Password Advice

This is a long and extensive article covering my basic password advice and reasoning. Please take the time to read it and if you have any questions comment below and I will respond.

Assume the worst

Whenever you start dealing with password problems, it’s safest to assume all passwords and accounts are compromised. If someone had access to your device then collecting your passwords from Chrome, Edge, Firefox and Safari would take only seconds. Even if you don’t store your passwords within your browser then the attacker could still collect your passwords from an installed keylogger or other malware.

Do not change your passwords until each of your devices has been disinfected, of course. It doesn’t make sense to give the attackers direct access to your new logins so clean it up first.

While changing passwords is a good first step, if you do not check the filters/rules, forwarding, reply-to, and active sessions for your email accounts then any passwords you change are moot since the attacker could continue to have access to your email accounts and can simply reset any passwords you’ve changed. The “forgot password” option on most websites sends an email to reset your password and requires no additional validation.

Why use a password manager?

Using the native browser password management system (such as the Google Password Manager in Google Chrome) means that if your browser or Google account are ever compromised, or if someone manages to have even brief access to your computer, or if a piece of malware steals the local password database from the browser, then your passwords are all immediately and completely compromised.

Not using a password manager means that you have to have a written record of all your passwords somewhere. I’ve seen this implemented as a wall of papers with painstakingly recorded names, username and passwords, as a “password book” where two thirds of each page is scribbled out, as drawers full of sticky notes, paper scrap or 5×7 cards each with a different account, within Notes or Contacts on iPhone & Android, and as a single monumental spreadsheet or document.

These are all bad ideas.

There isn’t any level of website trust and either the data is physically exposed to anyone who enters the room or rummages through a drawer, or the data is unencryped and accessible to anyone with momentary access to the device to access Notes or Contacts, even malware or rogue apps.

Knowing the username and password for a website is only part of safely authenticating: password managers ensure that you are using the login details ONLY on the real website that you saved it with, and warns you if you try to fill it anywhere else. This alone can prevent most phishing attacks.

The worst of these is using either the Notes or Contacts feature on smart phones because it’s not only unencrypted, but when you copy something on mobile devices the contents of your clipboard are then automatically sent to many applications on the device to see if they have any use for it. It’s announcing your password to potentially malicious or rogue applications. Why would a flashlight app need to view your clipboard? Simple answer: so it can hack your accounts.

Using a third-party password manager solves each of these potential issues by locking the password “vault” in at least 500,000 layers (really) of encryption so simply copying the vault file itself will not enable an attacker to compromise your accounts.

One other benefit of a password manager is that it will synchronize between your computers, phones and tablets so your passwords will automatically be available on each device, in every browser, and in most apps. You will still have to enter the master password, of course.

I recommend Bitwarden, which is free for most peoples needs:
https://bitwarden.com/

The basic version (all that most people require) is free, open source, cross-platform and well-maintained.

Once you have a password manager set up you can then generate new, strong, unique passwords for each of your other accounts with minimal effort.

Master Password

Before you begin using a password manager you will need to think of a master password.

All password managers operate through a “master password” mechanism. They basically use a single password that unlocks access to your “password vault” which holds all of your other passwords, so it needs to be memorable, strong, long and completely new. Something not remotely like anything you’ve ever used before.

Your master password should be a bare minimum of 24 characters. If you’re comfortable typing more, go big. I recommend using an entire phrase: something like a line from a song, a Bible verse, a quote, or something else like that which you are unlikely to forget. Just make sure you change it a little bit so that it can not be easily hacked by someone that uses these same rules for creating their password cracking database. 🙂

One note if you choose a song: make sure you don’t hum or sing the song while you are typing it. An observer would be able to use this hint to improve their chances of accessing your accounts.

It should go without saying, but I will say it anyway: do not use the same stinking password you’ve been using since you first touched a computer as your master password. Trust me when I say it’s a bad password. A very bad password.

Note: If you forget your master password you can reset it, but you will lose access to all stored passwords. Real password managers don’t keep a copy of your password so if you forget it, it’s gone. Bad password managers either allow recovery or reset, but they should be avoided since this means that it’s never really secure. Some “business”-type password managers provide recovery through the business as long as the business account is still accessible. This is okay as long as you trust the business with access to your passwords or use it only to store the business accounts.

Length and Entropy

For all passwords, I recommend using a minimum of 24 characters, randomly-generated, including mixed case + symbols + numbers. If you don’t yet have a password manager like Bitwarden or RoboForm then you should do that first. If the site won’t let you use that many characters, use as many as it will allow.

ALWAYS use a new, unique, long, random password for each and every account.

An 8-character password is a joke. There are only 96^8 possibilities in an English 8-character password, or 7,213,895,789,838,336 variations. Roughly 7 quadrillion variations. The CPU on my 2016 laptop supports 14.4 billion calculations per second so it would take only 5.8 days to traverse the entire list. This password math also assumes that only a single computer was being used and that it’s an 8+ year old laptop using only a CPU for calculation. A relatively inexpensive video card (GPU) from 2022 can process the same password list in 48 minutes. Tandem or cloud computing can reduce this numbers to tiny fractions of this based on the number of devices you throw at it. These numbers also represent the maximum amount of time to process the entire list, not the average or mean time to crack an actual password, which is significantly less.

Furthermore, this assumes that most common printable characters are available and supported by the password platform. Many aren’t. Most systems even limit entropy by requiring a number (which reduces complexity for at least one character by 90%), or symbol (65%), and usually require the first character to be a letter (46%). These rules actually reduce potential password complexity in the name of increased security. Sigh.

15 characters isn’t long, either. A 15-character password still has relatively minor entropy – depending on the specific rules a site imposes, a 15-character password has only 96^15 variations in the English language, or 542,086,379,860,909,058,354,552,242,176 possible variations. I know that looks like a long number, but in cracking terms, it’s not.

These numbers are all based on cracking based on the full scope of the potential passwords. The actual time to crack is much smaller when based on dictionary attacks. More on that later.

With today’s hardware and what’s coming soon with commercial quantum computing you shouldn’t be thinking in terms of “how long do I have to make it?” but rather “how long can I make it?” Always use the longest password you can for any given site. For example, Facebook allows you to use a password that’s 500 characters long. Use it! That changes the number of variations up to 96^500 (that’s about a thousand digits). Using a password manager makes generating, storing and filling this password a breeze.

But again, if you’re not using a random password then you’re still the “low-hanging fruit.” Instead of having to try 96^n variations for any given account, they only need to try the millions of “known” passwords, or even better, only the most popular 10, 100 or 10,000 known passwords. This tiny dictionary will often succeed since people use such weak passwords, so it minimizes the effort significantly. By using a randomly generated long password your passwords are vastly more secure.

If a password manager is not possible yet then use a long passphrase that includes MISSPELLINGS and not simply “1337 5p34k”. A passphrase is a series of words instead of simply characters. People assume this means that this alone means it is more secure. Unfortunately, that’s not always the case.

The potential randomness (entropy) in passwords using only dictionary words (about 175,000 variations) is less than what you could get with only 3 characters of random text (~885,000), which means that any passphrase less than 7 words is functionally as insecure as using a 12 character random password, which is pretty weak.

Yes, passphrases are better because they’re longer, but if you use each word exactly as-is then you’re just trading entropy with a weaker scope. Adding random misspellings, numbers or symbols will significantly increase the value of using a passphrase. Not because a website requires it, but because it increases entropy.

Password Hygiene: Why use random passwords?

The first thing that happens after a website is hacked is that the leaked passwords are used in “credential stuffing” attacks where the attacker tries each of your passwords on all of the most popular websites and many unpopular websites. The attacker can try thousands of websites at a time with your leaked login details within seconds after downloading the breach data. If you have been reusing passwords then this means that the password you used on a Walking Dead fan site or a CNN talkback page that gets hacked likely grants the attacker direct access to your Amazon, Facebook or even Wells Fargo account.

There are only three critical password rules to remember:

  1. Any password you can remember is not secure.
  2. Never reuse any password or any part of a password.
  3. Don’t share your passwords with anyone.

If nothing else, these rules are the best reason to use a password manager (such as Bitwarden, RoboForm, LastPass, Dashlane, or 1Password) that performs site validation (to prevent phishing) and includes a built-in random password generator.

HaveIBeenPwned (HIBP), a white-hat repository detailing hundreds of hacking events since 2007, currently has over 847 million unique passwords in their database. It also has a counter applied to each password, so you can see that 300,185 idiots all thought “P@ssw0rd” was actually a good idea. This number is vastly undercounted, too, since this number only represents the number of times that this password has appeared within these few publicly disclosed breaches, while most sites either still haven’t had their data compromised or, more likely, the compromised data is not yet public.

Every website will be hacked eventually, if it hasn’t been already. I’m seeing an average of 200+ major hacks every month, with the total number of compromised accounts in the billions. Every month.

Microsoft was hacked three times in the ten-month window between April 2023 and January 2024. Adobe has been hacked at least six times that we know about. The NSA, FBI, Department of Defense, Whitehouse, and most government agencies have been hacked at least once. Most businesses (including Microsoft) did not even know they were hacked for months or even years and take even longer before they acknowledge it publicly…if they ever acknowledge it publicly.

Looking through the HIBP breach reports I see that the typical business is hacked for just shy of a year and a half before discovering it (16.8 months on average). They just don’t know. It’s safest to assume every site is already hacked and will likely be hacked at least once per year. The best defense is to practice good security hygiene yourself to ensure that the damage any individual hacking event can cause you is minimal.

Every password will be hacked eventually. A mysterious international “state-sponsored” boogeyman isn’t necessary. Being a billionaire, politician, or other high-value target isn’t necessary, either. Any 12 year old can buy time on Amazon or other cloud providers to automate anything they want, including cracking passwords, and no human being will ever know what goes through a 12-year-old’s mind. They can even do so for free using a trial or by paying for it with stolen credit cards in order to avoid any expense at all.

Dictionary Attacks

People often assume that passwords are usually cracked using brute force: sending every possible random password combination that a site/service/app can support until the correct password is determined. However, since people almost always reuse the same passwords or the same passwords as everyone else, hackers usually perform a “dictionary” attack. This is when the attacker uses a collection of common passwords instead of randomly generating every possibility. These common passwords are usually from password dumps from previous breaches. The attackers test the most commonly used known passwords instead of wasting time & resources on less likely passwords. These lists are out there and they are huge.

Every person will be hacked eventually, but the point here is that while there are currently only 753 dumps worth of data in the HIBP database the numbers show that most people never even consider password hygiene. 753 dumps and 847 million unique passwords might sound like a lot, but remember: there are currently over 200 major hacks every month. HIBP only includes a tiny tiny fraction of the trillions of accounts that we know have been compromised. If all the data from each of these hacks were actually available the doom and gloom might be far worse. Maybe people are even worse than what the HIBP data shows? We don’t know. What we do know is the data from HIBP and the numbers below are a signal based on what we can easily observe – the HIBP data. Nevertheless, what we see is truly terrifying.

According to the HIBP dataset:

  • 22,232 passwords have each been used by over 10,000 compromised accounts.
  • 1,222 passwords have each been used by over 100,000 compromised accounts.
  • 44 passwords have each been used by over 1,000,000 compromised accounts.

The top 10 most frequently used passwords account for over 13% of all accounts within the HIBP data. The 44 passwords with over a million accounts each make up a whopping 20.8% of all accounts within the HIBP data, so it is not an exaggeration to say that 20% of the world is using absolute crap passwords. Way more than that, actually, but isn’t that enough?

Here’s where it will really blow your mind: The top 10,000 most frequently used passwords account for 89% of all accounts within the HIBP data. Eightynine percent! That means that 9 out of 10 accounts in the world are likely able to be cracked with one of these mere 10,000 passwords. Put another way, almost 90% of the world is using passwords that are functionally no more complex than a 4-digit pin number.

Targeted Dictionary Attacks

Targeted attacks are quite different. Sure, the data is already depressing, but it gets worse. The password data from HIBP is generic and broadly applicable. People tend to use the same types of information in their passwords.

If you’ve been pretty good not to use one of these weaker passwords (on its own at least) there’s still the risk of a targeted attack. Targeted attacks will build on this corpus of information as well as a background check on the target individual. A background check will include your name, initials, aliases, email addresses, phone numbers, extended family members (grandchildren, children, siblings, parents, grandparents, cousins and so on) names and birthdates, neighbors, pets, physical and mailing addresses, cities, zip codes, business records, as well as public information you’ve posted on sites like LinkedIn, Facebook, Twitter and other social media.

Much of this information can be generated or collected in an hour or less or bought wholesale through any of a dozen providers that charge as little as $15/month for unlimited background checks.

This information is then added to a custom “personal data dictionary” about you and used as the basis for attacking your passwords. If you are one of the 7 billion people on planet Earth using these facts as the basis for any part of your passwords then this should concern you. This reduces the effort by way of complexity from potentially trillions and quadrillions of variations to mere dozens.

When personal data dictionaries are used together with your publicly available personal data from previous password dumps, an attacker can build up an exacting profile of the specific pieces of personal information you are likely to use when you build a password and programmatically predict every likely variation in mere seconds. Once a personalized data dictionary is generated, most passwords will be compromised near-instantaneously.

All of this to make sure you understand why you need to use a new, unique, long, random password for each and every account. I don’t care how much you loved your cat, just use a random password. Please.

Password Change Order

Now that you’re getting a password manager set up you need to change every password for every account. Really. Most people have dozens or even hundreds of accounts, so this is not a minor task. If you don’t change the passwords then all you’ve done is protect yourself from phishing, while many of the accounts are already exposed or even compromised. Change each stored password to a new, unique, long, random password.

I recommend you change passwords in this order:

  1. Email (Google, Yahoo, AT&T, Hotmail/Outlook, Comcast) – reviewing filters, forwarding, reply-to, and active sessions; and enable 2FA (two-factor authentication)
  2. Banking, Finance and Investment (BofA, Wells Fargo, Vanguard); and enable 2FA (two-factor authentication)
  3. Anything with stored credit card, payment or banking information (Verizon, Costco, Amazon, Walmart, Propane); and enable 2FA (two-factor authentication)
  4. Social Media & Forums (Facebook, Twitter, LinkedIn); and enable 2FA (two-factor authentication)
  5. Everything else

#1 – EMAIL MUST BE DONE FIRST! Any attacker that has access to your email account can just change your passwords again after you change any other accounts.

You must check the filters, forwarding, reply-to, and active sessions for your email accounts or an attacker will be able to either recover access to your email accounts and simply reset whatever passwords you’ve changed.

How do you eat an elephant? One bite at a time.

As I write this I can see your eyes glaze over. Hundreds of accounts and I just want you to change all your passwords?! Yes. Don’t be silly though: you don’t have to change every password right now. Even if you just change one or two passwords each day you will get it done before you know it. You just need to commit to actually working towards this goal.

Device Accounts

There is a gotcha when using good passwords with specific services: device accounts.

You can change almost any password for almost any account and use a password manager to fill it on your devices. Unfortunately, there are three accounts where this can actually be a problem. Apple, Google and Microsoft accounts are now often used for device-level authentication on macOS, iPhones, iPads, Android, Chromebooks, and Windows devices. That means that you will need to be able to manually enter this new, unique, long, random password every time you log in to your phone or your computer, when you make an app store purchase, or at least when initially setting up these devices. An 80+ character random password isn’t fun to type even once, and these devices require it to be entered each time certain actions occur, which could be quite frequent.

In these scenarios using a passphrase is just about the only safe option. Your passwords for these accounts (that are tied to your devices!) need to be as long as possible but memorable, since you may not be able to access another trusted device with your password manager when you are logging in to one of these devices.

If you have accounts on these services that are not used for device authentication then you can still safely generate good random passwords for these accounts.

But wait, there’s more!

In addition to a password manager, there are a couple other things you can do to minimize your risk.

  1. Set a watch on your email addresses/domains with HIBP:
    https://haveibeenpwned.com/
    This will alert you when your email address appears in breach data along with the site that it was leaked from and what other information was exposed.
  2. Check your passwords against the Pwned Passwords database.
    https://haveibeenpwned.com/Passwords
    If you don’t want to risk putting your password into a form on the Internet (and you shouldn’t!), then you have three options:

    1. You can use the “pwcheck” program I created for this purpose. Steps in the next section.
    2. You can create an SHA-1 hash of the password and send ONLY the first 5 characters of it to this URL:
      https://api.pwnedpasswords.com/range/00000
      Replace 00000 with the first five characters of the SHA-1 hash of your password, then compare the results.
    3. You can download and extract the 30+GB database of the entire password collection and compare it yourself offline.

Note: The HIBP Pwned Passwords service uses the k-Anonymity standard to ensure that your actual password isn’t uploaded when using pwcheck or the API URL. Now compare the return data with the actual SHA-1 hash and if it’s not there then it hasn’t (yet) appeared in a publicly disclosed data dump. More about that stuff here.

  1. Call me! When you have any security question or concern, please call me. This post covers a lot of the “why” and some of the “how” but you’re sure to have issues when you start using a password manager.

Checking a password with pwcheck

I wrote pwcheck to help test the security of passwords. Over time I’ve added more features to it, such as the ability to generate passwords and passphrases. To use it you’ll need to open a command prompt: click the Start button, type “cmd”, press Enter. A black or blue command window will appear.

To test a password, copy it to the clipboard then type this into the command prompt:

pwcheck .

You’ll get something back like:

Uh-oh. This password has been used by 10382543 compromised accounts.

Or:

Yay. This password is not known to be compromised. Yet.

You can use pwcheck to generate random passwords, too. Type one of these commands in the command prompt:

pwcheck /g1
pwcheck /g2
pwcheck /g3

You can then highlight the password and press Enter or CTRL+C to copy it to the clipboard.

/g1 creates a truly random, but relatively short password.

/g2 creates a word-based password (aka, “passphrase”). This is much longer, but doesn’t include symbols or numbers, and does include spaces, so often needs fiddling before some websites will accept it.

/g3 creates a passphrase, like /g2, but replaces the spaces with random symbols and numbers.

For each of these commands you can also add a space and number after the password type (as below) to control the length of the password. For /g1 this number sets the number of characters. For /g2 and /g3 it sets the number of words.

pwcheck /g1 112
pwcheck /g2 9
pwcheck /g3 4

Credit Freeze

Whether you’ve been hacked or not you should freeze (sometimes called a lock) your credit. Do this by creating an account at each individual reporting agency and then setting up a freeze/lock on the account. This will prevent any new lines of credit (where the creditor actually checks your rating) so it should minimize the risk of financial damage.

Here’s the specific pages for the big three credit reporting agencies:

There is NO CHARGE for the ability to freeze your credit, but each of the big three credit bureaus are businesses so they make it easy to accidentally sign up for a paid service instead of simply freezing your credit. Be careful to follow the links/buttons for Freeze your account for free or similar verbiage. Also note that each credit bureau requires that you have a cell phone in order to freeze your credit. This is absurd, especially since so much of the elder population that are the largest targets for credit fraud are also the least likely to willingly use cell phones.

Regards,

Shawn K. Hall

Subscribe To Our Newsletter
Sign up to receive notifications of our new posts.
icon

Leave a Reply

Your email address will not be published. Required fields are marked *