The Internet is not a safe place. It was never designed to be. Its adoption has grown far beyond anything its creators dreamed could be achieved. Security was an afterthought, because the creators were too wide-eyed and optimistic to think that anyone could ever use this new technology for evil. But today we no longer use the Internet for its original purpose of sharing academic papers. We use it for communication, for business, for commerce, for research, for recreation.
As we continue into the 21st century, one 20th-century holdout returns to bite us in the butt again and again: passwords. Companies fall victim to breaches carried out by state-sponsored actors, opportunistic hackers, and curious researchers. With each new breach comes another treasure trove of user logins and passwords. Thorough analysis of the exfiltrated data only confirms what we already know: people are lazy when it comes to passwords. They're short, they're weak, and they're re-used between different websites. It is important to stress that this is not your fault. Once upon a time, the average person only had a handful of passwords they had to remember. Whether it was the password to their local/work computer, to their email provider, or to their favorite message board, no one really cared if your password was only six characters and all lowercase. In most cases the password was stored locally--it's not as though it could be shared with anyone.
Today, however, the average person has dozens of logins. They have multiple computers they might log into in a given day. They have several different email addresses to manage their personal/work/student emails. They have logins for their various social networks, logins for their music streaming sites, their gaming sites, their e-commerce sites. They have logins for their banks, their pay-stubs, their insurance providers, their medical bills. And each site (for your safety, of course), mandates a password that must satisfy the following requirements:
When presented with such ridiculous requirements, one can hardly be blamed for constructing the perfect password once and using it for multiple sites. The problem arises when this one password becomes compromised. It is no longer one account that is in danger, but every website on which you might ever have used that username/password combination. The value in the leaked username and password is no longer in providing access to that particular website, but in what other websites might also accept that same username/password combination.
The only way to mitigate the danger posed by a password leak is to use a unique, random password for every site that you visit. Using a random, unique password provides the following benefits:
Once you have created a random, unique password for every website, you need a way to store them. This is where a password manager comes in. A password manager acts as a personal database of all of your passwords, allowing you to retrieve them whenever you need to login somewhere. Password managers come in all sorts of flavors. Some will simply store the passwords for you. Others will offer to generate random passwords for you as needed. Some can hook in to your browsers via add-ons or extensions so that you don't even need to go through the trouble of copying and pasting the password into the site's login form.
You have many options to choose from for finding a reliable password manager. If you only have one device (say, just a laptop), a limited, free password manager will probably work for you. If you have multiple devices, however, you may wish to invest in a password manager that is multi-platform. Some ones worth considering are:
Paid password managers are not the only option, however. The free application KeePass is a perfectly fine, open-source password manager with community-made ports to various platforms. You can even sync your database between devices with a little bit of work.
Getting a password manager is only the first step. Now you have to start using it. This means that for all new websites at which you register moving forward, you should not try to come up with the password yourself. Instead, you should let the password manager generate a secure password for you, based on the requirements of the website. If the site will allow numbers, capital letters, and special characters (and most sites should), let the password manager put those into the randomly generated password in order to maximize its entropy. Sites rarely tell you the maximum password length they will accept (until you exceed it), but in general you should make the password as long as the site will allow. If the site will allow 25 characters, make it 25 characters. A longer password is more difficult to crack, and it makes no difference to the password manager how long the string it stores is.
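To make the "as long and as varied as the site allows" advice concrete, here is an added example (not code from the original article or from any particular password manager) of how a generator draws a password from a CSPRNG and how its entropy scales with length and character classes. The symbol set and the guessing rate used in the demo are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes a site might permit. The symbol set is an assumption for
# this example; real sites differ in which symbols they accept.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def covers_classes(password, classes=ALL_CLASSES):
    """True if the password contains at least one character from every class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length, classes=ALL_CLASSES):
    """Draw `length` characters uniformly (via the CSPRNG behind `secrets`) from
    the union of the allowed classes, rejecting draws that miss a class so the
    result satisfies the usual "at least one of each" site rule."""
    if length < len(classes):
        raise ValueError("length is too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_classes(candidate, classes):
            return candidate


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    The class-coverage rejection removes a negligible fraction of the space,
    so this slightly overstates the true figure for short passwords."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at a given offline guessing rate.
    The expected time to hit the right one is half of this."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # constructed figure: ten billion fast-hash guesses per second
    for length, classes in ((8, ("lower",)), (25, ALL_CLASSES)):
        bits = entropy_bits(length, classes)
        print(f"{length:>2} chars, {len(classes)} classes: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
    print("sample:", generate_password(25))
```

Run it and compare the two rows: the eight-character lowercase password sits under 40 bits and is exhausted in seconds at the assumed rate, while the 25-character mixed password is around 160 bits, which is why the article tells you to let the manager use every character the site accepts and every character of length it allows.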
Next, you'll need to begin the process of 'migrating' your existing accounts to the password manager's password safe. This means doing the following:
Any password manager worth your time will take steps to make sure that everything within your password database is securely encrypted. Your password database will usually be secured by, you guessed it, a password. When securing your password database, this is the one time you should not use a random password. Instead, most password managers recommend that you secure your password database with a password phrase. A password phrase is simply a password that is at least several words long. You are highly encouraged to come up with your own sentence that will be memorable to you. Failing originality, many pick something long but familiar to them: a line of poetry, a song verse, a particularly horrid pick-up line, etc. If written like a normal English sentence, with proper capitalization and punctuation, you are likely to achieve the desired mix of letter cases and special characters without going too far out of your way.
The average password is weaker than it should be because complex passwords are difficult to remember. Nobody wants to go through the agonizing process of making the long, heavily punctuated!!!, cAsE mIxEd, v0w3ls-r3pl@c3d-w1th-nVmb3rs passwords that are strongly recommended for every single website. But when you have a password manager, the passwords can be however long and complicated they need to be because you no longer need to remember them. When you only have to remember a single password phrase to open the password safe, it frees you from the burden of having to remember the individual logins and allows you to replace them with something secure.
Most websites store their users' credentials in a database of some kind. Within a poorly secured database (think of a message board created circa 2001), the database might look something like this:
The above is a simplification, because very few websites these days store the password directly (unfortunately, some still do). Instead they store something called a "hash," which is a way of transforming the password such that it can be used to verify a password's correctness without storing the password itself in plain text. While this technique mitigates the risk of the raw password being figured out should the hash be exposed, it does not completely eliminate the risk. Hackers continue to find ways of reversing the hash such that the original password can be determined, either through brute forcing (which takes a long time) or via the use of rainbow tables (a precomputed 'dictionary' of common words and their computed hashes). What were once considered 'secure' hashes like MD5 have been so thoroughly broken by the speed of modern processors that cracking them has become trivial: an entire database can be cracked quickly.
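The contrast between the weak storage described above and the way it should be done, as an added example that is not code from the original article. The user table, password list and hash values are all constructed for the demo; the "rainbow table" is reduced to a plain hash-to-password dictionary (real rainbow tables compress the same precomputed work with hash chains), and the hardened side uses the standard library's PBKDF2 as a stand-in for the slow, salted hashing that bcrypt, scrypt or Argon2 provide in production.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a circa-2001 style user table storing unsalted MD5.
# The users and passwords are made up for this example.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "dragon"]


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


LEGACY_TABLE = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("dragon"),
    "carol": md5_hex("correct horse battery staple"),
}


def build_lookup(wordlist):
    """Precomputed hash -> password map. A real rainbow table compresses this
    with hash chains, but the effect is the same: the work is done once, in
    advance, and reused against every unsalted database that leaks."""
    return {md5_hex(word): word for word in wordlist}


def exposed_users(table, lookup):
    """Users whose stored hash appears in the precomputed map. With unsalted
    MD5, every user who picked a common password is recovered instantly,
    which is what an audit of such a table should flag."""
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# Hardened storage: a random per-user salt plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 from the standard library is used here; bcrypt, scrypt or
# Argon2 are the usual choices in practice.
ITERATIONS = 100_000


def store_password(password):
    """Return 'salt$digest' (hex). The salt makes identical passwords hash
    differently, so no table can be computed before the salt is known."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def exposed_users_salted(table, lookup):
    """Same precomputed map applied to salted records: the stored digests never
    match, because the salt changed every input before it was hashed."""
    return {user: lookup[rec.split("$")[1]]
            for user, rec in table.items() if rec.split("$")[1] in lookup}


if __name__ == "__main__":
    lookup = build_lookup(COMMON_PASSWORDS)
    print("legacy table exposes:", exposed_users(LEGACY_TABLE, lookup))
    hardened = {u: store_password(p) for u, p in
                (("alice", "letmein"), ("bob", "dragon"))}
    print("hardened table exposes:", exposed_users_salted(hardened, lookup))
    print("alice logs in:", verify_password("letmein", hardened["alice"]))
```

Two things to notice when you run it: the legacy table gives up alice and bob immediately while carol's long passphrase survives (length, not hashing, saved her), and the hardened table gives up nobody even though alice and bob chose the same weak passwords, because each record was salted and each guess now costs 100,000 iterations instead of one MD5.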
Most websites identify you via a username or e-mail address. While a unique username per site would be safer, you are unfortunately still required to submit an e-mail address in order for the website to send you confirmation and recovery e-mails. This means that your e-mail address is still being stored in the database, even if you log in with a username. A bad actor who sees the exposed database will look at the second entry in the table, "firstname.lastname@example.org", and decide to see what other websites they can log into using email@example.com and the password "Im@d3@s3cVr3p@ssw0rd!". If John registered for Facebook using that same e-mail address and used the same password, the bad actor can now log in to John's Facebook. If John registered for Amazon using the same credentials, the bad actor now has access to John's Amazon account, and potentially John's saved credit cards.
In the past year alone, several dozen high-profile corporations and websites were hacked. Their databases were breached, and their users' credentials were leaked through no fault of their own. You cannot survive under the assumption that creating a secure password is enough to prevent it from being leaked, because you are implicitly trusting the website to do an adequate job of protecting it. As numerous leaks have shown, they don't.
Put another way, it is not your fault if your password gets leaked. It is your fault if that leak allows an attacker to gain access to another one of your logins.
Maybe not. But maybe that e-mail address still has valuable information in it. Maybe there are old invoices from shopping purchases you made ten years ago that still contain pertinent billing information. Maybe that ten-year-old Yahoo account is still listed as a recovery e-mail address for the Facebook account that you also set up ten years ago. In which case, a hacker could gain access to your Apple/Facebook/Amazon account by using the "Forgot My Password" option and triggering a password reset e-mail to be sent to the Yahoo e-mail which they now control.
Sure you do. Your Amazon/eBay/PayPal accounts give an attacker unfettered access to your credit cards. Your Apple account can be used to remotely lock out and wipe your iPhone, iPad, or MacBook (before the Android crowd starts to gloat: your Gmail account can do the same thing to your Android phone, Android tablet, and Chromebook). Your Facebook account could lure your friends and family into infecting themselves with ransomware when they visit a bogus link posted on your wall. Your student e-mail address could be used to send a request to your university's Office of Admissions, asking them to drop you from all of your classes.
A plain-text file sitting on your desktop is highly vulnerable to access by a third party. It offers no defense against someone opening the file when you step away from your computer and now having an organized, human-readable list of all of your passwords. A good password manager's database will be encrypted, making it unusable to an attacker who steals the file while it is locked. Additionally, password managers with dedicated programs that manage the database will often implement additional security measures, such as automatically locking the database if it is not accessed for a certain period of time after being opened.
Most of the "methods" that have been suggested for creating secure passwords that do not need to be maintained in a database consist of the following parts:
For instance, someone might start with a memorized phrase, "Sup3r_S3cr3t_P@ssw0rd", that they keep consistent across all of their passwords, but then append the name of the website to the end so that every website's password is technically unique. Their Facebook password would hence be "Sup3r_S3cr3t_P@ssw0rd_Facebook".
While seemingly effective at first glance, the password would still pose a security risk to your other passwords were it ever exposed. If someone were to figure out how you came up with one, they would theoretically be able to figure out how you come up with any of them. Should one of your passwords ever be included in a leak, someone who sees the word "Facebook" in the leak would easily guess that your Amazon password is probably "Sup3r_S3cr3t_P@ssw0rd_Amazon". Now you must come up with an entirely new method for generating your passwords!
If we take away the fancy terminology, re-hashing an already exposed password is sort of like taking your password "Sup3r_S3cr3t_P@ssw0rd_Yahoo" after it has already been leaked and adding a one or an exclamation point to the end of it, so that it now says "Sup3r_S3cr3t_P@ssw0rd_Yahoo1!" And if Yahoo really screws up and lets it get stolen again? Well, just hash it again, I suppose (or replace that '1' with a '2'). Yes, your password is now "secret" once more, and yes, you can still remember it, but this assumes that Yahoo is the only password of yours that will ever be leaked (it won't be). Once four or five of them have been breached, forcing a password reset, you now have to keep track of which sites were generated via your original method, and which ones now have a '1' at the end of them. Or a '2'. You'll soon have to write down that info. And as long as you're storing a list of which 'generation' of passwords you're using on various sites, why not just store the passwords?