Password Manager & 2FA: How to properly set up your password

Passwords! The key to almost everyone’s privacy. We are all wary and paranoid about how we handle our passwords, yet most of us don’t know how to implement and safeguard our passwords the right way. Because remembering passwords is a pain, most of us use a single password or at most two different passwords for almost every service we use. Do we really have to store passwords in our brain? do we have to remember each password? why not just store them like we store contacts on our phone. (But more secured). Besides, the brain is the least place to keep anything secured. All an adversary need is a wrench and an isolated environment to torture the password out of us. (Just kidding, it is not that serious.)

Before we get into how to properly set up a password, let us refresh our memory by discussing the aim of having passwords. Passwords are not only meant to help us gain admission or access, but they are also meant to help authenticate us. When we use a password online, what we are doing is using a key (the password) to gain access or admission, not really authenticating whether the user inputting the password is the authorized user. Because passwords do not validate the true identity of a user, it makes it easy for us to share our passwords if we want others to access any services we’re authorized to access. Well, with such ease of sharing comes a vulnerability. The tendency of an adversary getting our password and using it without authorization.

Though it is agreed within the security community that using a complex password that looks like Egyptian hieroglyphs is much better that using plain passwords like “12345” or “password”. It certainly doesn’t mean it is safer, the only thing it does, is to make the password more complex in the event an adversary attempts to brute force the password. (In layman’s terms, brute force is guessing passwords until you get the right one — this could be done using hacking tools or the human brain).

Let’s say we use the same login credentials (password/email) for Netflix and Facebook. By sharing our Netflix credentials, we have indirectly given access to our Facebook.

The likelihood of someone exploiting these types of vulnerability is low unless we are a target. However, it is not safe and it is considered a bad practice. It is like leaving our door open in a safe neighborhood. Chances are no one is going to go into our house, but are we really going to take that risk? Besides the internet is not a safe place.

Now that we understand we have been setting up our password wrong, how do we fix it? Well, first we must ensure that our passwords are achieving exactly what passwords are meant to achieve. That is ensuring that the passwords we use do not only give us access only but also help validate us.

2FA — Two Factor Authentication

To ensure more security, we have to implement two-factor authentication sometimes called 2FA or 2fac. 2FA is using any two of the three recognized factors of authentication:

  • Something we are (fingerprint, retinal scan, etc)
  • Something we have (ID, token, phone, etc)
  • Something we know (passphrase, birthday, etc.)

When we use an ATM card, we are achieving 2FA. Because we have the card (something we have), and we know the PIN (something we know). When we pass through airport security, we are also using 2FA. We have to be there in person (something we are), and we have to present our passports (something we have). When our banks give us token or send us a code in a text, we are also using 2FA, because we have to use the token or text codes (something we have) along with our passwords (something we know). These features are part of what makes ATM, traveling and online banking safe from our side.

Most Internet provided services have the 2FA feature. We just have to enable it. Facebook, Instagram, Twitter, Gmail, Twitter, Banks etc. Almost all sites that have something to do with personal information have some form of 2FA. Some use text message, some uses Authentication Tools like Google Authenticator. Websites like https://twofactorauth.org/ help us check which websites support 2FA.

For services that don’t support 2FA, setting a complex unduplicated 25 bit or above passwords are encouraged. Because complex passwords are hard to remember, especially if they are different for each service. That is why the use of Password Managers are recommended — We don’t even have to remember our passwords anymore.

Password Manager

Passwords managers are our personal passwords wallet, they help us generate and store secured complex passwords. No more guessing our passwords every time. No more guessing whether the first character in our password is a capital or small letter. All we have to remember is one password: The password to our Password Manager.

Recommendation:

Every Internet user should create a strong password using a Password Manager and then enable 2FA. There is no better option between the different Password Managers & Authenticators, it is really based on one’s need. But most of the major ones provide some free services, which is sufficient for an average user. The major Password Managers are safe, because the passwords are encrypted, meaning no one but the user can access the stored passwords. Not even the Password Manager providers.

What I use:

I use LastPass as my Password Manager and Google Authenticator for 2FA. I use a different password for each service I use. For each password, I generated more than 35 bit long passwords that look like a Cuneiform. I don’t even want to know my passwords. The headache is too much. I only know one password. My master password (the password to LastPass.) And my master password is not some date or name, it is actually a movie quote. With over 100K movies in the world, good luck guessing that.

And if someone were to ever get my LastPass master password, I have LastPass’ 2FA enabled. So they would have to steal my phone, and if they were to steal my phone, how are they going to get into my phone without my thumb or 6 digit code. Unless my code is something uniform like 111111 or 000000, Ideally, it should take more than 10 tries to brute force the code. Well, I have set my phone to lock itself after 10 tries. Before the time resets, hopefully, I should be able to realize my phone is missing so I can unauthorize LastPass on my phone remotely or better wipe the phone.

All this might seem a bit hectic to implement, but it is really not that hard. The best thing to do is to look up how to enable 2FA for everything you use (Facebook, Twitter etc), then google how to use LastPass and how to use Google Authenticator. I find YouTube videos to be the best guide. Everything should take like 30 minutes to set up. But it pays eventually. Not only does it provide more security, it actually saves time. LastPass browser extension provides an auto-fill option, so you don’t even have to copy and paste. As for the mobile apps (iOS & Android), it is actually quicker to copy & paste from LastPass to another app, than it is to type the passwords.