Password Management

Choosing a Good Password

Using the same password for all your logins, or even variations of it, is a very bad idea. Ideally every one of your passwords should be different, unique and very hard to guess. So what makes a good password? Something like 4$WK5xp@}a7y.S+$%P!y5)! would be good, but I doubt many people could remember a completely different one of those for every login they have! This is where password managers come in.

The best advice I have seen on passwords is from Bruce Schneier on his blog: Choosing Secure Passwords - Schneier on Security. He also has good advice on password managers, so do search his blog for it. The following links are also useful:

Password Manager

Personally I use Password Safe. It is not the most feature-rich, cross-platform or flashy option, but it does the job and does it well for me; it was also designed by Bruce Schneier. Recently I have come across an Android port of it, PasswdSafe / Wiki / Home, which looks good, although I have not checked it out fully yet; it also has a "sync" app to go with it.

Some security people say you should not use anything that stores your passwords in the cloud, which I think rules out LastPass and 1Password. However, when LastPass suffered a security breach in June 2015, the technical media covered what happened and how LastPass operate. In summary, they use good encryption techniques, including "slow hashing" of passwords, so whilst there was a breach, no passwords or master passwords were lost, unless people had insecure passwords guessable from their password reminder. The summary seemed to be: LastPass are good, trust them.

So clearly we need to know how to pick a good password, or rather find good techniques for doing so. I would not recommend putting your password into a website for it to tell you whether it is secure, just in case. Likewise, I am not sure I would use an online generator either, for the same reason. However, an online generator can show you good patterns to follow and the impact of different rules, so here are some useful links. If you are using a password manager, then the password to access it clearly needs to be very strong!

There's more....

Following on from passwords there is TOTP, or Time-Based One-Time Passwords: the one-time codes that typically last about 30 seconds. Setting them up usually involves scanning a QR code and then storing the resulting secret in a password manager, which generates the codes from it. This is also known as two-step verification.

Two Factor Authentication (2FA) is the next step; it is a kind of Multi-Factor Authentication (MFA) and involves something like Yubico | YubiKey strong two factor authentication.