Password hygiene. How to create strong passwords and manage them?
Every time you sign up for a new service online, you have to create a password. As a security measure, every site will ask you to create a strong password that is hard to guess: a mix of letters and numbers plus special characters, at least one uppercase letter, and a minimum length. On top of that, the password should be unique.
There are security reasons behind each of these requirements. The more complex your password is, the harder it is for a hacker to crack. You can create one or two such passwords, but how would you remember 10+ of them without writing them down anywhere? Writing them down is not good practice anyway. So what’s the best way to create passwords that meet all the requirements every time, store them securely, and access them easily? And what’s the best way to protect your credentials from theft?
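The requirements listed above (length, mixed character classes, uniqueness) are easy to satisfy mechanically once a cryptographic random source does the work. The following Python is an added example, not code from the original post: it generates policy-compliant passwords from the operating system's CSPRNG and puts a number on "harder to crack" by computing the entropy of a uniformly random string and the worst-case time to exhaust it. The policy (12+ characters, one of each class) and the guessing rate of 10^12 per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the sign-up rules above ask for (assumed policy).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation                  # 32 ASCII symbols
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 94 characters in total


def meets_policy(password: str, min_length: int = 12) -> bool:
    """True when the password has the minimum length and one of each class."""
    return (
        len(password) >= min_length
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Generate a policy-compliant password from the OS CSPRNG.

    Rejection sampling (draw, test, redraw) keeps every accepted password
    equally likely among compliant strings. Forcing "one symbol in slot 0"
    would satisfy the form but skew the distribution and cost entropy.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to hold one of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every string of the given entropy at a fixed
    offline guessing rate (the rate is an assumption, not a benchmark)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw))
    for n in (8, 12, 16):
        bits = entropy_bits(n)
        print(f"{n} chars: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e12):.3g} years at 1e12 guesses/s")
```

The rejection loop terminates quickly because a 16-character draw from a 94-symbol alphabet almost always contains all four classes; the point of keeping it rather than inserting a forced symbol is that a generated password should be uniformly random over the compliant set, which is the assumption behind the entropy figure.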
Multi-factor or two-factor authentication (MFA/2FA) is an additional layer of protection for your online accounts. If your password is compromised, the attacker still needs the second authentication factor to get into the account. You can receive a one-time password on your mobile phone, install an authenticator app such as Google Authenticator on your iOS or Android phone, or use FIDO/U2F hardware tokens on sites that support them. The best practice is to enable MFA/2FA on all your online accounts wherever it is available.
HaveIBeenPwned (HIBP) is a free service created and maintained by @troyhunt. It contains credentials leaked in data breaches. You can enter your email address and check whether your account was part of any security breach. You can also check your passwords to see whether they were exposed in any data breach. Subscribe to HIBP to get notified if your account is exposed in a new data breach.
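Checking a password against HIBP sounds like it requires handing the password to a third party, but the Pwned Passwords range API uses a k-anonymity scheme: the client sends only the first five hex characters of the password's SHA-1 hash and receives every known hash suffix under that prefix with its breach count, then matches locally. The Python below is an added example written for this post, not HIBP's own client code. It does no network I/O: the range response is constructed for the example (the first line completes the real SHA-1 of the string "password"; the other suffixes and all counts are made up), and `offline_fetch` stands in for the HTTP call to the real endpoint.

```python
import hashlib
from typing import Callable, Tuple

# Shape of the real endpoint, for context only; this example never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-character prefix is sent; the 35-character suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if absent."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Number of times the password appears in HIBP's corpus (0 = not found).
    `fetch` takes the 5-char prefix and returns the response body."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample of a range response for prefix 5BAA6. Line 1 is the
# genuine SHA-1 suffix of "password"; the rest of the data is invented.
SAMPLE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
00000000000000000000000000000000000:7
ABCDEF0123456789ABCDEF0123456789ABC:2
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET, so the example runs without network access."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "aVery-long-and-unusual-Passphrase#42"):
        prefix, _ = split_for_range_query(pw)
        print(f"{pw!r}: prefix sent = {prefix}, "
              f"breach count = {breach_count(pw, offline_fetch)}")
```

A real response for one prefix runs to several hundred suffixes, so the service learns only which 1-in-1,048,576 bucket the hash fell into, never the password or its full hash; the matching step is the client's job, which is why it belongs in local code like `count_in_range_response`.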
Use Password Managers
Password managers help you create unique, complex passwords every time and store them securely. All you need to remember is the master password for the password manager. With browser plugins, some password managers fill in your credentials automatically when you visit a site. Don’t forget to enable MFA/2FA on your password manager. There are many password managers on the market; let’s take a look at some of them.
LastPass uses AES-256 encryption with PBKDF2-SHA-256 and salted hashes. It claims that 13,000,000 people use LastPass, including 43,000 businesses. It has a free version with unlimited password storage, and the premium version is priced at $3 / month with more advanced features. It has a built-in audit tool called ‘Security Challenge’ that checks the quality of your existing passwords, finds duplicates and compromised passwords, and gives a final score.
1Password uses AES-256 encryption and PBKDF2-HMAC-SHA256 for key derivation, which makes it harder for someone to repeatedly guess your Master Password. 1Password does not have a free plan; pricing starts at $2.99/month. 1Password has partnered with HIBP, so if your account is part of any new breach you will be notified through its Watchtower feature.
Dashlane is another competitive player in this space. It uses a symmetric AES-256 key to encrypt and decrypt the user’s personal data on the user’s device. It has a free plan that stores 50 accounts and a premium plan priced at $3.33 / month. Dashlane’s Password Health monitors your passwords and scores them, and it monitors for breached passwords as well.
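Both LastPass and 1Password above describe the same construction: the master password is never used as the key directly but is stretched with PBKDF2-HMAC-SHA256 and a salt into a 256-bit AES key, so each guess at the master password costs the attacker the full iteration count. The Python below is an added example of that key-derivation step, not code from any of the vendors named: it derives the vault key, stores an HMAC-based verifier instead of the key so the master password can be checked on unlock, and times one derivation to show where the per-guess cost comes from. The 600,000 iteration count, the 16-byte salt and the verifier label are assumptions for the example; vendors choose their own parameters.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32          # 256 bits, the size of an AES-256 key
ITERATIONS = 600_000  # assumed work factor for this example


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: stretch the master password into a fixed-size key.
    The salt defeats precomputed tables; the iteration count makes every
    guess at the master password cost `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def new_salt() -> bytes:
    """Per-vault random salt, stored in the clear next to the encrypted vault."""
    return os.urandom(16)


def key_verifier(key: bytes) -> bytes:
    """Value that may be stored to check the master password on unlock:
    an HMAC of a fixed label under the derived key, never the key itself."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def unlock(master_password: str, salt: bytes, stored_verifier: bytes,
           iterations: int = ITERATIONS):
    """Re-derive the key and compare verifiers in constant time.
    Returns the key on success, None on a wrong master password."""
    key = derive_vault_key(master_password, salt, iterations)
    return key if hmac.compare_digest(key_verifier(key), stored_verifier) else None


def seconds_per_guess(iterations: int) -> float:
    """Time one derivation on this machine. An attacker's cost per guess on
    comparable hardware scales linearly with the iteration count."""
    start = time.perf_counter()
    derive_vault_key("timing-sample", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = new_salt()
    key = derive_vault_key("correct horse battery staple", salt)
    verifier = key_verifier(key)          # stored with the vault
    print("unlock ok:", unlock("correct horse battery staple", salt, verifier) == key)
    print("wrong pw :", unlock("password123", salt, verifier))
    for n in (1_000, 100_000, ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_guess(n):.4f} s per guess")
```

The verifier is what a password manager can afford to keep on disk: it lets the app reject a wrong master password immediately, while anyone who copies the vault file still has to pay the full PBKDF2 cost for every guess. That cost is the only thing standing between a leaked vault and its contents, which is why the master password itself still has to be long.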
There are more on the list; see the table below for a quick summary from Wikipedia.
| Name | License | OS Support | Browser Integration | Delivery Format |
|---|---|---|---|---|
| 1Password | Proprietary | Android, iOS, macOS, Windows | Yes | Local installation with Cloud sync |
| Bitwarden | GPLv3 | Android, iOS, Linux, macOS, Windows | Yes | Local Installation, Cloud-based |
| Dashlane | Proprietary | Android, iOS, macOS, Windows | Yes | Local installation with Cloud sync |
| Enpass | Proprietary | Android, BlackBerry 10, iOS, Modern Windows, Windows Phone; Desktop: macOS, Windows, Linux | Yes | Local installation with Cloud sync |
| GNOME Keyring | GPLv2+ | Unix-like | Integration with GNOME Web and Chromium, through unofficial add-ons for Firefox | Local installation |
| Intuitive Password | Proprietary / Freemium | Android, iOS, Linux, macOS, Windows, Windows Phone | Yes | Cloud-based |
| KeePass | GPLv2 | Windows (unofficial ports: Android, iOS, Linux, macOS, Windows Phone) | Through auto-typing | Local installation, optional file or cloud sync |
| KeePassX | GPLv2 | Windows, Linux, macOS | Through auto-typing | Local installation |
| KeePassXC | GPLv2 | Windows, Linux, macOS | Yes | Local installation |
| Keeper | Proprietary / Freemium | Android, iOS, Kindle, Linux, Nook, macOS, Windows, Windows Phone | Yes | Local installation with Cloud sync |
| Keychain | APSL | iOS (as iCloud Keychain), macOS | In iCloud version | System utility |
| KWallet | GNU GPL | Unix-like | Integration with Konqueror and Chromium, through unofficial add-ons for Firefox | Local installation |
| LastPass | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Cloud-based with Local installation option available |
| Meldium | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Cloud-based |
| Mitro (defunct) | GPLv3 | Cross-platform (browser extension) | Yes | Cloud-based |
| Mitto | Proprietary / Free service | Cross-platform (browser extension) | Yes | Cloud-based |
| Myki | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Local installation with Cloud sync |
| oneID (defunct) | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Local installation with Cloud sync |
| pass | GPLv2+ | FreeBSD, Linux, macOS | Through Firefox add-on | Local installation with git sync |
| Password Safe | Artistic License 2.0 | Android, iOS, Linux (beta), FreeBSD (beta), Windows (unofficial ports: macOS, Windows Phone) | Through auto-typing | Local installation |
| Pleasant Password Server | Proprietary | Cross-platform (browser extension & mobile app) | Yes | Local installation |
| Psono | Apache 2.0 | Cross-platform (browser extension) | Yes | Local installation with Cloud sync |
| SafeInCloud | Proprietary | Android, iOS; Desktop: macOS, Windows | Yes | Local installation with Cloud sync |
| Yojimbo | Proprietary | macOS, iOS (iPad only) | No | Local installation with Cloud sync |
What’s your preferred password manager? Share it in the comments below.