Passwords are like Chihuahuas
Passwords are a fundamental part of using technology, which is to say they are a fundamental part of life these days. Passwords are incredibly important, sometimes a source of immense frustration, and there isn't a lot of good, usable information out there about them. Most of us are just told to follow whatever password rules are dictated to us when signing up for things, rules that don't seem to follow any common standard, and that's it. That's what users see; it says nothing of how passwords are handled behind the scenes by our favourite websites, applications and browsers. It's all too hard sometimes.
Are passwords here forever?
In discussing passwords it would be remiss of me not to mention the conversations around getting rid of passwords completely. There are lots of interesting discussions about life after passwords, but at the moment I've not seen a solution that, one, I'm happy with from a privacy point of view, and two, would receive widespread adoption. Passwords are, I think, here to stay at least for a little while.
So, since we have to deal with them, I'm here to encourage you: passwords are important! The question is why you should care about them, because once you care, healthy password practices follow much more easily.
Little dogs and low hanging fruit
You should care about passwords because passwords are like Chihuahuas.
We often read about zero-day exploits and all manner of hacking buzzwords, but for most home internet users sophisticated hackers are not the thing to worry about. One of the main threats to your average home internet user is someone with a bit of technical knowledge, just enough to make them bold. For these relatively unsophisticated attackers it's all about low hanging fruit: weak passwords for email, social media or online banking that can be guessed by a person, or brute forced, which is to say guessed incredibly fast by a computer program.
How do you beat a brute force attack, I hear you ask? And how exactly are passwords like Chihuahuas? I'm reading for the Chihuahuas! The Chihuahua bit is coming, but the way you beat a brute force attack is the same way you beat the human guessing your password: use a password that isn't commonly used. A brute force attack might sound overwhelming, a thousand or more guesses a second (far more when the attacker has stolen a copy of a site's password hashes and can guess offline on their own hardware), but ultimately it's doing exactly what the human would: guessing. It starts by running through a predefined wordlist of common passwords, plus simple variations of them such as a capital letter at the front or a digit at the end. So don't use a common password, or a common password dressed up a little. Don't be the low hanging fruit.
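To make that concrete, here is an added example (not part of the original post) of what a wordlist attack looks like against stored password hashes. The password list, the salt and the mangling rules are constructed for illustration and are tiny compared with real cracking wordlists, and PBKDF2 stands in for whatever hashing a given site actually uses. What it shows is that a common password, with or without a capital letter and a trailing number, falls within a few dozen guesses, while a random passphrase survives the whole list.

```python
import hashlib
import hmac

# Constructed stand-in for the leaked-password lists attackers feed their
# cracking tools. Real lists run to millions of entries; the mechanism is
# the same.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "admin", "welcome", "monkey", "dragon", "football",
]


def mangle(word: str):
    """Yield a base word plus a few constructed variations of the kind
    cracking tools generate by rule, so Dragon123 is tried as well as dragon."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2018"):
        yield word + suffix
        yield word.capitalize() + suffix


def hash_password(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, a simplified version of how a site should
    store a password. The iteration count is kept low so the demo is quick."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def dictionary_attack(stored_hash: bytes, salt: bytes, wordlist, iterations: int = 1000):
    """Run the wordlist, with mangling, against one stored hash the way an
    attacker's tool would. The salt is no secret: it is stored next to the
    hash. Returns (recovered_password, guesses_made); the password is None
    when the list is exhausted without a match."""
    guesses = 0
    for base in wordlist:
        for candidate in mangle(base):
            guesses += 1
            if hmac.compare_digest(hash_password(candidate, salt, iterations), stored_hash):
                return candidate, guesses
    return None, guesses


def run_demo():
    """Hash three passwords and attack each with the same wordlist."""
    salt = b"constructed-fixed-salt"  # a real system draws a fresh salt from os.urandom
    results = {}
    for password in ("letmein", "Dragon123", "correct horse battery staple"):
        stored = hash_password(password, salt)
        results[password] = dictionary_attack(stored, salt, COMMON_PASSWORDS)
    return results


if __name__ == "__main__":
    for password, (recovered, guesses) in run_demo().items():
        outcome = (f"cracked after {guesses} guesses" if recovered
                   else f"survived all {guesses} guesses")
        print(f"{password!r}: {outcome}")
```

Against a live login page the attacker doesn't even need the hashes; they can feed the same list to the site's login form, just more slowly, and the same three passwords sort into the same two groups.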
And now we come to Chihuahuas. I was told a fact about robbery while studying at university and it holds true online. Take two houses on the same street: one has a Chihuahua and one doesn't have a dog at all. The house with no dog will, nine times out of ten, be burgled over the house with the Chihuahua. It's not that the Chihuahua is scary, it's just that it's a dog, a dog that might bark, and that makes breaking into that house just that little bit more difficult. It doesn't matter what type of dog; it can be a tiny Chihuahua, but there is a dog present and that house is not the low hanging fruit. The path of least resistance is the one the thief will usually take. A strong password is a Chihuahua in this sense: it doesn't have to be unbeatable, it just has to make you more work than the next target.
I now care about passwords because they are like Chihuahuas. But what do I actually do?
If, like most people, you hate passwords, that image of passwords as little fluffy dogs might endear you to them a bit more, and we can see why passwords are important. We might not like passwords but we get that they make us safer online. At the end of the day everyone wants to be the house with the Chihuahua that gets robbed less, since so much of our lives is shared and stored online. Now, moving from abstract to practical principles, what are some poor (but still useful to know about) and some great password practices?
Issues with password rotation
I personally don't believe in rotating passwords on a schedule. If the Chihuahua is keeping you safe there is no need to throw it away and get a new one. There are lots of rules out there that say you should rotate passwords, but the tide seems to be turning in the security community against these rules; NIST's digital identity guidance (SP 800-63B), for instance, now recommends against forcing periodic changes. The exception is a password you know or suspect has been exposed: change that one straight away.
The reason password rotation was brought in originally is that if an attacker got hold of your password it would only give them access for so long; the locks would effectively be changed. That's great in theory, but if rotation pushes you into weak passwords, because you're constantly changing them and need something easy to remember, the attacker will be able to re-establish access easily (the classic pattern of Password1 becoming Password2 is the first thing they will try), making the rotation next to pointless. Worse, if you're using weak passwords because of rotation, the attacker might guess your password right off the bat, getting access they otherwise wouldn't have had.
Strong passwords
We've just mentioned weak passwords. What is a weak password? A password that is short, simple and predictable: a dictionary word, a name, a date, or anything that has already appeared in a leaked password list. Strong passwords are therefore long, complex and unpredictable, and of those three, length does far more for you than swapping a letter for a symbol. How can I easily make strong passwords? Read on...
Unique passwords
What else wouldn't I do? I wouldn't reuse passwords. It might be convenient for you, but it's also convenient for an attacker: when one website is breached and its password list leaks, attackers try every leaked email address and password combination against other popular sites, and any account sharing that password falls with no guessing at all. Imagine having lots of Chihuahuas for security but they are all the same. They all react in the same way and the attacker knows what all the Chihuahuas like. The attacker throws a ball and all the Chihuahuas go chase it. You might as well have no Chihuahuas, or in our case, no passwords.
We want unique Chihuahuas.
This means that, if you have put a different Chihuahua in every room of your house, someone trying to get into a single room will have to know how to get past that individual Chihuahua. In password terms, an attacker will need to get that exact password off you in some way; it will be hard to guess or brute force, and a password leaked from some other site won't help them. You are not the low hanging fruit.
If someone does get into that room they only have access to the contents of that one room, the single account whose password they've got. The rest of the house is secure. This greatly limits an attacker's opportunity to do damage, along with limiting the damage they can actually do. Why go after such a hard target? Why rob the house with dozens of Chihuahuas?
Managing multiple passwords with password managers
Strong and unique passwords are the two takeaways. But this is a hassle; I know I can't remember more than a few strong passwords. How am I going to manage all these Chihuahuas?
The solution is a password manager. Think of a password manager as an automated Chihuahua super kennel. A password manager is a program that generates strong passwords for you and stores them in an encrypted database, letting you have a unique password for everything without needing to remember any of them. This meets our two needs, strong and unique passwords.
At first I was leery of password managers. All my passwords in one place? No way! I was trying to run multiple passphrases, entire phrases used as passwords, but it wasn't a practical solution. Everywhere I looked in the security community people were talking about password managers, so I did my reading, looked at how password managers work (the whole password database is encrypted with a key derived from your master password, so the file on its own is useless to whoever gets hold of it), and then looked at the different password managers out there. I tried one out and I've not looked back since!
I use KeePass because it is free and open source, but you might find a different password manager that suits you. I can't live without my password manager: where many people work from bookmarks or just leave browser tabs open, I work from my password manager, opening whatever page I need to log into with a simple keystroke. It then auto-types your crazy long passwords. Logging into things is actually fun; hit the hot keys and watch the computer type for you for a change!
I've found password managers useful for work as well; they're great for managing an ever-growing and shifting list of credentials for test accounts, different development environments, tools, etc. Do you write your passwords down? Do you keep spreadsheets of credentials and login URLs? You don't need to anymore! There is a more convenient and secure way of managing your Chihuahuas. Just try it.
Downsides to password managers
Are there downsides to password managers? There is one immediate downside: my initial reaction is still valid. Regardless of the encryption used, you are putting all your Chihuahuas in one basket. If someone can open your password manager, they have access to everything stored within it. This makes the password you use to open your password manager super important. Remember how I mentioned passphrases above? Use one here, and use it nowhere else. Password managers are just software and software can have vulnerabilities, so it's also good to make sure your password manager is kept up to date.
Passphrases
You also can't use a password manager for everything. Logging in to your computer, for instance, or opening the password manager itself. Again, passphrases are your friend for anything you cannot use a password manager for. It's not too hard to remember one or two of them. xkcd's "Password Strength" comic has a good summary of why you shouldn't be scared of passphrases: four random common words are both easier to remember and far harder to guess than a short password with a few symbols swapped in.
And actually use dice when generating them; that's not a joke. Pick each word by rolling dice against a numbered wordlist (the Diceware method: five dice per word), rather than choosing the words yourself, because words you pick are far more predictable than you think. Online random number generators are not your friend either, since you have no way of knowing whether a web page's numbers are predictable or being recorded, so do yourself a favour and dig up some dice from that copy of Monopoly most families regret buying.
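As an added example, not from the original post, here is the dice method in code: each word is chosen by rolling five dice and looking the roll up in a numbered wordlist, which is the Diceware scheme. The wordlist fragment below is constructed and only covers the rolls used in the demo; a real list has one word for every roll from 11111 to 66666. The software dice use Python's secrets module (the operating system's cryptographic random number generator), which is the right substitute for physical dice in code, unlike a random number page on the web. The entropy arithmetic is the reason passphrases aren't scary: four words from a 7776-word list carry about the same entropy as eight fully random printable characters, and six words carry far more.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per possible five-dice roll

# Constructed fragment of a Diceware-style wordlist keyed by dice roll. A real
# list has an entry for every roll from 11111 to 66666; only the rolls used in
# the demo are filled in here so the example stays short and runs offline.
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "23456": "flame",
    "31415": "harbour",
    "42624": "kettle",
    "55555": "quartz",
    "66666": "zoom",
}


def roll_to_index(roll: str) -> int:
    """Turn a five-digit dice roll (digits 1-6) into a 0-based list index.

    The roll is read as a base-6 number, so 11111 -> 0 and 66666 -> 7775.
    """
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index


def roll_five_dice() -> str:
    """Software stand-in for physical dice, drawing from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase_from_rolls(rolls, wordlist=None) -> str:
    """Map each roll to its word and join the words with spaces."""
    wordlist = SAMPLE_WORDLIST if wordlist is None else wordlist
    words = []
    for roll in rolls:
        roll_to_index(roll)  # rejects malformed rolls before the lookup
        if roll not in wordlist:
            raise KeyError(f"roll {roll} is not in this sample wordlist")
        words.append(wordlist[roll])
    return " ".join(words)


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` independent uniform picks."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("passphrase:", passphrase_from_rolls(["23456", "31415", "42624", "55555"]))
    print("a fresh software roll:", roll_five_dice())
    for label, bits in [
        ("4 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 4)),
        ("6 Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 6)),
        ("8 random printable characters", entropy_bits(94, 8)),
    ]:
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1000):.3g} years at 1000 guesses/s")
```

The years figure assumes the attacker has to try every combination; on average they find it halfway through, and an offline attacker guesses many orders of magnitude faster than a thousand a second, which is why six words is the sensible default for a master passphrase rather than four.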
In short
To summarise everything:
- Passwords are like Chihuahuas, they are the dog out the front of our house and make sure we are not the low hanging fruit
- Strong (long, complex, unpredictable) and unique passwords are good, functioning like lots of Chihuahuas to guard various parts of the house
- Password managers generate and store strong, unique passwords for every login we have, letting us manage all of our Chihuahuas
- Password managers are not perfect and we still need to practice the simple things like creating a good password for the password manager and keeping the password manager up to date
- When you cannot use a password manager, use a passphrase
- Passphrases are not scary, much like Chihuahuas they can be your friend
Comments
1. How would you know if it is compromised? 2. Do you have the means in place to know if it is compromised? 3. Do you really want to wait for a leak to tell you it was compromised?
Nice to see that I'm not the only one who thinks strong passphrases that are not compromised do not need rotation. I do have an addendum of sorts. "but for most home internet users sophisticated hackers are not something to worry about." I agree in the sense that no hacker (with skill) would target the average user specifically but, and correct me if this does not happen, they would write bots that collect information or use our systems. Because to a hacker information is everything (besides the game) and it is not hard to just grab it with bots, and to run these bots on 1000 systems that are not traceable is even better. Or?
Great analogy!
Only read for the Chihuahuas but I learnt something. Thanks!
Password rotation is truly the leading contributor to weak passwords around the globe. Can passwords be here to stay for a while? Debatable, but let's all agree password rotation should be gotten rid of!!!