Worried about your data?
How much of your critical information is stored on your computer? Just about all of your personal and financial secrets – Right?
By Thad Brown
What is the best way to store passwords?
How much personal information is stored on your smartphone? Your computer?
Just about all of your personal and financial secrets. Right?
Now, how comfortable are you with the security of your personal data? Feel a little queasy? If you're unsure, read on for the best ways to store passwords.
According to recent surveys, the average person has 27 to 118 passwords. I would suggest these numbers may even be understated, as I have over 500 passwords. Maybe I'm an outlier though. But, how do we manage and safely store all these passwords?
That's the premise of this post, and understanding and implementing some very simple concepts will allow you to finally be secure with your personal information without freaking out. Or, at least as secure as possible.
Why should I even care?
Many tend to follow the “head in the sand” system for managing their passwords. The primary reason to care should, of course, be the security of our information. There is, however, another practical reason: convenience. How often are you confronted with a website for which you know you've established a password but just cannot get in? Talk about frustrating.
Let's look at some common strategies that many use to store passwords.
The “Modified Standard” method
In this strategy, you've established your primary standard password. Easy to remember and foolproof. You reverse the initials of your name, capitalize the first letter and add the last six digits of your social security number. I mean, who would know “Rb554321” is you?
Now you just need to be ready to modify it as each website demands.
The first site requires a special character also. So, it becomes “Rb554321!” How easy is this?
The next site needs at least ten characters. No problem, you repeat Rb – “Rb554321!bR.” Clever, you've reversed the last two characters just to confuse the hackers.
The next site also needs a special character but only accepts #, $, % and &. Oh well, we'll just change the ! to &.
Pretty soon you've modified your original standard fifty shades of grey, and it's now a hopeless mess.
Not to mention the fact that you've done nothing to enhance your security. Every variant is built from your initials and your social security number, so if any one site leaks it, an attacker can guess the whole family, and the bolted-on “!” or “bR” adds almost nothing once the pattern is known. Certainly, this isn't the best way to store passwords – there has to be a better way.
The “Post-it note” method
This can work. Just write the passwords down and save them on your computer, say in an Excel file entitled “pass.” Even more conveniently, you can write them on a Post-it note and hide it under the keyboard (kind of like you hide the key to your house under your front door mat.)
The write-it-down systems seem to be the antithesis of computer automation, but sometimes old habits die hard. There are a few problems, though. The note with the passwords is not readily available when you're away from the master computer; security is, of course, questionable (an unencrypted spreadsheet is readable by any malware on the machine or by anyone who borrows it); and after a while the note starts to look so ragged that even someone trying to break into your computer couldn't use it.
The “request a new password” method
Since you're the master of options, you've created yet another best way to store your password – just ask for a reset. This gets old, fast, and your security is still only as good as the actual password plus the e-mail account the reset link is sent to, but at least you can forget about memorization. Speed is out the door, but one out of two is not bad. Oh well…
The basics of password strategies
The truth is, we've never really had to deal with such a significant security/convenience quagmire. Today, everything needs to be password protected and yet accessible, and conveniently so. Your bank accounts, your credit cards, your websites, your bills and so on: they all require passwords. Is there an easier way? Let's discuss some basics first.
The password needs to be secure.
That is to say, it must be hard to crack. One of the best and most definitive resources for analyzing the strength of a password is zxcvbn, an open-source password-strength estimator from Dropbox. Rather than just counting character classes, it matches the password against dictionaries, names, dates, keyboard walks and repeated or sequential characters, and reports both the strength of the password, expressed as “entropy” in bits, and an estimate of the time needed to crack it. Treat the crack time as a rough guide: it assumes a particular guessing rate, and an offline attack on a leaked, weakly hashed password can run many orders of magnitude faster than an online attack against a website that throttles login attempts.
Check out your current password. If the crack time is “instant” or some short period, well, let's just say you're in the right place and you need this post.
For example, the passwords above would produce the following results:
- “Rb554321” – entropy – 24.506; crack time – 21 minutes
- “Rb554321!” – entropy – 28.353; crack time – 6 hours
- “Rb554321!bR” – entropy – 41.493; crack time – 6 years
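The numbers above come from zxcvbn, which knows nothing about how these particular passwords were built. To show why a bolted-on suffix buys so little, here is an added example (written for this edit, not code from the post or from zxcvbn) that estimates two things for the same passwords: the naive brute-force entropy an attacker faces knowing only the length and character classes, and the much smaller entropy that remains once the attacker knows the scheme (two initials, six ID digits, a symbol from whatever the site allows). It then converts both into expected crack times at two assumed, hypothetical guessing rates: an online attack throttled by the website and an offline attack on a leaked, fast hash.

```python
import math

# Constructed sample passwords from the "Modified Standard" method above.
SAMPLE_PASSWORDS = ["Rb554321", "Rb554321!", "Rb554321!bR"]

# Assumed attacker guess rates in guesses per second (hypothetical figures):
# a website that throttles logins versus an offline run against a leaked
# hash with a fast algorithm such as unsalted MD5 or SHA-1 on a few GPUs.
GUESS_RATES = {"online_throttled": 1e2, "offline_fast_hash": 1e10}

PUNCTUATION = 33  # printable ASCII symbols plus space


def charset_size(password):
    """Alphabet an attacker must try if all they know is which
    character classes appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += PUNCTUATION
    return size


def naive_entropy_bits(password):
    """Brute-force entropy: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def scheme_entropy_bits(unknown_letters=2, digits=6, symbols=0,
                        symbol_choices=PUNCTUATION):
    """Entropy left once the attacker knows the scheme: a fixed number of
    initials (26 choices each, case fixed by the scheme), a run of ID
    digits (10 each) and a symbol from whatever set the site allows.
    Letters derived from the initials (the 'bR' suffix) add nothing."""
    return (unknown_letters * math.log2(26)
            + digits * math.log2(10)
            + symbols * math.log2(symbol_choices))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the password: half the keyspace on average."""
    return (2.0 ** bits) / 2 / guesses_per_second


def compare(password, **scheme):
    """Naive vs scheme-aware entropy and crack times for one password."""
    naive = naive_entropy_bits(password)
    known = scheme_entropy_bits(**scheme)
    return {
        "password": password,
        "naive_bits": round(naive, 2),
        "scheme_bits": round(known, 2),
        "naive_crack_s": {k: expected_crack_seconds(naive, r)
                          for k, r in GUESS_RATES.items()},
        "scheme_crack_s": {k: expected_crack_seconds(known, r)
                           for k, r in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    # The third site only accepts four symbols (#, $, %, &), so symbol_choices=4.
    cases = [
        compare("Rb554321", unknown_letters=2, digits=6, symbols=0),
        compare("Rb554321!", unknown_letters=2, digits=6, symbols=1),
        compare("Rb554321!bR", unknown_letters=2, digits=6, symbols=1),
        compare("Rb554321&bR", unknown_letters=2, digits=6, symbols=1,
                symbol_choices=4),
    ]
    for c in cases:
        print(f"{c['password']:<14} naive {c['naive_bits']:>6} bits  "
              f"scheme-aware {c['scheme_bits']:>6} bits  "
              f"offline {c['scheme_crack_s']['offline_fast_hash']:.3f} s  "
              f"online {c['scheme_crack_s']['online_throttled'] / 86400:.0f} days")
```

The naive estimate climbs from about 48 bits to about 72 bits as characters are added, while the scheme-aware estimate only moves from about 29 bits to 34, and drops back toward 31 when the site restricts the symbol to four choices. At the assumed offline rate every one of them falls in a fraction of a second.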
The password needs to be memorable.
Okay, so the initials of my name and part of my social security number may be easy to remember, but it's not hard to imagine that some smart hacker has already loaded that information into a wordlist before even beginning to guess my password. Names, initials, birthdays and ID numbers are exactly the things attackers try first.
But we're still left with a big problem. We can't possibly remember all the passwords to the 27 to 118 sites we need to access. Let alone more than 500 sites.
A proposed solution to the best way to store passwords
The answer is pretty simple.
- You establish two to four high-security passwords, let's say with an entropy of 75 bits or higher, that you can remember, and
- use a password protection program to develop and manage the remainder of your passwords.
That's it – 2 easy steps.
Now, let's break that down.
Establish two to four, high-entropy passwords, that you can memorize.
Why two to four passwords?
At a minimum, you need a password for the password program – right? And, it would be nice to have a password for your computer. So that's 2 passwords.
Additionally, you may want memorized passwords for your Amazon and Google accounts. These are not critical, but they are useful as a matter of convenience, and since password resets for almost everything else land in your e-mail, that account deserves a strong password of its own.
But, at least 2 passwords – your computer and the password program.
If done correctly, you can develop a few super-safe, easily memorized passwords. Use a combination of upper and lower case letters, numbers, special characters and even spaces.
Yes, spaces can significantly increase the entropy of a password, mainly because they break up dictionary words that a strength estimator, or a cracker's wordlist, would otherwise match whole. Not all applications accept spaces, but where you can use them, they are extremely effective. Your computer login and your password program do allow spaces, and those are the minimal two passwords you need to remember.
Here's an example:
“testimony” has an entropy of 11.271 bits, or a crack time of instant.
But what if I use a special character “+” for the t, insert spaces, capitalize the M and use a zero instead of the o?
“+ e s t i M 0 n y” – entropy – 106.118; crack time – centuries
Can I remember it?
Sure, it's only nine characters plus the spaces between them.
Is it safe? It is if I believe the zxcvbn algorithm: its entropy is well above 75 and the estimated crack time is centuries. You can always change it before then. One caveat: the estimator scores the spaced version so highly because it no longer recognizes the underlying word, so an attacker who knows you space out a dictionary word with a couple of substitutions could cut that down considerably. Pick a word with no connection to you and don't reuse the exact trick elsewhere.
Still easy to remember, but the security is substantially different.
You can do this.
You only need two to four passwords.
Although Apple won't allow spaces, experiment with other combinations to develop the other passwords you want to memorize. Try the pronounceable suggestions such as those offered by Dashlane and LastPass.
Random letters, numbers and special characters give the highest entropy in the fewest characters.
Password managers also have built-in password generators, some even with “pronounceable” suggestions that may help with memorization, but be careful. Many of these show a suggested rating (weak, strong, etc.), but zxcvbn should be consulted in all cases.
Additionally, LastPass has a free password generator you can explore. It even has a pronounceable password feature.
Again, check any password with zxcvbn to ensure you have high entropy.
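Because a generator's own rating can be optimistic, it helps to know how long a truly random password or passphrase must be to clear the 75-bit bar the post sets. The following added example (written for this edit, not the post's or any password manager's code) draws characters and words with Python's CSPRNG-backed `secrets` module, computes the entropy of each style from the alphabet size and length, and works out the minimum length needed. The symbol set, the 75-bit target and the tiny word list are constructed for the demo; a real passphrase list such as the EFF long list has 7776 words.

```python
import math
import secrets
import string

TARGET_BITS = 75  # the post's threshold for a memorized master password

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # 24 symbols most sites accept (assumed)
SPACE = " "

# Constructed toy word list for the passphrase demo. A real list (e.g. the
# EFF long list) has 7776 words, giving log2(7776) ~ 12.9 bits per word;
# this 16-word list gives only 4 bits per word.
TOY_WORDS = ("anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
             "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
             "orchid", "pepper")


def alphabet(allow_space=False, symbols=SYMBOLS):
    """Character set available to the generator for a given site policy."""
    return LOWER + UPPER + DIGITS + symbols + (SPACE if allow_space else "")


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size, target_bits=TARGET_BITS):
    """Shortest length that reaches the target for a uniformly random string."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length, allow_space=False, symbols=SYMBOLS):
    """Uniform random characters via the CSPRNG behind `secrets`.
    Rejects leading/trailing spaces because many sites silently strip them,
    which would shorten the password without telling you."""
    chars = alphabet(allow_space, symbols)
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if pw.strip() == pw:
            return pw


def passphrase(words, n_words, sep=" "):
    """Diceware-style passphrase: words chosen uniformly, with replacement."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(wordlist_size, n_words):
    """Entropy of a passphrase depends on the list size, not word length."""
    return n_words * math.log2(wordlist_size)


def plan(allow_space=True, wordlist_size=7776, target_bits=TARGET_BITS):
    """How long each style must be to reach the target."""
    size = len(alphabet(allow_space))
    return {
        "alphabet_size": size,
        "random_chars_needed": min_length_for(size, target_bits),
        "words_needed": min_length_for(wordlist_size, target_bits),
    }


if __name__ == "__main__":
    p = plan()
    print(f"alphabet of {p['alphabet_size']} chars -> "
          f"{p['random_chars_needed']} random chars reach {TARGET_BITS} bits")
    print(f"7776-word list -> {p['words_needed']} words reach {TARGET_BITS} bits")
    pw = random_password(p["random_chars_needed"], allow_space=True)
    print("random password:", repr(pw),
          f"({entropy_bits(p['alphabet_size'], len(pw)):.1f} bits)")
    ph = passphrase(TOY_WORDS, 6)
    print("toy passphrase: ", repr(ph),
          f"(only {passphrase_bits(len(TOY_WORDS), 6):.1f} bits from a 16-word list)")
```

With an 87-character alphabet (spaces allowed), 12 random characters give about 77 bits; with a 7776-word list, six words do the same. The toy list shows the trap in the other direction: six words from a 16-word list are only 24 bits, however long the words look.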
Use a password management program to create and manage the remainder of your passwords.
A review of some recommended password managers is a topic for another post. I use and recommend Dashlane, but also have used and like 1Password and LastPass. Actually, all three of these programs are stellar, so check them out and see which one fits your needs.
These password managers not only generate and manage your passwords but can also store your other personal financial information such as credit card accounts, bank and brokerage accounts as well as addresses and social security numbers. In other words, they become a personal security vault, protecting your confidential information behind the one master password you memorized. This also makes it quick and accurate to fill in bank and credit card information when you're purchasing on the Internet.
Where do we go from here to implement the best way to store passwords?
Using one of the password management programs along with a few memorized and highly secure master passwords is the key to protecting your confidential information and to ensuring that everything is readily accessible to you and no one else.
No doubt I could be accused of having too much personal data on my computer – but where else would it go? I can only remember so much, and the only way to protect myself and my family is to adhere to a consistent password system – memorize a few highly secure passwords and trust in a password program.
The complements to this concept are to go paperless and have adequate backups.
That's right, have all your documents scanned and accessible but backed up appropriately. Then, of course, have a secure password to access your paperless system, and make sure the backups themselves are encrypted so that a lost drive doesn't undo all of this.
You can increase your security with other safety features such as two-factor authentication (where offered), which is worth turning on for the password manager and your e-mail account in particular, but the core suggestion is simply to use high-entropy passwords along with a good password management program, periodically change your passwords, and change one immediately if the site that holds it reports a breach.
If you have any password related suggestions, please comment below.