which you must enter on the website you’re logging into in order to gain access. In this case, in addition to your password, your device would also be required to log into the account.

Go passwordless

As we know, passwords are vulnerable and remain a challenge in securing online accounts. However, there are protocols designed to address the weaknesses of passwords, making access more secure and easier. Click here for more details.

Other precautions

In addition to the best practices mentioned above, which are more directly related to passwords themselves, there are a number of other concerns you should keep in mind.

Use a secure internet connection

It is known that even our home connection is not completely private, as the ISP (Internet Service Provider) can see where we are browsing and even view traffic that is not encrypted.

Worse than this is the use of public Wi-Fi networks, such as in cafes, airports, or hotels.

Consider using a VPN that encrypts all your traffic from your device to the VPN server you’re connected to. This way, all systems in between will only see encrypted traffic and won’t be able to decipher what is passing through. However, you should be cautious when choosing a VPN service. Specifically, the VPN should be audited to ensure that it does not keep logs of your browsing activities, as just like the ISP can see your traffic if you don’t use a VPN, the VPN provider will also be able to view it.

Services like the ones I list below (affiliate links) are recognized as trustworthy services.

Only visit HTTPS sites

When you access a site whose address starts with HTTP://, it means that the traffic between your device and the website’s server is not encrypted. When this happens, if the traffic between your device and the server is intercepted, the data, including your password, is readable by third parties.

Always check if the address you are accessing starts with HTTPS:// or if there is a closed padlock (sometimes green) next to the address bar, as seen when visiting nelsonlopes.net.

Secure connection to nelsonlopes.net

HTTP stands for Hyper Text Transfer Protocol, and HTTPS stands for Hyper Text Transfer Protocol Secure. Transport Layer Security (TLS), which replaced Secure Sockets Layer (SSL) and corrected several of its vulnerabilities, is the protocol responsible for encrypting communication in HTTPS.

Always check the website address you are visiting

Is the website you are accessing the one you intend to visit, or is it an exact copy? Pay close attention to the address in the browser’s address bar. There are well-known cases where the similarities are so strong that the user enters their credentials on a fake website, thinking they are on the real one. Believe me, there are exact copies where the differences are even hard for the trained eye to spot.

To avoid being deceived, always check the address.
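The two checks in these last sections, an HTTPS address and the exact expected host, can be automated. The following is an added example (not code from the original article) that inspects a URL the way a careful reader would: it flags a non-HTTPS scheme, a host that is not the expected one, hosts that merely resemble or embed the expected name, user-info before the `@` that makes the real host easy to miss, and punycode labels. `nelsonlopes.net` is the expected host from this article; the lookalike addresses in the `__main__` section are constructed for illustration and use the reserved `.example` TLD.

```python
from urllib.parse import urlsplit
from typing import List


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between host labels suggest a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, expected_host: str) -> List[str]:
    """Return sorted findings for `url` against the host we intend to visit.
    An empty list means: HTTPS, and the host is exactly `expected_host`."""
    parts = urlsplit(url)
    findings = []
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    labels = host.split(".")

    if parts.scheme != "https":
        findings.append("insecure-scheme")          # traffic, password included, readable in transit
    if parts.username is not None:
        findings.append("userinfo-in-url")          # "expected.host@real.host" trick
    if host != expected:
        findings.append("host-mismatch")
        brand = expected.split(".")[0]
        # The expected name used as a subdomain, or a label one or two edits away from it.
        if brand in labels or any(levenshtein(lbl, brand) <= 2 for lbl in labels) \
                or levenshtein(host, expected) <= 2:
            findings.append("lookalike")
    if any(lbl.startswith("xn--") for lbl in labels):
        findings.append("punycode")                 # non-ASCII lookalike characters possible
    return sorted(findings)


if __name__ == "__main__":
    expected = "nelsonlopes.net"
    for url in [                                     # constructed sample addresses
        "https://nelsonlopes.net/login",
        "http://nelsonlopes.net/login",
        "https://ne1sonlopes.example/login",
        "https://nelsonlopes.net.login.example/",
        "https://nelsonlopes.net@other.example/",
        "https://xn--nlsonlopes-0za.example/",
    ]:
        print(f"{url:45s} -> {check_url(url, expected) or 'ok'}")
```

The padlock only proves that the connection to whatever host is in the address bar is encrypted; it says nothing about whether that host is the one you meant, which is why the host comparison is the part of this check that matters most.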

Notifications when you log in

Prefer services that send notifications whenever you log in. This way, if you receive one of these notifications and you are not logging in, you will know that something is wrong and should act quickly to minimize the issue.

If the system does not send these notifications, check if it shows the last login or has a visible login log. If it does, take a look from time to time to make sure everything is fine or to detect any issues. If you suspect that a login wasn’t yours, reset the password immediately.

Account lockout due to wrong attempts and CAPTCHA

Also, prioritize services that lock the account (temporarily or permanently) after a certain number of failed login attempts. This makes online brute force and dictionary attacks ineffective: these processes are already slow when passwords are strong, and with these locks they become impractical.

Websites should also use CAPTCHA systems (Completely Automated Public Turing test to tell Computers and Humans Apart) to filter human users from bots.

Secure password storage

Prioritize services that do not store your passwords. Yes, that’s right, I repeat, prioritize services that do not store your passwords. Services should never store the passwords of their users, but rather their hashes.

But this is not enough, as it would still be vulnerable to rainbow table attacks. A salt should be added to the password before hashing the password + salt.
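An added example (not code from the original article) of what the service side should look like, tying together the salted-hash storage described here and in the "Hashing and Encryption" section with the failed-attempt lockout from the previous section. `unsalted_hash` is included only to show the weakness: two users with the same password get the same hash, so one lookup table unmasks both. `hash_password` uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt; the iteration count, lockout threshold and lockout duration are demo values chosen for this example, and an in-memory dictionary stands in for the users table.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # demo value; production deployments use higher counts
SALT_BYTES = 16
MAX_FAILURES = 5             # consecutive wrong passwords before a temporary lock
LOCKOUT_SECONDS = 15 * 60


def unsalted_hash(password: str) -> str:
    """The weak scheme the article warns about: same password, same hash, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. A fresh random salt per user means two users with the same
    password get different digests, so a precomputed table is useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class UserStore:
    """In-memory stand-in for a users table: only salt + digest are kept, never the password."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        # Dummy record so a login for an unknown username costs the same time as a real one
        # and does not reveal which usernames exist.
        self._dummy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'locked' or 'bad_credentials'. `now` is injectable for testing."""
        if now is None:
            now = time.time()
        if now < self.locked_until.get(username, 0.0):
            return "locked"                      # no hashing, no hint while locked
        salt, digest = self.users.get(username, self._dummy)
        ok = verify_password(password, salt, digest) and username in self.users
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            count = 0
        self.failures[username] = count
        return "bad_credentials"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    print("unsalted hashes equal:", unsalted_hash("x") == unsalted_hash("x"))
    print("salted digests equal:", store.users["alice"][1] == store.users["bob"][1])  # False
    print(store.login("alice", "correct horse battery staple"))                        # ok
```

A real service would also rate-limit by source address and cap the failure counters it keeps for usernames that do not exist, so the lockout table itself cannot be flooded.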

How to test if the password is secure?

Password managers themselves usually have the functionality to indicate whether each of your passwords is secure, even alerting you to those that are not. Some even have statistics so you can get a quick overview of the status of your credentials.

In addition to these, there are some online services that also perform this check, like this one.

Conclusion

Attacks to discover credentials have evolved over time, along with computational power, greatly reducing the wait time for those engaging in such activities. To counter this, it is essential to pay attention to some basic precautions described in this article. These precautions can be applied directly by the reader, but others must be implemented by the services they use. Therefore, it is important to manage your passwords well, but also to stay vigilant about the quality of the services where you store your information.