PSA: Password Security tips from Chris

This is a bit of a weird subject and post here on the Keto Chow blog, but the subject comes up frequently enough during our live streams that I decided it would be wise to put together something written to refer people over to when it comes up next time =)

There are a few fundamentals for passwords that everyone needs to learn and practice:

1. Do not use the same password on multiple sites.
2. Using a longer group of random words is FAR better as a password than using a single word with numbers replacing letters at predictable places.
3. Use 2 factor authentication (2FA) whenever you can.
4. ANY 2FA is better than no 2FA
5. A good password manager is your friend. Create a good pass phrase to unlock the manager and let it create secure passwords you don’t have to remember.

1. Re-using Passwords is a really, really, bad idea

Let’s assume that you’re like most people and you don’t like having to remember a password for every website that requires authentication.

Welcome to being human! Like most humans, maybe you come up with a cool password that you like to use for just about any time you get asked for a password. You use it for your Costco account, for your Lowes rewards account, your old alumni email account that you rarely check, and for about a hundred other websites.

Everything is fine. Until it isn’t.

On a weekly basis, some random website will be compromised and the usernames and passwords for that site will get stolen. OK, does it matter that someone can log in as you to a RUSH Fanclub forum? Probably not.

The problem arises if you used the same password on a more important site: like your bank, your email, or your cell phone account.

If you used that very same password on a few dozen sites you can be almost certain that “not very nice people” will be attempting to use the passwords and email usernames they stole to log into OTHER sites using automatic tools that can test hundreds or thousands of combinations a second.

Fun fact: someone used up $150 in Sams-Club cash on our account because we re-used a password. Physician, heal thy self!

So: you need to not use the same password twice, don’t be like we were!

2. For passwords you need to memorize, generate one that is easy for you to remember but difficult for a computer to guess.

How would computers guess a password? Brute force. Think of it like a combination lock: to open the lock you to either know the 3 number combination or you have to try every possible combination and see what opens the lock.

For a human, trying all those combinations is pretty time-consuming with spinning a dial taking actual time and effort.

For a software program, it can virtually try combinations at insane speeds, sometimes millions of times a second. If you use an 11 character password like “Tr0ub4dor&3” with numbers and special characters, it might take a computer 3 days to guess your password. 4 random English words that are easy to memorize, on the other hand, would take 550 years for the computer to break.

And for the arm-chair security researchers like me: Yes, I’m ignoring the discussion of rainbow tables and salting. Let’s just get people the basics they need to know =P

You can see this concept taken to the extreme with recent cryptocurrency wallets which use 12 or 24 random words as their passphrases. It’s not the sort of thing most people could memorize, but it is far easier to type in without needing 15 tries!

I always recommend that people go to one of the many “XKCD Password Generator” sites, hit the generate button a few times to get a combination of words that they like, and print out the page for future reference.

If you REALLY want some fun, throw in some extra punctuation or numbers or take out or remove spaces. Just make it something that is easy to remember and ONLY USE THIS PASSWORD IN ONE PLACE. If you need another high-security password, come back and make another one.

3. Multiple Factor Authentication: aka 2FA

In most classes about security, they teach about the 3 main kinds of authentication:

• Something you know. Like a password or a lock combination, it’s something you have memorized and could share with someone.
• Something you have. Like a key that fits into a lock, a device that makes special codes, or a special USB device that unlocks stuff.
• Something you are. Also known as biometrics, this is fingerprints, retina scans, all that.

When you only use one type of authentication, it can easily be broken into or compromised. When you are required to use 2 Factor Authentication, it becomes increasingly difficult for someone to break into your accounts. Imagine a door that requires a key and a combination or a fingerprint scan.

2 Factor Authentication (2FA) is a bit of a hassle: If properly configured, every time you go to access an account you’re going to get asked for one, or BOTH, of the factors.

Is getting asked for a 6 number code every time you try to log in to your bank a pain? Absolutely… Until someone steals your password and can’t drain your account because they couldn’t get past the extra requirement, then it seems like it’s quite worthwhile.

The joke is that there are 2 kinds of people: those that have lost a hard drive of data, and those that are GOING to lose a hard drive of data. The same can be said about getting your accounts broken into.

If you have the option to use 2FA, USE IT. Period.

4. What kind of 2 Factor Authentication is best? (any!)

This one is easy: compared to just a password, ANY 2FA is the best 2FA. Use whatever is available but here are my personal recommendations in order of worst to best.

Email code

Only really suitable if your email account is ALSO protected by strong security and 2FA.

Text message code

You go to log into a web site and it sends you a text with a code. It’s pretty easy to use, doesn’t seem like a big deal and is (again) WAY BETTER than just a password. Be aware that it is possible for bad people to steal your cell service and grab text message codes, so this isn’t the best option if others are available.

Code generator app

I recommend using Authy or a code generator built into a password management program. These code generators give you a new 6 digit code every 60 seconds, usually on your phone. Authy is nice because it can run on multiple devices and you don’t have to reset everything if you get a new phone (like Google Authenticator requires and it sucks).

Hardware key

These look like a USB flash drive and are kindof the ultimate in security. Personally I use a YubiKey as it was the best option at the time, the Google Titan key is pretty awesome and what I would buy currently.

Some services allow you to have multiple 2FA methods. For example, you can configure Facebook or Google to ask for a hardware key but also allow a code generator or it will have you open your phone and click the giant “ALLOW” button.

Also in most cases, when you configure 2FA you will get a list of backup codes that can be used if you ever can’t get to your 2FA. Store these in a password manager!

5. Use a password manager program/app, they’re worth it!

OK, so you know how to make a secure password that’s easy for you and hard for a computer. You know what 2FA is. You know not to re-use passwords.

Let’s bring this all together for the final piece: using a password manager. Password managers are a bit like the equivalent of having a spreadsheet with all the usernames and passwords you need to remember but with WAY more functionality.

A typical password manager will let you securely store logins (and more), will generate unique high-security passwords for each website, some generate 2FA codes, and allow use on multiple devices (phones, desktop browsers, tablets, etc…).

You can set up your password manager using one of the 4-word XKCD passwords from above that you memorize and you don’t need to memorize any other passwords! If any single website gets passwords stolen, you don’t have to worry about them getting any of your other accounts. Some managers even scan for password leaks and warn you if there’s a potential problem.

Let’s look at some of the password manager options available, and I’ll tell you how I use the one I like the best.

KeePass (free!)

Up until recently, this is what we all used at the Bair house, because it’s free =) It does lack some of the nicer features available in paid offerings and is more technical to set up and maintain, but it’s free!

You can create a password database and keep it on one computer, or store the database on a service like OneDrive, DropBox, or Google Drive, and access it from multiple devices. That means you have to be able to log into that service before you can get to your database.

The password database is encrypted with a password, or a password plus a key file for 2FA extra security. Support for mobile devices is available via various apps and there are browser plugins that let you use it with those also. There is no support for 2FA codes so you have to use Authy or a similar app.

1Password ($3/mo for 1 person, $5/mo for a family of 5 and $1 more for additional users)

This is what I currently use for my password manager. We have the family plan with 8 total people on it. Got elderly parents that could REALLY use some better security? add them to your family plan! 1Password supports 2FA and will auto-fill the codes for you (SUPER convenient!).

You can share passwords with other people in your family/group (“hey Dad, I need the Netflix password”). There are Android and iOS apps along with browser extensions so it’ll work on just about everything. Switching all the kids from KeePass to 1Password was really easy.

Of the different options I looked into, this one checked all the boxes for our family’s situation so it’s what we’re using. I like that I can also store identities with addresses for auto-fill, along with credit card payment methods, and other sensitive information.

LastPass (free for 1 device, $3/mo for one user on multiple devices)

There’s a Family plan for $4/mo but it’s limited to 6 users and no way to add more users unless you get a business account for $4/mo per user. LastPass supports 2FA like 1Password, so no additional 2FA app is needed. The free plan only works with a single device so you could not use it on a web browser and a phone, or on 2 web browsers on different computers. It’s a solid offering.

NordPass (free – $1.49/mo)

The family plan only allows 6 users so I didn’t research it a bunch. Seems comparable to LastPass and likely a good option if you’re already using NordVPN (which I’m NOT going to go down the rabbit hole of the validity of needing a VPN – Tom Scott did a great job discussing it)

Bitwarden (free – $10/year)

This one is a bit like KeePass in that you can use the software with your own storage (like Google Drive or DropBox) to store a database for free, or you can pay $10/year to have them host it and get 2FA and other features.

Dropbox Passwords (free with most paid DropBox plans).

I haven’t looked into this one very much so I don’t know a lot other than it exists. Seems OK but rather basic in functionality.

My personal setup for password security

1. The whole family is set up with 1Password accounts as a password manager with the Android app on their phones and the Chrome extension on the desktop.
2. Everyone uses an XKCD style long password to get into their 1Password account.
3. We also use a different XKCD style long password for our Google accounts, mostly because that’s the sort of password you have to enter when you are first setting up a new device and it’s pretty hard to get 1Password running BEFORE logging in to Google/Apple and I like typing something like “spoken electric give situation” more than something like “4y3dXie?n_F*tfg8kRW%” (neither of those are actually being used)
4. If an account supports 2FA via a code generator, I use that feature in 1Password – there’s even a “capture the setup QR Code via screenshot” feature that makes it really easy to get set up.
5. If a service additionally supports my physical USB key, I’ll configure that too.
6. I have to unlock 1Password using the long password if a device has been idle or restarted, otherwise I can just use a fingerprint scan to unlock it and it will auto fill passwords.