Lately I have sat down to talk with a couple of different groups of people working outside of tech. As someone working in cybersecurity, there were a few statements where I had to interject. This post is the result of those discussions, and aims to be a reference anyone can use to improve their security, no great technical skill required. I will focus on how we secure our accounts, and in particular on the login experience.
The Problem
The problem with passwords is that they are guessable. We in the industry have long tried to make it harder for attackers to guess or steal users' passwords, much to the detriment of the users. By increasing the requirements, the user is forced to use tricks to have a chance of remembering their passwords: reusing passwords, writing the password on a note on the desk, or building it from some (guessable) personal information. All of these are detrimental to the security of the account.
So what can we do? Let's break down some recommendations and risks:
Password Length and Complexity
Every time you create a new account online, you are asked to create a new password. Usually there is a password length requirement, as well as a requirement to use at least three of: upper case, lower case, numbers and special characters. But how much do these rules actually add to the security of the password?
XKCD has a well-known comic about this, pointing out that a random string of characters does not add as much security as it adds headache for the user. A better approach is to use four random words as a password, or even a whole passphrase. This increases the security while keeping the password easy to remember.
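As an added illustration (not from the original post), here is a small Python script that puts numbers on the comic's point: it computes the entropy of a random character password versus a random-word passphrase and generates a passphrase the safe way. The word-list sizes, the 95-symbol keyboard alphabet and the guessing rate are assumptions, and the calculation assumes every character or word is chosen uniformly at random, which people picking their own passwords never do.

```python
import math
import secrets

# Constructed assumptions for this example: a word list of 7776 words (the size
# of a Diceware list) and a keyboard alphabet of 95 printable ASCII symbols.
WORDLIST_SIZE = 7776
KEYBOARD_SYMBOLS = 95
# A tiny constructed word list so the generator runs offline; a real passphrase
# generator would load the full 7776-word list instead.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "pillow",
                "quartz", "meadow", "lantern", "cactus", "velvet", "summit"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` items each chosen uniformly at random
    from `alphabet_size` possibilities: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years an attacker needs to try every possibility at the given rate.
    The rate is a constructed assumption (offline cracking of a fast hash)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words: list, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words with the OS CSPRNG (never random.choice for this)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_policies() -> dict:
    """Entropy of a few password styles, all assumed uniformly random."""
    return {
        "8 chars, full keyboard": entropy_bits(KEYBOARD_SYMBOLS, 8),
        "4 words (2048-word list)": entropy_bits(2048, 4),   # XKCD's figure
        "4 words (7776-word list)": entropy_bits(WORDLIST_SIZE, 4),
        "5 words (7776-word list)": entropy_bits(WORDLIST_SIZE, 5),
    }


if __name__ == "__main__":
    for style, bits in compare_policies().items():
        print(f"{style:26s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.1e} years")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Four random words from a 7776-word list land at roughly the same strength as eight truly random keyboard characters while being far easier to remember, and a fifth word pushes well past it.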
Password Rotations
For a while it was recommended to force password rotations to ensure that even if a password was stolen, it had a limited lifespan. However, this makes it even more difficult for users to remember their passwords, meaning that the passwords in use get worse.
Of course you will need to change your password if it gets leaked or stolen, but until then it is better to choose a good password and keep it. A long and unique password will keep your login secure without needing frequent changes.
Two Factor Authentication
The best way to mitigate the risks with passwords is to not fully trust them. By requiring a second factor for authentication, the security skyrockets. My recommendation is to use a two factor authentication app (such as Google Authenticator) for all services that allow it. This makes signing in a bit more tedious, but it is 100 % worth it if it saves you from being hacked.
There are a couple of different ways two factor apps can be used. The most common is that the app generates a rotating 6 digit code that you enter as a second password. The service can then verify that you have the same app you set up when creating the account. Another alternative is that when you sign in you are shown a number, which you enter into your app to confirm that you are the one trying to sign in.
The main thing with two factor authentication is to only approve sign-ins that you have initiated yourself. Never give your two factor code to someone who calls you, and never enter it on a website you do not trust.
Password Managers and Login with other Services
The sheer number of accounts we all use regularly makes it almost impossible to remember every password. There are therefore two alternative ways to minimise the number of passwords you need to remember.
First, there are password managers. This is software that helps you create and remember good, unique passwords. By storing the passwords and syncing them between devices, it lets you remember just a single master password. Sure, there is a small risk in putting all this information into one piece of software, but compared to the risk of using bad passwords it is manageable. However, you could still memorise a couple of your most important passwords (e.g. your bank login), ensuring they are not compromised if your password manager is.
An alternative is to use “Log in with XXX”. This feature means that instead of creating a new login, your account is linked to another service (such as Google or Facebook), and that service is used to sign in. This also means you do not need to remember a password. However, it comes at a cost: your privacy. Whenever you sign in with another service, that service knows that you signed in. If that is something you are OK with, you can keep using the feature; otherwise you will have to look for other ways forward.
Passwordless Authentication
There is a new way of signing in beginning to gain popularity: passwordless sign-in. The technology behind it is quite interesting and might be a topic for a future blog post. However, there are few sites where it is implemented, so I will just leave this as a teaser.
Summary
So there are many risks with passwords, and it is difficult to keep up whenever best practices change. At the time of writing, I would give two recommendations.
- Everyone should use two factor authentication. It is the best way to secure your accounts, and should be the bare minimum for important accounts.
- For those who want to take an extra step and improve their security posture, a trusted password manager is a great investment. It might take some time, but when you no longer have to remember your passwords you will thank me. If you want to learn more about password managers, I have heard good things about both Bitwarden and 1Password.
Stay secure out there!
