Passwords are widely used today for restricting access to information, and almost everyone has more than one password to remember. That is where the problem often starts: managing passwords can become very hard for pretty much anyone, and losing a password may lead to even bigger problems. Storing passwords securely is an important aspect of any professional field and of personal use. System administrators, IT specialists, bank officers and anyone else who works with critical information or has to restrict access to data are dealing with passwords. Following basic rules for using and storing passwords is essential for anyone who wants to keep information private. A lot of people think that their home computers will never become a target for bad guys. This is not true! Anyone can become a victim of data theft if they are careless.
The main problem for users is remembering all their passwords, since almost everyone has a dozen of them. Some people use a single password for everything, some use variations that still look alike, some set their birth date or pet's name, and some store passwords in plain text.
How can you make sure none of your passwords is available to a third party, and especially to cyber criminals? Below are some tips and advice to avoid such issues. So why exactly are these rules worth following? In some cases, restoring information can be very expensive. Losing access to personal user data may lead to even greater losses. Insecurely restricted access to mission-critical areas (that people's lives depend on) means potentially irreparable damage, immense expenses and reputation loss.
It's quite obvious and easily implemented: choose secure passwords. Still, this is a common problem, even among people who are smart enough to understand that you can't be light-minded when it comes to security. By far the most obvious and popular choices are the "123456" and "qwerty" combos. It's a no-brainer that such passwords can be easily figured out. The most widespread type of password attack is brute force, where guessing attempts are made using a dictionary for the victim's language. A dictionary here is simply a list of the most commonly used words.
Another case is setting your pet's name or your mother's (maiden) name instead of a strong password. Such details are easy to obtain through social engineering: criminals search for exactly this kind of information and then use it to access private data.
So, what is a strong password and how do you make one? Below are some rules:
Another piece of advice mostly applies to IT pros but can come in handy for anyone. If a new device or program uses a standard default password such as "1234", change it before you use it for the first time. This very often becomes a problem: cyber criminals exploit such negligence and successfully break into systems, since default passwords are printed in device manuals.
As we've noted above, a lot of people use a single password for everything. This is an open invitation to data theft. Remember the rule: use a unique password for every password-protected asset. Those who fail to follow this rule will almost certainly face problems someday. Someone who successfully steals a password once can then try it with other services you use, and if it works, the owner's problems multiply. At first you may only lose access to unimportant information, but next you may have your personal email inbox or even your office computer hacked. Simply put, never use the same (or a similar) password more than once.
This advice mostly applies to IT specialists, yet some of them still face such problems.
There are ways to mitigate this type of attack, so if a system administrator can enable such features, they should. The idea behind this protection is that the number and frequency of password attempts are limited. After a series of unsuccessful logins, the system asks you to wait for some time before the next try. In some cases, the system blocks the user account; access can then only be restored by reliably confirming the account owner's identity.
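The limiting scheme described above, as an added illustration that is not from the original article: a few free attempts, then a wait that doubles with each further failure, then a hard lockout that only an identity check clears. The `LoginThrottle` class, its thresholds and the account name "alice" used in the comments are assumptions for this example.

```python
from collections import defaultdict


class LoginThrottle:
    """Per-account failure tracking: a few free tries, then a wait that doubles
    with every further failure, then a hard lockout that only an out-of-band
    identity check (unlock) can clear. Times are seconds, passed in by the caller."""

    def __init__(self, free_attempts=3, base_delay=5, lockout_after=10):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.lockout_after = lockout_after
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.not_before = defaultdict(float)  # account -> earliest allowed next attempt
        self.locked = set()

    def check(self, account, now):
        """Call before verifying the password. Returns (allowed, seconds_to_wait);
        a wait of None means the account is locked and will not recover by itself."""
        if account in self.locked:
            return False, None
        wait = self.not_before[account] - now
        return (True, 0) if wait <= 0 else (False, wait)

    def record(self, account, success, now):
        """Call after verifying the password, whatever the outcome."""
        if success:
            self.failures[account] = 0
            self.not_before[account] = 0.0
            return
        n = self.failures[account] + 1
        self.failures[account] = n
        if n >= self.lockout_after:
            self.locked.add(account)
        elif n >= self.free_attempts:
            # 3rd failure waits base_delay; each further failure doubles the wait.
            self.not_before[account] = now + self.base_delay * 2 ** (n - self.free_attempts)

    def unlock(self, account):
        """Reset after the owner's identity has been reliably confirmed."""
        self.locked.discard(account)
        self.failures[account] = 0
        self.not_before[account] = 0.0
```

With the defaults, "alice" gets two free failures, waits 5 s after the third, 10 s after the fourth, and is locked after the tenth.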
Sometimes weak and reused passwords are not the main problem. Even if you have a strong and unique password, there are always ways to steal it. The idea behind these techniques is to capture the password over an unsecured connection: it could be a website without SSL or a fake web page that looks like the original. Simply put, the technical means that grant access are not secure enough. To avoid unsecured connections, check the status icon in your web browser (normally located to the left of the website address). In most cases, a green icon appears for HTTPS connections. It is also wise to enable secure connections whenever possible and to set up the "HTTPS Everywhere" extension for your web browser. Another measure is to avoid entering passwords over open networks (such as public WiFi) and to use a VPN connection when accessing vital information.
Another problem, similar to the one above, is phishing attacks. The idea behind this technique is to send the user to a fake web page which looks very much like the original. The domain name may look the same at first glance, but a closer inspection will show a difference (it could be "mai1" instead of "mail", another domain suffix, etc.). Sometimes the domain name appears exactly correct, yet the web page is still a fake (while looking exactly like the original). In that case there may be a problem with the network or with the local hosts file. Again, make sure that the connection is trusted and that nobody has tampered with your PC or your network settings.
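A small check for the look-alike patterns just described ("mai1" for "mail", another suffix, the real name buried in a longer hostname), added here as an example and not part of the original article. The confusable-character table, the `classify` function and the trusted host names are all constructed for this example.

```python
# Visually confusable characters mapped onto the letter they imitate
# (a constructed, deliberately small table; Unicode's confusables list is far larger).
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "|": "l", "!": "i", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
})


def skeleton(host: str) -> str:
    """Collapse a hostname onto the spelling it is trying to look like."""
    host = host.lower().rstrip(".")
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify(host: str, trusted_hosts) -> str:
    """'trusted' for an exact match, 'lookalike' for an impersonation, else 'unknown'.

    Three impersonation patterns from the article are checked: character swaps
    (mai1 for mail), a different suffix (.net for .com) and the genuine name used
    as a subdomain of an attacker-controlled host (mail.example.com.evil.test).
    """
    trusted = {t.lower().rstrip(".") for t in trusted_hosts}
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted"
    sk = skeleton(host)
    for t in trusted:
        tsk = skeleton(t)
        if sk == tsk or sk.startswith(tsk + "."):
            return "lookalike"
        # Same name under another suffix. The split is on the last label only, so
        # multi-label suffixes such as co.uk would need a public suffix list.
        if "." in sk and "." in tsk and sk.rsplit(".", 1)[0] == tsk.rsplit(".", 1)[0]:
            return "lookalike"
    return "unknown"
```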
Another way of stealing passwords is sending emails to users asking them to log in with their password. Hence the rule: do not enter your password if you feel you shouldn't be asked to log in. Also, do not tell your passwords to anyone.
Another way of stealing a password is to intercept the user's input from the keyboard (or another input device). To do this, the cyber criminal has to install a program called a keylogger on the victim's computer. The program then records all key presses and sends them to the bad guy.
Protecting yourself against this kind of attack has already been described in the article Staying Safe on the Internet. The main idea is to be very careful about opening suspicious URLs and installing unwanted software, especially when asked to by a stranger. It is also highly recommended to regularly update software and install system updates, especially security fixes; it is therefore advisable to enable automatic installation of updates.
Two-factor authentication provides an extra layer of security by introducing an additional step before the user gets access to the information. It is advisable to use this technique to restrict access to services with sensitive data, such as personal email accounts or social networks. Bank accounts typically have this technique enabled by default, providing more secure access.
During two-factor authentication, after entering the password the user is asked to supply a temporary code. This code may be emailed to a personal mailbox or texted to a phone number. Some apps even work only with temporary one-time passwords sent to the user's phone number (e.g., Telegram Messenger).
Setting expiration dates for passwords is an accepted practice among system administrators. For example, a password works only for 6 months, and then the user must change it. So why shouldn't regular users sometimes make use of this practice? Just change passwords every year, for example. This could apply to the most important services, such as bank accounts, social networks, personal email boxes, etc.
Very often users store passwords the wrong way. Passwords get pinned to the monitor, written down in paper notebooks or day planners, or typed into plain text files. Sometimes users restrict access to such files, but plain text is still not the right format. How do you store passwords securely if you can't remember them all? The answer is pretty simple: use password managers. They are intuitive and don't require specialist knowledge. Below is a list of some tools and techniques for storing passwords securely.
There are plenty of tools for storing passwords, with different features. Below are some of them, but of course there are many more out there. There are different approaches to password storage, including in-browser storage and third-party tools, offline or online. The latter are mostly cloud-based services that store passwords online and make them available to you through the Internet. Offline tools may also offer online syncing via third-party services such as WebDAV or Dropbox. There are pros and cons to both ways. The main idea is to use and remember only one master password and store all the others in a database, which eliminates the need to remember them all.
The most familiar and readily available way of storing passwords is in-browser storage. The browser saves passwords only for those web pages where they were entered. To secure the storage, such programs require a master password. All saved passwords are encrypted and not stored in plain text, of course; plain text would be easily harvested by malware. The advantage of this approach is that it is readily available to any web browser user, and most browsers do offer such functionality. The main advice here: always use a strong master password.
Some web browsers provide cloud sync functionality for synchronizing passwords between devices. The passwords are then stored in user accounts located on the browser developer's servers.
KeePass is a popular tool for storing passwords offline. All passwords are kept in a database which is encrypted with strong algorithms and protected with a password and a key file. The key file is optional, but it provides an additional layer of security. The database can be stored locally on any device, on a USB flash drive, or online. The owner alone is responsible for hosting the database file and maintaining its availability and security. The tool does not natively provide a password auto-fill feature, but it offers auto-type. Web browser integration and auto-fill are provided by third-party tools.
KeePass is officially available for Windows only, in two versions. The main difference between them is the database format (a comparison of both versions: http://keepass.info/compare.html). Unofficial versions are available for Mac OS X, Linux, Android, iOS, BlackBerry, Windows Mobile & Windows Phone, J2ME, the command line and so on.
KeePass is a free and open source project; the official website is at http://keepass.info/
1Password is yet another tool for storing passwords. It provides an installer with cloud synchronization, and browser integration for auto-filling passwords is provided as well. The native program stores passwords in a file. This tool is available for Windows, Android, Mac OS X and iOS. Synchronization is done using Dropbox (any platform) or iCloud (Mac OS X only).
1Password is paid software, available on the company's website at https://agilebits.com/onepassword
As the name implies, the master password for this service is the very last and only password you need to remember. LastPass is a cloud-based password manager that implements many of the ideas of KeePass and 1Password, though it works in a somewhat different way. It is available as a browser extension or as a standalone Windows or OS X application.
The advantage of LastPass's approach is that all your passwords are stored online, so you can access them from anywhere. The main downside is that everything is stored online, so the password owner has no direct control over it. Therefore, if anyone hacks the company's servers, all the passwords of all the clients are compromised. The integrity and security of the passwords is the responsibility of the company that owns the service, so it's up to the user to decide whether to trust that company or not.
The service is freemium: free for anyone, with optional paid features. An enterprise version is provided for companies. The official website is at https://lastpass.com/