Most of us have a lot of accounts out there. Almost every service on the Internet offers the creation of a service account. Rarely is the use of a service “free”; in many cases you are literally forced to create an account, even if you could use the service just as well without one. This is the case, for example, when shopping online, where the store would like to monitor your shopping habits in order to make product recommendations tailored to your needs. As a result, each and every one of us has several dozen accounts to manage, and most people use the same login data for the majority of their accounts for the sake of simplicity. However, what many don’t know or ignore is how easy it is to guess most passwords. If you don’t believe it, feel free to take this test: just compare your passwords with those listed here: https://en.wikipedia.org/wiki/Wikipedia:10,000_most_common_passwords.
If you find one of your passwords in the Wikipedia article, you can be sure that a potential attacker will find it too. And there are a lot of such “most commonly used passwords” databases on the net. But even if you use a secure password, it may already be available on the Darknet as a result of an existing breach at your service provider. On this page you can test whether one of your accounts has already been compromised in a KNOWN privacy incident (there are certainly many more that have not been publicly disclosed): https://haveibeenpwned.com/
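The two checks just mentioned, as an added example that is not part of the original article: a lookup against a common-password list and the “range” lookup that Have I Been Pwned offers for passwords, in which only the first five hex characters of the SHA-1 hash leave your machine. The common-password excerpt and the breach data below are constructed stand-ins, and `fake_range_api` merely mimics the real endpoint so the script runs offline.

```python
"""Offline demo: common-list lookup plus a k-anonymity (range) breach check.
Only the 5-character hash prefix would ever be sent to the real service."""
import hashlib

# Constructed excerpt in the style of the "10,000 most common passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}

# Constructed stand-in for the breach corpus behind the range API:
# password -> number of times it was seen in breaches (invented counts).
_FAKE_BREACH_CORPUS = {"password": 3730471, "sunshine": 155982, "Summer2019!": 42}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_api(prefix: str) -> str:
    """Mimic GET https://api.pwnedpasswords.com/range/<prefix>: return
    'SUFFIX:COUNT' lines for every stored hash sharing the 5-char prefix."""
    lines = []
    for pw, count in _FAKE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, range_lookup=fake_range_api) -> int:
    """k-anonymity check: send only the prefix, match the suffix locally.
    Returns how often the password appeared in the (stand-in) breach data."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit(password: str) -> dict:
    """Combine both checks; either hit means the password is guessable."""
    return {
        "in_common_list": password in COMMON_PASSWORDS,
        "breach_count": pwned_count(password),
    }


if __name__ == "__main__":
    for pw in ("password", "Summer2019!", "correct horse battery staple"):
        print(pw, audit(pw))
```

Swapping `fake_range_api` for a function that performs the real HTTPS request against the range endpoint turns this into a working checker that never transmits the password or its full hash.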
You cannot avoid using a password manager
The consequence is that you need secure login data for every Internet service, and that means secure passwords (as long and complex as possible, i.e. using as many different characters as possible) and, above all, no reuse of passwords across different Internet services. The BSI has a good summary of criteria for secure passwords here, which you can take a look at if you are interested: https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Sichere-Passwoerter-erstellen/sichere-passwoerter-erstellen_node.html.
Few, however, can or want to memorize all their complex passwords without running the risk of reusing them. Of course, it makes sense to know a few important passwords by heart so you can log into your most important services without having to rely on a password manager. But most of us have a bunch of accounts that aren’t particularly critical. You will be able to survive a few hours or days without access to the online store of “Zalando”. However, you certainly can’t go too long without access to your online banking or the SSO (single sign-on) data that gets you into your employer’s services.
That is why it is very important that you use a password manager at least for your non-critical accounts. By now there are very good open-source options, so you don’t even have to pay for the program. There is no excuse anymore not to use a password manager! Syncing passwords is not a problem either, since you can keep the password database in sync using a cloud service.
Syncing passwords in the cloud?
However, some are now wondering whether the idea of creating all passwords in a database and storing them on a cloud account doesn’t open the door for attackers to access all our accounts. Why bother to keep all the passwords complex and define separate login data for each account, if you’re going to store them in the cloud anyway?
Well, it’s not quite that simple, because the password database itself is encrypted by the password manager. The open-source password manager “KeePass”, for example, uses the Advanced Encryption Standard (AES) with a key size of 256 bits. A 256-bit key has 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 possible combinations. No supercomputer on this earth can crack that in a reasonable time frame (we are talking about a few million years). With quantum computers, things look different again, but by the time they arrive, “KeePass” and other alternatives will certainly already offer “quantum-safe” encryption methods.
Define accounts critical to you
As mentioned above, you should consider for which accounts it makes sense to know the login details by heart, because you don’t want to risk having to rely on the password manager to log in, as with online banking, for example.
So, to identify your critical accounts, first go through your account list and ask yourself these questions:
- How long can I get along without this account?
- What would happen if an attacker had my login data? Could I live with the consequences of the account being completely “flattened” (wiped out) in that case?
- If the data of this account were to get out to the public, could that make me worse off health-wise, socially or financially?
- After all the preceding questions, is it worth my mental capacity to memorize this account’s login data, or do I want to keep the data additionally available in the password manager (as a local password file)?
Once these questions are answered, you should have a defined list of critical accounts. I hope it’s fewer than 10 … if it’s more than 10, or if you’re afraid of locking yourself out if you forget a password, then it may be worth keeping another password database for these accounts locally, as a backup. Now you just have to think of a strong password that you can remember.
Strategies for creating a strong password
A strong password means that the password should be as long and complex as possible. This is because each additional character enormously increases the amount of computation required if the password is to be guessed using specialised password-cracking software. If, for example, a 10-character password consisting of lowercase and uppercase letters plus digits would take about 7 months to crack, the same combination of character types in a 15-character password would take about 2000 years.
This is also where the beauty of so-called “passphrases” becomes clear. Passphrases resemble sentences: a longer string of characters made up of a variety of words, without having to pay much attention to grammar. Therefore, for the critical accounts, you should think of a phrase that is easy for you to remember and then, for example, capitalise some letters, fill the spaces with special characters or replace parts of the phrase with numbers. And of course it is important not to use overly obvious sentences, like “My name is Sarah and I was born in the year 2000”, but rather something like “My4MenAccountBekommstDU.net”.
Use multi-factor authentication where possible
And last but not least, use multi-factor authentication (MFA) wherever services offer it, especially for critical accounts. MFA means that you log in not only by entering a user ID and password, but also need at least one more factor (e.g., a PIN from a separate app, a fingerprint, etc.) for the login process. This is often a little tedious because you still have to deal with that second or third factor. But for attackers, it is many times more difficult to compromise your account when MFA is active. However, there are again attack techniques, such as MFA bombing or MFA spamming, where a user is nagged with MFA requests until they confirm one. Therefore, be careful here as well and do not click “approve” hastily before you are sure that it is a legitimate MFA request.