Password basics

jameshofstra edited this page Mar 1, 2017 · 4 revisions

Passwords (and their variant forms known as PINs and passphrases) are near-universally used in computers, mobile devices, network protocols, and web applications to authenticate you as a user. In short, a password is supposed to be a string of characters known only to you; it is something you know. Other types of authentication may be based on something you have (such as a hardware token) or something you are (a biometric, such as your fingerprint).

You're (probably) doing it wrong

Unfortunately, much of the prevailing password advice is decades old and fails to address the proliferation of devices, online accounts, and more powerful computers. Here is an example from the passwd man page:

As a general guideline, passwords should consist of 6 to 8 characters including one or more characters from each of the following sets:

· lower case alphabetics
· digits 0 thru 9
· punctuation marks

Compromises in password security normally result from careless password selection or handling. For this reason, you should not select a password which appears in a dictionary or which must be written down. The password should also not be a proper name, your license number, birth date, or street address. Any of these may be used as guesses to violate system security.

Password strength

Most human-selected passwords of 8 or fewer characters are easily cracked or guessed by today's computers. Longer passwords are nearly always better, although several websites and legacy systems impose a limit on the allowed length of a password. (Early Unix-based systems truncated passwords to 8 characters, which fits the advice from passwd.) The use of mixed-case letters, numbers, and any other symbols on the keyboard to make a password complex can also help, but often leads to common substitutions in passwords (for instance, replacing s with $).

This TED talk by Lorrie Faith Cranor demonstrates some of the pitfalls in creating passwords that are both strong and memorable. Generally, passwords that are randomly generated are more difficult to guess compared to human-selected passwords.
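The claim that random passwords beat human-chosen ones comes down to entropy: a string whose every position is drawn uniformly from an alphabet of N symbols carries log2(N) bits per position, regardless of which "complex" characters happen to appear. The following is an added example (not code from this wiki, KeePassX or any project it mentions) that generates passwords and word-based passphrases from the OS CSPRNG and reports their entropy; the 10-billion-guesses-per-second rate and the eight-word list are constructed illustrations only, and a real passphrase list would hold thousands of words.

```python
import math
import secrets
import string

# Alphabets a random generator might draw from, with their sizes.
ALPHABETS = {
    "lowercase": string.ascii_lowercase,                                    # 26 symbols
    "alphanumeric": string.ascii_letters + string.digits,                   # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation, # 94 symbols
}

# Constructed, deliberately tiny word list. A real passphrase generator uses a
# list of several thousand words so that each word contributes ~12-13 bits.
SAMPLE_WORDS = ["anchor", "bishop", "candle", "dragon", "ember", "falcon", "glacier", "harbor"]

# Assumed attacker guess rate, used only for the illustration (10 billion/s).
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose every position is chosen uniformly at random
    from alphabet_size symbols: length * log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALPHABETS["printable"]) -> str:
    """Each character comes from the OS CSPRNG via secrets, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Words drawn uniformly with replacement; entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def expected_crack_years(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to find a uniformly random secret: the keyspace has 2**bits
    entries and on average half of it must be tried."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def strength_table(lengths=(8, 12, 16, 24)) -> dict:
    """Entropy in bits for every alphabet/length pair, keyed by alphabet name."""
    return {name: {n: entropy_bits(len(alpha), n) for n in lengths}
            for name, alpha in ALPHABETS.items()}


if __name__ == "__main__":
    for name, row in strength_table().items():
        for n, bits in row.items():
            years = expected_crack_years(bits)
            print(f"{name:>12} x{n:>2}: {bits:6.1f} bits, ~{years:.2e} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
    print("random password  :", generate_password())
    print("random passphrase:", generate_passphrase(),
          f"({entropy_bits(len(SAMPLE_WORDS), 6):.0f} bits with this tiny list)")
```

Run it and the table makes the "8 or fewer characters" point concrete: eight lowercase letters are about 37.6 bits, which the assumed rate exhausts in seconds, while sixteen printable characters are about 105 bits. The entropy figures only hold for passwords actually produced by the generator; a human-chosen string that merely looks random gets no such guarantee.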

Password reuse

Many people, in heeding the outdated advice to use complex passwords and never write them down, decide to apply the same complex password on all of their accounts.

This is extremely risky, and decidedly worse than using multiple passwords that are weaker, but unique. Many websites do not handle user passwords in a safe manner, so it's quite possible for an attacker to break into a vulnerable website and discover your password. The attacker can then use your password to log in on any other sites where you use that password. This is how most accounts are "hacked" today.

Some people try to be clever by using a random base password and appending the name of the service they want to log in to (for instance, 44[A<d + github would give a password for GitHub). Although this means that each password is technically different, modern password-cracking techniques can recognize this strategy and adjust for it.

Therefore, it's best to use totally unique passwords for each site, and it's OK to write them all down.

Password management software

It can be very difficult to remember dozens of unique, strong passwords, but it's also dangerous to use the same password on multiple accounts. A password manager solves this dilemma; it keeps track of all your accounts and passwords for you.

In addition, it protects this information by storing it in an encrypted database, accessible only with a passphrase you provide when setting up the password manager. So you will still need to remember a password, but it's far better than remembering a dozen passwords or reusing the same password.

A good FOSS password manager is KeePassX, which is based on the Windows application KeePass. There are also several online password management services, which have the advantage of easily synchronizing with all your devices but usually require a paid subscription to do so.

Keep backups

The passwords you store in the password manager are essential pieces of information for ensuring timely access to your accounts and other data. Thus, you should regularly make backup copies of the encrypted database in order to protect it against a catastrophic failure.

"Failure" could result from an error in the password manager itself, a mistyped command, other software on your computer (including malware), or a failure of your computer's hardware. In any of these cases, the encrypted data could be left irretrievable.

If you already keep regular backups of your other files, add your password manager's database to your backup routine. If you aren't backing up your files yet, you should start doing so as soon as possible.

When to change your password

It is widely recommended to change your password for a given site as soon as possible following news of a breach and/or following a compromise of your computer or account. In addition, if you happen to use the old password anywhere else, you should change your password on those sites as well, and start using unique passwords.

It's also quite common for employers, academic institutions, and government sites to require changing a password every N months (where N is a small number). While these policies are annoying, it is very important to obey them, if for no other reason than to avoid discipline from the IT department.

Outside of these scenarios, it's unlikely that you will need to change your passwords on a regular basis. However, it's worthwhile to upgrade from a weak password to a stronger password.

Security questions

Many sites use "security questions" to allow users to reset their password if it is forgotten. These questions are often based on personal information, such as "What was the model of your first car?" or "What is your mother's maiden name?".

Decades ago, these questions may have been obscure enough to prevent anyone other than close family and friends from guessing correctly (assuming your answers are honest). However, the rise of social media has led to a lot of people posting their personal information, making it available to the public. Thus, it's often trivial for an attacker to find out the answers to "security questions" and gain unauthorized access to your account. (Even if you avoid social media platforms such as Facebook, your friends and family probably use them, so it's difficult to mitigate this risk.)

To make this sort of attack more difficult, you may want to treat "security questions" like a secondary password. Give random, difficult-to-guess answers, write them down or print them out, and keep them in a safe place. (Since "security questions" are meant as a recovery mechanism, you should avoid storing them in your password manager alone.)

Two-factor authentication

You may have heard of two-factor authentication in news reports, or in announcements from websites you use. But what is it, anyway?

Simply put, two-factor authentication means you need to provide two pieces of information instead of just your password. The first "factor" is almost always your password for the site/service. The second "factor" can take several different forms depending on the site/service, but typically it involves receiving a temporary code on your phone and typing it in while it is valid.

You can check which popular websites support two-factor authentication here. Additionally, read the Help or Support sections on any websites you have accounts with in order to see their instructions for setting up and using two-factor authentication.

Apple

Confusingly, Apple has two different two-factor authentication systems. The original, more compatible system is named "Two-Step Verification" while the newer system is named "Two-Factor Authentication". Here are the major differences:

  • Two-Step Verification
    • Works with most recent Mac OS and iOS versions, plus iTunes/iCloud for Windows and icloud.com.
    • Signing in requires your password, plus either a 4-digit code from a trusted device or your Recovery Key.
    • Trusted devices are added on your Apple ID account page.
    • If you forget your password, you need your Recovery Key and a code from a trusted device in order to reset your password.
  • Two-Factor Authentication
    • Requires at least one device with Mac OS X 10.11 or later, or with iOS 9 or later.
    • Signing in requires your password, plus a 6-digit code or confirmation from a trusted device.
    • Mac OS and iOS devices automatically become trusted (and can receive codes) after they are signed in.
    • If you forget your password, you need to request account recovery, which can take several days to process.

Steam

Valve eschews the standards used by many websites and authenticator apps, opting instead to implement two-factor authentication via the Steam mobile app (which requires your mobile phone number to set up). If you don't use the app, Valve imposes temporary trade blocks on any inventory items you try to sell.

Full-disk encryption

The password on your operating system's user account protects it against unauthorized access. However, the files stored on your hard drive or SSD are normally left unencrypted; this means someone with physical access to your computer can boot into their own system, clone the data from your disk, and access your files.

The recommended defense for this sort of attack is full-disk encryption. This requires you to type a passphrase when booting your operating system; the passphrase is used to derive the encryption key that encrypts and decrypts your filesystem. Here are some details by OS:

  • Linux: Many distros are capable of using Linux Unified Key Setup (LUKS) to provide filesystem encryption. Some distros such as Ubuntu allow you to set up LUKS as a step within the installer.
  • Mac OS: You can enable File Vault in your Mac's System Settings; this will by default encrypt the entire disk. If you dual-boot with Windows or Linux, setting up File Vault becomes more complicated.
  • Windows: Traditionally, Windows uses BitLocker (in Professional versions of Windows) to provide full-disk encryption. Some newer computers running Windows 10 allow you to enable Device Encryption if you have a Microsoft account. Device Encryption is similar to using BitLocker, but the catch is that the encryption keys are backed up to your Microsoft account (so Microsoft could potentially use them to transparently provide data for law enforcement).
  • iOS: Recent versions of iOS automatically encrypt your data, as long as you set a PIN or password to unlock your device.
  • Android: You can enable device encryption in Settings -> Security.
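Both the password manager's encrypted database (above, under "Password management software") and full-disk encryption rely on the same step: a passphrase is stretched through a salted, deliberately slow key derivation function to produce the actual encryption key, and a small check value lets the software reject a wrong passphrase before touching any data. The following added example (not code from this wiki, KeePassX, LUKS, FileVault or BitLocker, each of which has its own format) shows that step with PBKDF2-HMAC-SHA256 from the Python standard library. The header layout, the `vault-key-check` label and the iteration count are assumptions made for the illustration; the derived key would then feed an authenticated cipher, which is outside this block.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. It is stored in the header next to the
# salt so it can be raised later without breaking existing databases.
DEFAULT_ITERATIONS = 200_000
KEY_LEN = 32                       # 256-bit key for the data-encryption layer
CHECK_LABEL = b"vault-key-check"   # constant input for the key-check value (assumed)


def derive_key(passphrase: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stretch the passphrase into a fixed-length key. The salt makes the same
    passphrase yield different keys in different vaults (no precomputed tables),
    and the iteration count makes each guess expensive for anyone who has a
    copy of the encrypted file."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def create_vault_header(passphrase: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Setup time: record salt and cost, plus a key-check value so that a wrong
    passphrase can be rejected up front. The verifier is an HMAC under the key
    over a constant, so it reveals neither the key nor the passphrase."""
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, salt, iterations)
    verifier = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, passphrase: str):
    """Open/boot time: re-derive the key from the stored salt and cost and compare
    the check value in constant time. Returns the key, or None on a wrong passphrase."""
    key = derive_key(passphrase, header["salt"], header["iterations"])
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")
    print("salt:", header["salt"].hex(), "iterations:", header["iterations"])
    print("right passphrase unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong passphrase unlocks:", unlock(header, "correct horse battery stapel") is not None)
```

The practical consequence for the advice above: because the only thing standing between an attacker with a copy of the file and the key is this derivation, the master passphrase has to be long and random rather than merely "complex", and a backup of the database is useless without it.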