Digital Privacy: Your Passwords

This entry is part [part not set] of 4 in the series Digital Privacy

Let’s get this out of the way up front: your passwords probably suck. They’re probably terribly insecure, easy for a computer to hack, and getting reset every time you can’t remember what they are. So let’s look at why that is, and how to fix it.

The way a password works is that it is something no one else can know, but gives you access to something. The way a password doesn’t work is when it can be figured out, guessed,  or bypassed. We’ve tried to address a lot of the bypassing with securing your phone and your data access with VPNs. The guessing is simple enough; that’s when people use very simple passwords with relevant information to them. Passwords that incorporate pet names, birthdays, anniversaries, and the like. These are things that people who know a bit about you, either personally or by way of Google or Facebook, can plug in and get relatively close to your password. But what about the figuring out part? That takes a bit more thought but still isn’t terribly hard.

The biggest problem is that most people just don’t know what a good password is. Something to keep in mind that it needs to be secure from both people and computers. The way computers most often guess passwords is through something called brute force. This involves a program running thousands of possible passwords and waiting for one to work. It can sometimes use a dictionary to give it a head start guessing words, and sometimes just runs through random characters, trying all possible combinations. I won’t get into calculations, but let’s look at some examples of how complex passwords really are.

Let’s say you have a password that can be only numbers. If that password is one character long then the pool of possible passwords is 10 (0-9). If the password is two digits long then the pool jumps to 100 (01-99, and 00). A four digit password with only numbers (like a PIN) has a pool of 10,000. That’s still not very secure, since brute force attacks can try hundred of billions of passwords a second.

So from a computer standpoint the simple examples above show that you’re going to want a long password, and a mix of kinds of characters. A twelve character password with numbers has a pool of one trillion. Normally a trillion sounds insanely large, but you can see that someone really intent on breaking that password, with good hardware, could do it in a moment. So we introduce letters, uppercase and lowercase, and throw in special characters (punctuation) to boot. Now with twelve characters, your password pool as risen to 5.403,600,876,626,37X10^23. That’s a pretty big number, nearly twice the number of stars. But that password includes things like ?_bk4-MxZu\G(,o}gaU5mP34! which you’re not likely to remember. So while it may be fairly decent against a computer attack, it’s nearly useless to you as a human.

XKCD has an excellent comic about password security, showing “correct horse battery staple” as a solid password that you can remember and that a computer will take a long time to crack. Of course, it hinges on picking actually random words, thereby keeping it from being human-guessable. And that can be achieved with something called the dice method. It involves two things: 1) a word list, and 2) physical dice. You can also use this site, but again you’re trusting someone else to give you a password rather than making it yourself.

The Intercept gives the instructions as so:

Now grab some six-sided dice (yes, actual real physical dice) and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with the first word in your passphrase. What you’re doing here is generating entropy, extracting true randomness from nature and turning it into numbers.

If you roll the number two, then four, then four again, then six, then three, and then look up in the Diceware word list 24463, you’ll see the word “epic.” That will be the first word in your passphrase. Now repeat. You want to come up with a seven-word passphrase if you’re worried about the NSA or Chinese spies someday trying to guess it (more on the logic behind this number below).

You can click through to their whole article, which give you a lot of the hard numbers and is a great read.

So now you know what a good password is, and how to make one. But everyone has so many accounts are you really going to remember all of those long passwords? And I know you’re not going to reuse those passwords for multiple accounts, right? Then we need to look into storing those passwords.

If you’re storing your passwords then there’s not as much of a need to make them memorable. You can create completely random, long passwords and just put them all in a password manager. Password managers are lockers for all of your passwords. Most browser have password managers built into them, like IE/Edge, Chrome, Firefox, Opera, and Safari. Some of these are even cross-platform, meaning you can save a password on your desktop browser and it will fill it in on your phone because the software syncs across all your devices. But it also means that they’re locked into the single piece of software, and you’re also trusting Firefox, for example, not to ever have data loss or a breach. There are services for managing your passwords everywhere, or you can roll your own. There are trade-offs between these options, so find the right balance of security and ease-of-use that suits you.

As far fully set up managers, LastPass and Dashlane are often mentioned as top choices. You can read a few in-depth comparisons over at Tom’s Hardware and PC Magazine, but most options will have importing, syncing, and various encryption schemes. You’ll install apps or browser plugins to get them to save and then auto-fill forms when logging in to sites and apps. They’ll also often be able to generate passwords for you for each new account you create online. Again, there is a level of trust here. A few years back, LastPast was hacked, and if you’l better holding on to your own data, there’s an option for that.

If you want to get your hands a little dirty and roll your own then you’ll probably want to look at Keepass. This software is free and open-source, with features being added with plugins and extensions. If you want different forms of encryption, there are plugins for that. Want Chrome of Firefox to autofill when logging in? Plugins. You can even save your vault to Dropbox so it syncs across computers and your phone, and use an app like Keepass2Android and open get your passwords synced across all devices. Throw in another site to sync with (again, more plugins) and you have a backup in the cloud that you’re not constantly touching just in case there’s even a problem saving your main copy. The downside to this is that you have to set everything up yourself. LastPass and similar services charge you because they streamline everything for you.

There are a couple more password related topics I want to touch on briefly. First, let’s look at 2-step authentication. What this does is prompt for a second, temporary password after logging in to an account. In the case that your password is stolen for something, a 2-step authentication will mean that they still can’t access your account. Usually this second code is generated by an app on your phone (Google Authenticator  or Authy), or texted directly to you on demand, and some services even have stand-alone apps just for these codes. Some major sites that allow you to use this set-up are Google, Apple, Microsoft, Yahoo, Twitter, Facebook, Instagram, PayPal, Steam, Dropbox, WordPress, Snapchat, Venmo, Tumblr… The list goes on as more and more people become aware of privacy issues, and as more and more sites are subject to data breaches and want to keep their user data safe. I recommend using it whenever possible. It adds an extra step but can save your but in the case that your password is stolen.

The last thing I want to mention are physical keys. These are USB keys that you carry around, some are equipped with Bluetooth or NFC, that you plug in to the computer as your login method. These keys are encrypted, and are very secure. There are trade-offs, as always. The more secure something is, the more difficult it is to access, and that goes for anyone. If you want to use these you need to commit to carrying it around all of the time. Depending on how you access your account (phone, desktop, tablet, etc.) it may or may not do you a lot of good, and would necessitate the pricier keys with NFC. There are also a limited number of places that you can use these. The most common that I know of are Google, Facebook, Drop Box, and GitHub. Google recommends searching “FIDO U2F Security Key” to find compatible keys, and Yubico the go-to maker of these things. I know most people won’t be eager to adopt one, but if you’re here then you’re looking for security information, and it’s worth knowing your options.

I’d like to take a moment to give a shout-out the Library Freedom Project. They have great resources on software options, and slide shows from presentations, so head over there for some further reading and recommendations.

That’s it for the first set of digital privacy tutorials. If you have any questions, or want any further topics covered, please leave a comment on the blog or our Facebook page.

Series NavigationDigital Privacy: Your Phone >>

About Adam

Adam is a Jewish American who's sick of the white Christian male being America's "default" setting. For money he works in a public library because free books and information access are wonderful things. For love he writes here for his pet project, The Chaotic Neutral, which is always looking for more writers. You can follow him on Instagram, Goodreads, and at his oft neglected Twitter where he will try to post more, and probably live-tweet the Eurovision Song Contest.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.