Password hygiene. How to create strong passwords and manage them?

Every time you sign up for a new online service, you have to create a password. As a security measure, the site will usually ask for a strong password that is hard to guess: a mix of letters and digits, special characters, at least one uppercase letter and a minimum length. On top of that, the password should be unique to that site.


There are good security reasons behind each of these requirements: the more complex your password, the harder it is for an attacker to crack. You can create one or two such passwords, but how would you remember 10+ of them without writing them down anywhere? (Writing them down is not good practice anyway.) So what is the best way to create a password that meets all the requirements every time, and to store it securely so you can access it whenever you need it? And what is the best way to protect your credentials from theft?

Enable MFA/2FA

Multi-factor (MFA) or two-factor (2FA) authentication adds a layer of protection to your online accounts. If your password is compromised, the attacker still needs the second authentication factor to get into the account. You can receive a one-time password on your mobile phone, install an authenticator app such as Google Authenticator on your iOS or Android phone, or use FIDO/U2F hardware tokens on sites that support them. The best practice is to enable MFA/2FA on all your online accounts wherever it is available.

Check HaveIbeenPwned

HaveIBeenPwned (HIBP) is a free service created and maintained by @troyhunt. It indexes credentials leaked in data breaches. You can enter your email address and check whether your account was part of any known breach, and you can also check a password to see whether it has been exposed in a breach. Subscribe to HIBP to get notified if your account turns up in a new breach.


Use Password Managers

Password managers help you create unique, complex passwords every time and store them securely. All you need to remember is the master password for the password manager. With the browser plugins some password managers offer, credentials are filled in automatically when you visit a site. Don’t forget to enable MFA/2FA on your password manager too. There are many password managers on the market; let’s take a look at some of them.


LastPass

LastPass uses AES-256 encryption with PBKDF2-SHA-256 and salted hashes. It claims that 13,000,000 people use LastPass, including 43,000 businesses. It has a free version with unlimited password storage, and the premium version is priced at $3/month with more advanced features. It has a built-in audit tool called ‘Security Challenge’ that checks the quality of your existing passwords, finds duplicates and compromised passwords, and gives a final score.

LastPass Security Challenge

1Password

1Password uses AES-256 encryption and PBKDF2-HMAC-SHA256 for key derivation, which makes it harder for someone to repeatedly guess your Master Password. 1Password does not have a free plan; pricing starts at $2.99/month. 1Password has partnered with HIBP, so if your account is part of any new breach you will be notified through its Watchtower feature.
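Both the LastPass and 1Password descriptions above rely on the same idea: the master password is not used directly but run through salted PBKDF2-HMAC-SHA256 to derive the AES-256 vault key, so every guess at the master password costs a full PBKDF2 run. The block below is an added illustration of that scheme, not either product's code; the iteration count is a constructed demo value, not a vendor's setting.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # constructed demo value; real products tune their own counts


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 stretched to a 32-byte key, the size of an AES-256 key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def enroll(master_password: str, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Pick a fresh random salt per vault, so two users with the same master password
    get different keys and a precomputed table of hashes is useless."""
    salt = os.urandom(16)
    return salt, derive_vault_key(master_password, salt, iterations)


def verify_master_password(candidate: str, salt: bytes, expected_key: bytes,
                           iterations: int = ITERATIONS) -> bool:
    """Re-derive and compare in constant time (no early exit on the first wrong byte)."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), expected_key)


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Rough single-core guess rate for a given iteration count. Each guess costs one
    full derivation, so raising the count slows an offline attacker who has stolen the
    encrypted vault by the same factor, while the legitimate user pays it once per unlock."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    salt, key = enroll("correct horse battery staple")
    print("unlock with right password:", verify_master_password("correct horse battery staple", salt, key))
    print("unlock with wrong password: ", verify_master_password("Correct horse battery staple", salt, key))
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: ~{guesses_per_second(n):.0f} guesses/s on this machine")
```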

1Password Watchtower

Dashlane

Dashlane is another competitive player in this space. It uses a symmetric AES-256 key to encrypt and decrypt the user’s personal data on the user’s device. It has a free plan that stores 50 accounts and a premium plan priced at $3.33/month. Password Health in Dashlane monitors your passwords and scores them, and it monitors for breached passwords as well.

Dashlane Password health

There are more on the list; see below for a quick summary from Wikipedia:

| Name | License | OS Support | Browser Integration | Delivery Format |
|---|---|---|---|---|
| 1Password | Proprietary | Android, iOS, macOS, Windows | Yes | Local installation with Cloud sync |
| Bitwarden | GPLv3 | Android, iOS, Linux, macOS, Windows | Yes | Local installation, Cloud-based |
| Dashlane | Proprietary | Android, iOS, macOS, Windows | Yes | Local installation with Cloud sync |
| Enpass | Proprietary | Android, BlackBerry 10, iOS, Modern Windows, Windows Phone; Desktop: macOS, Windows, Linux | Yes | Local installation with Cloud sync |
| GNOME Keyring | GPLv2+ | Unix-like | Integration with GNOME Web and Chromium, through unofficial add-ons for Firefox | Local installation |
| Intuitive Password | Proprietary / Freemium | Android, iOS, Linux, macOS, Windows, Windows Phone | Yes | Cloud-based |
| KeePass | GPLv2 | Windows (unofficial ports: Android, iOS, Linux, macOS, Windows Phone) | Through auto-typing | Local installation, optional file or cloud sync |
| KeePassX | GPLv2 | Windows, Linux, macOS | Through auto-typing | Local installation |
| KeePassXC | GPLv2 | Windows, Linux, macOS | Yes | Local installation |
| Keeper | Proprietary / Freemium | Android, iOS, Kindle, Linux, Nook, macOS, Windows, Windows Phone | Yes | Local installation with Cloud sync |
| Keychain | APSL | iOS (as iCloud Keychain), macOS | In iCloud version | System utility |
| KWallet | GNU GPL | Unix-like | Integration with Konqueror and Chromium, through unofficial add-ons for Firefox | Local installation |
| LastPass | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Cloud-based with Local installation option available |
| Meldium | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Cloud-based |
| Mitro (defunct) | GPLv3 | Cross-platform (browser extension) | Yes | Cloud-based |
| Mitto | Proprietary / Free service | Cross-platform (browser extension) | Yes | Cloud-based |
| Myki | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Local installation with Cloud sync |
| oneID (defunct) | Proprietary / Freemium | Cross-platform (browser extension and mobile app) | Yes | Local installation with Cloud sync |
| pass | GPLv2+ | FreeBSD, Linux, macOS | Through Firefox add-on | Local installation with git sync |
| Password Safe | Artistic License 2.0 | Android, iOS, Linux (beta), FreeBSD (beta), Windows (unofficial ports: macOS, Windows Phone) | Through auto-typing | Local installation |
| Pleasant Password Server | Proprietary | Cross-platform (browser extension & mobile app) | Yes | Local installation |
| Psono | Apache 2.0 | Cross-platform (browser extension) | Yes | Local installation with Cloud sync |
| SafeInCloud | Proprietary | Android, iOS; Desktop: macOS, Windows | Yes | Local installation with Cloud sync |
| Yojimbo | Proprietary | macOS, iOS (iPad only) | No | Local installation with Cloud sync |

What’s your preferred password manager? Share it in the comments below.
