How to Create, Keep, And Restore Safe Passwords - Convenience Against Security?

Nowadays, with the tremendous growth in digital communications, protecting a user's identity has become vitally important. In most cases, the identity is protected with a secret password that only the user knows. Another layer of security is the Two Factor Authentication method, which uses a separate and independent channel of communication between the remote server and the user, in addition to the password. Typically this is implemented by sending an Auth SMS or a push message to the user's mobile device.

This article discusses the threats that a web user can face while creating, storing, and using strong passwords online to access his/her accounts, such as social media, email, financial institutions, etc. A good understanding of these threats may help prevent loss of important data, sensitive personal information, and financial assets.

Creating a Strong Password

Problems that a user faces while creating, storing, and restoring a password are discussed below. What is a good password, after all?

1) The password must draw on as large an alphabet of symbols as possible, for example A-Za-z0-9, or 52 possible characters for the English alphabet and digits; even better if non-alphabet keyboard symbols such as "!", "?", "-", "#", etc. are added, a total of 32 typeable characters on a usual computer keyboard. The overall alphabet for a password then comes to 84 characters. For other national alphabets, it can be even larger: 92 for German and 98 for Russian.

2) The password must be as long as possible, but not shorter than 8 characters.

Some interesting facts: for a password 8 characters long based on the above alphabet of 84 characters, the total number of variations is 84^8, or 2.5 million billion. Modern software is reportedly capable of checking 76,000,000,000 MD5 hashes per second on one average computer. This means that every possible hash for an 8-character password can be checked in about 32,000 seconds, or around 9 hours. Making the password longer by just one character will require a month of calculations. Adding another character (password length=10) means that an attacker will need 7 years. For a password of 20 such characters, one computer will need 127 billion billion years!

3) The password must be easy to remember, write down, and type into the password field.

As can be seen, requirements No.2 and No.3 are contradictory. A long and random password is difficult to remember, write, or type in. This is a reason for most users to use simple passwords or re-use the same password for all services, a fact that worries computer security experts most.
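The brute-force figures above can be reproduced and generalized with a short calculation. This is an added example, not code from the article: it takes the article's alphabet size (84) and hash rate (76,000,000,000 per second) as inputs, and the costPerGuess parameter is an assumption that roughly models a deliberately slow hash.

```javascript
// Added example: worst-case time to try every password of a given length.
const SECONDS_PER_YEAR = 365 * 24 * 3600;

// Seconds needed to test the whole keyspace: alphabetSize^length guesses at
// `rate` guesses per second. `costPerGuess` (assumption) models a slow hash
// that costs that many fast-hash operations per guess.
function exhaustSeconds(alphabetSize, length, rate, costPerGuess = 1) {
  return (Math.pow(alphabetSize, length) * costPerGuess) / rate;
}

// Shortest password length whose full keyspace takes at least `targetYears`.
function minLength(alphabetSize, rate, targetYears, costPerGuess = 1) {
  for (let n = 1; n <= 128; n++) {
    const years = exhaustSeconds(alphabetSize, n, rate, costPerGuess) / SECONDS_PER_YEAR;
    if (years >= targetYears) return n;
  }
  throw new Error("no length up to 128 reaches the target");
}

// Render a duration in the largest unit that fits.
function humanize(seconds) {
  const units = [["years", SECONDS_PER_YEAR], ["days", 86400], ["hours", 3600]];
  for (const [name, size] of units) {
    if (seconds >= size) return (seconds / size).toPrecision(3) + " " + name;
  }
  return seconds.toPrecision(3) + " seconds";
}

// Figures taken from the article: 84 symbols, 76 billion hashes per second.
const ALPHABET_SIZE = 84;
const HASH_RATE = 76e9;

for (const n of [8, 9, 10, 20]) {
  console.log(n + " chars: " + humanize(exhaustSeconds(ALPHABET_SIZE, n, HASH_RATE)));
}
// Length needed to hold out 1000 years against a fast hash, and against a
// hash that is 200,000 times more expensive per guess.
console.log("fast hash:", minLength(ALPHABET_SIZE, HASH_RATE, 1000));
console.log("slow hash:", minLength(ALPHABET_SIZE, HASH_RATE, 1000, 200000));
```

These are times to cover the entire keyspace of randomly chosen passwords; a password built from a guessable phrase or pattern has a far smaller effective keyspace.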

I looked through dozens of high profile Internet articles written by various people to get an idea of how a strong password can be generated, stored, and recovered if needed. In most cases, the proposed methods only deal with one aspect of the problem and ignore the others. For example, some authors keep inventing new methods to create a long and memorable phrase and manipulate it in various ways by replacing letters with digits and non-alphabet symbols. Other recommendations include using this or that password manager to generate and keep an encrypted database with a logins/passwords list.

Why remembering a passphrase is not working

A very popular piece of advice that people find on the Internet is to use a phrase as your password. For example, choose "I need a safe password" and turn it into a working password by replacing and manipulating characters in it. It is advised to invent and memorize a certain pattern for such modifications, for example, alternating letter case, as in "I nEeD a SaFe PaSsWoRd", or using only the first two characters of each word and replacing spaces with a certain symbol, like "I_nEa_Sa_Pa", etc.

While such a method can be quite productive for certain purposes, e.g. creating and memorizing your single, strong Master Password, it can hardly be used for everyday passwords. Why?

1) A typical active web user has around 100 to 150 accounts that require a password. Using the above method, s/he would need to create and remember 150 different phrases and patterns. Or, even if the applied pattern is the same, it is just 150 phrases, still a tremendous challenge to face.
2) Some websites, especially financial institutions or banks, require the user to change the password regularly because it expires, let's say, every six months, so managing the list of such phrases becomes a nightmare.
3) Trying not to forget the passwords, users will tend to
- use the same phrase on every website
- write down the phrase on paper in plain text, which can easily be stolen.

4) Such a phrase password is quite difficult to type in the password field, especially on a mobile device. This problem for most people will lead to choosing a simpler password and/or saving it in the browser's autofill to avoid typing. Browsers normally keep passwords as open text and such storage is completely unsafe.

Why using password managers is not always working

A great deal of specialized software has emerged to tackle the password problem. The list includes:
1) Locally run software that keeps the password list on your computer;
2) Cloud services that store it on a remote server and give it to you when needed;
3) A mix of the two.

Although such software uses strong up-to-date encryption features and is constantly tested by security experts, it still has some problems, mostly due to the nature of people as users rather than the features of the software.

There are five main problems with password managers as I can see them:

1) The local computer can fail or be stolen, the software can crash, or the database can be damaged or accidentally deleted. Saving backups on a flash drive can help, but it requires an effort that only a few people, the most disciplined and wary ones, are likely to make;

2) The master password can be forgotten. In this case, you just say goodbye to your list of passwords.

3) Cloud password services are considered safe just because they say they are. There is no external or independent audit of such companies, so you don't know those people and you are not familiar with the mechanisms that protect your password lists. The company does not disclose its algorithms and protection mechanisms and, if your password is stolen by a hacker from such an online depository, you are unlikely to know when, how, and why it happened.

4) Cloud services are not fool-proof. For example, I have often been in a situation where Lastpass automatically suggests that I should update my login information for a web service even though I entered no new password and did not ask for it. If I click the update button at some point, my old good password would likely be deleted and replaced with an empty one. This feature was designed for the convenience of users, and as we all know, more convenience means less security.

5) Both local and cloud services can be paid, although some of them are totally free.

What to do?

To the benefit of Password Managers, I must say that I use one of them a lot (Lastpass). Their autofill feature is brilliant, saving a great deal of time and effort. But my key assets and services, including the Master Password to the Password manager itself, need an additional layer of protection, so I prefer to keep them elsewhere.

For this purpose I use a service called Safer Password, which my colleagues developed at Bizpages.

The idea behind this utility is simple: instead of making up a longer phrase and manipulating it using various patterns for each website, email account, etc., the user should generate a password that is an encrypted text made of two words: a strong single Master Password and a simple open password. The beauty of this system is that you can write open passwords anywhere: on a yellow sticker stuck to your display, in a text file on your computer, etc. The open password is usually short and easy to remember and write down.

The open algorithm is simple and fully implemented in JavaScript: the system suggests that you print it out on paper and keep it for further use in case the utility webpage cannot be opened. By following a few simple steps you can restore the password on third-party resources. Its cryptographic strength is based on SHA1, a hashing function that is being used by the U.S. Government for security purposes.

Moreover, the Safer Password utility webpage remains fully functional even if saved onto your hard disk as a full HTML page. As such, it can also be copied to a flash drive as a backup.
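The master-plus-open-password idea described above, as an added sketch for Node.js that is not the Safer Password utility's code. The page does not give the utility's exact algorithm, so this assumes PBKDF2-HMAC-SHA1 with the master password as the key and the open password as the salt, a constructed alphabet, and constructed sample inputs; the iteration count is there because a single fast SHA-1 pass would let anyone who obtains one derived password test master-password guesses at hash rates like those cited earlier.

```javascript
// Added example (not the utility's code): derive a per-site password from a
// master password and a short "open" password. Nothing is stored anywhere;
// the same two inputs always reproduce the same output.
const { pbkdf2Sync } = require("crypto");

// Constructed alphabet for this sketch; the page does not list the symbols
// the utility uses.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!?-#";

// Map bytes to symbols with rejection sampling so that every symbol is
// equally likely (a plain modulo would favour the first symbols).
function encode(bytes, length) {
  const limit = 256 - (256 % ALPHABET.length);
  let out = "";
  for (const b of bytes) {
    if (b >= limit) continue; // discard values that would introduce bias
    out += ALPHABET[b % ALPHABET.length];
    if (out.length === length) return out;
  }
  throw new Error("too few usable bytes; derive more key material");
}

// iterations = 1 is a single HMAC-SHA1 pass per 20-byte block, which is cheap
// to guess against. A large count makes every master-password guess cost that
// many passes, for the legitimate user and for an attacker alike.
function derivePassword(master, open, { iterations = 200000, length = 16 } = {}) {
  if (!master || !open) throw new Error("master and open password are required");
  const raw = pbkdf2Sync(master, open, iterations, length * 4, "sha1");
  return encode(raw, length);
}

// Constructed sample inputs: one master password, two open passwords.
const SAMPLE_MASTER = "constructed master phrase";
console.log("mail:", derivePassword(SAMPLE_MASTER, "mail"));
console.log("bank:", derivePassword(SAMPLE_MASTER, "bank"));
```

In any scheme of this kind the open password can be public, but the master password protects every derived password at once, so its strength and the iteration count set the real security level.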