Passwords: A Necessary Evil

Most of us hate them. Even though they give us so much security, they are only useful if we know them and if we don't use the same one everywhere. Passwords are a necessary evil in today's digital age.

[Image: metal PIN pad on a grey wall, fixed with four screws]

This blog post was improved with the use of ChatGPT, a large language model developed by OpenAI.

Remembering Passwords

More than 30 percent of people admit to using their pets’ names to come up with passwords that are “easy to remember”(1). Replacing letters with numbers may seem to make a password secure, but that is not always the case. Comparing the estimated time to crack the passwords “Tr0ub4dor&3” and “correct horse battery staple” shows that the first holds out for only a few months, while the four-word string lasts centuries(2).
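To see why the leet-style password scores so much lower than the four-word passphrase, here is an added example (not from the original post or the cited strength checker) that estimates password entropy two ways: the naive "random characters from a character set" model, and a pattern-aware model that treats "dictionary word plus substitutions plus short suffix" and "several dictionary words" as the structures a cracking tool would try first. The leet table, the tiny word list, the assumed 65,536-entry attacker dictionary, and the guess rates are all constructed assumptions for the demonstration; real checkers use far larger corpora, so absolute numbers will differ from the cited site.

```python
import math
import re

# Hypothetical leet-speak table: the substitutions cracking rule sets already try.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_LETTERS = set(LEET.values())

# Constructed stand-in for a cracking dictionary; a real one has tens of thousands of words.
WORDS = {"troubador", "correct", "horse", "battery", "staple", "password", "dragon"}
WORD_LIST_SIZE = 2 ** 16   # assumed size of the attacker's word list
SYMBOLS = 33               # printable ASCII punctuation characters
DIGITS = 10


def deleet(text):
    """Undo common letter-to-digit substitutions, e.g. 'Tr0ub4dor' -> 'troubador'."""
    return "".join(LEET.get(ch, ch) for ch in text.lower())


def charset_bits(password):
    """Naive estimate: pretend every character was drawn at random from its character classes."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += DIGITS
    if re.search(r"[^A-Za-z0-9]", password):
        pool += SYMBOLS
    return len(password) * math.log2(pool) if pool else 0.0


def structured_bits(password):
    """Pattern-aware estimate for 'dictionary word + substitutions + digit/symbol suffix'.

    Returns None when the password does not fit that shape.
    """
    split = None
    for end in range(len(password), 0, -1):
        if deleet(password[:end]) in WORDS:
            split = end
            break
    if split is None:
        return None
    core, suffix = password[:split], password[split:]
    if any(ch.isalpha() for ch in suffix):          # letters after the word: not this pattern
        return None
    bits = math.log2(WORD_LIST_SIZE)                                  # which word was chosen
    bits += 1.0 if any(c.isupper() for c in core) else 0.0            # capitalised or not
    bits += sum(1 for c in deleet(core) if c in LEET_LETTERS)         # each substitutable letter: swapped or not
    for ch in suffix:                                                 # appended digit or symbol
        bits += math.log2(DIGITS if ch.isdigit() else SYMBOLS)
    return bits


def passphrase_bits(password, dictionary_size=2048):
    """Diceware-style estimate: each word chosen uniformly from a list of dictionary_size words."""
    words = password.split()
    if len(words) < 2 or not all(w in WORDS for w in words):
        return None
    return len(words) * math.log2(dictionary_size)


def strength_bits(password):
    """The first pattern model that matches wins; otherwise fall back to the naive estimate."""
    for estimate in (passphrase_bits, structured_bits):
        bits = estimate(password)
        if bits is not None:
            return bits
    return charset_bits(password)


def crack_seconds(bits, guesses_per_second):
    """Worst-case time to exhaust a search space of 2**bits at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        naive, aware = charset_bits(pw), strength_bits(pw)
        print(f"{pw!r}: naive {naive:.1f} bits, pattern-aware {aware:.1f} bits, "
              f"offline crack at 1e10 guesses/s: {crack_seconds(aware, 1e10):.0f} s")
```

The naive model rates "Tr0ub4dor&3" at over 70 bits, which is what makes such passwords look strong on a complexity meter; the pattern-aware model lands near 29 bits because the word, its capitalisation, its substitutions and its suffix are each cheap choices for an attacker's rule set. The passphrase scores 44 bits under the passphrase model because each word is one uniform pick from the list, and adding a fifth word adds another 11 bits.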

Password Managers: The Solution?

A much more effective way to create and remember passwords is a password manager: a software program that you install on one or more devices. If you decide to use one, check that it is open-source and has been audited. Most password managers can sync passwords between devices and even fill in the username and password fields on websites for you. They also detect weak passwords and warn you when several services share the same one. This matters because if one service suffers a data breach in which attackers obtain passwords, the attackers typically try the stolen passwords on every other service to see where else they work.
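The reuse warning and the breach logic described above boil down to a small audit over the vault. The following is an added example (not code from the original post or from any password manager) showing how such an audit can group entries by password fingerprint, flag reuse, and answer "if service X is breached, which other accounts are now open to credential stuffing?". The vault entries and the breached-password list are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault; every credential here is made up for this example.
VAULT = [
    {"service": "mail.example",  "user": "alice", "password": "correct horse battery staple"},
    {"service": "shop.example",  "user": "alice", "password": "Summer2022!"},
    {"service": "forum.example", "user": "alice", "password": "Summer2022!"},
    {"service": "bank.example",  "user": "alice", "password": "Tr0ub4dor&3"},
]

# Constructed stand-in for a breached-password corpus; real managers query a large hashed list.
KNOWN_BREACHED = {"123456", "password", "qwerty", "Summer2022!"}


def fingerprint(password):
    """Compare passwords by a hash so the audit never has to pass plaintext around."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reuse(vault):
    """Group vault entries by password; any group with more than one service is reuse."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["service"])
    return {fp: services for fp, services in groups.items() if len(services) > 1}


def exposed_by_breach(vault, breached_service):
    """Services sharing a password with the breached one: these are the credential-stuffing targets."""
    leaked = {fingerprint(e["password"]) for e in vault if e["service"] == breached_service}
    return sorted(e["service"] for e in vault
                  if e["service"] != breached_service and fingerprint(e["password"]) in leaked)


def known_breached(vault):
    """Entries whose password already appears in the breached-password corpus."""
    return sorted(e["service"] for e in vault if e["password"] in KNOWN_BREACHED)


if __name__ == "__main__":
    for fp, services in find_reuse(VAULT).items():
        print(f"password {fp} is reused on: {', '.join(services)}")
    print("if shop.example is breached, also rotate:", exposed_by_breach(VAULT, "shop.example"))
    print("already in breach corpus:", known_breached(VAULT))
```

The useful output is the action list: after a breach at one service, every service returned by `exposed_by_breach` needs a new, unique password, not just the breached one.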

Alternatives

“Ideally, we don’t want to rely on passwords at all”, says Google Developer Advocate Eiji Kitamura(3). This can be done with security keys like YubiKeys or NitroKeys. These are often used as a second factor alongside passwords. You just press the key, and a string it produces is used to authenticate you. If a key is lost, someone could use it to authenticate as you. Some security keys also generate one-time codes that change every 30 seconds, so no insecure SMS codes are needed. SMS codes are vulnerable to social engineering(4): attackers try to get your telecommunications provider to issue them a new SIM card or eSIM, which gives them access to your messages and therefore your accounts.

All information is supplied without guarantee.


Sources:

  1. https://cyclonis.com/report-83-percent-users-surveyed-use-same-password-multiple-sites, 26.08.2022
  2. https://bitwarden.com/password-strength, 26.08.2022
  3. youtu.be/6vnQDn3AUbo?t=120, 26.08.2022
  4. https://wikipedia.org/wiki/Phishing#Social_engineering, 26.08.2022

#tech #security