Author

Alejandro Alcalde

Data Scientist and Computer Scientist. Creator of this blog.


CHANGELOG

07.27.2017: Added Passwords Evolved: Authentication Guidance for the Modern Era to useful links.

Introduction

Recently there has been a lot of noise in the security field with WannaCry and a breach with more than 230M accounts stolen. Today more than ever it is necessary to have good habits when creating passwords for the new accounts you open on any service you sign up for. This post shows some good practices I’ve been using since I became more security conscious.

Create Good Passwords

The first thing is to create a strong and random enough password. There are many websites and tools for this purpose, such as Steve Gibson’s page or the built-in tool in LastPass.

For example, for every new account you create on any service, make a long password containing letters, numbers and symbols (see the LastPass generator). A good choice for the password length would be anything above 50 characters; below is an example of the tool integrated in LastPass.

If you do not want to use LastPass you can use Steve’s generator:

Let’s see how much time it would take to crack this 50-length randomly generated password: 8e8f6$AB9^YgOJ4x$JqHknKFXpuru2qyU3KXydaK*lJncQrE:

And what does Steve’s version say?:

Use a password manager

Of course, with such passwords you can’t expect to memorize them, and that is the sign of a strong and good password.

In order to manage your passwords you should use a password manager. I am using LastPass, as these guys have demonstrated they know how to store your passwords in a secure way (I am basing this opinion on Steve Gibson’s knowledge of security; here are some talks about it: I, II).

Even if you’re using LastPass to generate and store your passwords securely, there is an extra layer you could put on top of that: “use LastPass intelligently”, as I explain in the next section.

Best Practices To Use A Password Manager

So far you have a password stored in your password manager that’s impossible to memorize; that’s what a password manager is for. But the possibility that someone attacks you and gets all your LastPass information still exists. Let’s suppose someone stole all your data from LastPass and, to put us in the worst-case scenario, ALL THE STOLEN DATA IS decrypted. Well, one way to mitigate that is to store only part of the password in LastPass. Let me explain:

When you generate your password, you store that randomly generated password in your LastPass vault, but in the service itself, let’s say your Google account, you set your password to:

8e8f6$AB9^YgOJ4x$JqHknKFXpuru2qyU3KXydaK*lJncQrEAPASSWORDYOUCANMEMORIZE

That way, even if all your LastPass data is stolen, the thief wouldn’t be able to log in to your accounts, as they only know part of your password.
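The split-secret scheme just described, together with the random generation and crack-time estimate from the “Create Good Passwords” section, as an added example in Python (not the author’s code and not LastPass’s generator): it draws the vault part from the OS CSPRNG the way a generator does, estimates how long exhausting the key space would take at an assumed guess rate, and shows how much search space is left once the vault part has leaked and only the memorized suffix stands. The 70-character alphabet, the 1e12 guesses/s rate and the sample suffix are constructed assumptions.

```python
import math
import secrets
import string

# Constructed alphabet comparable to the generators mentioned on the page:
# letters, digits and a handful of symbols (70 characters in total).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 50, alphabet: str = ALPHABET) -> str:
    """Draw each character with the OS CSPRNG (secrets), never random.random()."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case years to try every candidate of a 2**bits space at the given
    guess rate (1e12/s is an assumed offline cracking rig, not a measured figure)."""
    return (2 ** bits / guesses_per_second) / (365.25 * 24 * 3600)


def split_secret(vault_part: str, memorized_part: str) -> str:
    """The password actually set on the service: vault part + memorized suffix."""
    return vault_part + memorized_part


def bits_left_after_vault_leak(memorized_part: str, memorized_alphabet_size: int) -> float:
    """If the vault leaks, the attacker already knows the vault part, so the
    remaining work is guessing the suffix; its strength is all that is left."""
    return entropy_bits(len(memorized_part), memorized_alphabet_size)


def report(vault_len: int = 50, suffix: str = "correcthorsebatterystaple") -> dict:
    """Summarise the scheme for one constructed setting (suffix is an assumption)."""
    vault_part = generate_password(vault_len)
    full = split_secret(vault_part, suffix)
    vault_bits = entropy_bits(len(vault_part), len(ALPHABET))
    return {
        "vault_bits": vault_bits,
        "vault_years": years_to_exhaust(vault_bits),
        # The memorized part is lowercase here, so count it over 26 symbols;
        # a real dictionary phrase is weaker still than this per-character figure.
        "suffix_bits_after_leak": bits_left_after_vault_leak(suffix, 26),
        "full_length": len(full),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The point the numbers make: once the vault part is known, the whole scheme is only as strong as the memorized suffix, so a short or dictionary-based suffix gives far less than the report’s per-character estimate.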

Hardening your online presence

These days more and more services offer a two-factor authentication option; you should enable it in all the services you use.

TFA

When you enable TFA, the service will show you backup codes for the case where you lose your phone or can’t generate a TFA code.

Securing your TFA backup codes

It is important that you save these backup codes, but in a secure place. The best thing would be to print them on paper and store them in a bank’s safe deposit box. But for most of us, storing them on an external HDD or printing them will do the trick.
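To show what the service side of TFA and its backup codes looks like, here is an added Python example (not the author’s code and not any vendor’s implementation): a TOTP generator and verifier following RFC 6238 (HMAC-SHA1, 30-second step, 6 digits, with a one-step drift window), plus a store that keeps only salted hashes of the backup codes and burns each code on first use. The code alphabet, PBKDF2 iteration count and the demo secret are constructed choices for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


def totp(secret_b32: str, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = int(time.time()) if for_time is None else int(for_time)
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, for_time: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/-window steps (clock drift),
    comparing in constant time."""
    now = int(time.time()) if for_time is None else int(for_time)
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + k * step, step), code):
            return True
    return False


# Backup codes are shown once at enrollment. Server side, keep only salted
# hashes (as with passwords) and invalidate a code on its first successful use.
# Alphabet drops 0/o and 1/l/i so printed codes are not misread (constructed).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Draw each code from the OS CSPRNG."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    # Iteration count is an assumed value for the example, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


class BackupCodeStore:
    """Record of unused backup codes: salted hashes only, nothing in the clear."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self._unused = [_hash_code(c, self.salt) for c in codes]

    def redeem(self, code: str) -> bool:
        """True at most once per code; the code is burned on success."""
        candidate = _hash_code(code.strip().lower(), self.salt)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, candidate):
                del self._unused[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key "12345678901234567890" in base32).
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    code_now = totp(demo_secret)
    print("current TOTP:", code_now, "valid:", verify_totp(demo_secret, code_now))
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("first redeem:", store.redeem(codes[0]), "second redeem:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Printing the codes once and keeping only their hashes is what makes the paper copy the author recommends the sole usable copy: a stolen database of hashes does not give a working code, and a redeemed code cannot be replayed.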

That’s it. These days I think applying these tips and best practices should keep your passwords pretty secure, but remember, nothing is completely secure.

What tips do you use to secure your passwords? Let me know in the comments!

Useful links

