Hackers have more powerful algorithms and launch attacks on larger scales, so everyone is at risk. And most password cracking is automated and systematic, rather than a human guessing passwords. Follow this guide to improve security for your devices and online accounts, both personal and work-related. There is background on the tools and the guide ends with steps to setup 2FA and a password manager for yourself.

Passwords

Changing all your passwords on a cycle such as yearly also decreases your risk - any password can be cracked with enough time to try combinations, so regular changes are good for preventing this.

Choose a password which is long (but easy to remember) rather than one which uses a large character set (but it difficult to type and remember).

This article on The Eternal Password Riddle covers information entropy (or randomness) as way of measuring strength. It shows that a password made up of 12 characters picked from a set of 26 (the lowercase alphabet) is stronger than an 8-character password which has 41 characters including special characters. The shorter one has two thirds the length and one and half times the size yet it weaker. The article also explains brute-force attacks and how to generate a strong password.

Passphrases

When it comes to your laptop or LastPass password where you have to type and remember easily (and perhaps don’t want even want to store anywhere), use a passphrase password.

A passphrase is typically 3 or 4 words which are either random or form a sentence (preferably only one which makes sense to you). You can also come up with an image or a story which helps you relate your random words together, or keep generating random words until you find a list that works.

The Use A Passphrase site will generate passphrases for you and it will explain how secure each password is.

e.g.

  • across region guard takes
    • Length: 4 words, 25 characters
    • Approximate Crack Time: 15,936 centuries
  • reversal netview drilling plot
    • Length: 4 words, 30 characters
    • Approximate Crack Time: 6,136,851,976 centuries

Though, the advice I read is usually to generate a passphrase by rolling a physical die and then use that to choose from a downloaded list of words. As a die is truly random and uncontrollable, compared with a password-generating site.

I know of a company which is very serious about security that changed to setup a system where a pass phrase of at least 16 characters required for computer passwords. Spaces are allowed and having only lowercase letters is sufficient.

More complex passwords

I usually get LastPass to generate a strong password for me, using at least 24 characters.

You may want a password which is mostly lowercase letters and so easy to type and remember. But sites often require at least one capital letter, number and special character - you can manually add these somewhere in your generated password (such as the beginner or end) instead of letting LastPass add them through the password. Or if, you only ever will copy and paste or autofill your password, you can let LastPass generate a 24-character password for you which uses a set of over 60 characters.

Example output when generating a password with the LastPass browser extension:

Generate password with LastPass

Password managers

Using a password manager is a convenient way to securely store usernames and passwords for all the sites where you have accounts. They can autofill the values for you to save you having to remember them. If you have multiple accounts on one site, you get a choice of which account to use.

LastPass has been recommended to me before and is a required at my work, therefore it is my password manager solution for work and personal credentials. As an alternative, there is 1password.com, but I have not used it.

Example screenshot of LastPass browser extension:

LastPass sample

Reasons to not use a browser’s own credential storage

  • There is a risk in someone accessing your passwords if your browser is left open.
  • There is no master password setup default.
  • Your passwords could be synced, so someone signed into Chrome/Firefox as you on another machine could get your passwords.

Reasons to use LastPass

  • LastPass is built as a central credentials storage location and it does this great. You don’t have to manage credentials across Chrome, Firefox and whatever other documents you use.
  • You can force LastPass to require a password after a period of inactivity or reopening the browser.
  • LastPass has a more elegant way of adding/updating/viewing/searching your site logins.
  • LastPass allows storing of text notes, for extra details around a site.
  • It works on desktop and mobile.

How secure is a long password?

  • One-digit password
    • Imagine a password which has a character set of 10 characters (0 - 9).
    • And only one character long.
    • That would be 10^1 (10 to the power of 1) = 10 possibilities.
  • Two digit password
    • Character set of 10 characters.
    • And now two characters long.
    • That would be 10^2 = 100 possibilities.
  • Long number
    • Still using digits.
    • If your password is expanded to 24 characters long.
    • That covers 10^24 possibilities.
      • Range from 24 zeroes to 24 nines (which as a number is 10^25 - 1).
      • Which is 999,999,999,999,999,999,999,999 possibilities.
  • Passprase
    • Why is a passphrase hard to guess? From 10 characters, add lowercase (26) and uppercase letters (26), then you get 52.
    • And 24 characters still.
    • Then you get 52^24 possibilities.
      • Which is 152,784,834,199,652,075,368,661,148,843,397,208,866,816 possibilities - or about 1.5 x 10^41.
      • Range from 24 zeroes to to 24 of the letter Z.

Add special characters and increase limit to 32 or 64 characters and then the number becomes impossibly large.

Using random characters is safest, but even using common words in uncommon combinations (not well-known phrases) plus adding special characters between words gives a password which is still very secure.

With a deck of 52 cards (each is unique so the set is 52) and if you use all 52 of them once only, then use combination formula as 52! (i.e. 52 factorial) to get to 8.0658175e+67 combinations. The number of possible shuffled card combinations is amazingly large. Discussed here on Reddit.

Two-factor Authentication

Some websites support two-factor authentication (2FA). This means that you need both the password (entered on desktop or mobile) and your actual mobile device (for a one time pin) in order to login in. Use this for your most important or sensitive accounts where 2FA is supported, to protect them even if your password is stolen/guessed. Such as for your password manager, Twitter, Gmail, GitHub and AWS.

Method

You can use SMS, which is tied to a simcard in a mobile device and does not need an internet connection. You need to wait for an SMS to arrive with a security code.

You use can use a security app like Google Authenticator (see below), which is also tied to a physical mobile device but works without needing a simcard or internet connection. This generates codes every 30 seconds for all your accounts - the codes expire in 30 seconds and are replaced by new codes.

Using the SMS method to get a security is sufficient, but using a security app can be more convenient and more secure. There is no waiting time like there is for an SMS, which may not be secure and also the SMS code does not have the same 60-second expiry.

Example screenshot showing a few accounts setup in the security app.

Google Authenticator

Show me how!

Setup 2FA

Steps:

  1. Download the Google Authenticator app for your phone. Do this now or as part of the next step.
    • See Android and iOS links here, with instructions.
    • You can read about the app on Wikipedia here.
  2. Follow the steps here to setup Google 2-step authentication, which will protect your Google account. You will be guided to setting up Google Authenticator app, starting with your Gmail account address under a Google item.
  3. Add more accounts to your Google Authenticator, as in the screenshot in the previous section above. It is easy to add additional sites. Sites which support 2FA usually make use of your camera phone to scan a QR code on your desktop screen.

Setup LastPass

Below are the steps I suggest to completely replace your password storage approach with LassPass and two setup two-factor authentication for Google, LastPass and any other sites you wish to.

Steps:

  1. Setup LastPass on your devices.
    1. Register an account on LastPass.com with your e-mail and a password (ideally at least 16 characters).
    2. Setup your LastPass account with 2FA (Google Authenticator or SMS).
    3. Install the LastPass browser extension at this link.
      • The extension works well for me on both Chrome and Firefox.
      • On the extension’s page, will look almost identical to the website view.
      • The extension will add a button to your browser’s toolbar and also the extension will provide autofill functionality and recognize details that need to be added/updated.
    4. Install the mobile app (see mobile tab for above link or search your app store).
  2. Clear your desktop browser’s passwords.
    1. Open your browser.
    2. Open preferences.
    3. Open Passwords section.
    4. Site by site, transfer the details to LastPass. You can do this by clicking the add button in LastPass, but see steps below to get LastPass to import for you you:
      1. Visit a site where you have an account.
      2. Login, using your browser’s credentials autofill if you like.
      3. LastPass will recognized credentials when you sign in (or register). When prompted by the LastPass extension, click Add site.
    5. In browser Password section, delete all your saved site passwords from your browser, provided you have moved them across completely.
    6. Repeat for all your browsers.

Store 2FA backup codes

Make sure you have a way to login to Google and LastPass without your device, in case you have an issue with 2FA (such as your device is lost or not with you).

These systems often provide one or more fixed backup codes which can be noted down and entered as a last resort in place of a code generated by your device.

Go into your account and under the security section, get the backup codes. There will be about fixed 10 codes which can be used once (you can also generate a new set in case they are compromised). For site like Google and GitHub, can save your codes as a long text note in LastPass. Though of course there is the danger that if someone is in your LastPass account without your device, they can get into other accounts even easier.

An alternative is to print out the backup codes and keep them somewhere secure at home or work or at a friend.

Printing codes is needed for LastPass, as the codes will be inaccessible without the codes or a device.