The Most Important Guide on the Internet
Last Updated: March 12th, 2018
Here is a photograph of a cheap consumer-grade computer that can crack all possible 8-character password variations in under 6 hours. Newsflash: it’s not 1980 anymore, and 8-character passwords are not strong enough. At a bare minimum you should be using a unique, random, 32-character alphanumeric password on every website or service that you use.
That’s impossible to remember!
Thankfully, modern software has advanced to the point that you don’t have to remember your passwords anymore. There is an amazing piece of tech called KeePassXC which is 100% free, runs on Linux, Windows, and Mac OS X, and will completely solve your password concerns. There are compatible applications available for iOS and Android as well.
KeePassXC lets you store all of your passwords in a database which is encrypted using 256-bit AES (approved by the U.S. Federal Government for top-secret documents). It will allow you to set expiration dates on your passwords, and will display a friendly visual aid when it is time to update expired entries. It will simplify your life by allowing you to copy and paste your passwords, and in most cases you can even have it type them for you. You will never have to look at or remember any of your passwords ever again.
One Key to Rule Them All
I apologize for the nerd reference, I’m not even a Tolkien fan, but it seemed appropriate. KeePassXC allows you to lock your database using a couple of methods. You can secure it with a master password, you can secure it using a special “key” file, or you can require both. I recommend using both.
With the help of cloud-storage services it is easy to synchronize your password database on all of your devices.
Choosing a good Master Password
If you’re going to secure your database using a password, which I recommend, you will want a strong, easy-to-remember password. Because this is the only password you’ll ever have to remember, it’s not as challenging as trying to keep track of 30-100 passwords for various services. Still, a random alphanumeric string is nearly impossible to remember. There is a technique for creating strong, easy-to-remember passwords called “Diceware”.
Diceware is a system for creating a password or ‘passphrase’ by stringing together several normal words. You roll 5 six-sided dice to create a 5-digit number. The exact order of the numbers does not matter. Then you look that number up in a wordlist to get one word; repeat until you have 6 or more words you like, and string them together in a phrase you can remember. Short words are okay, but you should not use all short words. Long words are better. The longer the phrase, the stronger it is.
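To make the two claims above concrete (that an 8-character password is a small search space while a long random string or a multi-word Diceware phrase is not, and how a Diceware roll maps to a word), here is an added example that is not part of the original guide. It uses a constructed, partial excerpt of a Diceware-style wordlist (a real list has 7776 entries) and an assumed guess rate of ten billion guesses per second; both the excerpt and the rate are assumptions, not figures from the page. Dice are rolled with Python's `secrets` module rather than physical dice, and the lookup key is the five digits in the order rolled, which is how the standard Diceware list is indexed.

```python
import math
import secrets

# Constructed excerpt of a Diceware-style wordlist, "NNNNN<TAB>word" per line.
# A full list has 6**5 = 7776 entries; only a handful are included here.
SAMPLE_WORDLIST = (
    "11111\ta\n"
    "11112\ta&p\n"
    "12345\tapathy\n"
    "21111\tcling\n"
    "36666\tlong\n"
    "56666\tsmug\n"
    "66666\tzz\n"
)

DICEWARE_LIST_SIZE = 6 ** 5   # number of distinct five-dice outcomes
ALNUM_SYMBOLS = 62            # a-z, A-Z, 0-9


def parse_wordlist(text):
    """Parse 'NNNNN<TAB>word' lines into a dict keyed by the five dice digits."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad wordlist key: {key!r}")
        words[key] = word
    return words


def roll_key():
    """Roll five six-sided dice with a CSPRNG; return them as a 5-digit key in roll order."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(words, n_words=6, roll=roll_key):
    """Build an n-word passphrase, one word per five-dice roll.

    `roll` is injectable so a test can supply fixed dice. Rolls whose key is
    missing from a partial list (like the sample above) are simply re-rolled;
    a complete list contains every key, so nothing is ever skipped there.
    """
    chosen = []
    while len(chosen) < n_words:
        key = roll()
        if key in words:
            chosen.append(words[key])
    return " ".join(chosen)


def keyspace(symbols, length):
    """Number of distinct secrets when each of `length` positions has `symbols` choices."""
    return symbols ** length


def entropy_bits(symbols, length):
    """Bits of entropy of a uniformly random secret drawn from keyspace(symbols, length)."""
    return length * math.log2(symbols)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at the given rate (assumed rate)."""
    return space / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1e10  # guesses per second; an assumption for illustration only
    year = 365.25 * 24 * 3600
    for label, symbols, length in (("8-char alphanumeric", ALNUM_SYMBOLS, 8),
                                   ("32-char alphanumeric", ALNUM_SYMBOLS, 32),
                                   ("6-word Diceware", DICEWARE_LIST_SIZE, 6)):
        bits = entropy_bits(symbols, length)
        years = seconds_to_exhaust(keyspace(symbols, length), ASSUMED_RATE) / year
        print(f"{label:22s} {bits:7.1f} bits  ~{years:.3g} years to exhaust")
    print("sample phrase:", diceware_passphrase(parse_wordlist(SAMPLE_WORDLIST)))
```

The phrase built from the sample list will repeat words, because the excerpt has only seven entries; with a full 7776-word list each roll is an independent choice among all of them, which is where the 12.9 bits per word in the entropy figure comes from.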
We have to face reality. It is the year 2019, and computers are extremely powerful. Even strong passwords can be cracked with a few years of solid effort, on the strongest specially-designed machines. A few years might seem like a very long time, but if you never change your passwords then you could be compromised. I recommend that you set your passwords to expire at least every year, and change them when the expiration date arrives. Your master password should also be changed at least every year.
Backups are vital!
You need to keep backups of your password database. They should be stored in a secure and secret place, preferably offline. You might also want to write down your master password and store it somewhere very secure. When you write it down, don’t label it “Master Password”. If you just write a series of seemingly random words on a piece of paper, nobody will know what they have unless they knew what they were looking for to start with. If you’re using a key file to secure your database, be sure to back up that file as well. The backup location should be secure, but as long as you follow a password-expiration habit, it won’t be the end of the world if someone finds your backup from 5 years ago.
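A backup you cannot restore is not a backup, so the copy of the database and key file is worth checking, not just making. The following added example (not from the guide or the KeePassXC project) copies both files into a timestamped folder, records a SHA-256 digest of each in a manifest, and later recomputes the digests to confirm the copies are intact. The file names `vault.kdbx` and `vault.keyx`, the backup folder name and the manifest format are all assumptions of this example; the database contents used in `demo()` are constructed bytes, not a real KeePassXC database.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large databases are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(db_path, key_path, backup_dir):
    """Copy the database and its key file into a timestamped folder with a digest manifest.

    Each copy is hashed after writing and compared with the source, so a
    short or corrupted copy fails immediately instead of being discovered
    when the backup is needed. Returns the folder that was created.
    """
    sources = [Path(db_path), Path(key_path)]
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = Path(backup_dir) / f"keepass-backup-{stamp}"   # assumed naming scheme
    dest.mkdir(parents=True, exist_ok=False)
    manifest = {}
    for src in sources:
        copied = dest / src.name
        shutil.copy2(src, copied)          # copy2 keeps the modification time
        digest = sha256_file(copied)
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src.name} does not match the original")
        manifest[src.name] = digest
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(dest):
    """Recompute the digest of every file named in the manifest; map name -> intact?"""
    dest = Path(dest)
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    return {
        name: (dest / name).is_file() and sha256_file(dest / name) == digest
        for name, digest in manifest.items()
    }


def demo():
    """Run a backup on constructed files, verify it, corrupt one copy, verify again.

    Returns (results before tampering, results after tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        db = tmp / "vault.kdbx"   # constructed placeholder, not a real database
        key = tmp / "vault.keyx"  # constructed placeholder key file
        db.write_bytes(b"\x03\xd9\xa2\x9a" + b"constructed database body" * 100)
        key.write_bytes(b"constructed key file contents\n")

        folder = backup_database(db, key, tmp / "backups")
        before = verify_backup(folder)

        # Simulate bit rot or a truncated copy on the backup medium.
        (folder / "vault.kdbx").write_bytes(b"damaged")
        after = verify_backup(folder)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the backup, and run `verify_backup` against the copy on the backup medium itself, not against a cached copy; the point is to learn that the offline copy has decayed before you need it.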
Do not use online password services
There is no such thing as “unhackable”. Online password services are the most desirable target for crackers in existence. They are not immune to being hacked, and when they get hacked, if you’re using them, 100% of your passwords are compromised. Online password services are giant neon targets that scream “Attack us!” every day. Furthermore, they are never free. KeePassXC is offline, and completely 100% free (the author does accept donations). It has superior features to every single online service, and is more secure. Use KeePass, do not use online password services.
2-Factor Authentication (Also known as 2FA)
A lot of services are offering “2-Factor Authentication” or “2FA” these days to reduce the risks caused by users with poor password habits. Unfortunately, 2-Factor Authentication does not make up for bad passwords. When the methods used are e-mail or SMS they introduce their own security risks, and if the user has poor password habits for one site, they probably have poor password habits for their email and phone service too. If you’re going to use 2FA, it should be supplemental to a solid password policy, not a replacement. Information security begins with strong passwords.
I want to save you some time so here are some helpful links to everything I’ve mentioned.
This guide is presented courtesy of Pride Tech Design, offering affordable website design, world-class hosting, and technology consulting for small and medium businesses.