An additional write-up for the Complete Guide To The Paranoid User became necessary after re-reading some older work. I missed the mark on some other key details that will be addressed in subsequent write-ups. In this document I will walk through additional attack vectors and dangers that come from passwords.
Passwords are likely already an annoyance for you, as they are for many; they are the first line of security for the majority (if not all) of online accounts. I will discuss having good passwords, but also making those passwords much easier to manage. First, I would like to clarify what exactly we are concerned about regarding password security and address a few misconceptions people have about the subject. The main concern is websites getting hacked and their database of user login information being leaked. A fairly common misconception is that if a website gets hacked, it does not matter how good your password is, the hackers will have it. Generally this is not true: sites store a hash of your password, not the password itself.
To understand why salted passwords were created, and how they work, we first need to explore the importance of cryptography and encryption. Some definitions...
Cryptography and encryption are crucial today because of their role in protecting against bad actors from around the world. With cyber-crime becoming the fastest-growing crime in the U.S., and costing the global economy more than $450 billion in 2016, employing best practices of encryption and cryptography is more important than ever.
If all information were plain text and had no encryption or cryptography surrounding it, sensitive materials like password information, health records (PII), and even bank account information (PIFI) could be stolen and sold to the highest bidder. One of the first steps of basic security hygiene is to not store sensitive data in plain text, especially passwords. This is where password hashing comes in. Password hashing is defined as putting a password through a hashing algorithm (bcrypt, SHA, etc.) to turn plain text into an unintelligible series of numbers and letters. This is important for basic security hygiene because, in the event of a security breach, any compromised passwords are unintelligible to the bad actor. As a result, the theft of this information is considerably more difficult.
Password hashing is a key step in protecting your users on the back end, but it is not infallible, because a given algorithm hashes a given input in a consistent way. This makes the output predictable, so it can be beaten by dictionary attacks or rainbow table attacks: “Hello”, for example, will always hash to the same combination of letters and numbers, and therefore can be guessed through brute force. One way of protecting against this is adding a salt, i.e. using salted passwords. Salting is the act of adding a series of random characters to a password before it goes through the hashing function.
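To make the difference concrete, here is an added example (not code from any site or library the guide discusses) that hashes the same password for two users, once unsalted and once with a per-user random salt using PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count and the `iterations$salt$digest` record layout are choices made for this example.

```python
import hashlib
import hmac
import os

# Added example: per-user salted hashing with PBKDF2-HMAC-SHA256 from the
# standard library, next to the unsalted hash it replaces. The iteration
# count (OWASP's recommendation for PBKDF2-HMAC-SHA256) and the record
# layout are choices made for this example.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Plain hash: the same password always yields the same digest, so two
    users sharing a password are visibly linked and one precomputed table
    of digests (a rainbow table) works against every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Return a stored record 'iterations$salt_hex$digest_hex'. A fresh
    random 16-byte salt is drawn per password unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time."""
    iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Two constructed users who both chose the password 'Hello'."""
    alice, bob = hash_password("Hello"), hash_password("Hello")
    return {
        "unsalted_identical": unsalted_hash("Hello") == unsalted_hash("Hello"),
        "salted_identical": alice == bob,
        "both_verify": verify_password("Hello", alice) and verify_password("Hello", bob),
        "wrong_case_rejected": verify_password("hello", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the salt is stored alongside the digest, the server can still verify a login, but an attacker holding the leaked table must attack each record separately instead of looking every digest up in one precomputed table.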
The important thing is that even if hackers get access to the password hashes, having a good password still reduces the chances of the hackers recovering the actual password that generated the hash associated with your account. The other big concern is password reuse. Since most websites just use your email as your username, if one password is discovered it is trivial to try that email and password on other popular sites to see if it works; if all of our login passwords are unique, the damage is limited to that one account. At the very least we do not want to reuse passwords for important accounts such as email, financial, etc.
Something many people are still not aware of is that the mainstream guidance on creating passwords is not that good. The general idea is that you want to focus on making passwords you can remember: you want long rather than random.
|6Åt±®u2cICåÕ#¶¯òo¥xË8AuL©³´É^õ©ç]ܤ¿ß¨£ø)C¶iÚ÷¯Íåe¿p÷yÇc§H²
If you wanted to go above and beyond, you could use something like a quote or phrase as your password, and if you wanted to add a bit of randomness to it you could still do easy substitutions, like using % instead of spaces between words, or a simple capitalization scheme, such as capitalizing every 3rd character in a word.
Utter%Purging%Harvest%Strangle%Spinout%Disengage%Deskwork%Thesis%Utility%Psychic%Small%
This is all well and good; however, there are still two problems that have not been addressed: the sheer number of passwords people need to memorize, and the fact that many websites require special characters and numbers in the password, and many even require the password to be less than 12 characters. This is where password managers come in. I believe the optimal password strategy is to have a handful of good but memorable passwords for things such as encryption keys, device login, the password manager, and accounts you would want to access without access to your password manager. Additionally, due to the inherent insecurity of phones (likelihood of being lost or stolen), I would not recommend setting up your phone to use your password manager, or saving passwords to accounts you care about on it at all; for anything you would want to access from your phone, use a good memorable password or a separate password manager that holds a limited set of passwords.
Password managers offer a lot of benefits: not only do they remove the need for us to remember all our passwords, but typically they can also generate random passwords and passphrases. Truly random passwords are the most secure, and they can also be set to include special characters and numbers to meet website requirements, so even if we are limited to 12 characters, a truly random 12-character password is still very secure. Also, depending on the password manager, they can be used for storing things such as 2FA backup codes or, in the case of local password managers, be a 2FA device themselves.
Another quick note: browsers such as Firefox can be used as password managers. I know at least Firefox (and its forks) offers the option of setting a master password that is used to encrypt the logins it saves. Additionally, it will offer to create random passwords for you. However, there are numerous ways to generate good random passwords, such as sites like Passwords-Genrator.org and local programs like PWGen.
It should also be noted that you should keep backups if you are using a browser or a local password manager. Local password managers will typically store everything in an encrypted database file on your computer that can be backed up without much trouble, and every browser offers the option to export your logins as a CSV file; however, the export will be unencrypted, so you will need to encrypt it yourself or store it on an encrypted drive.
On password managers: most are online services that will store your passwords on one of their servers, encrypted with your master password. I am sure most of the reputable services are fine; however, I do not have any experience with online ones (for the reasons mentioned in the introduction), so I will just use KeePassXC as an example. You can store an unlimited number of passwords and pieces of information in a KeePassXC database. Every piece of information you store in your database is encrypted at all times within the kdbx file. When you are accessing your database from within KeePassXC, your information is decrypted and stored in your computer’s memory. KeePassXC places controls over access to this data so other applications cannot read it (unless they have administrative rights).
Overall it is an excellent password manager: not only does it work with your browser (Firefox or Chrome) through its official browser extension, but it stores everything in a single encrypted database file, which makes backups incredibly easy, and since it is encrypted you can keep a backup on a cloud drive without much concern (and I would recommend an off-site backup on the off chance your house burns down). Additionally, you can attach files to entries, which is convenient for storing things like 2FA backup codes or an exported phone contacts file.
Lastly, concerning phones. Due to their inherent insecurity (they are the devices most likely to be lost or stolen), and because typing in good passwords or passphrases is tedious, I think the primary goal with phones is simply to minimize the accounts we use on them. For the accounts we do use on them, either have few enough that you can remember good passwords for them, or use a free password manager service that only holds passwords for accounts you will use on your phone, to minimize the potential damage if someone gets access to the password manager on your phone.
Likely you already have some experience with 2FA, as nearly all online banking accounts require it, usually through text message or email. I will not cover text message and email 2FA since, although they are better than no 2FA, we can do much better without much trouble. The main problems with email and text message 2FA are these: in the case of email, it is probably the most commonly attacked service, and due to its importance we really want to have 2FA on our email account, and having to do 2FA on our email so we can get our 2FA code for another service is quite tedious. Text messages are better; however, they are tied to that SIM card, so if we lose the phone we’re shit out of luck until we can get a new one activated with the old phone number.
Generally, the way the various 2FA protocols work is that some sort of shared secret is generated by the service and imported into the device that will be performing the 2FA. On mobile authentication apps this is typically done through a QR code or as a string of random characters. Then, when you go to log in to a site, a new code is generated from the shared secret and the current time. There are many options for this sort of 2FA, from mobile apps such as Google Authenticator or FreeOTP to password managers themselves and other desktop applications that handle 2FA, such as KeePassXC.
As for the different options, there are two main things you will want to consider. First is privacy: options like Google, Microsoft and Authy will require a phone number and email to use, and it is up to you whether you are comfortable providing them with that information. If you do not want to do that, there are other options available, such as FreeOTP. The second concern is redundancy and backups. If we just install a 2FA app on our phone and take no recovery measures, we are not much better off than using text message 2FA. One solution is redundancy: have 2FA set up on our desktop / laptop as well, so that in the event of losing our phone (or vice versa) we still have the other device to get codes from. The other is backups: some 2FA services will generate about 10 one-time-use codes that do not change and are to be used as backups should we lose our 2FA device, so we will not be locked out of all our accounts; however, you can also just save the original shared secret. Obviously these should be stored somewhere safe and password encrypted.
The best option for backup and redundancy, provided you do not want to use a local password manager and you are okay with giving up your email and phone number, is Authy. It is cross-platform, so it can also be installed on your laptop or desktop, and they will store backups encrypted with a password on their servers, so you do not have to manage your own backups; you would just reinstall the app and log back in. (Note: if you plan on using 2FA on your email this might not be a good option, since they will likely use your email to verify you when you log in on the new install.) Although you can do your own backups and have redundancy with other services, Authy is more convenient in this regard.
If you do not want to provide an email or phone number to a service, you are not out of luck. You can still use two different 2FA applications for the same accounts, such as FreeOTP on mobile and WinAuth, 0AuthTool or KeePassXC on your desktop, although with these options you will need to manage your own backup codes. You can register two different devices with the same shared secret, so if you were going the KeePassXC + FreeOTP route, when you configure 2FA with an account you would scan the QR code with FreeOTP on your phone, then click “I can’t scan the QR code” and you will be presented with the string that you can copy and paste into KeePassXC. Since the shared secret is now stored in KeePassXC, it will be included in your password backups, so you will only have one backup to worry about for both your passwords and 2FA, and you still have the redundancy of having both your phone and desktop as 2FA devices. Additionally, KeePassXC and FreeOTP are both free and open source and run locally, so you do not have to pay anything or worry about some company getting hacked or selling your info.
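The code generation described above (shared secret plus current time), and the reason a phone running FreeOTP and a desktop running KeePassXC registered with the same secret always show the same code, as an added example. This is not FreeOTP's or KeePassXC's code; it implements the standard RFC 4226 HOTP and RFC 6238 TOTP computation that authenticator apps share, assumes the string shown under “I can’t scan the QR code” is base32 as in the otpauth format, and uses a constructed demo secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example: the RFC 4226 / RFC 6238 computation an authenticator app
# performs. Not FreeOTP's or KeePassXC's own code; the demo secret below is
# constructed and belongs to no real account.


def decode_base32_secret(text: str) -> bytes:
    """The string behind "I can't scan the QR code" is base32 (otpauth
    format). Apps accept it with spaces, lowercase and missing '=' padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
    a 31-bit integer, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The counter is the number of `step`-second windows since the epoch,
    so every device holding the secret and a correct clock agrees."""
    return hotp(secret, unix_time // step, digits)


def devices_agree(secret_text: str, unix_time: int) -> bool:
    """Model the phone (FreeOTP) and desktop (KeePassXC) registered with the
    same secret; one received it spaced and lowercase, as a user might paste."""
    phone = totp(decode_base32_secret(secret_text), unix_time)
    desktop = totp(decode_base32_secret(secret_text.lower()), unix_time)
    return phone == desktop


if __name__ == "__main__":
    demo_secret = "JBSW Y3DP EHPK 3PXP"  # constructed, not a real account
    now = int(time.time())
    print("code:", totp(decode_base32_secret(demo_secret), now))
    print("phone and desktop agree:", devices_agree(demo_secret, now))
```

Because the code depends only on the secret and the clock, the base32 string is the one thing worth backing up; anyone who obtains it can generate your codes, which is why it belongs inside the encrypted KeePassXC database rather than in a plain note.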
Lastly, I will give a quick mention to hardware tokens. Obviously they require purchasing something, since hardware is involved, but they more or less operate under the same principle as the software we have talked about previously. Modern ones like YubiKey, and their equivalents, work by inserting the hardware token into a USB port on the device (or via NFC for phones) and touching them to generate and send the code by mimicking a keyboard. This option is more secure, as it separates the code generator from your device, such as your phone or laptop: if someone were to steal your phone and get full access to it, unless they also grabbed the hardware token they still would not be able to log in to any of your accounts protected by it. One difference to note with this option is that each key has a unique shared secret (as far as I know nobody offers duplicate keys with the same secret), so if you have two keys you will need to register both with every site you intend to use 2FA with. So after initially adding the keys to all your accounts, if you want to add a new account later, you will also need to get the backup key out and associate it with that account.
To briefly wrap up what a decent password and account strategy is: we want the majority of our passwords to be randomly generated and managed by our password manager. However, we will still need a couple of strong and memorable ones for things like the password manager itself, device login, and any accounts you would wish to still have access to if you do not have access to your password manager. Additionally, for very important accounts, primarily financial and email, we would also want to set up 2FA to further protect them (email is very important since it is typically what password resets are done through).