Latin name of an extinct mammal

Although it's common knowledge, let's reiterate that a password should be a string made up of upper and lower case letters, numbers and special characters (such as !,.><*?). When creating a password, we should avoid predictable positions, such as a capital letter at the beginning of the password and numbers at the end. Why? It makes the hacker's job easier: predictable positions shrink the number of combinations that a password-cracking program has to try. What to do? Especially for passwords that we consider really important, we should show a certain amount of creativity. This doesn't mean that we have to create nonsensical strings that resemble the Latin name of an extinct mammal and are hard to remember. The key is so-called passphrases. Let's show you how to use them.

How to create a passphrase

As their name suggests, passphrases are built from a phrase. To give you an idea, we've chosen a historical curiosity: Buckingham Palace was built in the first half of the 18th century. We then work with this phrase as a base. We can shorten the words according to a key we choose, for example by taking the first two letters of each word and leaving out the conjunctions. In our case, the password will look like this: 'BuPaWaBuFiHa18.Ct'. This password contains not only a combination of upper and lower case letters and numbers, but also a special character in the form of a period. Despite its length of 17 characters, it is easy to remember thanks to the key we created. With a little creativity it's a piece of cake, don't you agree?
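The two ideas above, a codified shortening key and the effect of predictable positions on the search space, as an added Python example (not code from the article). The key here is a stricter variant of the article's: first two letters of each word, articles and short prepositions dropped, digits kept, the sentence's final punctuation kept. Because the article's own key was applied by hand (it shortened "century" to "Ct" and placed the period after the number), the generated password differs slightly from the one in the text. The stop-word list and the 32-symbol count for special characters are assumptions.

```python
import math
import re
import string

# Assumption: the article's key drops "conjunctions"; this codified variant
# drops articles and short prepositions/conjunctions but keeps verbs like "was".
STOP_WORDS = {"a", "an", "the", "in", "of", "on", "at", "to", "and", "or", "but"}


def passphrase_from_sentence(sentence: str, letters: int = 2) -> str:
    """Derive a password from a memorable sentence.

    Key: take the first `letters` letters of each word (first upper, rest lower);
    for a word containing digits keep only the digits; skip stop words;
    keep the sentence's final punctuation mark if there is one.
    """
    parts = []
    for tok in re.findall(r"[A-Za-z0-9]+", sentence):
        if any(ch.isdigit() for ch in tok):
            parts.append("".join(ch for ch in tok if ch.isdigit()))
        elif tok.lower() not in STOP_WORDS:
            parts.append(tok[:letters].capitalize())
    tail = sentence.strip()[-1:]
    if tail and tail in string.punctuation:   # guard: empty sentence has no tail
        parts.append(tail)
    return "".join(parts)


def character_classes(pw: str) -> dict:
    """Which of the four character classes the password actually contains."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def search_space_bits(pattern: str) -> float:
    """Bits of work a brute-force search needs for a positional pattern.

    Pattern letters: 'l' lowercase (26), 'u' uppercase (26), 'd' digit (10),
    's' symbol (32, an assumption), 'x' any character of the four classes (94).
    A fixed pattern like "ullllllldd" (capital first, two digits last) is far
    cheaper to search than ten unconstrained positions.
    """
    sizes = {"l": 26, "u": 26, "d": 10, "s": 32, "x": 94}
    total = 1
    for p in pattern:
        total *= sizes[p]
    return math.log2(total)


if __name__ == "__main__":
    sentence = "Buckingham Palace was built in the first half of the 18th century."
    pw = passphrase_from_sentence(sentence)
    print(pw, len(pw), character_classes(pw))
    print("predictable 10-char pattern:", round(search_space_bits("ullllllldd"), 1), "bits")
    print("unconstrained 10 chars:     ", round(search_space_bits("x" * 10), 1), "bits")
```

The generated password is `BuPaWaBuFiHa18Ce.`, again 17 characters with all four classes present. The last two lines show why the article warns against predictable positions: the "capital first, digits last" pattern costs an attacker roughly 44 bits of work, while ten fully unconstrained characters cost about 65.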

Why you should treat your passwords like underwear

Now that you know how to create memorable passwords using phrases, let's take a closer look at how to care for them. Our advice is: "Treat your passwords like underwear." What does this mean in practice? We don't lend them to anyone. They are our private information that we should never share with anyone. You may think this is absurd, but many users who have been the victim of vishing, i.e. manipulation over the phone that tricks the victim into handing over their login credentials, would tell you otherwise. We should also change our passwords regularly. The frequency is primarily based on the importance of the service they protect. An occasional change is also useful in the event of a credential leak on the service's side. Simple and frequently reused passwords are at particular risk, above all in combination with poor security on the service side. By using the Have I Been Pwned website, you can find out if any of your login credentials were part of such a leak. Simply enter your email. And what do you do if a service has leaked your login credentials? First of all, don't panic. It might not mean anything. But to be on the safe side, you might want to change your password for the services that were part of the leak. By the same token, you shouldn't use the same password for multiple services.

How to reinforce your password

Technology is moving forward at a rapid pace and manipulation (or social engineering) techniques are becoming more sophisticated. It is therefore worth not relying on passwords alone, but also setting up two-factor authentication. This acts as an emergency brake in case a stranger gets hold of our password. We are most familiar with two-factor authentication from online banking, where it takes the form of a text message or an in-app confirmation. Two-factor authentication can also be set up for other services, such as email or social media. If you're used to authenticating with an app, the most common ones are Microsoft Authenticator and Google Authenticator. Don't worry, two-factor authentication doesn't necessarily mean you'll have to copy a code from the app with every login. Many services only require the second factor when they record a login attempt from a device other than the one you normally use or from a location you're not normally in.

Useful helpers for password management

If you're a fan of the "remember password" feature in your web browser, beware. From a security point of view, it's better to use a dedicated password manager, which is software that can generate, store and fill in access credentials. That way you keep all that information in an encrypted vault and only need one master password to open it. There are a number of password managers out there. Some of the well-known ones include KeePass and Bitwarden. Both are open source solutions, meaning that their program code is publicly known and developed by a community of programmers. The advantage of KeePass is that it keeps the vault in a local file and works entirely without Internet access, which some consider the more secure option. In contrast, Bitwarden has a more polished user interface and more features that advanced users will appreciate. Both are available in a basic version for free for an unlimited time.

Conclusion

Passwords are an important element of protecting our data and finances. As such, they deserve proper attention and care. Learning a few basic rules for creating and handling passwords means not only more security, but often more convenience. To avoid having to rely solely on passwords, it's a good idea to also choose one of the two-factor authentication methods and set it up wherever possible. If for no other reason, then for the critical case in which one of the services you use (unknowingly or not) leaks login credentials and puts your accounts at risk.

Background illustration by andranik123


This piece was published in partnership with VIA Association