Fitting for the start of this blog and still almost the start of the year, I want to discuss passwords and account security. I will discuss topics such as: How to choose passwords? How many passwords do you have to remember? How do you store your passwords? Why should you do things this way?

This article is intended to give you some basic best practices on how to keep your accounts secure. Account security is not complicated but requires a little bit of time to set up. How much depends heavily on how many steps you have already completed. In the end you will save time when following these best practices and stay more secure!

The Gist

The shortest possible explanation of everything you find below without much explanation:

• Every account requires a unique and strong password, which contains >50 characters including numbers and symbols
• Use a password manager, it will make your life easier, more secure, and more convenient compared to whatever you have now
• The safest password manager strategy is an offline password manager like KeePassXC
• The more convenient way is to have an online password manager. Choose a reputable one, examples of such are Bitwarden or LastPass
• In addition to passwords all of your accounts should be protected with two factor authentication (2FA)
• The best way to do 2FA is with a hardware token, such as a Yubikey
• If no hardware token is available / possible, use a software token
• The least favorable 2FA method is via SMS. If necessary, do not use your cell phone number, but set up SMS 2FA using a VOIP number, e.g., Google Voice
• Any of your accounts is only as secure as its recovery method:
• Use unique and random answers to security questions. Ideally generate these answers using a password generator

You always hear that you should use random passwords with numbers, symbols, upper, and lower case letters. Let’s see why this is true, what you need to consider, and why you should not be able to remember your passwords. Working through this post and implementing it will take some time and some getting used to. However, you will gain a lot of account security and will, once all is set up and you are used to your new workflow and tools, have more convenience as well.

Why a strong password? Let’s assume your password is flower and you only use it for your bank account. A hacker won’t get into your account by credential stuffing, but could still get into your account by a brute-force method, i.e., by password guessing. In this case, the password flower is a standard word in the English dictionary. If a hacker simply tries through the whole dictionary, your account would be wide open in no time. So what should you do?

Use randomly generated passwords that contain numbers, symbols, upper, and lower case letters! Let us go through how to create randomized passwords, look at how to describe their strength in physical terms, and how to make your life safer and easier by using a password manager.

While my actions often seem random to me, they are not really. To come up with truly random passwords you want to have software that actually truly randomizes this process. Many password managers (discussed further down) come with a random password generator. These usually let you choose multiple settings:

• Letters
• Numbers
• Symbols and special characters
• Extended ASCII characters (in some cases)

Play around with these random password generators and see how to use them and how the settings work. Generally you want to turn on as many special characters as are allowed for a given password. When it comes to length, why not choose a password that is as long as is allowed? With a password manager you won’t have to remember it anyway. Personally I started playing the game on how long of a password am I allowed to choose for a given website… some already drop out at 20 characters, some make it up to 60, some a lot more. How many characters do your services allow in a password?

Maximizing Entropy

A detailed breakdown on randomized passwords, entropy, and password strength can be found on Wikipedia. Let us consider the following scenario: we choose a password of length $$k$$. If there is a total of $$N$$ symbols available to choose from, the number of possible passwords with that length is $$N^k$$. Your ATM PIN, assuming it consists of 4 out of 10 possible digits, can be guessed in 10000 tries. Assuming it takes 5 seconds to test a PIN for a (very dedicated) human being, your ATM PIN could be guessed by such a manual brute-force hacker in roughly 14 hours. A computer will be much faster.

It is common to give password strength in terms of information entropy, which is measured in bits. Instead of giving the number of possibilities (as calculated above), the entropy $$H$$ of a password is simply defined as:

$H= \log_{2} \left(N^{k}\right)$

These numbers are a bit handier to deal with. If you think about computers and binary, this makes sense. In binary you have 2 possibilities per bit to guess, 1 and 0. For a password of length $$k$$, you thus have $$2^k$$ possibilities. Here, this would result in the entropy $$k$$.

A more complicated password will contain more characters and draw the characters from a larger pool. All printable ASCII characters (so most of the things on your keyboard) are 95 characters. If you have a password of 10 characters, you will have an entropy of 65.7. This means that guesses are necessary to surely guess your password. I let you calculate the actual number.
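As an added example (not code from the original post), here is a small Python script tying together the generator settings and the entropy formula above: it draws every character from the OS CSPRNG via `secrets`, computes $$H = k \log_2 N$$ for the chosen pool, and converts a guessing rate into a worst-case time, reproducing the ATM PIN and 95-character numbers from the text. The split into character classes and the `seconds_per_guess` parameter are my own assumptions.

```python
import math
import secrets
import string

# Character classes matching the generator settings discussed above (assumed split).
# Letters + numbers + symbols is 94 symbols; adding the space gives the 95
# printable ASCII characters used in the text.
POOLS = {
    "letters": string.ascii_letters,
    "numbers": string.digits,
    "symbols": string.punctuation,
    "space": " ",
}

def pool_size(enabled):
    """N: number of distinct symbols available with the given settings on."""
    return sum(len(POOLS[name]) for name in enabled)

def entropy_bits(pool, length):
    """H = log2(N^k) = k * log2(N), the formula from the text."""
    return length * math.log2(pool)

def worst_case_guess_seconds(pool, length, seconds_per_guess):
    """Time to try every one of the N^k passwords at a fixed guessing rate."""
    return pool ** length * seconds_per_guess

def generate_password(length, enabled=("letters", "numbers", "symbols")):
    """Draw each character with the OS CSPRNG (secrets), never random.random().

    Redraws until every enabled class is present, which many sites require;
    for lengths well above the number of classes this costs a negligible
    fraction of a bit of entropy.
    """
    alphabet = "".join(POOLS[name] for name in enabled)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in POOLS[name] for c in pw) for name in enabled):
            return pw

if __name__ == "__main__":
    # ATM PIN: 4 digits out of 10, 5 seconds per manual guess.
    hours = worst_case_guess_seconds(10, 4, 5) / 3600
    print(f"PIN: {entropy_bits(10, 4):.1f} bits, {hours:.1f} h to exhaust")
    # 10 characters from all 95 printable ASCII symbols.
    print(f"95^10: {entropy_bits(95, 10):.1f} bits")
    pw = generate_password(32)
    n = pool_size(("letters", "numbers", "symbols"))
    print(f"{pw!r}: {entropy_bits(n, 32):.1f} bits")
```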

There are two kinds of password managers: online and offline password managers. Examples and recommendations are discussed below. You have to answer the question of what you want: do you want to have your passwords online and easily sync-able, but give up some privacy / security in order to have a (hopefully reputable) company manage your passwords, or do you do everything yourself offline? I will outline both approaches below. For most people, the online password manager approach is likely the best way to go. However, if you are slightly paranoid (like myself), the offline method is for sure safer. But backups, file corruptions, etc. are all completely up to you if you go the offline way. This should not scare you however.

As so often in science, a mixture of the two methodologies - an online and an offline password manager - might be even more in the sweet spot for you!

A reputable online password manager will have the following features:

• Encrypts the password (using strong encryption) on your device prior to sending it to the storage
• Provides you with plugins such that you can easily auto-fill passwords in browsers and on mobile devices

Don’t choose the latest super password manager with all bells and whistles that you have just read about on some social media post from a friend. You should choose a reputable password manager. I will discuss two online password managers. This is not meant as a comprehensive list but rather as two examples of reputable online password managers that I have tested.

Let’s have a look at some online password managers now:

Bitwarden

Bitwarden is an online password manager with several advantages over other competitors, so if you don’t have a password manager and want to go with an online solution, this might be a good one to start with. The reasons I like bitwarden are:

• Source code has been independently reviewed and is available open source on GitHub
• You can self-host your own password manager (however, you could simply go with an offline version in that case)
• Paid account with additional features is very cheap at $10/year

For bitwarden I highly recommend a paid account. A paid account will let you add a Yubikey as your second factor authentication. This is to be preferred over a software token (see below for details). In addition you get 1GB to store files. This can be useful if you need certain documents available on the go.

LastPass

LastPass is another commercially available password manager that follows the freemium model, i.e., you can create a free account which has a decent number of options, but certain options and features require an extra subscription. I have tested and used LastPass. In general, it is fairly similar to bitwarden. The features of LastPass:

• Reputable company: Yes, you’ll find information on data breaches online that talk about LastPass. Don’t let this information drive you crazy: no passwords have - as far as is known today - been compromised and the company has disclosed the data breaches in a rapid way. The question should never be if a website gets breached, but when.
• Clear business model: Freemium

The paid / professional accounts are $36/year, which is significantly more than bitwarden. At first glance, you also get Yubikey support (so again, you want to have a paid account). This will also allow you to store files, up to a total of 1GB.

So you’re paranoid (that’s a compliment in this context!), congratulations! The safest way to protect a file from getting stolen in a data breach is to never have it online! An offline password manager will help you do exactly this.

Here, KeePassXC is my recommended password manager and also the one I use heavily. It is available for every operating system and there are also browser plugins for Firefox and Chrome/Chromium/Vivaldi. Let’s be honest, if you are using an offline password manager, you are most likely using Firefox as your web browser anyway, or you don’t want the plugin feature anyway.

For two factor authentication with your Yubikey you will have to set one slot of your Yubikey up with an HMAC-SHA1 challenge response. Here is a video on how to do this. If you have never personalized your Yubikey, it should be safe to configure slot 2 for the HMAC-SHA1 challenge response. Note: if you want to use the Android password manager mentioned below, make sure to select Variable input for the HMAC-SHA1 Mode, otherwise it won’t work. Once your Yubikey is written, the configuration manager will ask you to save your secret into a file. Do so and store the file in a secure location. You can use the same Secret Key to program another backup Yubikey as well.

At this point you should have your KeePassXC ready to go and can go ahead and get used to it. However, even an offline password database could have its use on mobile devices. For android, use Keepass2Android. For iOS use Strongbox. These two apps are the ones that are also recommended by KeePassXC.

To set up Keepass2Android with your Yubikey, you want to additionally install ykDroid. This app exposes the challenge response from your Yubikey and makes it available to other apps. KeePass2Android requires this in order to accept the challenge response for database decryption. Then load your database, select Password and Challenge Response for KeePassXC, allow the usage of ykDroid to read your challenge response, and insert or tap your Yubikey (with NFC) to respond. You should be logged in.

For Strongbox, there is currently no way of using a Yubikey. This will likely change in the near future since Yubico, the maker of Yubikeys, is developing keys that will also work with iOS. However, as of this writing, you will have to manually copy the secret into Strongbox. This defeats the 2FA on this device, since you’ll need the Yubikey secret (which you stored into a file above) and type it into the app. You can find more details on the current development on Strongbox’s GitHub site and in this issue tracker.

Backups

No matter what password manager you choose, you must have a backup of the database. This is obvious for your offline password manager but should also be done if you go the online route: What happens if the service suddenly goes away? What happens if the server of the company gets hacked and is offline for an extended period of time until it gets patched?

In case of your KeePassXC it’s simple: back up your kdbx database. This is an encrypted file. In addition you want to consider saving a new version of the file every now and then and keeping a manual history in case of file corruption. And furthermore, you want to have at least two backups of your database in two different locations!

For online password managers you should have an offline copy. You will only use it in case the company goes out of business, if their server gets hacked or wrecked, or if it is down for an extended period of time. For all online password managers you can export the database, usually as un-encrypted files. These files you want to store in a secure location, e.g., on an encrypted hard drive, or even better, in an encrypted Veracrypt container (a blog post on hard drive security will come soon). Since this password file is readable by anybody that has access to it, make sure you store it somewhere safe. Under absolutely no circumstances store it in the cloud! The cloud is not a location for unencrypted (password) files!

Two-Factor Authentication (2FA)

Two factor authentication should be used for any account that allows it. Basically, it adds a second part to the login process, you will need something you know (your password) and something you have (a Yubikey, phone, etc.). Here only the basics are given, a more detailed write-up on 2FA will come soon.

As with the password manager, you will need a backup of your 2FA token or the security code that can defeat it (which is usually given when you set it up). Store this code in a safe location!

Hardware Tokens

Surely the best way to stay secure is a hardware token. These are generally devices that you can plug in via USB and that provide the second factor authentication. Yubikeys, sold by Yubico, are some of the most widely used hardware tokens and should be part of any security plan.

If you use a hardware token you’ll need to have at least two, one for daily use and one as a backup that you keep in a secure location. If your whole family has hardware tokens (and you trust them), it is okay to share the backup key.

Have a look at the Yubico’s website, they have a lot of step-by-step instructions on how to set up Yubikeys with various services.

Software Tokens

Many websites don’t allow hardware tokens but can be set up to use 2FA with software tokens by using an authenticator app (such as, e.g., Authy). These software tokens can also be stored on Yubikeys; instructions can be found here.

SMS 2FA

The least secure two factor authentication is SMS 2FA (see the section on security risks below). If there is absolutely no other way to get 2FA going, SMS should be used - it’s better than not having 2FA. If you need to make use of SMS 2FA make sure you DO NOT use your cell phone number. Use a VOIP number instead (e.g., Google Voice) that, e.g., forwards all incoming text messages to a secure e-mail address. Otherwise, you will be a potential target for a SIM swapping attack.

Security Risks

No system is perfect, but if you follow the outlined tactics, you will have made yourself a harder target than most and should be safe from broad attacks that use credential stuffing, etc. If a hacker or nation state actor targets you specifically the basic steps lined out here are probably not going to cut it!