Many of us use dozens (or hundreds) of online websites that need a password. Traditionally, experts have offered two pieces of advice about passwords: first, strong passwords are those made of random characters, and second, never use the same password for different accounts. Most Internet users manage an increasingly large portfolio of password-protected accounts, and that includes us here at CompSecGlobal. Remembering a distinct long string of random alphanumeric characters for each of them has become a practically impossible task. We have so many passwords that we MUST use a password manager.
There might be a different way…
An article from the Brookings Institution suggests that a tiered approach to password security would be better: using passwords that are easy to remember but quite long would, for most accounts, provide more security than the short, complex strings people actually manage to remember.
The premise of the article is simple: for websites that hold little to no value, use a password that is long but not terribly difficult to remember. The graphic above shows that a password of four words would take quite a few lifetimes to crack, while a much shorter password, even though it is more complex, could theoretically be brute-forced successfully in a few days. The strength of the password comes from its length, with one important condition: the words have to be picked at random from a large list, not assembled into a familiar phrase or a song lyric. An attacker's search space is the number of possible combinations, and each additional random word multiplies it by the size of the word list, whereas a quotable phrase is something a dictionary attack tries early. How long the search takes also depends on how fast the attacker can guess, which is set by whether they are hitting a rate-limited login page or cracking a leaked password hash offline.
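To put numbers on the length-versus-complexity argument, here is an added worked example (our own illustration, not code from the Brookings article or from any password tool). It computes the entropy of the password styles discussed above and the expected exhaustive-search time under two assumed attacker guess rates; the rates, the 7776-word Diceware-style list size and the tiny sample word list are all assumptions made for the example.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware-style word list. A real list has 7776 words
# (five dice rolls per word); only its SIZE matters for the entropy math, and the
# handful of words below is just enough to generate an illustrative passphrase.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "velvet",
                "comet", "ledger", "pillow", "granite"]
DICEWARE_LIST_SIZE = 7776

ALNUM = string.ascii_letters + string.digits      # 62 symbols
PRINTABLE = ALNUM + string.punctuation            # 94 symbols

# Assumed attacker guess rates (assumptions for the example, not measurements).
ONLINE_RATE = 1e3          # throttled guesses against a live login page
OFFLINE_FAST_RATE = 1e10   # cracking a leaked fast hash (e.g. unsalted MD5) on GPUs


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for exhaustive search: the attacker finds it halfway through."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse, readable duration for the comparison table."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def random_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with a CSPRNG. Letting a human 'choose' the words destroys the entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random character password of the kind a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies():
    """Rows of (label, bits, time at online rate, time at offline fast-hash rate)."""
    cases = [
        ("8 random alphanumeric chars", entropy_bits(62, 8)),
        ("12 random printable chars", entropy_bits(94, 12)),
        ("4 words from a 7776-word list", entropy_bits(DICEWARE_LIST_SIZE, 4)),
        ("4 words from a 100-word personal vocabulary", entropy_bits(100, 4)),
        ("6 words from a 7776-word list", entropy_bits(DICEWARE_LIST_SIZE, 6)),
        ("30 random printable chars", entropy_bits(94, 30)),
    ]
    return [(label, round(bits, 1),
             human_time(expected_crack_seconds(bits, ONLINE_RATE)),
             human_time(expected_crack_seconds(bits, OFFLINE_FAST_RATE)))
            for label, bits in cases]


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(4))
    print("example password:  ", random_password(30))
    for label, bits, online, offline in compare_policies():
        print(f"{label:45s} {bits:6.1f} bits  online: {online:>15s}  offline: {offline}")
```

Two things fall out of the table that the graphic alone does not show. First, four words from a real 7776-word list carry about 52 bits, only slightly more than 8 random alphanumeric characters (about 48 bits); four words from the hundred or so words a person would pick on their own carry under 27 bits, which is why the words must be chosen for you. Second, at a throttled online rate the four-word passphrase survives for tens of thousands of years, but against a leaked fast hash it falls in about two days, so the "lifetimes" figure assumes a rate-limited attacker or a slow password hash. You do not control how a site hashes, which is the real reason the high-value accounts get long, unique, generated passwords.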
The key to strong security for your identity, your banks and your money, though, would be to continue using long and UNIQUE passwords for all your HIGH VALUE sites.
Some websites compromise your security for you…
This brings us to something of a security conundrum: many banks, credit unions and the like enforce their own password rules, and those rules are not always sensible. We recently changed a password on a banking account and the requirement was for a password between 8 and 12 characters. Why? We have no idea, but it would make much better sense to allow us to use a 60-character string; that would be MUCH stronger and next to impossible to brute force. A low maximum length is a warning sign in its own right: current NIST guidance (SP 800-63B) says verifiers should accept passwords of at least 64 characters and should not impose composition rules, so a site capping you at 12 characters is well behind the published guidance.
Should you embrace impossible to remember passwords?
We happen to use something of a hybrid approach. Looking inside our password manager, we have 600+ passwords stored in our vault. That's probably more than most people have, but 600 passwords? We couldn't use that many without a tool to help manage them, unless we re-used passwords heavily. Clearly we have to use a tool to manage such a large number of strong passwords. Even if we used four-word combinations, remembering hundreds of them and keeping straight which password went with which site would be an impossible task.
But how strong is strong? We used to subscribe to the flawed theory that 12-20 characters with numbers and special characters was 'strong enough'. Not any more! In the last few years we've come to understand that short passwords are bad passwords, and we've been replacing our passwords even on low-value websites. When we replace a password, we use a MUCH longer one. Generally we won't use passwords of LESS than 30 characters.
So which password manager do we use?
Our chosen password vault is a free tool called KeePass. You can install KeePass with our favorite installer, Ninite.com; here is the Ninite KeePass Installer link.
We like KeePass because it's free and effective. There is no KeePass cloud, but we back up our database using our backup solution (in-house we use Carbonite), and we use a cloud drive to store a copy of the database we might need while we're on the road. You could use any of the available cloud services: OneDrive, Google Drive, Dropbox or whichever cloud drive you use. Keeping the database in a cloud drive is acceptable because the .kdbx file is encrypted at rest, but remember that anyone who obtains the file can run guesses against it offline, so the master passphrase must be long, and if you add a key file as a second factor, do not store it in the same cloud folder as the database. There are KeePass ports for Linux and macOS (KeePassXC is the best known), plus mobile devices.
KeePass can work with multiple database files and can synchronize them (File > Synchronize). Use that, rather than copying one file over another, if the database lives on a shared drive: synchronization reconciles entries by their UUID and modification time, so a colleague's change to an entry is merged with your changes instead of being overwritten, and the older version of a conflicting entry is kept in that entry's history rather than lost.
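To show why synchronizing beats overwriting, here is an added example (our own simplified model, not KeePass code) of a last-modified-wins merge keyed by entry UUID. The entries, timestamps and scenario are constructed for the illustration: you and a colleague both start from the same database, the colleague rotates the forum password on the shared copy, and you add a new entry locally and then save.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    uuid: str            # stable identity; KeePass entries carry a UUID for this reason
    title: str
    password: str
    modified: datetime
    history: tuple = ()  # older versions of this entry, oldest first


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def copy_over(local: dict, remote: dict) -> dict:
    """What happens when you just copy your file onto the shared drive: remote is discarded."""
    return dict(local)


def synchronize(local: dict, remote: dict) -> dict:
    """Two-way merge by UUID. Entries present on only one side are kept; when both sides
    hold the same UUID the newer modification wins and, if the content differs, the
    older version is preserved in the winner's history instead of being lost."""
    merged = {}
    for uuid in set(local) | set(remote):
        mine, theirs = local.get(uuid), remote.get(uuid)
        if mine is None or theirs is None:
            merged[uuid] = mine if theirs is None else theirs
            continue
        newer, older = (mine, theirs) if mine.modified >= theirs.modified else (theirs, mine)
        if (newer.password, newer.title) == (older.password, older.title):
            merged[uuid] = newer
        else:
            merged[uuid] = replace(newer, history=newer.history + (older,))
    return merged


# Constructed scenario. Both sides descend from the same base database.
BANK = Entry("a", "Bank", "long-random-bank-pw", _ts("2024-01-01T09:00"))
FORUM_OLD = Entry("b", "Forum", "old-forum-pw", _ts("2024-01-01T09:00"))

# Colleague's copy on the shared drive: forum password rotated at 10:00.
REMOTE = {
    "a": BANK,
    "b": replace(FORUM_OLD, password="new-forum-pw", modified=_ts("2024-01-01T10:00")),
}

# Your local copy: still has the old forum password, plus a new entry added at 11:00.
LOCAL = {
    "a": BANK,
    "b": FORUM_OLD,
    "c": Entry("c", "Wiki", "random-wiki-pw", _ts("2024-01-01T11:00")),
}


if __name__ == "__main__":
    lost = copy_over(LOCAL, REMOTE)
    kept = synchronize(LOCAL, REMOTE)
    print("copy over   -> forum password:", lost["b"].password)
    print("synchronize -> forum password:", kept["b"].password,
          "| history entries:", len(kept["b"].history), "| entries:", sorted(kept))
```

The overwrite path silently reverts the colleague's rotation to `old-forum-pw`; the merge keeps `new-forum-pw`, keeps your new entry, and tucks the superseded version into history so a bad merge can be undone. The real KeePass feature does the same job over the encrypted file format, and this model is only meant to show the rule it applies.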
Other password managers: LastPass, Dashlane, RoboForm, to name just a few.
Once you embrace the idea that you need a password manager, it is only a tiny step to embrace random passwords for every website you visit. When a tool manages these passwords, does it matter if the password is difficult to remember? Maybe it does. There might be exceptions for convenience: some sites make you type your password all the time in their mobile apps, and a 32-character random password on those sites might be a total pain in the butt… so Brookings might be onto something. A long and strong but easy-to-remember password on *some* websites might be ok, but NEVER on your banking site!!