Password Management 101: How to Keep Your Passwords Safe

When it comes to cybersecurity, and more specifically infosec, password management is critical in defending your information and organization from cybercriminals. Beyond firewalls, malware protection, VPNs, and other cybersecurity tools, passwords are often the only thing protecting confidential information like company data, intellectual property, seed phrases, and the private keys of cryptocurrency wallets.

Of course, there are technologies such as SSO (Single Sign-On) and biometrics, however, these sorts of tools are still typically coupled with a password at some point in their authentication process to ensure a greater level of security. This ultimately means that infosec is highly dependent on passwords, and the secure generation and management of those passwords. 

All things considered, secure password management and keeping your passwords safe starts with having an ultra secure password in and of itself. There are a number of things that make a password strong, and you should always use common sense and avoid typical passwords such as your birthday, a succession of numbers or letters, or single words and short passwords. 

But in order to really understand how to create a strong password, it’s important to understand how passwords get hacked in the first place. Here are a few of the typical ways cybercriminals obtain password credentials:

• Brute Force Attack – In this sort of attack, the hacker uses software to try and guess every combination possible until it guesses yours.

• Dictionary Attack – The attacker uses a predefined dictionary of words and tries to match them against your password. This is why having a password like “horse” or “football” are always bad ideas, as they are easily guessed in dictionary attacks.

• Password Phishing – Phishing attacks are something we’ve covered at length here at Halborn, and they involve cybercriminals trying to trick, pressure, and social engineer victims into giving up password information.

Especially when it comes to brute force attacks and dictionary attacks, having your password information get compromised is far less likely when you have a strong password that follows specific guidelines. Below, we’ll explore how to ensure you create a strong password.

In many ways, good password management starts with having an ultra strong password. The stronger the password, the more difficult it is for a hacker to crack it, and here are the elements that actually make a less-hackable, strong password:

• Length – Usually you want to have a minimum of 12 characters, but optimally 25 or more. We recommend using a password manager to create passwords that are 60+ if the service you’re using allows it.

• Use a mix of characters – Use upper-case, lower-case, numbers, and symbols in your password to make it more difficult for brute force attackers to succeed.

• Use a random password – It’s always best to go for a random string of letters and numbers as opposed to a common combination of words. However, if you absolutely insist on using words, at the very least make sure you use separators like periods and dashes in between words (eg. orange.apple.grape) and avoid obvious substitutions like @ for the letter a. 

Using any one of the above guidelines in isolation isn’t enough, so you’ll want to ensure you use all of them (or, at the very least, a combination of several of them). For instance, having a password that is 12 characters long can take either milliseconds to hack, or billions of years to hack depending on how it’s formed. In fact, Express VPN, the VPN service provider, has an interesting online password safety tool that will show you how long it takes to crack a specific password. And although we don’t recommend you generate passwords with this online tool and use them to secure your information, it’s very helpful to see how much of a difference a special character, separator, or extra number can make to the security of your password. 

In the rare case that your password is compromised after following the recommendations above, password management tools 1Password as well as things like Google’s built in security features can warn you when your email or password has been involved in data breaches.

As you can see, there’s quite a lot that goes into good password management and properly securing the information your passwords ultimately protect. And as a result of all the complexity around cybersecurity and infosec, one of the major areas that hackers try to exploit within organizations is cyber fatigue. People tend to experience cyber fatigue when they become overwhelmed with managing multiple passwords, PIN codes and accounts. That is, being inundated with prompts, credential requests and false positives that overtime may start to feel meaningless – although they are critical to information security. 

One of the most powerful tools organizations can use as part of their infosec strategy and to help avoid cyber fatigue include password managers. Password managers remove the complexity involved in coming up with a secure password, storage, syncing, and monitoring among other things. Below, you’ll find a list of options for password managers you can consider as part of your password security strategy.

Depending on the devices you use, they may come with their own password generator and manager. For example Apple OSX users will be familiar with iCould Keychain and the Safari browser password manager. Firefox has Lockwise, and Google Chrome also has a native password manager that can generate passwords and also warn you if a password has been involved in a data breach. The advantage of these tools is that they are free and convenient, however an obvious drawback of these natively built in tools, outside of Firefox’s Lockwise, is that the passwords within them are tied to the ecosystem and can’t be used across platforms.

If syncing across multiple platforms including mobile is important to your operation, then you’ll want to consider tools such as 1Password, Keeper and Dashlane among others. These tools include useful features like password change history, data leak notifications, 2FA for greater security when new accounts instances are created, AES 256-bit encryption, and much more. 

If your project or organization would rather manage passwords purely offline, one option includes the open source password manager KeePass. Many of the other options that allow online syncing can also be used offline, so if keeping your data totally offline or outside of public networks is important, these are the kinds of options you’ll want to consider.

Hackers have gotten more clever and continue to evolve their strategies for stealing password information. So beyond the password management tools themselves, you’ll want to equip yourself with the right knowledge of things you should do, and other things you should avoid when it comes to keeping your passwords safe. Here’s a list of password Do’s and Don’ts you’ll want to keep top of mind.

• Use a password manager and go above and beyond a particular service’s minimum requirement. If the service you’re using allows long passwords over 60, 100 or many more characters, then take advantage of this extra security.

• Create unique passwords for every single service you use. Never reuse passwords across any service, and ensure each one is truly unique (ie. avoid adding a “!” or number to make them unique as hackers can easily crack variations like this).

• Use a VPN when on public WiFi and logging into accounts to help avoid your password being intercepted.

• Although your password manager will house the majority of your passwords, a couple of passwords you should avoid storing anywhere online are A) the password for your actual password manager and B) the password for your personal computer and mobile device.

• For the passwords that you cannot store online, consider splitting them up and storing them in separate places. For example, half of the password can be stored at one location in a safe, and and the other half at a seperate location – both using fire and water resistant material. Also be sure to have copies kept in a safe place.

• Train all users of sensitive information within your organization on proper password management.

• Share your password with anyone. Even if asked for it by technical support for a service you’re using as no service would typically request this information and it could be an actual phishing attempt.

• Share your information on websites that don’t use HTTPS.

• Text or email your password information at any time.

• Use spreadsheets and unsecured handwritten notes to store passwords.

• Use anything too obvious like birthdays, the names of family members, your email address, single words or an obvious succession of numbers.

• Share your password management strategy with people that don’t need that information and this could include people within your organization.

• Try to memorize too many passwords, and have a secure backup of all critical ones.

A secure password that is safely stored and synced is a critical step in your overall infosec strategy. But you can still take your security a step further through the use of multi-factor authentication apps such as Google Authenticator and Authy, hardware OTP tools like a Yubikey, and Google’s password alert extension for Chrome.

Proper password management and keeping your passwords safe is a key element to information security and keeping your data out of the hands of unauthorized users. And if you want to ensure your sensitive information and data are as safe as possible, reach out to our cybersecurity experts at halborn@protonmail.com.