Introduction

I have a talk for seasonal work coming up that I need to relate back to tech for the average user. One thing I always mention is how most password policies are broken and causes most people to have bad habits. I’ll be writing this post in a Q&A style to help explain to others what we’ll be covering.

Why should I care about my passwords?

Most don’t care about the password they use for sites. You’ll be required for it to include a special character, number, or capital letter. This way it’s harder to guess and less likely to be compromised. But everyone has a story about how they know someone that got hacked, but don’t think it could every happen to them.

I use a strong password, why would I be worried?

Password complexity is good, but often people will take shortcuts that will undermine them. This xkcd comic about password strength summarizes it best. Most do the minimum requirements, which makes a password that’s easier to crack, and harder for you to remember, so you’re more likely keep it an unsafe way.

But what if I reuse the same password so I only have to remember one?

Password reuse is how most people get pwned. Even if your password is so secure it’d take billions of years to crack, if only one site that you use it on get’s hacked, now all of the sites you use it on are hacked.

How do I know if my password has been leaked?

You can search on have i been pwned? to see if your password, email, or phone number has been involved in any leak. Firefox Monitor also does the same by actively monitoring leaks for any email you provide.

Isn’t remembering a lot of passwords hard?

It can be simplified with a few tools. There are a few xkcd inspired password generators but I think they’re either too simple or too complex. The best in-between I’ve found is Dinopass’s strong password option. It breaks up dictionary words with simple non-alphanumeric characters, and you can add on as needed.

To keep track of all your new passwords, use a password manger like Bitwarden (recommended) or LastPass (not recommended).

Does changing my password help?

NIST’s current guidance states that length is better than complexity, and changing often doesn’t help much. As mentioned before, when inconvenienced most will take shortcuts, and either use a weak passwords, or just start reusing them again.

I have a bunch of passwords, can’t they still get hacked?

Use multi-factor authentication, either SMS texts/emails, or apps like Google Authenticator or Duo. Remember that you’ll need a way recover an account in case you lose your authenticator, usually single use codes or recovery questions. Now if any of your passwords are leaked, even if someone has them, they’d still need access your secondary authenticator.

Potpourri, Speculation, and Well Actually’s

  • SMS two-factor authentication isn’t 100% secure
    • Yes, SIM-swapping attacks have become easier, but they’re targeted, and having any 2FA is more secure than not having any. If SMS 2FA is all that a service offers, I’d recommend it.
  • A random password generator is more secure than a “horse-battery-staple” since it’d be larger
    • First, most RNG made by computers is Pseudorandom unless explicitly stated. A random string can have more permutations since it’s the [character set] ^ length. But a “horse-battery-staple” password would be [every english word] ^ [number of words]. The first set probably has more permutation, but that’s by millions when we’re already in the order of billions. You can strengthen any “horse-batter-staple” password by including a extra special character to break up dictionary word. Also passwords are meant to be typed, so when you enter it manually, “horse-battery-staple” is a lot easier than “random string”.

Anything else?

If you need to make an online account but aren’t sure about your own (or their) commitment, try using a throw away email like temp-mail. Or if you want something more permanent mail.com is a great option too.

Make sure that when you advocate for someone to use unique passwords and a password manager, understand that most people don’t think or worry about being hacked, so focusing on keeping things simple to make their adoption easier.