Today I recorded a trial expert council response for The Survival Podcast on a question about passwords, and I thought it would be useful for others too, so I'm typing it out here in my blog. The question was simple: how long should my password be? The quick answer is that if you create passwords from a random combination of uppercase and lowercase letters, numbers and special characters, a password 12 characters long is long enough for most everyone. Hive Systems put together a chart showing the estimated time to brute force a password based on its number of characters and complexity. Want to go down the rabbit hole on this? Dan Wheeler has an interesting article on estimating password strength.
Another approach, with systems that allow for much longer passwords, is to use a number of truly randomly selected words. Bitcoin seed phrases use 12 or 24 words. You can use the same type of approach with fewer words from a larger list. To get a similar level of password strength, you'll need four or more words, and the result will be much more than 12 characters long. It's easy to remember, but harder to ensure randomness and more to type.
While the question was straightforward, given the importance of passwords, I thought it’d be useful to discuss a bit more about passwords. They protect so much and most people give them very little thought. Obviously, what actions you need to take are going to depend upon your threat level. My focus today and most days is just regular folks. If you’re a potential target with a very large publicly known wealth or other elevated risks, you should plan on being more careful and doing more to protect yourself and your accounts. And of course, protecting your little league calendar is much less critical than your bank account.
Now, no matter how strong your password is, if you give it away, it does you no good. So you need to always be careful when entering your password that the website or application you’re entering it into is actually the correct one. There’s a number of email phishing schemes, social engineering, fake websites, a number of different ways that people may be trying to get your information from you. Be careful and protect yourself.
Even if you never mess up, it is possible that the site you're accessing might have a breach on their side and your ID and password may get leaked. This is why it's crucial that you do not reuse passwords. If a criminal has your password for one site, they will then try that same password on a large number of other sites: banks, brokerages, email accounts, anything else that might be a higher value target where they think you might have an account. You do not want one failure to result in more failures as they get into more and more of your accounts.
Now, most of us do have a lot of accounts these days: email, social media websites, streaming services, financial accounts, calendar apps, and many, many more. Having a long, random, unique password for each is safe. But you also have to be able to remember these and enter these passwords every time you need access. How do you keep track of all of these? You need a password manager.
A password manager will store your user ID and password for each of these different places and make it easy to find the right user ID and password when you’re trying to connect in. As part of that they also make it easier for you to copy and paste. You don’t have to risk mistyping a long complex password. Click here, click there, boom, and you’re ready to go. As a bonus, almost all password managers today will suggest secure random passwords for you. So when you’re creating a new password, you don’t have to worry about if it’s secure or not. Password managers will also encrypt all of your passwords to prevent anyone else from being able to access them. So all you need to do is remember the one master password for your password manager.
Having decided to use a password manager, which password manager should you use? There's a number of free and paid products out there that you can use. In addition, your browser and your mobile device likely already have a password manager built in. I use Firefox. It's got a password manager built in. I have an iPhone. It has a password manager built in. Most likely yours does too. You can do some research, find a password manager that you like and use that. The reality of it is any password manager is going to do a far better job than storing your passwords in a spreadsheet, on Post-it notes or anything along those lines.
Personally, I use a product called Vaultwarden that I self host on my StartOS server. You should pick what works for you.
Next, for important accounts, you should take advantage of two factor authentication by enabling it whenever possible. This is when, in addition to your password, a second authentication is required to gain access to the account. Generally, it's something like a random number that they send you via text message to your cell phone, or sometimes to your email account. There are also authenticator apps that you can use instead. These programs run on your phone or on your computer and do the same thing: generate a number that you type in as a secondary authentication. By using an authenticator app, you can protect yourself from what's called a SIM swapping attack, where someone has your text messages routed to their phone, not yours. SIM swapping attacks aren't particularly common, but they do happen. It's something you should be aware of and be careful about. Two factor authentication gives you an extra level of protection and is well worth it.
One last piece of advice. As important as it is to protect your passwords from bad people, you also want to make sure that you have a plan in place in case something happens to your password manager or to you. So if your password manager runs locally on your device, consider an encrypted cloud backup. If the password manager runs in the cloud, consider a local backup. Also, give some thought as to what you would do if you were to ever forget your master password, or if something were to happen to you. Is there a copy of the master password hidden somewhere or with a trusted person? Do you have a plan in place that allows you to recover in cases like this?
In summary:
- Use strong passwords.
- Make sure that when you're entering passwords, you're on the correct website or in the correct application.
- Do not reuse your passwords.
- Use a password manager to protect your passwords.
- Use two factor authentication for important accounts whenever possible.
- Make sure your passwords are backed up and you have a plan in place in case something happens.
If you have questions, or just need some help and handholding, contact me and let me help you.