Forty years ago, people authenticated themselves by providing usernames and passwords. Today, despite the availability of vastly more advanced technologies, people are still mostly using this archaic method to authenticate. Meanwhile, over the past 40 years, hackers have been improving their password-cracking capabilities by leaps and bounds. As you can see in the news media, more and more government departments, institutions, businesses, corporations and individuals have been hacked in recent years. Far too often, passwords were the weakest link in those hacked systems. Obviously, this is a serious problem for everyone. Until the information technology industry gets its act together and finds a solution to this problem, the password is going to remain the weakest link in your digital armour.
Unfortunately, most people are not using a password manager to reinforce this weakest link. Consequently, it is a matter of time before they become a victim by having their passwords compromised.
Computers can guess passwords OVERWHELMINGLY faster than you come up with one
It may be true that your password is unguessable by other people. But today's computers are so powerful that it is feasible for them to guess your password by trying out all possible permutations and combinations. This is called the brute-force method of password cracking. The shorter your password, the quicker the computer can find it.
Passwords are becoming more and more trivial for computers to crack as computers become more and more powerful. As this article reported in May 2013,
... a 25-computer cluster that can crack passwords by making 350 billion guesses per second... It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords.
That was late 2012. Imagine how much more capable and powerful computers are today!
One way to defeat the brute-force method is to limit the number of tries that can be made to guess the secret. For example, in wartime, if a soldier gets the password wrong, he will be assumed to be the enemy and be shot immediately. Another example: if you enter your Internet banking password wrong more than a specific number of times, the system will lock you out and an alert will probably be sent to the system administrators. But unfortunately for you, hackers usually work by hacking a website and stealing its password database. Once they have the password database in their hands, they have all the time they need to make as many guesses as they want to crack your password.
Another way is to use a really long password that requires far more guesses than is technologically feasible with the brute-force method. Today, this is around 20 characters or more. In the future, as computers become more powerful, even this will become too short.
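To put the two defences just described on a common footing, here is a small calculator, added as an example and not part of the original article. It takes the 350 billion guesses per second quoted above as the offline rate (the attacker holds the stolen hash database) and compares it with guessing through a login page that locks the account after a few wrong attempts. The lockout policy (5 attempts per 15 minutes) and the character-set sizes are assumptions, not figures from the article.

```python
import math

# Offline cracking rate quoted in the article above: guesses per second against a stolen hash database.
OFFLINE_GUESSES_PER_SECOND = 350_000_000_000

# Character-set sizes (standard values): digits only, letters + digits, all printable ASCII.
DIGITS, ALNUM, PRINTABLE = 10, 62, 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust_offline(space: int, guesses_per_second: float = OFFLINE_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate when the attacker can guess without any limit."""
    return space / guesses_per_second


def seconds_to_exhaust_online(space: int, attempts_per_window: int = 5, window_seconds: float = 900) -> float:
    """Worst-case time when every guess must go through a login page that allows only
    `attempts_per_window` wrong tries per `window_seconds` before locking the account
    (assumed policy: 5 attempts per 15 minutes)."""
    windows_needed = math.ceil(space / attempts_per_window)
    return windows_needed * window_seconds


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def report(alphabet_size: int, length: int) -> dict:
    """Summarise both attack settings for one password shape."""
    space = keyspace(alphabet_size, length)
    return {
        "length": length,
        "alphabet": alphabet_size,
        "keyspace": space,
        "offline": human_time(seconds_to_exhaust_offline(space)),
        "online_with_lockout": human_time(seconds_to_exhaust_online(space)),
    }


if __name__ == "__main__":
    for alphabet, length in [(DIGITS, 4), (ALNUM, 8), (PRINTABLE, 8), (PRINTABLE, 12), (PRINTABLE, 20)]:
        r = report(alphabet, length)
        print(f"{r['length']:>2} chars from {r['alphabet']:>2} symbols: "
              f"offline {r['offline']:>14}, behind lockout {r['online_with_lockout']}")
```

Running it shows the asymmetry the article is driving at: an 8-character password from the full printable set is exhausted offline in about five hours at the quoted rate, while the same password behind a lockout policy would take centuries; a 20-character password is beyond reach even offline. The lockout only helps while the guesses have to pass through the login page, which is exactly what a stolen database removes.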
Hackers have ALREADY picked your brain on how you come up with passwords
In 2013, an article titled How crackers make minced meat out of passwords gave a chilling insider's view of the capabilities and resources available to hackers when they crack passwords. Basically, this article reported that hackers already had access to hundreds of millions of real-world passwords and had analysed them to figure out all the tricks and schemes people used for coming up with passwords. As this article reported,
The other variable was the account holders' decision to use memorable words. The characteristics that made "momof3g8kids" and "Oscar+emmy2" easy to remember are precisely the things that allowed them to be cracked. Their basic components—"mom," "kids," "oscar," "emmy," and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.
In other words, all the substitution, transposition, re-arrangement, pattern and other schemes you can come up with to make your password hard to guess but easy to remember are most probably already known to hackers!
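A defender can turn the same observation around: before accepting a user-chosen password, check how much of it is made of dictionary words once the usual substitutions are undone. The checker below is an added example, not code from the article or the sources it quotes. Its word list and leet-speak table are small constructed stand-ins for the real cracking lists (which hold hundreds of millions of entries), and the 50% coverage threshold is an assumption.

```python
# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = {
    "mom", "dad", "kids", "oscar", "emmy", "love", "password", "summer",
    "dragon", "monkey", "letmein", "welcome", "admin", "football", "baby",
}

# Common "leet" substitutions, reversed: each symbol maps back to the letter it usually stands for.
# Every mapping is one character to one character, so positions in the password are preserved.
UNLEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "+": "t", "!": "i",
})


def normalize(password: str) -> str:
    """Lower-case the password and undo the substitutions a cracking rule would also undo."""
    return password.lower().translate(UNLEET)


def dictionary_coverage(password: str, wordlist=WORDLIST, min_len: int = 3):
    """Return (fraction of characters covered by dictionary words, sorted list of words found).

    Every occurrence of every word of at least `min_len` letters is located in the
    normalized password; overlapping hits simply mark the same positions again.
    """
    norm = normalize(password)
    if not norm:
        return 0.0, []
    covered = [False] * len(norm)
    found = set()
    for word in wordlist:
        if len(word) < min_len:
            continue
        start = 0
        while True:
            idx = norm.find(word, start)
            if idx < 0:
                break
            found.add(word)
            for i in range(idx, idx + len(word)):
                covered[i] = True
            start = idx + 1
    return sum(covered) / len(norm), sorted(found)


def looks_pattern_based(password: str, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the password is built from dictionary words (assumed cut-off)."""
    ratio, _ = dictionary_coverage(password)
    return ratio >= threshold


if __name__ == "__main__":
    # The two passwords quoted from the article, plus a constructed random one for contrast.
    for candidate in ["momof3g8kids", "Oscar+emmy2", "Vq7#mL!9pX2wR$kZ4nB&"]:
        ratio, words = dictionary_coverage(candidate)
        print(f"{candidate:<22} coverage {ratio:.0%}  words {words}  pattern-based: {looks_pattern_based(candidate)}")
```

Both passwords quoted from the article come out as mostly dictionary material ("mom" and "kids" cover 7 of 12 characters, "oscar" and "emmy" cover 9 of 11), while the random string matches nothing. The same normalisation step is what a cracking rule set performs, which is why undoing it before checking is the honest measure of how much unguessable material a password really contains.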
If you reuse passwords on different websites, hackers can compromise you multiple times
Nowadays, with too many passwords to remember, the temptation is to use the same password across all your different online accounts. Unfortunately, this is a very unsafe practice. If one of your online accounts is compromised and your password is leaked as a result, then all other online accounts that use the same password are in danger of being compromised as well.
So, for example, let’s say you have an online web account where the username of the account is your email address. One day, hackers raided the web site and obtained the email address and password.
So, what can the hacker do?
He can try logging into PayPal with the same email address and password. If you happen to use the same password for your PayPal account (and have not activated two-factor authentication), the hacker will compromise that as well. Next, he can try the same with LinkedIn. If your LinkedIn account uses the same password, you will lose your LinkedIn identity as well.
To make matters worse for you, the web site that was hacked may not even be aware that it has been infiltrated. So, you will have no idea that your LinkedIn and PayPal accounts are compromised. You may accidentally discover that your LinkedIn account is no longer working as usual and dismiss that as a technology glitch. But will you be able to draw the link that your PayPal account has already suffered the same fate? What about your other accounts that use the same password?
So, remember this carefully: do not ever use the same password across different accounts! Each website/account must have its own unique password.
Two-factor authentication (2FA) may not be secure anymore
Given the fundamental problems with passwords, a more secure alternative is required. An alternative called “Two-Factor Authentication” (2FA) is becoming more popular. Broadly, 2FA relies on proving you have two of the following:
- Something you know—e.g. a password or PIN
- Something you have—e.g. smart card or physical hardware token
- Something you are—e.g. fingerprint or iris scan
Usually, in addition to something you know (i.e. a password), 2FA also utilises either something you have or something you are as a second line of defence. Obviously, this type of authentication is more secure than traditional one-factor authentication (e.g. password only) because it adds an additional layer of security. Even if a hacker manages to steal or guess your password, he will still be unable to subvert your authentication by pretending to be you.
For most websites and online services, 2FA requires you to enter a second password that you obtain on-the-fly from somewhere else each time you authenticate with the traditional password. Usually, the second password is obtained from:
- Your mobile phone as a text or voice message
- An app in your smartphone
- A physical hardware token issued by them
The second password is unique for each authentication attempt. Also, to increase security, the second password will usually expire quickly after a while.
But the problem is that 2FA is starting to become insecure. For example, many banks use text messages for 2FA. But as this article explained,
Hackers can read text messages, listen to phone calls and track mobile phone users’ locations with just the knowledge of their phone number using a vulnerability in the worldwide mobile phone network infrastructure.
Also, many apps that generate the second password in 2FA (technically, a TOTP algorithm) require a shared secret between the app and the website. If hackers can crack the first shared secret (i.e. your password), then it is equally likely that they can crack the TOTP shared secret as well.
So, you had better make sure your first line of defence is as strong as possible.
Humans are easily tricked into giving out their passwords
There is a popular saying that goes something like this:
On the Internet, no one knows that you are a monkey.
Remember, a web site is just a facade. Behind the facade can reside a large, legitimate and trusted organisation or a lone cyber-criminal. Any monkey can quickly and cheaply create an impressive-looking facade that looks extremely similar to the ones created by legitimate organisations that you trust. Some cyber-criminals even go to the extent of simulating the functions of legitimate web sites (there is a case where cyber-criminals created a fake banking web site that allowed you to ‘log in’ and check the ‘balances’ of non-existent bank accounts).
This nefarious activity is called “phishing”.
The most common way for cyber-criminals to trick users into visiting their phishing web sites is to send them emails with links to these fake sites. These emails are fakes because they do not come from where they claim to come from. It is extremely easy to create an official-looking email that purportedly comes from, say, your bank. In fact, it is so easy that hardly any technical knowledge is required. These emails will use fear, uncertainty, doubt, flattery, threats and other trickery to induce you to click on the links. Once your web browser opens the link, you will see a facade that looks almost exactly like the web site of the organisation the email claims to be from. If you are not vigilant at this point, you will submit your secrets (e.g. passwords, credit card numbers) to the fake web site.
How a password manager shores up your digital defence substantially
If you are not using a password manager, it is only a matter of time before you are compromised. A password manager will raise the bar against hackers considerably:
- It is mentally infeasible for a human to come up with a unique password for every website/account. So, many people resort either to re-using their passwords or to coming up with a scheme that makes them easy to remember. Both practices are now known and defeated by hackers! Since a password manager keeps track of every password for every website/account, you don't have to remember any of them. That means it can help you ensure that you have a unique password for each website/account.
- As I mentioned before, to stop hackers from cracking your passwords with the brute-force method, you need to come up with really long passwords. The problem with long passwords is that they are very difficult to remember. With a password manager, you no longer need to remember very long and unique passwords for your ever-growing list of accounts. You can have passwords that are extremely long without worrying about forgetting them.
- A password manager can generate passwords for you by randomly combining upper/lower case letters, numbers and symbols. As I mentioned earlier, hackers probably already know the schemes you use to come up with a password. A truly random password, on the other hand, follows no scheme, pattern or method. That means all the brain-picking expertise that hackers have already acquired does not apply! Therefore, this makes you safe.
- A password manager can save you from phishing attempts by checking the website address before pre-filling your password for you. For example, suppose you use a password manager to ensure you have a unique, extremely long and random password for a website. There's no way you can remember that password, so there's no way you will be able to manually enter it into a phishing website. Usually, you will rely on your password manager to pre-fill your password for you. But in this case, since it is a phishing website, your password manager is not going to pre-fill your password. That will be a red flag for you that something is wrong. Some password managers launch the website and pre-fill for you, so you don't have to manually enter the web address and risk a typing error taking you to a phishing website.
Which password manager?
Basically, there are 2 types of password managers:
- Cloud-based password managers: They are certainly convenient as they can automatically sync all your passwords across all your devices and computers. But they usually require a paid subscription. Also, some people may simply be uncomfortable with storing their passwords in the cloud, regardless of how cryptographically secure that password manager is.
- Offline password managers: They store your passwords locally in your computer/device. So, you will have to be responsible for backing up your password database and syncing them across your devices and computers. And usually, they only require a one-time payment to use indefinitely.
Most password managers I've seen on the market are cloud-based. Given that a lot of people have reservations about storing their passwords in the cloud, the only choice left is to use an offline password manager. For this, I recommend KeePass. Although it is free, it is proven and popular software used by millions. It encrypts your entire password database securely with your master password (and/or a key file). Although KeePass itself is available only on the Windows platform, there is KeePass-compatible software for other platforms. For the iOS platform (iPad or iPhone), there is KyPass 3. On the Mac, there is KyPass Companion.