Digital hygiene: Passwords
This is part 3 of a 3 part series on digital hygiene. I suggest starting at part 1.
Whenever I watch heist movies, I always roll my eyes at the "hacker" character. They can consistently hack building's camera system; or download the contents of a target's phone for use later in the heist. They also manage to hack the bank, which questions the need for a heist in the first place.
While there are real-world programatic attack vectors that can be exploited, they're generally opportunistic. When a new vulnerability has been discovered, nefarious actors try to exploit it at scale before it’s patched. The chances of finding and executing a "hack" on the spot (via bluetooth or something equally ridiculous) is highly unlikely.
Although, I digress. The most common vulnerability is significantly more boring. It's compromised passwords. These can be stolen through social engineering, like phishing, that exposes account details; but it's also likely exposed through a data leak, where a service hasn't stored passwords securely, and thousands of email+password pairs are stolen. These authentication details are then systematically tested on a bunch of other services in the hopes that some people have re-used their passwords, and thereby gain control over those accounts.
And that brings me to the topic of today's post: Password hygiene.
Leaked or stolen passwords are by far the most effective way to hack an account. And so it is imperative that everyone who uses the internet, which accounts for 93% of people in the developed world, to spend some time ensuring that their accounts and login information are secure.
On Bear Blog, the blogging platform I run, it is interesting to see the frequency with which the Forgot Password flow is used1. This is a pretty good indication of the number of people who do not store their passwords properly, since it should never be the case that you've forgotten your password. You should never have to remember your passwords in the first place.
I wonder how many work hours are lost globally due to people following the forgot password flow.
I have hundreds of accounts online, everything from my bank, to a free tool for converting ebooks. If I don't reuse any passwords (which I don't, see above) I'll have hundreds of email+password pairs. I certainly can't remember hundreds of different passwords and match them to the relevant services; and outside of a small subset of people, neither can anyone else.
Before I saw the light and started using a password manager, I used to use a password cipher of my own design. I'd take a string of letters, symbols, and numbers, say !xlk-bd15j-hjk, then replace a certain character with the first letter of the service I was accessing. So for example, if I was trying to access Amazon and the character I'd replace was the 6th one, the password for that service would be !xlk-ad15j-hjk.
This setup isn't very secure (but it is still better than using the same password everywhere). It works until it doesn't. The first issue I ran into with this is that some services had extra password requirements like needing at least one capital letter or a number. The second issue is that this leads to password re-use for all services with the same starting character in their name. And finally, some services do require that you change your password regularly (more on that later), so I'd have to remember which accounts had updated passwords, generally by adding a 1 at the end of it.
It is possible to get extra creative with this, and I did for a while, running a bash script to generate passwords on the fly by taking in the name of the service and hashing it. A storage-less password manager, if you will. But this turned out to be pretty inconvenient, especially since this is a solved problem.
Enter the password manager.
Keeping passwords and 2FA recovery codes safe is easy, you just need to decide on a tool, and stick with it.
There are lots of great password managers out there like Dashlane, 1Password, or Bitwarden. I'm quite partial to Apple's built-in password manager because it syncs between my devices and integrates seamlessly with Apple's biometric authentication, making every login a simple fingerprint scan.
Once you've chosen a password manager, you set a master password. This is the most important password so it is never to be forgotten or written down2. I find using a passphrase is both higher entropy, and easier to remember than a password. Here's a classic XKCD comic explaining password entropy.
Now, every time you log into a service or use the forgot password flow, ensure that you put the password into your password manager, or generate a brand new password using the password manager's built-in generator. You'll only need to do this once per service, and from then on you can use the password manager to login to that service. Another reason I like Apple's password ecosystem is that a lot of this is done by default, without having to manually copy and paste passwords. Password managers do have browser extensions and mobile apps to make this easier across devices. Use them.
Your password manager will also generally alert you of password re-use. If the password has been used multiple times, I'd recommend going and updating all of the accounts. The best way to think about this is that at some point the password will be leaked. Which accounts are you comfortable having compromised? Naturally something like banking or email needs to be updated as a priority, but if it's for a background removal tool...actually, still update it. Why not?
Let's talk about 2-factor authentication (2FA), also known as multi-factor authentication (MFA). While there is a slight difference between 2FA and MFA (hint: it's the number of factors), I'll be using them interchangeably here.
MFA is a security measure to prevent access to an account where the login details have been compromised. Generally if you have good password hygiene and are vigilant about phishing attacks, this is unlikely. However, for high priority accounts it is a necessary security step.
SMS 2FA tends to get a lot of hate, justifiably, due to sim-swap attacks. However, the reason many retail services (like banks) still use SMS instead of TOTP authentication is due to retail customers not having good recovery code storage and backup. If you use Google Authenticator or a similar tool, and do not back up your codes, losing your device is an effective way to lock yourself out of your account. Banks rely on the assumption that you'll reclaim your mobile number, whereas the same cannot be said about lost TOTP recovery codes.
That all being said, if you have the option to use a TOTP authentication code instead of SMS or email 2FA, I highly recommend you do that. You'll just need to ensure you've backed up your recovery codes.
I'm going to say something quite controversial here: I think it's okay to back up your recovery codes in your password manager.
While it does mean that if your password manager is compromised, then all of your accounts (including the ones protected by MFA) are exposed, MFA is generally there to protect against compromised login details and not against a compromised password manager. If your password manager is hacked...I'm sorry. You're going to have a tough time.
At the end of the day, the best tools are the tools you use. I like how Apple's 2FA codes also populate with biometric authentication, removing the need for me to go and find my phone (which I generally leave in another room while I'm working).
Some side notes:
- Changing passwords regularly, especially as a requirement, leads to worse and not better security. Mostly because users don't use password managers correctly, and end up defaulting to a rotation of memorised passwords. The act of changing a password is also a well known phishing attack vector.
- Ensure you take a regular (encrypted!) backups of your passwords to store offsite, just in case you lose access to your password manager, however unlikely.
- Hardware authentication devices are neat, but most people don't work on systems important enough to warrant that level of security. There will always be a trade-off between usability and security, and more security isn't always better. I once misplaced a Yubikey and all of the accounts I used it on had TOTP authentication as a redundancy, so I guess it didn't add much extra security?
- Developers, please stop logging people out of their accounts! There is very little to gain from having short sessions. It's annoying and leads to users forgetting and needing to recover their passwords more often.
As frustrating as it is, it's up to us developers to account for human folly and bad password hygiene. I'd love to create a webservice that only has a username and password with no need for an email address. But I know that I'll receive regular emails asking about account recovery due to a lost or forgotten password.
tldr; Get a password manager, and use it exclusively. Don't try to remember passwords. It's easier and more secure this way. Having good password hygiene makes you significantly less likely to wake up one day with your bank account drained.
As the old joke goes: If you're running away from a bear, you don't need to be faster than a bear, just faster than everyone else.
It turns out there is a small subset of people who use the Forgot Password flow as their main means of authentication, never even trying to store/remember their passwords. This makes sense as it does function as "magic link authentication", but does seem very inconvenient to me. I hate having to go into my email in order to log in.↩
It has been pointed out to me that writing down the master password isn't inherently insecure, as long as it's not stored contextually. So while it should be fine to write it down somewhere (especially if you're liable to forget it), don't write it on a sticky note titled "Password:" and stick it to your monitor.↩