5 Ways to be Better at Passwords

This is an excerpt from my asymmetric information newsletter sent out at irregular intervals.

Here is something I’ve been thinking a lot about lately:

Passwords are information asymmetry in action

So I spent my Easter holiday starting to actually practice something I preach professionally: doing a recurrent digital security review. I can go into details on the overall process in another newsletter, but I want to focus on the one key measure to stay safe from a majority of digital threats. This is of course having good password practices. There are a number of things you can do. Here, let me listicle them for you:

1. Use loooooooooooooooooooooooooooooooong passphrases

If you haven’t seen it before, here’s a comic from the always brilliant Randall Munroe:

https://xkcd.com/936/

This tells you most of what you need to know about making good passphrases: string together several words picked at random from a large word list, so that the result is memorable for you but unguessable for a computer making a ton of guesses each second. The key word is random. The comic’s strength estimate assumes the words were drawn by dice or a program, not chosen because you like them; words you pick yourself cluster around common vocabulary and are far easier to guess. Since its publication, however, the standard recommendation among digital trainers has been raised from four to six randomly selected words strung after each other. Also, never use ‘correct horse battery staple’ as your passphrase, ever: it is the first thing any cracker tries.
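To make the “random” and “long” points concrete, here is an added example (not code from the original newsletter) that generates a Diceware-style passphrase with a cryptographically secure random source and estimates its strength. It assumes a word list of known size: the 32-word list embedded below is a constructed stand-in, the 7776 figure is the size of a real Diceware list, and the 2048-word list and 1000 guesses per second are the figures the comic itself uses.

```python
"""Diceware-style passphrase generator with an entropy estimate.

Added example, not from the original newsletter. Assumes words are drawn
uniformly at random from a word list of known size; SAMPLE_WORDLIST is a
constructed stand-in for a real Diceware list (7776 words).
"""
import math
import secrets

# Constructed stand-in word list. Only its SIZE matters for the entropy
# estimate; 32 words give just 5 bits per word, which is why real lists
# are large (Diceware: 7776 words, ~12.9 bits per word).
SAMPLE_WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xylophone",
    "yonder", "zephyr", "acorn", "bridge", "copper", "desert", "engine", "forest",
]

DICEWARE_SIZE = 7776       # 6^5 words, one per roll of five dice
XKCD_SIZE = 2048           # the comic assumes ~11 bits per word, i.e. a 2048-word list
XKCD_GUESS_RATE = 1000.0   # guesses per second quoted in the comic (online attack)


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly and independently from a
    list of wordlist_size words. Valid ONLY if a CSPRNG picked the words;
    words a human chose are worth far less than this."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need a list of at least two words and at least one word")
    return word_count * math.log2(wordlist_size)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker who knows the scheme and the word list:
    on average half the space has to be searched before the hit."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def crack_time_years(bits: float, guesses_per_second: float = XKCD_GUESS_RATE) -> float:
    return seconds_to_crack(bits, guesses_per_second) / (365.25 * 86400)


def generate_passphrase(wordlist, word_count: int = 6, separator: str = " ") -> str:
    """Pick word_count words with secrets.choice (a CSPRNG). Never use
    random.choice for this: Mersenne Twister output is predictable."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates; entropy estimate would be wrong")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    four = entropy_bits(XKCD_SIZE, 4)
    six = entropy_bits(DICEWARE_SIZE, 6)
    print(f"Four words, comic's list : {four:5.1f} bits, {crack_time_years(four):14.0f} years at 1000 guesses/s")
    print(f"Six words, Diceware list : {six:5.1f} bits, {crack_time_years(six):14.0f} years at 1000 guesses/s")
    print(f"Six words, 32-word list  : {entropy_bits(len(SAMPLE_WORDLIST), 6):5.1f} bits (toy list, too small!)")
    print("Sample passphrase (from the toy list):", generate_passphrase(SAMPLE_WORDLIST))
```

The 1000 guesses per second figure is an online attack against a rate-limited login form. An attacker who has stolen a password database and is cracking hashes offline manages billions of guesses per second, which is exactly why the trainers’ recommendation moved from four words to six.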

2. Never use the same passphrase for different services

So, even if your passphrase is ‘secret password you will never guess’, if you use it everywhere, also on the weird narrow hobby forum you used to frequent many years ago and have since forgotten all about, but which has since been hacked and taken over by a gang of password-stealing, identity-thieving, revenge porn-obsessed teenagers or organized criminals (same difference), then when they find your password on weirdnarrowhobbythatusedtobeavibrantcommunity dot com, they also have your Google credentials, your Facebook identity (a pleonasm if there ever was one), and all the other things you use the actually-not-completely-awful passphrase for. Trying stolen username and password pairs against every other big service is routine for criminals, and it works precisely because so many people reuse. So make your long passphrases as unique as snowflakes.

3. But how will I remember all of my unique-as-a-snowflake passphrases?!

Use a password manager, meaning that you only need to remember a single strong phrase to unlock all of your magnificent, long, hard-to-guess, easy-to-remember-if-just-there-weren’t-so-many-of-them passphrases. There are several options. The Firefox browser has a built-in password manager, which should be used with a Master Password; without one, anyone who gets hold of your browser profile can read every saved password in the clear. There are also cloud-based services that will store and remember your passphrases (‘cloud’ here meaning other people’s computers, not anything based literally in the clouds). Services such as LastPass and 1Password will store and sync your passphrases between all your devices. You only need to trust them with the precious poetic creations that are your passphrases; the design you want is one where the vault is encrypted on your own device with a key derived from your master phrase, so the provider only ever holds ciphertext. If you trust no one (besides a bunch of software developers), download KeePassX (or its actively maintained fork, KeePassXC), an open source, cross-platform password manager that keeps your passphrases in an encrypted file on your computer, never touching the cloud. The learning curve here is pretty steep, but you will get more respect from your privacy-paranoid friends (and incidentally also from your enemies).

4. Use two-factor authentication

Passwords are used for authentication, i.e. proving that you are who you say you are. But they are not that good at it, because the service has no way of knowing whether it was actually you who typed in the username and password. Except that there is a way. It is called two-factor authentication. The two factors are one thing that only you know (which is why your passphrases should be kept secret) and one thing that only you have, like your phone (or one thing that you are, in the case of biometric authentication such as fingerprint or retina scanners, but I digress). Using your phone as the second factor is supported by more and more services. Twofactorauth.org is an easily searchable database where you can see whether the services you use have two-factor authentication available. That way, when a grifter shoulder-surfs your passphrase or hacks a service where you used the same one even though you shouldn’t have, it is ok: the passphrase alone no longer gets them in. Unless they also steal your phone, or talk you into typing the current code into a fake login page they control, since a code is valid in the moment it was issued no matter who submits it…

5. Memorize your most important passwords or write them down (yes, this is ok)

If you want to keep information completely safe, don’t put it on a computer. That is one of the key security takeaways from the Snowden revelations. Of course you have to type in a passphrase that unlocks your computer, a PIN for your phone and so on, but keeping those few master secrets out of reach of digital exploitation is a good way of protecting all the data inside the devices. Bruce Schneier, the world-renowned security specialist, even says it’s ok to write them down if you find it hard to remember arbitrary information. Just don’t do it on a post-it next to your screen at work. Put them in your wallet or a similar place that only you have access to, and treat the note like the cash in the same wallet. Of course, just as digital security is hard and no one’s data is ever absolutely secure, physical security is equally hard against a determined adversary. But for many people, this is less of a threat than the risk of someone breaking into your email or social media account and using those to make a mess of your personal life or to stage further attacks against your employer or other organizations you participate in.

Originally published at tinyletter.com/asymmetries/.