My passwords all look like this:
LtyS81XYIVE9NF8IsGnn (not an actual password)
And I have a unique password for every site, router or thing I have a login to.
Sites get hacked
The reason I do this is that I know many of the sites I use have been hacked or will be hacked. Often this means hackers get a list of usernames or emails together with hashed passwords (see the section below).
Poorly secured sites often just store a list of unhashed or poorly hashed passwords. Hackers then sell your password, and on every site they hack next they will try your email and password combination. So password reuse is bad!
To see whether your email and the associated (hashed) passwords were revealed, one site publishes a list of these password dumps and lets you search for your email. It's really scary. (I personally appear on 20 of those hacked lists, but I sleep easy about it now.)
Try it at: https://haveibeenpwned.com/
Hashed passwords are passwords that have been scrambled by a one-way function. The site stores only the scrambled version of your password and doesn't know the actual password. When you log in, it scrambles the typed-in password in the same way and checks whether the scrambled versions match. It cannot unscramble your password.
However, if you use common words or phrases or other poor passwords, hackers can try thousands and thousands of candidate passwords very quickly with graphics cards and the like until one of them happens to match. So they can still get your password this way.
There are two conclusions to this:
- Choosing a strong password yourself is difficult and easy to get wrong. Hackers try 1000s of words and substitute many common letter choices. Think "l33t" spelling helps? They try the common substitutions too.
- Don't reuse passwords. If your password gets hacked in one place, it gets hacked everywhere.
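To make the hashing section above concrete, here is an added example (not from the original post, and not how any particular site does it) contrasting the "poorly hashed" storage the post warns about with salted, deliberately slow hashing. The iteration count is an assumption chosen to make each check take a noticeable fraction of a second on a server; the two sample users are constructed.

```python
import hashlib
import hmac
import os

# Fast, unsalted hashing: what the "poorly hashed" sites in the post do.
# Every user with the same password gets the same hash, so cracking one
# hash (or one precomputed table) unlocks all of them at once.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Deliberately slow, salted hashing: PBKDF2-HMAC-SHA256 with a random
# 16-byte salt.  The site stores only salt + hash and never learns the
# password itself; the high iteration count throttles GPU guessing.
ITERATIONS = 600_000  # assumption: tuned so one check costs ~0.1-0.5 s on a server

def store_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm $ iterations $ salt $ hash (all hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # Constructed sample: two users who reused the same weak password.
    alice = store_password("password123")
    bob = store_password("password123")
    print(unsalted_hash("password123") == unsalted_hash("password123"))  # True: identical hash for both
    print(alice == bob)                                                  # False: fresh salt per record
    print(verify_password("password123", alice))                         # True
    print(verify_password("Password123", alice))                         # False
```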
How to solve this.
- Let a computer generate the passwords for you.
- Use a different password for every site.
- Lastly, use two-factor authentication on your primary email as well as on bank sites where possible.
I'll explain the above below.
Using generated passwords and storing them
This covers points 1 and 2 above. There are many options for using generated passwords and storing them. I use KeePass but there are others. I believe even Chrome is starting to do this.
You can find KeePass here. It's an open-source and free application that stores your passwords in a password-protected, encrypted file. I have 100s of passwords in my KeePass and that's the only way to have a truly random and unique password for every site.
Basically you download it and create a master password to unlock KeePass. That password needs to be really good, but you only need to use it with KeePass. And that is the only one you remember.
- Once you have a password in mind create a new password database file. This is an encrypted file with
- Pick a place to save it and then you get a screen like this:
- Enter your master password.
- Click OK on Database settings (or tweak them later if you want).
- Print the password emergency sheet, write your password down and store it in a safe place. KeePass has no password reset function.
- Let me repeat that again. Print the password emergency sheet, write your password down and store it in a safe place. KeePass has no password reset function.
- Once you are done you will have example screen like this:
- To create a new password, click on a folder to create the password in that folder and then on the button with the green arrow. It will look like this:
- It has already generated a 20-character password for you; all you need to do is provide some info so you can find the password later. For example, I store my forum password like this:
- Once done it should appear in the internet folder (where I created it).
- If you need to use this password select the entry and type Ctrl+c to copy the password and paste wherever you need to fill it in.
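The 20-character password KeePass generates in the step above is strong for a measurable reason. This added example (my own code, not KeePass's generator) builds one the same way from the OS random source and compares its guessing space with a dictionary word, a "l33t"-substituted word, and a short random string. The guessing rate is an assumed illustrative figure, not a measurement.

```python
import math
import secrets
import string

# Same alphabet as the sample password in the post: upper, lower, digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits

def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Pick every character with the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def substitution_bits(word_list_size: int, variants_per_word: int) -> float:
    """A dictionary word plus "l33t" variants: the variants only add log2(variants) bits."""
    return math.log2(word_list_size) + math.log2(variants_per_word)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    pw = generate_password()
    print(pw, len(pw))
    rate = 1e10  # assumption: guesses per second for one GPU rig against a fast hash
    cases = [
        ("one word from a 100k-word list", math.log2(100_000)),
        ("same word with 1000 l33t variants", substitution_bits(100_000, 1000)),
        ("8 random lowercase letters", entropy_bits(8, 26)),
        ("generated 20-char password", entropy_bits(20, 62)),
    ]
    for label, bits in cases:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
```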
If you are happy that your browser remembers your password, that's also fine (assuming nobody who shouldn't is using your PC). I don't let my browser remember my email password or my banking passwords, for example. But others I do (and I still generated them using KeePass).
You can copy the file to other computers and even sync it between them, etc. There is also a mobile version.
There are others. People can add them here.
Two-factor authentication (2FA)
It is important to use two-factor authentication on your main email, especially since other services often use email as a way to reset your password. So if your email is hacked, pretty much all your services could be hacked.
I won't describe it here, but I'll point to Google's explanation of how to use it. The best form of 2FA is app based, not SMS based. People clone phones to intercept SMS-based authentication codes. Even though some banks use it, it's not recommended practice.
Get the Google Authenticator app and use it. Microsoft also has one. When they say write down your codes, please do so, as there should not be an easy "I lost my phone" solution for these 2FA solutions.
This post is like a wiki. Anyone can edit to improve or add stuff.