A comprehensive guide to password management

How to authenticate users and manage passwords is one of the biggest tech problems we face today. We want to prevent adversaries from accessing our apps and services, without locking ourselves out of them. There already exist strategies to protect our passwords or reduce the need for them. But each strategy carries its own set of caveats and security holes. We also contend with our ability to remember and maintain lists of passwords. They need to be complex enough to thwart attackers but hard to forget. Unified authentication systems used in enterprise environments and apps address some authentication issues. But, I don't believe one will ever exist for regular users that isn't in the form of knowledge and discipline. This will be the focus of this post. I'll itemize several authentication and password management solutions available to the average user. These range from the crude, simple, and insecure to the secure and complex.

0. Don't use computers or the internet#

This one is a bit silly, I'll admit. But many people still exist today who don't use the internet or computers at all. This has the advantage of not having to worry about remembering passwords, other than your credit card PIN. PINs are infamously insecure, by the way, and you should switch to contactless payment wherever possible. If you're reading this, you're already ignoring this ridiculous suggestion. But perhaps you know someone who isn't, like your grandparents. This is increasingly unlikely as even my own grandma has a smartphone. Even so, this is not a good solution for a variety of reasons.

The internet is now such a crucial part of our global infrastructure, that not using it puts you at a severe competitive disadvantage. Imagine trying to get around the world, or even your own locale without using any roads. That is what not using the internet is like today. The disadvantages clearly outweigh the benefits.

Even if you're determined to not using the internet or a computer, your information is still at risk. Major institutions store sensitive information in databases. These, in turn, run on internal or third-party servers. Think banks, government agencies, hospitals, etc... If an adversary gets access to these databases, and the information they hold, they may be able to steal the identities of their owners. This happens all the time. One of the more high profile cases being the theft of personal data in the US and Canada from Equifax customers. Know that in this age, no one is safe from identity theft regardless of their internet use or lack thereof. Tell that to your grandpa.

1. (Don't) Use a single password for every website/service#

It's worth a mention here since this is a strategy many people still use today and for good reason. Over time, the burden of managing passwords has increased in proportion to the number of web services we depend on. Out of convenience, many people simply use the same password everywhere. We're busy and don't have time to think about something we're going to forget anyway. It's also time-costly to have to use the 'forgot your password' feature everytime we need to log into Dropbox or Facebook. Without knowledge of a better way to login to our favourite sites, we fall back onto a single password for everything.

This method of password management gives me chills just writing about it. That's because if someone manages to discover your skeleton key password, they also have access to every website you use. An adversary can access everything you've guarded behind your singular password. They can sift through your emails, buy anything with your Amazon account, or impersonate you via social media. While you're at it, why not give them the keys to your house and your car?

I firmly believe in criticizing processes and not people. This section, and the rest of this post, is not intended to berate you or anyone else for using this type of password management strategy. Even I was guilty of using this strategy not too long ago, albeit for websites that carried minimal risk of sensitive exposure. I still used strong passwords for things that mattered, like my primary email and bank accounts.

What led me to completely abandon this strategy was an incident that occurred several jobs ago. My team was responsible for maintaining this organization's suite of bespoke applications. Each project was a silo overseen by a different developer. I abhor this practice enough that it may inspire a future post. I prefer to make a habit of learning about what other team members are working on. This opens up opportunities to learn, and also provides coverage if someone gets sick or dies.

I had the opportunity to learn about a particular app one coworker was responsible for. It was one I rarely used, so I had it 'secured' by one of my non-sensitive skeleton key passwords. As he was explaining how the app's database worked, I looked at the screen full of user accounts and found that all the passwords were in plain text. Human-readable. Plain text. Passwords. My password was random enough to be mistaken as machine-generated. That is, it wouldn't be interpreted as something significant to my identity. That was not the case for most other users' passwords. It was very likely the owners of these passwords used them elsewhere, and the developer knew it. I put on my best poker face, so as not to arouse suspicion of my password being important. I then changed it to [developer name redacted]KnowsMyPassword. With as much civility as I could muster, I suggested he should update his app to store password hashes instead. I doubt my advice was heeded.

The above experience did two things for me. It weaned me off the singular password strategy for good, even for non-sensitive sites. It also reaffirmed my belief that it is a form of professional misconduct to know someone else's password without their knowledge. It's similar to not indicating to someone when you're recording their phone call. The best defense against this kind of situation is to not use the same password for several websites.

2. (Don't) Use simple and easy to remember passwords, different for every website/service#

I'm not ready to talk about serious password management strategies yet, as I haven't gone through most of the ways this can go wrong. Using simple passwords for all your websites is one of them. It's still good that you don't use the same password everywhere. However, if it's too simple, it won't be difficult for an adversary to gain access to your accounts. Take a look at these sec lists if you need more convincing. Also, this one and this one. When viewing any sec list in your browser, press Ctrl+F and search for any passwords you currently use. If your password shows up in this list, consider it already compromised. Even if it doesn't, it's still entertaining to see what kinds of passwords people all over the world use. Here's some of my picks for silliest insecure passwords:

• bradpitt
• chandler
• Anything with the word 'sex' in it, most I don't care to reproduce here
• starwars
• iloveyou
• adidas
• aerosmith
• google
• Microsoft
• wahoo
• login
• beerbeer
• bigbum

Of course there is the obvious '1234567890' and permutations of 'password'. Most sites should be immediately rejecting insecure passwords like these anyway, but many aren't, which is why I have to warn about them here as well.

A basic principle of passwords is that no one should have knowledge of them. There are exceptions in the case of your IT administrator at work, or a trusted vendor for one of your managed services. In both cases, these individuals are contractually obligated to protect your data. Be wary of services like Plaid or Mint that require access to your online banking passwords to function. Do not give anyone, even a service, your online banking passwords. In most cases, this violates your banking platform's Terms of Use, and you might not have recourse if you're the victim of fraud.

If your password exists on one of the aforementioned sec lists, you should immediately change it to something more secure. Read on for guidance on how to do so.

3. Use passwords that are at least 12 characters long, different for each website/service#

Now we're ready to talk about more reasonable password strategies, but we're not quite there yet. They're still hard to remember, and we haven't covered how to manage several of them at the same time. But with this step, your passwords will be minimally secure. Software developer and security expert Jeff Atwood makes a strong case in this article for a minimum password length of 12 characters. I highly recommend this read regardless of your technical level, but the premise that "your password is too damn short" should be enough for most. Upper and lowercase letters, digits, and special characters among the 12+ characters of your password will guard against most brute force guesses. Remembering passwords and typing them out is a different matter altogether. As are websites that are insecure or store your passwords in plain text.

4. (Don't) Write down your passwords somewhere#

Now that you're able to use secure passwords, you now need a way to keep track of them and all the different sites that you use. The simplest way to accomplish this is with a logbook that contains this information. With a password logbook, you will have easy access to your passwords that you'll otherwise forget via rote memorization. The more complicated the password, the greater the need is to store them outside your brain.

As the title of this section implies, there are several reasons not to do this. Your passwords will be in plain text in a location that someone is able to find. If your home or office gets burglarized or robbed, your password logbook has a significant non-zero probability of being found. Then a lot more will be stolen than your physical possessions. Your house can also burn down, and your passwords with it.

A concerning number of people also store their passwords underneath their keyboards. It's the first place an adversary will look when they want to access someone's computer. From the perspective of a technical person, such as myself, it seems ridiculous for someone to store their password in such an obvious place.

However, I have to take a step back and consider the perspective of the person storing the password. Their assessment of threat isn't anywhere near as developed as it should be. This is likely because of their limited buy-in to anything technical. Most people use computers for email, word processing, online banking, social media, casual browsing, or games. They have other concerns in their lives than maintaining a healthy OPSEC strategy.

Personally, I'm far less likely to put more care into the care of my vehicle than a mechanic would. As long as my vehicle gets me from point A to point B, I don't want to think more about it than necessary. However, I probably should think a little more about it if I want to prevent expensive problems in the future. The same can be said of those who write their passwords down in plain text.

Writing down passwords is a lazy way to remember them. For many, it's the best way to do so within their capabilities. If this is the best you can do to store passwords, make sure that they're stored in a lockable box or safe. Or better yet, your bank's safe deposit box (if you trust your bank, and you probably shouldn't).

Finally, the greatest security risk of written down passwords is that someone does not have to steal your logbook or post-it notes to get access to your online accounts. You will never know if or when someone has stolen your passwords. The existence of written passwords should be a constant source of worry.

4b. (Don't) Store your passwords in a text file on your computer or mobile device#

This method of storing passwords has the same drawbacks of writing them down, albeit with a different storage medium. Your passwords are still easily accessible to an adversary. Please don't do this.

5. Use multi-word passphrases, different for each website/service#

These type of passwords give us the best of both worlds by being easy to remember, yet hard to crack. Multi-word passphrases are passwords that are composed of several unrelated dictionary words. The dictionary words are easy to remember, and the combination of them creates a password long enough to be near-impossible to brute force. This popular XKCD post summarizes passphrases nicely. Despite only containing common words and characters, the length of the passphrase makes it prohibitively expensive to guess.

Note that correct horse battery staple now has significantly lower bits of entropy than indicated in the comic. This is due to its exposure and has likely made it into the sec lists I mentioned earlier. Similar passphrases known to yourself only retain their original bits of entropy.

For added security, you can delimit words in your passphrase with characters other than spaces. For example, we can use correct.horse.battery.staple, correct&horse&battery&staple, or even correct_horse_battery_staple. There are many characters to choose from. Be sure to remember what those characters are. Avoid using different characters for delimiters as you may forget what these are and what order they're in. An example of what not to do is correct!horse@battery#staple. Note that the above examples now have very low bits of entropy, due to me exposing them in public writing.

6. Sparingly save passwords in your browser#

Web browsers like Chrome allow you to save your passwords when logging into services online. Once you do, you can enjoy fast logins thereafter. You have the benefit of storing your password securely without the burden of remembering them. This doesn't add anything to your online security other than convenience. If your saved password isn't strong, you'll get hacked anyway. Additionally, if someone were to gain access to your computer (e.g. you left your device unlocked) your passwords are conveniently saved for your adversary's use.

Web browsers like Chrome allow you to save your passwords when logging into services online. Once you do, you can enjoy fast logins thereafter. You have the benefit of securely storing your password without the burden of remembering them. This doesn't add anything to your online security other than convenience. If your saved password isn't strong, you'll get hacked anyway. Additionally, if someone were to gain access to your computer (e.g. you left your device unlocked) your passwords are readily available for your adversary's use.

Google states that they only store a hash of your password on their servers. The hash alone will not allow someone to gain access to your websites as it's tied to the device it's used on. This may not be the case with other browsers. In Chrome, if you lose access to your Google account, then you also lose access to your saved passwords. This is significant when using a new or unfamiliar device.

Generally, you should use your browser's saved password feature sparingly. Either for services that have low impact, or those backed by multi-factor authentication (MFA).

7. Use an online password manager#

A password manager is an application or service that stores encrypted versions of your passwords. When you need a particular password, you log into the app, find the password you need, then copy it to a password field. You only need to memorize the password of the manager itself. An easy to remember and long passphrase would be an appropriate choice for this kind of password (see section 5).

With a password manager, you can create passwords of your choosing, or let the app generate them for you. The benefit of letting software generate passwords for you is not having any knowledge of them. This also eliminates the need for memorization. Both of which are recurring issues in all previous strategies listed here.

The most popular online password managers are LastPass, Bitwarden, and 1Password. I won't get into detail on these services since there is already plenty of info on them available. It's important to note that these are hosted services. If someone were to penetrate the datacentres of these services, they may be able to access hashes of your passwords. I would hope that these services don't store them in plain text. The chances of password manager services being hacked is small, but significant enough to warrant a bit of worry. There is precedent of high-profile tech companies getting hacked, and these services would not be an exception.

Bitwarden provides the option to self-host their service. This option is better suited for technical users who are able to manage a server. The server can be at home or hosted with a cloud provider like Azure, AWS, and others. Self-hosting provides more control over your data, in exchange for time spent on maintenance. If you use a cloud provider to host your service, you can offload server management overhead for a monthly fee. Unfortunately, server minutes are too expensive for an application like this and may not be worth it in most cases, especially for a single user. An organization would find it more useful to host Bitwarden in the cloud. You can also self-host Bitwarden from your home on a Raspberry Pi. If you want to access your Pi remotely, you'll have to serve Bitwarden over the Tor network.

A major drawback of these password managers is that they require internet access. Bitwarden is a slight exception if you're only self-hosting from home. However, it suffers the same drawback when accessing your home server remotely.

With respect to pricing, most of them have a free option, but may withhold helpful features unless you pay. With 1Password there is no free option. If you would like to share the service with multiple family members, you will have to pay for all of the above services.

With respect to pricing, most of them have a free option, but may withhold helpful features unless you pay. With 1Password there is no free option. If you would like to share the service with family members, all the above services require you to pay.

You may run into some issues if you wish to create periodic backups of your password data. Exporting CSV data from these services will expose your plain text passwords. You will have to find a way to encrypt this file if you need to keep it from prying eyes. Often, this will require another service or application that burdens you with remembering another password.

In general, these style of password managers are good enough if you want to securely manage several credentials. If the limitations of this strategy aren't deal-breakers, you may, if you wish, skip ahead. Read on for a solution that addresses these limitations.

8. Use an offline password manager#

These types of password managers are standalone applications that produce an encrypted database of your passwords. This database is usually in the form of an encrypted file. Offline password managers work the same way as their online counterparts, except you have more freedom in how you manage your data. Backing up the password database is easy since the database can be moved around and copied like a normal file. This means you can store a copy on a flash drive, or even in secure cloud storage.

The password manager's database is protected by a master password. This password is the only one you will need to remember. In some applications, the password database can be opened in the presence of a key file, or an OS user account. I prefer to use a master password since there may be times when the key file is inaccessible, or when I want to recover passwords on a different device. The security of all your passwords depends on the strength of your master password. Thus, the master password should be a multi-word passphrase that's easy for you to remember.

My recommendation for an offline password manager is KeePass. It's free, open source, multi-platform, and can be run in portable mode. The portable mode of KeePass is handy if you're storing your password database on a flash drive. You can also store the application on the same flash drive to ensure access to your passwords wherever you go. One of my favourite features of KeePass is that it clears your passwords from your system's clipboard seconds after copying them. This ensures that malicious programs on your computer are unable to scrape your clipboard for sensitive information.

Depending on the length and complexity of your master password, you may not want to type it out every time you need to open KeePass. KeePassWinHello is a KeePass plugin that helps to shorten the authentication time for your password database. It uses the Windows Hello API to encrypt your master password in memory so that you can access your database via biometrics, facial recognition, or your PIN.

As long as no one knows your master password, it doesn't matter if someone gains access to your password database. You'll be long dead by the time technology advances enough to be able to crack it. This is assuming your master password has at least 80 bits of entropy. If someone does gain access to your file, it would still be wise to change your passwords and secure your database to another location.

This is my favourite method of securing passwords, and the one I would recommend to technical users. Those less technical would be fine with the online password managers mentioned in the previous section. Using an offline password manager is the most secure way for average users to store and access your passwords. It's worth it to learn how to bake it into your computing routine.

9. (Bonus) Activate multi-factor authentication wherever possible#

Multi-factor authentication, or MFA, is an authentication scheme that requires two or more pieces of information to correctly identify a user. Systems protected with MFA use at least two different types of information when authenticating a user. More often than not, a password is one of these. MFA protects resources (e.g. online accounts, devices) in the event that one piece of information is compromised. A common scenario is if an adversary discovers someone's password. If the adversary attempts to use the password on an MFA-protected resource, they will be denied access without the other type of information. There exist three types of information that can uniquely identify us:

• Something we know (e.g. a password or PIN)
• Something we have (e.g. devices, keys, certificates)
• Something we are (e.g. fingerprints, facial structure, iris pattern)

While MFA helps to further secure your resources, an adversary may still find a way to acquire that additional piece of information, as this classic example illustrates. Unless the resource you're guarding is worth seven figures and above, you won't have to worry about being maimed for your fingerprints or iris pattern. It's still a possibility to keep in mind. If you use a device or key as your second factor of authentication, you only have to worry about that being stolen. At most, being roughed up until you voluntarily give it up. I'll reiterate, this is not something the average user has to worry about.

In addition to managing your passwords with a password manager, MFA helps make it improbable for the majority of adversaries to access your accounts. For the most part, this is an optional step, but should be mandatory for online banking accounts and anything else financial, personal information that's damaging to have in anyone else's hands, and anything to do with critical infrastructure or intellectual property.

My favourite method of MFA is the use of authenticator apps that generate time-sensitive one-time passcodes. Google Authenticator is a good example of this kind of app. Some services use Authy as their MFA tool of choice, and others use their own in-house versions.

A warning about text message, or SMS, verification. This method is prone to SIM Swap attacks. This is where an adversary, via social engineering, is able to claim that your phone number is theirs on a different SIM card. If your second factor is SMS, then all one-time passcodes with go to their device and not yours. Wherever possible, avoid SMS as an alternate method of authentication.

10. (Bonus) Log in with your social media or email accounts#

Although you only have to remember a master password if you're using a password manager, it's wise to at least memorize the password to your OAuth-enabled accounts. OAuth is a method of authentication that enables a user to log into a service if they're already logged into another one. The OAuth-enabled service is able to give permission to the external service for accessing specific identifying information on its owner.

This is what happens when a service lets you log in with your Facebook or Gmail account. Since you're likely already logged into these accounts on your devices, it's a simple matter to log into services that support OAuth authentication. Note that these accounts are only as secure as the password strength of your OAuth-enabled account. Since you don't want to forget the password for those accounts, it's recommended that you use passphrases for them. Do also store these passwords in your password manager.

11. (Bonus) What if I die and no one can recover my accounts?#

This is a question that still keeps me up at night. It's also a problem for which there is no universal solution for yet. While it's possible to gain access to a deceased loved one's Facebook page, it might not be possible to gain access to their remaining accounts. That is, unless the deceased was forward-thinking enough to provide that information in their will. Other services have an inactivity timer that hands control of your account to a trusted person you designate.

This is probably something I may write about later when I figure this out for myself. I won't divulge what I have in place now, but I can tell you that it is less secure than I'd like. My current contingency plan does provide a glimmer of hope that someone is smart enough to find out how to gain access to my accounts.

As I was writing this, I did a quick Google search to learn about my posthumous options. This is a good place to start. However, everyone's last requests are unique, and you will 👀 have to find a solution that suits you best. If your will contains sensitive information like passwords, ensure that it's kept in locked storage.

This is kind of a morbid note to end this article on, but I hope the information here has inspired you to take more care when managing your passwords. Please remember the following:

• Don't use the same password for every website,
• Don't use simple passwords
• Make sure that passwords are at least 12 characters long
• Use passphrases as much as you can
• Use a password manager to reduce the number of passwords you have to memorize
• Use multi-factor authentication where possible
• Have a plan for when you pass away