• Home
• About
• Contact

A Guide to Passwords and Password Managers

After seeing too many friends get hacked, I present to you the first of my practical security guides. I shall show you how to create, manage, and store strong passwords, the biggest weak spot for most. This guide is suited to private individuals who wish to fortify themselves against the most common forms of cyber-attack they're likely to face that stronger passwords will help to shield you from. Given this scope, professionals and organisations will need more specialist advice than a hobbyist like me can give. Take a shot every time I say password.

How Passwords are Cracked

Hacking is the act of gaining unauthorised access to a computer, network or part thereof. When the target is a normal person, the goal will often be to steal personal (especially financial) information, use said account to defraud others, or both. Following this guide will greatly lower (but never eliminate) the chance of this happening to you. Cracking is the act of correctly guessing another's password, often with the aid of software.

The kind of software in question is called a password cracker. It will automatically guess passwords one after another at speeds above millions a second until it finda a match. These guesses might be all possible combinations (called a brute force attack), but is more often narrowed down to common words or passwords from past data breaches (called a dictionary attack).

It's worth noting that typing many guesses directly into a website's login page isn't the best way, as most big ones are likely to block access after enough wrong tries. Instead, hackers will try to get their hands on a copy of a website's database and do their guessing there. You don't need to know the details, the way to shield yourself is the same, but I've left some below for those interested.

Any website that issues accounts keeps their information inside of a database, but keeping passwords in plain text, like any other data, is a stroke of madness; even if secured by some means, everyone is compromised forthwith the moment said security is broken.

To prevent this, issuers use a technique called hashing: a function takes some data as input (your password in this case) and wherewith gives a string of characters unique to said data as output. This output is called a hash and is kept instead of your real password. These hash functions are written in such a way as to make it easy to turn data into hashes, but very hard to turn hashes back into data. In this case, the cracker would generate the hash from each of its guesses and check for any matches within the database; if the hashes match, so do the passwords.

Making Strong Passwords

The goal here is not to make uncrackable passwords, that cannot be done, but instead to make them take so very long to crack, that hackers give up and try somewhere else. The best ways to do so are the following:

• Increase the length. The more characters there are, the lower the chance of guessing them all right at once becomes
• Add more variation with uppercase letters, numbers, and symbols. Whilst less important than length, range raises the number of options for what each character could be, thus raising the possible number of guesses per character
• Never use the same password twice; if one account is hacked, the hacker may try the same username-password combination on popular sites
• Never include information about yourself or that others may associate with you. Names, dates, places, and hobbies may be easily scraped from public profiles to be turned into a wordlist for use in a dictionary attack

Now you could do this by hand, but humans are slow, inefficient, and predictable. The better way involves a program called a password manager to spit out and store very long strings of fully random characters. This will work in most cases, but you may run into trouble with services where, for one reason or another, copying and pasting is not possible. For times like those, please see the method below:

The Diceware Method

Diceware is a method, devised by Arnold G Reinhold, to generate long passwords, which he calls passphrases, with ordinary dice and a list of words. Doing so this way gives you a great deal of randomness whilst also being readable, memorable, and typeable. This is handy for cases like, say, a password manager.

This can be done for you with an electronic Diceware generators like this one, but it helps to know how it works. As you'll need one for later, try the link above or the method below:

1. Get a wordlist from Mr Reinhold's website wherein each word is next to a five-digit number
2. Cast your die and write down the result until you have five numbers; rolling many at once will speed this up
3. Look up each five-digit number on your list and write down the corresponding word
4. Repeat steps (2) and (3) until you have enough words; Mr Reinhold advises at least six, but I'd go for one more just in case
5. Optionally, add a symbol between each word using the method under Optional stuff you don't really need to know

As making a computer produce fully random numbers poses a challenge, any electronic generators will be inherently less secure than rolling by hand. However, the level of randomness in the generator linked hereinabove should be enough for a normal person.

I recommend writing down your passphrases unlabeled on a sheet of paper hidden somewhere only you can find it.

Choosing a Password Manager

If you think it's hard to remember unique passwords, that's because it is. Such a worry is for a password manager to allay by saving your login details to an encrypted database, making new passwords, and typing them out for you. This database is locked with a master password; the only one you must remember and why I said to make a Diceware passphrase earlier. Please keep this safe, as you cannot open your database without it!

Yes, it will take some time to add or update all of your current logins, but the added security and hence peace of mind will pay dividends. If, like many, some of your login details are saved in your browser, see below to speed things up:

Exporting Saved Passwords from Your Browser

Following these steps, you will end up with a CSV file holding your login details. Steps for importing said file into a password manager are in the next sections.

With slight variation, the steps for Chromium-based browsers (Chrome, Edge, Opera, Brave, and others) are thus:

1. At the top-right, click the three-bars icon, Settings, Autofill and passwords, and then Password Manager
2. Move to the Settings tab. Under Export passwords, click Download file
3. Choose a place to save it to

For Firefox-based browsers:

1. At the top-right, click on the three-bars icon and then Passwords
2. Again at the top-right, click on the three-dots icon, and then Export Passwords
3. The notice will warn you that the import will be in plain text, so delete this file once it's been imported. For now, click Continue with export
4. Choose a place to save it to

The file you just exported is not encrypted, so please delete it once it's been imported!

KeepassXC

KeepassXC is my preferred choice for a password manager; as opposed to cloud-based software, your login details are kept within a file on your machine. This comes with the upside of not needing to trust someone else to keep your details safe. The downside is now you must do that. Keep your database in a safe place and make regular backups to a separate device like a USB flash drive; if you lose this file, then you lose all of your logins!

To import your existing logins:

1. From the menu bar, click Database, Import, and then CSV File. Select the file you downloaded earlier
2. Choose a name and description for your new database
3. The default encryption settings should be enough, so press Continue
4. Choose a password and then click Done
5. Select First line has field names. This should match most of the columns to the correct options, but I'd double check
6. Once you're sure they're all right, click OK

To add a new login:

1. Click on New Entry or press Ctrl+N
2. Click on the die icon or press Ctrl+G to open the password generator
3. Choose the length and character types; 128 characters made up of upper and lowercase letters, numbers, and symbols will work for most services
4. Click on Apply Password when you're done
5. Type in other details like your username, login name, and link to the website. Then click OK

To set up automatic backups:

1. From the menu bar, go to Tools, Settings and then General or click the gear icon
2. Under File Management, check Backup database file before saving
3. Next to Backup destination, click Choose to select a location; I advise this to be on a separate storage drive like a USB flash drive or network storage you control
4. Once you're done, click OK

Bitwarden

I understand an offline-only copy may be inconvenient. I think it's a fair trade-off, but if you do not, then I advise the use of Bitwarden, the most comprehensive open-source solution. After making an account, called a vault, you can log in from their web, desktop, or mobile applications. You will, of course, have to trust them to keep your information safe whlist on their servers.

To import your existing logins:

1. On the menu bar, click on File, and then Import data
2. Under Destination, choose the vault and folder you want to save your logins to
3. Under Data, choose either Firefox csv or Chrome csv for File format
4. For Select the import file, click Choose file and find the CSV file you saved earlier
5. Click on Import data

To add a new login:

1. Click on the plus icon or press Ctrl+N
2. Click on the circle icon to open the password generator
3. Choose the length and character type from the window that pops up; 128 characters made up of upper and lowercase letters, numbers, and symbols will work for most services
4. Click on Apply Password when you're done
5. Type in other details like your username, account title, and link to the website. Then click on OK

Other Password Tips

Some other tips too small for their own section. If there's enough interest, I may add more details in future

• Beware of phishing. The strongest password in the world is for naught if you give it away. The aim is to trick you into either giving them your details through a fake login page or running malicious code that steals them from your browser data such as saved passwords or session cookies; the latter could let a hacker bypass logging in entirely, as with the LinusTechTips channels a while ago. Watch out for inpersonal, poorly-formatted messages telling you to do something urgently
• Avoid third-party sign-ons at all costs. Tying other accounts to a notorious data-guzzler like Facebook or Google means if it goes down, all connected accounts go with it. This in turn makes deleting said data-guzzlers much harder should you wish to do so in the future
• Log out from old devices. If you ever move devices, it's a good idea to log out of everything, else someone get a hold of it and thus your accounts. You could uninstall the apps or clear browser data, but it's often faster to perform a factory reset. If you forget, then most big websites will allow you to log out devces from their settings under something like Login Sessions

If you follow these tips, then you will be less likely to be hacked than if you do not. Best of luck to you and please feel free to send me any questions. Have a good day!

See Also

• Password Storage Tier List by Studying With Alex: This video does a great job explaining complicated password storage methods, though I disagree with his final point on third-party authentication
• Prevent Common Threats by Using the S.T.O.P Method by All things Secured: More details on how to spot possible phishing attacks
• Dumb Password Rules by duffn and many others: A website that holds information on arbitrary password requirements for many websites which they may or may not tell you themselves