We have talked in the past about how important it is to unlock your smartphone with a passphrase instead of a numerical code, and, if you’re still not up to date with how law enforcement abuses its powers, why you especially should not use biometrics like your fingerprint or FaceID.
If you have not read about smartphone passphrases yet, you should start here: https://unoffensiveanimal.is/2021/03/16/creating-a-safe-passphrase-for-your-smartphone/
Now that you have read that, we MUST talk about all other passwords you use to log in to every other account you own.
Passwords are normally stored on the servers of those accounts (let’s say Facebook, for example) as hashes. That means that whoever gets hold of the database cannot simply read your password as plain text. But many tools can crack those hashes by guessing candidate passwords until one matches, and a short or common password is recovered very quickly that way.
So how do we protect ourselves from a major data leak that would release onto the internet the key to every account you own?
Firstly, we need to go over a few rules:
- You should NEVER reuse your password. It doesn’t matter if it is for an account you don’t care about. Just DO NOT reuse your password. If it leaks for one account, it will leak for all accounts!
- Your passwords should be complicated and lengthy. There are many ways of “creating” passwords, but we will explain a very simple one later on in this article.
So once we have learnt those two rules, how can we create, manage and memorise very long, complicated, single-use passwords, so that you do not repeat them across every single account?
The answer is using a password manager.
A password manager is a vault that keeps all those passwords safe and away from prying eyes. For most of our readers, whose threat level is probably low, we recommend a cloud-based password manager due to its ease of use, but if you believe you should go a step further, once you’ve read about password managers check out KeePass, a completely off-cloud alternative.
Our recommendation for a cloud-based password manager is Bitwarden. Bitwarden is an open-source password manager capable of storing all the information you need, but also able to generate new passwords on demand and synchronise across all your devices if you so wish.
Storing all your passwords in a single drawer sounds like a huge, scary thing, doesn’t it? This is why you should think before you even create a new account with Bitwarden.
1- Create a new, never-used-before email address. Only use it to create that password manager account, so it doesn’t leak. That makes it more difficult to brute force the password manager credentials, because the attacker doesn’t even know which email address you could’ve used.
2- Create a MASTER PASSPHRASE. Remember how we talked about a passphrase for your smartphone? Follow those rules, but double it, or even triple it in size. Write it down for a few weeks until you are 100% sure you will not forget it, and practise using it. Make it the longest, most complicated password you can create whilst still being able to remember it, because it is the password that will rule all the passwords.
Now you can log in to Bitwarden and start storing all your accounts’ passwords. And because we know what you’re like, this is the moment we prompt you to CHANGE THE 6-YEAR-OLD PASSWORD YOU’VE NEVER IN YOUR LIFE CHANGED. Seriously, go on Facebook, change your password. Go on your Proton Mail, and change your password. Go on your Amazon account and CHANGE-YOUR-PASSWORD.
You will find a very good little tool within Bitwarden. When you’re changing a password in whatever account, you can click on “generate password”, choose the length and how complicated you need it to be, and the software will create the password for you. You copy it, change the password in the account, then save the new credentials in your Bitwarden and voilà! You are done!
But I can imagine more than one person complaining about putting all the vegan eggs in a single, steel basket, and hoping that that does not fuck things up.
And you people are right. That master passphrase could be broken. All your accounts, compromised. And we also have remedies for those problems.
In a future instalment, we will talk about 2FA and how to use it (not the one where Google sends you a text with a code, mind you!). But for now, this is a cool little trick you can use to secure your accounts a step beyond the password manager.
Let’s imagine that the FBI has decided to check out all the nudes you send over Instagram DMs. They try to enter your IG, but they are unsuccessful. Sadly, they find a plaintext copy of your password manager master passphrase, and they learn that your Instagram login credentials are:
User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&ppaY@xbe (a very nice password created by the password generator within Bitwarden!)
When they try to log in, “username and/or password are invalid” appears on the screen!
Why? Because you did not put all the vegan eggs in one steel basket. You kept half an egg to yourself.
That metaphorical egg is “something you remember”, an add-on to your password, something extra that you don’t forget.
For example, let’s say that you really like plants, and your favourite plant is a pothos. Maybe that something you remember can be {p0th0%s}, and when you are creating new passwords for all your accounts, you keep adding “{p0th0%s}” at the end of the randomly generated password that Bitwarden is giving you.
When you save your passwords, you are not saving {p0th0%s} alongside them; you simply remember it. So when you need to log in to IG, for example, Bitwarden gives you this:
User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&ppaY@xbe
But you remember that the actual password is:
Password: z3JtBqGT$ZRjWY!cf&ppaY@xbe+{p0th0%s}
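As an added illustration (not part of the original post, and not Bitwarden’s or Instagram’s code), the snippet below models both points made above: a service stores only a salted, slow hash of your password, and the vault holds only the random part, so whoever reads the vault still fails to log in without the remembered suffix. The password, the suffix and the PBKDF2 parameters are constructed example values.

```python
import hashlib
import hmac
import secrets
import string

# Character set like the one a password generator would use (assumption).
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*"


def generate_password(length=26):
    """Random password of the kind the vault's generator hands you."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def full_password(vault_entry, remembered):
    """The real login password: what the vault stores plus what only you remember."""
    return vault_entry + remembered


def make_record(password, iterations=200_000):
    """What a well-run service keeps: a random salt and a slow hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, attempt):
    """Server-side login check; constant-time comparison of the recomputed hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


# Constructed values taken from the article's example.
VAULT_ENTRY = "z3JtBqGT$ZRjWY!cf&ppaY@xbe"
REMEMBERED = "{p0th0%s}"


def demo():
    """Register with the full password, then try logging in two ways."""
    record = make_record(full_password(VAULT_ENTRY, REMEMBERED))
    return {
        # someone who only has the vault copy (e.g. after the master passphrase leaks)
        "vault_only": verify(record, VAULT_ENTRY),
        # you, with the vault copy plus the suffix you remember
        "with_remembered": verify(record, full_password(VAULT_ENTRY, REMEMBERED)),
    }


if __name__ == "__main__":
    print(demo())
```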
And tada! You made your life a little safer by spending a couple of days learning a new tool that will really, really help you in the long run.
Enjoy, and for the love of bunnies, stop using “password123” as your password, please.
UA Tech and Sec department.