Non-technical folks: Why you should use a password manager.
Somehow a few years ago, I got lucky and I’m no longer responsible for providing technical support for my friends and family, so I don’t have to give computer advice anymore.
However, I do have one piece of advice for them in their daily computer use: Use a Password Manager, even if it is just a sheet of paper.
The whole system of passwords is incredibly weak, and it has never been weaker. At some point in the future, it is likely that the technical community will come up with a replacement for them, but you shouldn’t wait for that time, as passwords are already at risk. Passwords are regularly stolen from websites. I trip over articles about password breaches all the time, so often that I don’t even read them anymore.
So how does a Password Manager protect you? To fully explain that, we have to delve into how websites store passwords. Bear with me, this is a wee bit technical, but I’ll keep it as painless as possible. And if it’s too painful, jump to the next section.
When you give a website your password, such as “P@ssw0rd!”, the website doesn’t, or more accurately shouldn’t, store it just like that. It encrypts it, but not in the same way your bank encrypts the information it sends to your web browser.
The information a bank sends back and forth to your computer is encrypted with reversible encryption. Reversible encryption allows you to get the information that you put into it back out of it. For instance, if we were to encrypt “P@ssw0rd!” by choosing the next letter in the alphabet, the next number, or for the symbols the key to the right on the US keyboard, we’d get “Q#ttx1se@”. As long as you know the rules for how it was encrypted, it is trivial to take “Q#ttx1se@” and decrypt it to get “P@ssw0rd!”. This is important for information that is sent back and forth to your computer, because your computer needs to be able to show you what your bank balance is, recent transactions, etc.
Passwords, on the other hand, are stored with irreversible encryption, also known as a hash. So take “P@ssw0rd!” and hash it, and you get something like “8a24367a1f46c141048752f2d5bbd14b”. Most hashing algorithms are designed so that a small change in the input makes a big difference in the output. The hash of “Password!” is “0040f2abc2cff0c8f59883b99ae9fab6”, which is quite a bit different from the hash of “P@ssw0rd!”.
But passwords are not just stored by hashing them. Passwords should be salted and hashed. No, salt in this instance isn’t table salt. It is a random bit of information, such as “06acebb0405318414c0577c0b6fe065d”. So what a website does is take your password, “P@ssw0rd!”, add it to a random salt that is unique for your password, for instance “d3945bb3f56371103fb38eb5744188db”, put them together into “P@ssw0rd!d3945bb3f56371103fb38eb5744188db”, and then hash that. For instance, “P@ssw0rd!” might be stored as “d596b64c12671d6f2dbbf2004d98081e” once it has the salt “d3945bb3f56371103fb38eb5744188db” added to it.
So how does a website know it is you? When you give it “P@ssw0rd!”, it adds the salt it has on file for you, “d3945bb3f56371103fb38eb5744188db”, and hashes the result. It then compares that hash to the hash it already has on file. If the hashes match, it knows you know the password you originally gave it, “P@ssw0rd!”, even though it never stored the password itself.
So why go through all of this song and dance about hashing and salting? It helps to protect your password if the file containing your password gets stolen from the server. Helps is the important word: it doesn’t make it impossible to figure out your password when that file is stolen, it just makes it take a lot of computing power to figure out what your password is. (Physical safes work the same way; they are designed to take at least a certain period of time to break into.)
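Here is the salt-and-hash scheme from the last few paragraphs written out as working code. This is an added example, not code from the original post; the post’s 32-digit hashes are illustrative and do not name an algorithm, so this example assumes PBKDF2-HMAC-SHA256, a deliberately slow hash, and a 16-byte random salt per user.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor: how many times the hash is repeated. Raising it is
# the "make it take a lot of computing power" lever the post describes.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn for every password."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes, like the post's 32-hex-digit salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-hash the offered password with the stored salt and compare hashes."""
    _, candidate = hash_password(password, salt)
    # Constant-time comparison: a plain == could leak how many bytes matched.
    return hmac.compare_digest(candidate, stored_hash)


def build_user_table() -> dict:
    """Constructed sample: two users who happen to pick the same password.
    The server keeps only salt and hash, never the password itself."""
    users = [("alice", "P@ssw0rd!"), ("bob", "P@ssw0rd!")]
    return {name: hash_password(pw) for name, pw in users}


def same_password_different_hashes(table: dict) -> bool:
    """Unique salts mean identical passwords do not produce identical hashes."""
    return table["alice"][1] != table["bob"][1]


def small_change_big_difference() -> int:
    """Count differing bytes (of 32) between hashes of 'P@ssw0rd!' and 'Password!'."""
    salt = bytes(16)  # fixed salt so only the password differs
    _, h1 = hash_password("P@ssw0rd!", salt)
    _, h2 = hash_password("Password!", salt)
    return sum(a != b for a, b in zip(h1, h2))


if __name__ == "__main__":
    table = build_user_table()
    salt, stored = table["alice"]
    print("alice logs in with P@ssw0rd!:", verify_password("P@ssw0rd!", salt, stored))
    print("alice logs in with Password!:", verify_password("Password!", salt, stored))
    print("alice and bob share a password, hashes differ:", same_password_different_hashes(table))
    print("bytes that differ after a one-character change:", small_change_big_difference())
```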
Many things have transpired to make passwords easier to figure out from the stolen file:
- Computers, and more specifically graphics cards, which can do the heavy lifting of cracking passwords, have gotten much faster.
- Humans are bad at picking passwords. Yeah, you thought you were clever in replacing “a” with “@” and “o” with “0”, but everyone else, including password crackers, knows those tricks too.
- Lists of words that might make up passwords are easier and easier to get in electronic format.
So how does a Password Manager protect you? It does nothing to protect your password on the server; what it does is two important things:
- You’ll have a unique password for each individual site, so if your password is compromised on one website, you only have to change the password on that website, not on every other site where you used that password.
- It allows you to have more complicated passwords than you can remember, such as “b4d6UFp/naGu1H7MzRBE-o#=vm9C0m3py]$pG171”. Perhaps you could remember that password, but could you remember 10 or 15 passwords like that? A password that is truly random is much harder for password crackers to figure out.
At this point, I hope you’re chomping at the bit to start using a password manager. Here are some suggestions:
- 1Password – This is the one I choose. My data is only on systems that I want it to be on, and it nicely integrates with web browsers.
- iCloud Keychain – This is limited to folks who utilize devices in the Apple ecosystem.
- LastPass – A centrally hosted password manager. Your passwords will be on a central server with passwords from many other people.
- Safe Wallet
- mitto
- Pen and Paper, and secure that sheet of paper. Seriously. Bruce Schneier, a noted security expert has said, “… people say don’t write your password down. Nonsense. Write it down on a little piece of paper and keep it with all the other small bits of paper you value — in your wallet. … [Paper money] has value. Your password has value. As a society we are good at valuing small bits of paper. We have cracked that problem.” If you do use this method, I recommend ensuring that your passwords are random in some way, roll a die, open a book to a random page and choose the first letter of every line as your password, or some other technique.
Using a password manager is both good hygiene and insurance. Using a password manager makes logging into websites effortless and gives me peace of mind.