What is the best way to store passwords?
- What is the best way to store passwords?
- Why should I even care?
- Typical approaches
- The basics of password strategies
- A proposed solution to the best way to store passwords
- Where do we go from here to implementing the best way to store passwords?
The best way to store passwords? According to recent surveys, the average person has 27 to 118 passwords. I would suggest these numbers may even be understated, as I have over 500 passwords. Maybe I’m an outlier though. But how do we manage and safely store all these passwords?
Why should I even care?
Many tend to follow the “head in the sand” system for managing their passwords. Of course, the primary reason to care should be the security of our information. There is, however, another practical reason: convenience. How often are you confronted with a website for which you know you’ve established a password but just cannot access? Talk about frustrating.
Let’s look at some common strategies that many use to store passwords.
The “Modified Standard” method
In this strategy, you’ve established your primary standard password. Easy to remember and foolproof. You reverse the initials of your name, capitalize the first letter and add the last six digits of your social security number. I mean, who would know “Rb554321” is you?
Now you just need to be ready to modify it as needed by the various websites.
The first site requires a special character also. So, it becomes “Rb554321!” How easy is this?
The next site needs at least ten characters. No problem, you repeat Rb – “Rb554321!bR.” How smart, you’ve reversed the last two characters just to confuse the hackers.
The next site also needs a special character but only accepts #, $, % and &. Oh well, we’ll just change the ! to &.
Pretty soon you’ve modified your original standard fifty different ways, and it’s now a hopeless mess. Not to mention the fact that you’ve not done anything to enhance your security. Certainly, this isn’t the best way to store passwords – there has to be a better way.
The “Post-it note” method
This can work. Just write the passwords down and save them on your computer – in an Excel file entitled “pass.” Or, even more conveniently, write them on a Post-it note and hide it under the keyboard (kind of like you do the key to your house).
The write-it-down systems seem to be the antithesis of computer automation, but sometimes old habits die hard. There are also a few problems. The note with the passwords is not readily available when you’re away from the master computer; security is, of course, questionable; and after a while the note starts to look so ragged that someone trying to hack into your computer couldn’t even use it.
The “request a new password” method
Since you’re the master of options, you’ve created yet another best way to store your password – just ask for a reset. This gets old, fast, and again, your security is only as good as the strength of the actual password, but at least you can forget about memorization. Convenience is out the door, but one out of two is not bad. Oh well…
The basics of password strategies
The truth is, we’ve never really had to deal with such a significant security/convenience quagmire. Today, everything needs to be password protected and yet accessible and conveniently so. That includes your bank accounts, your credit cards, your websites, your bills, etcetera, they all require passwords. Is there an easier way? Let’s discuss some basics first.
The password needs to be safe.
That is to say, it must be hard to crack. One of the best and most definitive resources to analyze the security of a password is ZXCVBN, an open-source tool from Dropbox. ZXCVBN displays not only the strength of the password, known as “entropy,” but also details the estimated amount of time necessary to crack the password.
For example, the passwords above would produce the following results:
- “Rb554321” – entropy – 24.506; crack time – 21 minutes
- “Rb554321!” – entropy – 28.353; crack time – 6 hours
- “Rb554321!bR” – entropy – 41.493; crack time – 6 years
The password needs to be memorable.
Okay, so the initials of my name and part of my social security number may be easy to remember, but it’s not hard to imagine that some smart hacker has already pre-populated that information before even beginning to hack my password.
But we’re still left with a big problem. We can’t possibly remember all the passwords to the 27 to 118 sites we need to access. Let alone more than 500 sites.
A proposed solution to the best way to store passwords
The answer is pretty simple. You establish two to four high-security passwords, let’s say with an entropy of 75 or higher, that you can remember, and use a password management program to develop and manage the remainder of your passwords.
Let’s break that down.
1) Establish two to four high-entropy passwords that you can memorize.
Why two to four passwords? You must, at least, create and remember the password to your computer and your password management program. Additionally, you may want to remember your Apple ID and even your DropBox or Evernote system. These would be for convenience since they open other resources you may commonly use.
If done correctly, you can develop a few super-safe and easily memorized passwords. Use a combination of upper and lower case letters, numbers, special characters and even spaces. Spaces? Yes, spaces can significantly increase the entropy of a password.
Here’s an example:
“testimony” – entropy – 11.271; crack time – instant
But, what if I use a special character “+” for the t, use some spaces, capitalize the M and use zero instead of o.
“+ e s t i M 0 n y” – entropy – 106.118; crack time – centuries
Can I remember it? Sure, it’s only nine characters.
Is it safe? If I believe the ZXCVBN algorithm, its entropy is much greater than 75 and the estimated crack time is centuries. You can always change it before then. 😉 That should be safe.
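To make the entropy and crack-time figures quoted above concrete, here is an added example (not part of the original article and not ZXCVBN itself) that scores a password the way the article describes: segments an attacker already has in a wordlist, such as dictionary words or pre-populated personal details like name initials and SSN digits, are charged almost nothing, while everything else is charged full brute-force cost for the character classes it uses. The wordlist and the 10,000 guesses-per-second rate are this example’s own assumptions; the exact numbers differ from ZXCVBN’s, but the ranking of the article’s passwords comes out the same.

```python
import math

# Constructed attacker wordlist: a few dictionary words plus the personal
# details the article's "Rb554321" is built from (name initials, last six
# SSN digits). Real lists hold millions of entries; only the list size
# changes the cost charged for a matched segment below.
ATTACKER_WORDLIST = ["password", "testimony", "letmein", "rb", "554321"]

# Assumed guess rate for the crack-time estimate (an example assumption).
GUESSES_PER_SECOND = 10_000

# Character classes and the alphabet size each adds to a brute-force search.
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (str.isspace, 1),
           (lambda c: not c.isalnum() and not c.isspace(), 33)]

def _pool_size(chars: str) -> int:
    return sum(size for test, size in CLASSES if any(test(c) for c in chars))

def estimate_bits(password: str, wordlist=ATTACKER_WORDLIST) -> float:
    """Guess-entropy in bits, simplified from zxcvbn's idea: a segment that
    matches a wordlist entry (case-insensitively) costs log2(len(wordlist))
    bits, plus one bit if it is capitalised; everything else is charged full
    brute-force cost for the character classes it uses."""
    words = sorted((w.lower() for w in wordlist), key=len, reverse=True)
    lowered, unmatched, bits, i = password.lower(), "", 0.0, 0
    while i < len(password):
        hit = next((w for w in words if lowered.startswith(w, i)), None)
        if hit is None:          # no known word here: brute-force territory
            unmatched += password[i]
            i += 1
            continue
        capitalised = any(c.isupper() for c in password[i:i + len(hit)])
        bits += math.log2(len(words)) + (1 if capitalised else 0)
        i += len(hit)
    if unmatched:
        bits += len(unmatched) * math.log2(_pool_size(unmatched))
    return bits

def crack_time_seconds(bits: float) -> float:
    """Average time to hit the password: half the keyspace at the assumed rate."""
    return 0.5 * 2 ** bits / GUESSES_PER_SECOND

def describe(seconds: float) -> str:
    """Coarse label in the article's own vocabulary."""
    buckets = [(1, "instant"), (3600, "minutes"), (86400, "hours"),
               (31_557_600, "days"), (3_155_760_000, "years")]
    return next((label for limit, label in buckets if seconds < limit), "centuries")
```

With the constructed wordlist, “Rb554321” and “testimony” score a handful of bits (instant), “Rb554321!bR” lands in the minutes range, and “+ e s t i M 0 n y” scores over 100 bits (centuries), which is the article’s point about personal information versus spaces and mixed character classes.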
You can do this.
You only need two to four passwords. Understand that some sites don’t allow spaces.
That’s not a problem. Your computer and password program do allow spaces.
Although Apple won’t allow spaces, experiment with other combinations to develop the other passwords you want to memorize.
Passwords made of random numbers, letters and special characters have the highest entropy with the fewest characters.
Password managers also have built-in password generators, some even with “pronounceable” suggestions that may help in memorization.
Additionally, LastPass has a free password generator you can explore with a pronounceable feature.
Always, however, check any password with ZXCVBN to ensure you have high entropy.
2) Use a password management program to create and manage the remainder of your passwords.
These password managers not only generate and manage your passwords but can also manage your other personal financial information such as credit card accounts, bank and brokerage accounts as well as addresses and social security numbers. In other words, they become a personal security vault, protecting your confidential information.
Where do we go from here to implementing the best way to store passwords?
Using one of the password management programs along with a few memorized and highly secure master passwords is the key to protecting your confidential information and to ensuring that everything is readily accessible to you and no one else.
You can explore other safety features such as two-factor authentication, but the best suggestion is simply to use high-entropy passwords along with a good password management program and periodically change your passwords.