Passwords are, at least for now, the most important thing in our digital life. The security of your computer, smartphone, and tablet depends on them, but so does the security of the devices of friends, acquaintances, and work colleagues. In this post, we take a deep dive into the password. It is often the little things that lead to big problems. At the end you will find a bonus: backing up the password manager. This is particularly important to me because the most secure system is of no use if you can no longer access your data in an emergency.
Passwords are very old and existed long before computers. We find many traces of them in the past. Ali Baba used the password "Open Sesame" to gain access to the robbers' den. Later, we find mentions again and again: passwords used by soldiers, for example, or watchwords that granted access to an established group. More complicated variants, such as a specific wording for a question and its answer, were often used to verify contacts. In addition to the password, other identifiers were often taken into account, e.g., a brotherhood ring. We see clear parallels in the computer age.
The digital beginnings were simple. A single password was sufficient to gain access (e.g., for the screen saver). User accounts were added later. User accounts regulate the access rights of individual users and turn the password into a two-stage process: a user name and a password are asked for. Because of the large number of systems and the lack of a standard, there were various restrictions (user names were not allowed to contain certain characters, passwords had to contain certain characters), which led to different user names on different platforms. Over the past 10 years, the e-mail address has established itself as the user name. What seems like an advantage, however, also has disadvantages: attackers have it much easier, as e-mail addresses are publicly known.
The two-stage concept of user name and password only allows access if both are correct. Good, modern systems display "wrong username or password" in the event of an error. That is a good thing, because the message gives no indication of whether the user name exists in the system or not, which makes things more difficult for a possible attacker.
This is also a good indicator of whether the software is reasonably up to date.
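The generic error message above is a defence against user enumeration: if the login code answers "unknown user" for one input and "wrong password" for another, the difference tells an outsider which accounts exist. The following Python is an added example written for this post (it is not the article's code and not taken from any product); it places the leaky pattern beside a uniform one. The user store, the fixed salt and the dummy hash are constructed for the demo. The uniform version also hashes a dummy password for unknown user names, so that the response time does not leak what the message no longer does.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor for the demo; real deployments tune this higher

def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# Constructed demo user store: username -> (salt, stored hash). Not real accounts.
# A fixed salt is used only so the example is deterministic; use os.urandom per user in practice.
_SALT = b"\x01" * 16
USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Hash of a dummy password: unknown user names are checked against this so that
# the "user does not exist" path costs the same work as the "wrong password" path.
_DUMMY_HASH = _hash_password("dummy-password-not-a-real-user", _SALT)

GENERIC_ERROR = "wrong username or password"


def login_leaky(username, password):
    """The pattern the article warns about: the message reveals whether the account exists."""
    if username not in USERS:
        return (False, "unknown user")
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return (True, "ok")
    return (False, "wrong password")


def login_uniform(username, password):
    """Same message and same amount of hashing work on every failure path."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # The second condition prevents a match against the dummy hash from ever succeeding.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "ok") if ok else (False, GENERIC_ERROR)


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("bob@example.com", "x"), fn("alice@example.com", "x"))
```

Run it and compare the two lines of output: the leaky function returns two different messages for the two failed attempts, the uniform one returns the same message for both.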
And so we come back to the difficulties for the attacker: as long as the user name was a name chosen by the user, it was harder for the attacker to guess than today's e-mail address. In practice, this hardly matters, but it illustrates one of the major risks in IT: data leaks, in which e-mail addresses and passwords are published.
Now that we have dealt with the password's past and present, let's look at the future. The password as we know it will become extinct in many areas, and pretty soon. While a few years ago we protected our smartphones with a PIN, biometric access is now almost standard. Fingerprint and facial recognition have replaced the password on the smartphone and let us log in more easily and faster.
A key question arises in this context: how often should the person be authenticated, or how long should an authentication be valid? Face recognition or the fingerprint on the mobile phone can be checked in the background without any problems and unnoticed by the user. So you can find out whether the user who logged in a few seconds or minutes ago is still the one using the system. This has good protective potential against various attack methods. However, another technique is advancing here: machine learning (ML) and artificial intelligence (AI). With this technique, typical user behavior is recorded and analyzed, including scrolling behavior, type of pressure, pressure resistance, and typing speed. This behavior pattern is then compared with the behavior of the current user. If it differs, a new biometric check is carried out for security reasons, or a password is requested. At the moment, however, such systems are used only sporadically and are still in the testing stage. You can easily imagine the disadvantages, e.g., if you hand your smartphone to someone to fix something or to your partner to read something. However, it is just as easy to imagine that such systems will very soon be introduced in sensitive areas, e.g., online banking.
But let's get back to the password.
Unfortunately, insecure passwords are all too often used.
In addition, the identical password is used for different services, e.g., the password for your e-mail account is the same as what you use for Facebook. This is also called password recycling.
Another problem is that passwords are saved in plain text or even (as was often the case in the past) with "Post It" stuck under the keyboard.
Password sharing (especially if it takes place on insecure channels such as email) is also a problem.
Finally, regularly changing passwords for no reason (such as a data leak) is a security risk, because mostly only slight modifications of the previous password are made: consecutive numbers are appended, or letters are exchanged for numbers (e.g., S becomes 5, o becomes 0, etc.). The use of similar-looking numbers instead of letters is also called leetspeak.
The question arises, however, whether you gain security at all if you change passwords regularly. The answer is clearly no. At least as long as there is no data leak. And in the event of a data leak, the regularly changed password usually does not offer any protection because it is insecure due to the methods described above and can be easily guessed. In this respect, regularly changing passwords is usually counterproductive, at least as long as you do not use generated passwords.
We know from data leaks that a shockingly large number of people still use insecure passwords. Although this differs between languages, many passwords are identical across languages: common words and short phrases such as Password, Superman, Iloveyou, 123456. Other combinations come from the keyboard layout, such as asdfgh or qwerty. You should definitely avoid these passwords. That's why we now look at finding a secure password and how to remember it.
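Both problems described above, the common-word passwords and the "change it slightly every month" habit with leetspeak and appended numbers, can be caught at the moment a password is set. The following Python is an added example for this post, not code from the article or from any password manager: it normalizes a candidate password (drops case, strips a trailing number or punctuation, undoes the usual leetspeak swaps) and then checks it against a blocklist and against the previous password. The blocklist here is a tiny constructed one built from the words the article names; a real deployment would use a large breach-derived list.

```python
import re

# Constructed blocklist for the demo, taken from the examples in the article.
# A real deployment uses a large list derived from published leaks.
COMMON_PASSWORDS = {"password", "superman", "iloveyou", "123456", "asdfgh", "qwerty"}

# Leetspeak substitutions named in the article (S->5, o->0) plus the other usual swaps.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(pw):
    """Collapse the trivial variations: 'Summer2021!' and 'Summer2022!' both become 'summer',
    'P@ssw0rd' becomes 'password'. Trailing digits/punctuation are stripped first so that
    an appended year is not mistaken for leetspeak letters."""
    core = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", core)   # drop the appended counter / punctuation
    return core.translate(LEET_MAP)          # undo leetspeak on what remains


def is_trivial_variant(old_pw, new_pw):
    """True if the new password is just the old one with the incremental changes the
    article describes (appended number, leetspeak swaps, changed case)."""
    return normalize(old_pw) == normalize(new_pw)


def assess_new_password(old_pw, new_pw, min_len=12):
    """Return the list of policy problems with new_pw; an empty list means accepted.
    old_pw may be None when no previous password exists."""
    problems = []
    if len(new_pw) < min_len:
        problems.append("too short")
    if new_pw.lower() in COMMON_PASSWORDS or normalize(new_pw) in COMMON_PASSWORDS:
        problems.append("common password")
    if old_pw is not None and is_trivial_variant(old_pw, new_pw):
        problems.append("trivial variant of previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("Winter2020", "W1nter2021"), (None, "Passw0rd1"),
                     ("Winter2020", "Tpfomitleaiiaatsthtswc.AE1879")]:
        print(repr(new), "->", assess_new_password(old, new) or "accepted")
```

The normalization is deliberately aggressive: it is used only to reject obviously weak choices, never to judge a password strong, so a false positive costs the user one more attempt while a false negative would let a guessable password through.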
Here are a few rules for a good password.
There are several methods of generating a good password. Take, for example, the first letters of your favorite quote, followed by the author's initials and year of birth.
The purest form of madness is to leave everything as it is and at the same time hope that something will change. Albert Einstein 1879.
The password would be:
Tpfomitleaiiaatsthtswc.AE1879
We have upper- and lower-case letters, a special character (the period), and four digits. And the best part is that you can derive it at any time and don't run the risk of forgetting your password. Granted, this one is a bit long, and I'm sure you will find a shorter quote; it is only used here to illustrate the principle. Instead of quotations, you can also use book titles, idioms, etc.
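The derivation above is mechanical, which is exactly why it is easy to remember. As an added illustration for this post (not the article's own code), the following Python implements the general rule the Einstein example is one instance of: first letter of every word, sentence punctuation kept so that a special character appears, then the author's initials and a year. It also reports which character classes the result covers, which is the check the paragraph above makes by hand.

```python
import string

# The quote from the article, used here as the worked input.
EINSTEIN_QUOTE = ("The purest form of madness is to leave everything as it is "
                  "and at the same time hope that something will change.")


def derive_password(sentence, author="", year=None):
    """Build a password from the first letter of each word in `sentence`, keeping any
    punctuation that ends a word, then append the author's initials and the year."""
    parts = []
    for token in sentence.split():
        parts.append(token[0])
        if token[-1] in ".,!?;:":       # keep sentence punctuation as the special character
            parts.append(token[-1])
    if author:
        parts.append("".join(word[0] for word in author.split()))
    if year is not None:
        parts.append(str(year))
    return "".join(parts)


def character_classes(pw):
    """Which of the four character classes the password contains."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


if __name__ == "__main__":
    pw = derive_password(EINSTEIN_QUOTE, "Albert Einstein", 1879)
    print(pw, len(pw), character_classes(pw))
```

Note that the strength of such a password comes from the length of the sentence and from the sentence being personal, not famous: a widely quoted line that appears in password-cracking wordlists in exactly this reduced form gives less than its length suggests.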
After we have just created a secure password, we come to the second act. It would be best if you had a separate password for each access. No password recycling. But how are you supposed to remember all of the passwords?
Password managers are the solution. And most of us are at least familiar with browser password managers like those in Google Chrome, for example, which constantly ask whether they should save the password.
These browser password managers have some disadvantages: they are difficult to back up and are mostly only available in that browser. Dedicated password manager programs are the better solution.
There are some good programs available, both free and paid. Most of them have a free and a paid version, and usually, the free version will be perfectly adequate for you.
Personally, I've worked with these password managers:
The so-called self-hosted password managers occupy a special position. Here you do not entrust your passwords to a cloud service that promises to store the data securely and encrypted; you rely on yourself instead. You should only use this if you really know what you are doing, including how to back it up. Otherwise, this can quickly become a major disaster. KeePass is an open-source project that supports self-hosting.
Many programs offer recovery options or inheritance rules. The inheritance rules in particular are well suited as a back door for recovery. A trusted person requests your password, and you receive a message from the password manager asking whether you want to reject this request. In the event of your death, you would not answer this e-mail, so after a waiting period the requesting party receives your super password and has access to all of your passwords. Two things contribute to security: you can restrict the group of people allowed to make the request (by e-mail address), and you can choose a time window long enough that you will certainly have read the request message and can reject it in the event of abuse.
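The inheritance rule just described is a waiting-period protocol: a request from an allow-listed address starts a timer, the owner is notified, and the request is granted only if the owner has not rejected it before the timer runs out. The Python below is an added model of that protocol written for this post; it is not the implementation of any particular password manager, and the addresses, dates and seven-day window are constructed for the walk-through. The state machine makes the two security properties explicit: requests from addresses outside the trusted list never start a timer, and a rejection is only effective inside the window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class EmergencyAccessPolicy:
    trusted_requesters: set     # e-mail addresses allowed to request access
    waiting_period: timedelta   # the owner's time window to reject a request


@dataclass
class AccessRequest:
    requester: str
    requested_at: datetime
    rejected: bool = False


class EmergencyAccess:
    """Tracks pending inheritance requests and decides when access is granted."""

    def __init__(self, policy):
        self.policy = policy
        self.requests = {}
        self.notifications = []   # messages the owner would receive

    def request(self, requester, now):
        if requester not in self.policy.trusted_requesters:
            return "denied: requester not on the trusted list"
        self.requests[requester] = AccessRequest(requester, now)
        deadline = now + self.policy.waiting_period
        self.notifications.append(
            f"{requester} requested emergency access at {now.isoformat()}; "
            f"reject before {deadline.isoformat()} or access will be granted")
        return "pending"

    def reject(self, requester, now):
        req = self.requests.get(requester)
        if req is None:
            return "no pending request"
        if now < req.requested_at + self.policy.waiting_period:
            req.rejected = True
            return "rejected"
        return "too late: access already granted"

    def status(self, requester, now):
        req = self.requests.get(requester)
        if req is None:
            return "no request"
        if req.rejected:
            return "rejected"
        if now >= req.requested_at + self.policy.waiting_period:
            return "granted"
        return "pending"


def run_scenario():
    """Constructed walk-through: a stranger is refused outright; a trusted heir's request
    is rejected in time in one run, and in the other the owner never reacts."""
    policy = EmergencyAccessPolicy(trusted_requesters={"heir@example.com"},
                                   waiting_period=timedelta(days=7))
    t0 = datetime(2024, 1, 1, 9, 0)
    results = {}
    vault = EmergencyAccess(policy)
    results["stranger"] = vault.request("stranger@example.com", t0)
    results["heir_request"] = vault.request("heir@example.com", t0)
    results["day3"] = vault.status("heir@example.com", t0 + timedelta(days=3))
    results["reject_day3"] = vault.reject("heir@example.com", t0 + timedelta(days=3))
    results["after_reject"] = vault.status("heir@example.com", t0 + timedelta(days=10))
    vault2 = EmergencyAccess(policy)       # second run: the owner never answers
    vault2.request("heir@example.com", t0)
    results["unanswered_day10"] = vault2.status("heir@example.com", t0 + timedelta(days=10))
    results["late_reject"] = vault2.reject("heir@example.com", t0 + timedelta(days=10))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

When configuring the real feature, the waiting period should be longer than the longest stretch during which you might not read e-mail, because a request that goes unnoticed is indistinguishable, to the system, from one you meant to let through.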
Password managers also actively report data leaks, recycled passwords, insecure passwords, etc.
You use a secure password as described above to unlock your password manager. We then call this the super password.
For all services, you use passwords that are generated and saved by the password manager. You don't have to remember these passwords, and you can view them at any time with your super password.
You have made sure that a recovery route exists (reset, inheritance rule) and have checked that it actually works.
You have a working backup of your password manager.
The password manager offers a function for backing up all passwords. It is best to do this regularly. In another post, we go into more detail about backups in general. Here is an excerpt from it.
The backup should be kept safe, and you should have access to it in the event of a disaster (think what happens if there is a fire or water damage, theft ...). The backup is like insurance. In the best case, you never need the insurance, but when you need it, you find out very quickly that it would have been better if you had dealt more with the conditions. So take the time to think about backup and retention.
Good options are to save the backup on two different USB flash drives and deposit one at your workplace. The second USB drive could be left with a good friend or stored in your car. It should be stored in such a way that it can be swapped easily without getting on your friend's nerves too much. Cloud storage, encrypted of course, is also conceivable, but then you also have to remember the password for that service, and no, it should not be the same password as for the password manager. In any case, create two backups and keep them in different places. Make an entry in your calendar reminding you to create a new backup, e.g., every month.
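The two-copies rule and the calendar reminder can both be checked mechanically: compare the copies byte for byte (via their hashes) and complain when one is missing, differs, or is older than the reminder interval. The Python below is an added example written for this post, not code from the article or from any password manager. The file names, the "two USB sticks" directory layout and the vault contents are constructed inside a temporary directory so that the demo runs offline; in real use you would point `check_backup_copies` at the export file on each medium.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup_copies(copies, max_age_days=31, now=None):
    """Return a list of problems for the given backup copies; empty means all is well.
    Flags: fewer than two copies, a missing copy, copies whose contents differ,
    and a copy older than max_age_days (the calendar reminder, enforced)."""
    now = time.time() if now is None else now
    problems = []
    if len(copies) < 2:
        problems.append("fewer than two copies")
    digests = {}
    for p in copies:
        p = Path(p)
        if not p.is_file():
            problems.append(f"missing: {p}")
            continue
        age_days = (now - p.stat().st_mtime) / 86400
        if age_days > max_age_days:
            problems.append(f"stale ({age_days:.0f} days): {p}")
        digests[str(p)] = sha256_of(p)
    if len(set(digests.values())) > 1:
        problems.append("copies differ: " + ", ".join(f"{k}={v[:8]}" for k, v in digests.items()))
    return problems


def run_demo():
    """Constructed scenario: two fresh identical copies pass; a copy that is both
    stale and from an older export fails on both counts."""
    with tempfile.TemporaryDirectory() as d:
        vault = b"constructed password-manager export, not real data"
        a = Path(d, "usb1", "vault-export.bin"); a.parent.mkdir(); a.write_bytes(vault)
        b = Path(d, "usb2", "vault-export.bin"); b.parent.mkdir(); b.write_bytes(vault)
        c = Path(d, "old", "vault-export.bin"); c.parent.mkdir(); c.write_bytes(vault + b"-older")
        ninety_days_ago = time.time() - 90 * 86400
        os.utime(c, (ninety_days_ago, ninety_days_ago))
        return {"good": check_backup_copies([a, b]), "bad": check_backup_copies([a, c])}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "ok")
```

A matching hash only proves the copies are identical, not that the export can be opened; every so often, actually restore one copy into a fresh installation of the password manager and unlock it with your super password.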
The answer is no. With a browser extension, it is tempting to use both the browser's own saved passwords and the password manager. However, this has a disadvantage: anyone who has access to your system can also access the user names and passwords the browser suggests. In addition, errors can creep in, e.g., if a password is changed, only the browser copy is updated while the password manager still holds the old password, and of course you only notice this when, for whatever reason, you have to rely on the password manager. In this respect, I would recommend refraining from this and settling on one system.
Definitely not by e-mail. If at all, then over an encrypted channel, e.g., WhatsApp. Even there, I would advise against sending the entire password and against adding any text such as "Hi, this is my password:". Divide the password into two parts and send one part via WhatsApp and the second via another service, such as Skype. This helps you in the event of a data leak, as there is no indication that it is a password, and even if someone guesses that it is, the password is incomplete.
Most password managers have a sharing function with various methods of sharing passwords with groups, family members, etc. This has the added advantage that if the password is changed, the other person immediately has the new password. You also ensure that your password is not stored insecurely somewhere on a computer, smartphone or tablet. After all, it's about your safety. Pass the link to this article on to your family, friends, and acquaintances so that they are a little safer in the future too.
There are various websites where you can usually search for your email address (or username). Password managers also actively report data leaks.
https://haveibeenpwned.com
https://cybernews.com/personal-data-leak-check/
https://monitor.firefox.com
https://www.f-secure.com/en/home/free-tools/identity-theft-checker
In addition to the password, many services offer 2FA or MFA functions. Some also offer so-called physical keys, e.g., FIDO keys or a YubiKey. We'll go into that in the next blog post.