January 24, 2021

1538 words 8 mins read

Use a Password Manager

Use a Password Manager

If you are anything like me you have a lot of accounts to keep track of. Email. Social Media. Finance. Work. The list is endless. Each of these accounts all do different things. But despite those differences they all share one thing, you want to keep them secure. You want to make sure that only you have access to these accounts.

Typically the best way to secure your account is to make sure that you have a good password. Ideally across your different accounts your passwords should be:

  1. NOT password12345 (or any other of the most common passwords )
  2. Different for each account
  3. A decent length (at least 8 characters long)
  4. Complicated (using lowercase, uppercase, numbers, and special characters)
  5. Bonus: Random

But following these recommendations poses a problem. If you have so many accounts and each account needs to have a different complicated password, how do you remember them all? This is where a password manager becomes very helpful.

What is a password manager?

As the name suggests, a password manager is a software or service that keeps track of your passwords for you. It accomplishes this by helping you document what your password is for each individual account. And it keeps these records in a secure manner behind a “master password”.

A password manager allows you to maintain complex, random, and different passwords for each of your accounts without fear of ever forgetting what those passwords are. And all you have to remember is the master password that you need to access the manager.

Another way of thinking about it is that your account passwords are your “treasure”. They are precious and should only be accessible to you. Your master password is the “key” that you use to unlock the chest to get to the treasure. Only you know the key, so only you can access your passwords.

Screenshot example of LastPass

Here’s an example. Let’s say that you have taken the plunge and adopted a policy of using a password manager. Each of your account passwords is now a 16-character long string of random characters, all of them are different. And you want to log into your Reddit account. In order to get your Reddit password you open up your password manager and type in the master password (the one password you need to remember!). You look for your Reddit password and simply copy-paste it into the login page. And you’re done!

Why use a password manager?

Because it is secure. The strength of a password manager is that it allows you to use different random passwords for each of your accounts. In doing so you are able to quarantine an account if the password for that specific account is compromised.

Let’s assume that you use the same password for all of your accounts (which you really shouldn’t!). You use P@55w0rd for everything. Facebook, Twitter, GMail, Bank Accounts, etc. And then Facebook gets hacked or they made a mistake and left passwords unencrypted (which has happened ). Now your password to not only Facebook is compromised, but all your other accounts as well.

But if you used different passwords for each of your accounts, at the very least your problems would only be limited to Facebook.

But all my passwords are different! I have a formula!

Yes, password formulas are a trick to make different passwords easier to remember. But as experience has shown us they are not particularly adept at fending off would-be hackers .

I can just write down all my different passwords in a notebook

You could. But then the longevity of your passwords would only be as good as how well you can take care (and not lose) that notebook. Not to mention that your security is only as good as how well you can keep that notebook hidden from prying eyes or a stray photo camera. Not to mention the inconvenience of having to (1) carry that notebook wherever you go and (2) visually copy a hand-written password on a notebook to a computer each time.

A password manager is ideal because while the manager itself is accessible on a computer, it is locked by your master password (which only you should know). And that it can be accessible so long as you have your computer or phone.

And if you have a complex enough password it can become nigh-impossible for a hacker to ever access your account. Modern cryptography (the study of securing information) has reached a point wherein the tools used to protect passwords are close to unbreakable. When trying to “hack” an account, criminals (bad actors) no longer target the software, but instead engage in activities such as social engineering or phishing. If someone wants to hack into your account their best means of accomplishing this would be to either trick you into revealing your password or trying to guess it outright.

How secure are complicated passwords?

A password is only as secure as the number of times it would take to guess it. If a bad actor wanted to gain access to your account via your password and they were unsuccessful in tricking you into revealing it, then their only recourse would be to try and “brute force” their way into your account. Randomly guessing different passwords until they found the right one.

Brute force tactics are made possible by high-speed computers. A modern desktop computer is capable of guessing 588,235 passwords per second 1. Bad actors could also string together a network of thousands of computers to work on a single job to increase efficiency. They could for example create a botnet of 100,000 computers to increase the number of guesses by that multiple to 58.8 billion guesses a second.

A password is only able to hold off such a brute force attack if it is sufficiently complex. There are two factors that go into a password’s complexity, its length and the character set used. A password’s length determines how many characters make up the password. While the character set determines how varied those characters are. Different character sets can range from the inclusion of lowercase characters abcde, to uppercase characters ABCDE, numbers 012345, to special symbols !@#$%^.

Mathematically the number of possible password combinations for a given length and number of available characters is: $$ combinations = {x^{y}} $$

where: $$ x = \text{number of possible characters} $$ $$ y = \text{length of the password} $$

So for example if you were to have a simple password that was 9 characters long and only consisted of numbers (0-9), you would have a password that could have close to 1 billion different possible combinations ($ 10^9 $). A simple computer given enough guesses could find that password in 15 minutes2.

Whereas if you had a more complex password that was 12 characters long and included numbers, symbols, uppercase, and lowercase characters (62 possible characters), that password would have 3 sextillion possible combinations ($ 62^{12} $). A simple computer would take well over 86 million years3 to guess that password. A supercomputer bot-net would take 869 years4.

For more details on the math, check out this write-up from a user on Quora. As well as this blog post .

So what does this mean for me?

Use a password manager. It is costly enough to lose an account because it has been compromised. It would be catastrophic if all of your other accounts were lost as well because they shared a common password. There is no reason why you shouldn’t at least consider using some form of password manager. In fact, here is a list of password managers you could consider.

There is a fair mix of online and offline password managers here, as well as free vs. paid.

Which password manager do I use?

The option I have been using for the last 2 years has been KeePass . It is a free open source password manager. It works by storing all of my passwords on an encrypted file that I can save on my computer. You need to install the KeePass program into your computer, but after that it works completely offline. All data is stored on my computer and is not stored on any other external third-party databases.

For added convenience I save my encrypted KeePass file on my file server so I can easily access it across my different devices. While KeePass does take some getting used-to, I can highly recommend it. I can’t imagine how I would handle my plethora of passwords without it.

Bonus: Whenever you have the option, always enable Two-Factor authentication !

  1. Alternatively, 0.0000017 seconds to calculate one password ↩︎

  2. $ \dfrac{0.0000017*{10^9}}{2}*60 $, where we assume that the system has found the password after it guesses 50% of the possible passwords. ↩︎

  3. $ \dfrac{0.0000017*{62^{12}}}{2}*60 $, where we assume that the system has found the password after it guesses 50% of the possible passwords. ↩︎

  4. $ \dfrac{\dfrac{0.0000017*{62^{12}}}{2}*60}{100,000} $, same assumption as above. And assuming that a bot-net supercomputer is 100,000 times more powerful than a regular desktop. ↩︎