Fixing Your Passwords

Scott MacWatters
10 min read · Apr 17, 2020


As I’m writing this, most of us are stuck around the house due to Covid-19. If you’re quarantining on doctor’s orders, isolating on governor’s orders, or just taking the weekend off from your essential work, this may be a good time to fix your passwords.

[Image: 1Password]

Are your passwords bad?

Statistically, yes. Studies come out all the time showing that a majority of people use terrible passwords, and they reuse them for every website. Until last year, I was re-using 3 passwords all over the internet.

Online security is like physical security: there are levels to it.

If you want to secure your house or work, you may do these:

  1. Lock your door knob lock when you leave
  2. Get a deadbolt
  3. Get a motion activated light
  4. Get a security system
  5. Get security cameras
  6. Hire an armed guard

There are obviously reasonable parts of this that everybody should do, and there are more advanced measures that few people need. It doesn’t make sense to secure your house the same way they secure 1600 Pennsylvania Avenue.

The same is true with passwords.

Here are some reasonable steps you can use to secure your online accounts:

  1. Use a different password for your email, bank, and social networks
  2. Use a different password for every website
  3. Lengthen and randomize your passwords
  4. Use a phone number (SMS) for two-factor authentication
  5. Use an authenticator app for two-factor authentication
  6. Use a physical security key for two-factor authentication

How Passwords should be Stored online

I tried to keep this section simple, but it can get a little complicated.

The summary is: good websites don’t store your password itself. They store a value that only your password could have produced, and that value can’t be turned back into the password.

Imagine that your password is: “potato1”

Good online sites will not store “potato1” in their database. They will store what is called a “hash” or, even better, a “salted hash.” These are not just breakfast terms anymore.

Like breakfast, they take your password, cut it up and fry it in a pan in such a way that the original can no longer be recognized. The result looks something like

f1535ce1805987f0d854e54688476a02d14f33b47db57f26d17237b390960a47

No matter how hard you try, you can’t run this output backwards to recover “potato1”. What an attacker can do, if they steal the database, is guess forwards: hash “potato1” and millions of other common passwords and see which ones match the stored values. That is why a weak password is still weak even when it is hashed, and why a good site uses a deliberately slow hash (bcrypt, scrypt or Argon2) so that each guess costs the attacker real time.

However, next time you try to log in, they can hash your “potato1” and turn it into the same thing every time. If it matches, you’re in!

You can try this out yourself with any online hash calculator.

But what if multiple users use “potato1” as their password? Without a salt, their stored hashes would be identical, so cracking one would reveal the other, and an attacker could hash a list of common passwords once and check the results against every user in the database at the same time.

To prevent this and some other attacks, websites “salt” hashes: each user gets a different random value that is mixed in with the password before hashing. Think of this like adding a different set of other ingredients to each user’s hash to make it different.

“potato1bacon” becomes

0e46bdf666355a16cdc550c17c1f79fa9a6b2ca072dfa783a8ad9cb66b8ad2a4

“potato1eggs” becomes

28185e62879ece5e63fbac5b4d1185759e6470202d590682aa2abf2d191cb018

Good websites store only the hash and the salt they added. With that, two users with the same password no longer look alike in the database, a precomputed table of common-password hashes is useless, and nobody, including the site itself, can read your original password. What a salt does not fix is a weak password: an attacker holding the database can still guess at each user individually, so the site should also use a slow hash, and you should still pick a password that isn’t on anybody’s list.
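To make the hashing and salting above concrete, here is a short Python script added to this article; it is not code from the original post. It uses SHA-256 for the plain and salted hashes, which is an assumption: the post never names its algorithm (its 64-hex-character values are the size of a SHA-256 output), so the values it prints will not match the ones shown above. The wordlist and the user table are constructed for the example. The script shows the problem the text describes (two users with the same password get the same stored hash, and an unsalted fast hash of a common password falls to one pass over a wordlist), the effect of a per-user salt, and what a properly run login check looks like with a random salt and a slow key-derivation function.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Wordlist constructed for this example. Real cracking lists hold millions of
# leaked passwords, and "potato1" is exactly the kind of entry they contain.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Password1", "potato1", "letmein"]

# Constructed user table: two people who happened to pick the same password.
USERS = {"alice": "potato1", "bob": "potato1", "carol": "xK9#vQ2!mZ8r"}


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, hex encoded: the plain "hash" described in the text.
    It is deterministic, so equal passwords produce equal stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_fast_hash(password: str, salt: str) -> str:
    """SHA-256 over password + salt, as in "potato1bacon" / "potato1eggs"."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def matching_users(table: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of users whose stored hashes are identical: the unsalted problem."""
    names = list(table)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if table[a] == table[b]]


def crack(target_hex: str, wordlist: list[str]) -> str | None:
    """Offline guessing against an unsalted fast hash. Nothing is reversed: each
    candidate is hashed forwards and compared. With a fast hash an attacker can
    do this billions of times per second on a GPU."""
    for guess in wordlist:
        if fast_hash(guess) == target_hex:
            return guess
    return None


# Slow, salted hashing with a standard-library KDF. PBKDF2 is used here only
# because it ships with Python; bcrypt, scrypt or Argon2 are the usual choices.
PBKDF2_ROUNDS = 200_000


def make_record(password: str) -> dict[str, str]:
    """What a well-run site stores per user: a random 16-byte salt and the
    derived hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict[str, str], attempt: str) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # 1. Unsalted fast hash: duplicates are visible and common passwords fall quickly.
    table = {user: fast_hash(pw) for user, pw in USERS.items()}
    print("identical hashes:", matching_users(table))                    # [('alice', 'bob')]
    print("alice cracked as:", crack(table["alice"], COMMON_PASSWORDS))  # potato1
    print("carol cracked as:", crack(table["carol"], COMMON_PASSWORDS))  # None

    # 2. Salting: the same password no longer produces the same stored value.
    print(salted_fast_hash("potato1", "bacon") == salted_fast_hash("potato1", "eggs"))  # False

    # 3. Slow + salted: what a login check actually does.
    record = make_record("potato1")
    print(verify(record, "potato1"), verify(record, "potato2"))  # True False
```

Note that carol’s hash is unsalted and just as fast to compute as alice’s; it survives only because her password is not on the list. The salt stops the attacker from reusing work across users, the slow KDF makes each guess expensive, and only the strength of the password itself limits how many guesses are needed.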

So if passwords are stored securely, why bother?

Websites should store passwords securely, but sometimes don’t, and from the outside it’s almost impossible to tell which ones are doing it correctly.

Also, even if a website stores your password securely, you also have to send your actual password to them so they can log you in. What if they did that incorrectly? What if you’re in an insecure environment on public wifi? What if somebody managed to install something on your computer to track your keyboard inputs? What if somebody just guesses 10,000 passwords on your account?

All of these risks are reasonably small, but they can and do happen. Like with somebody breaking into your home, you’re trying to secure it enough that somebody will move on. At some point, if you have a big enough target on your back, somebody may still find a way in, but you don’t have to make it easy.

Also, consider that the target may not be directly on your back, but on your workplace. If somebody is able to infect a workplace’s network with key loggers, they may get access to hundreds of accounts. Stealing one Amazon account is a lot of work for potentially very little reward, but stealing hundreds of accounts is much more likely to be profitable.

Two Factor Authentication (2FA)

“Two factor” authentication is when a website uses two distinct factors to identify that you are who you say you are. The three common factors to choose from are:

  1. Something you know: typically a password
  2. Something you have (or have access to): SMS verification, Phone verification, email verification, Authenticator Apps, Physical Security Keys
  3. Something you are: Biometrics like Fingerprint, FaceID

These three things are independent and hard to get access to. If an attacker is able to guess your password, it’s unlikely they’ll also have your fingerprint or have access to your cell phone.

Given how complicated biometrics can be, most websites use “Something you know” and “Something you have.”

SMS Verification (not great)

There have been many reports of people whose accounts were taken over even though they had set up 2FA using SMS verification. The attack, usually called a SIM swap, works by convincing your cell phone provider that the attacker is you: trick a call center employee into moving your phone number to a SIM card the attacker controls, and every verification code and password-reset text now goes to them, which is often enough to reset the whole account.

SMS verification is better than nothing, but given how frequently this attack is reported, I highly recommend staying away from it wherever a site offers anything better.

Authenticator Apps (preferred)

Authenticator apps work from a secret that you and the website share once, when you scan the setup QR code. After that, both sides derive a new six-digit code from that secret and the current time every 30 seconds (the TOTP standard), so nothing has to be sent to your phone at login. They are easy to use and much stronger than SMS. The remaining attack vectors are getting hold of the device the secret was set up on, and phishing: a fake login page that asks for your current code and relays it to the real site within the 30-second window.

Physical Security Keys (probably overkill)

Physical security keys are small devices, usually USB but sometimes NFC or Bluetooth, that contain a tiny computer which holds a private key and does the cryptography in a way that the key can’t be copied out. To log in, you plug the key in and touch a button on it. The browser passes a challenge from the website to the key, the key signs that challenge together with the website’s address, and the website checks the signature. Because the address is part of what gets signed, a phishing site receives a response that is useless to it, which is the one protection SMS and authenticator apps can’t offer. They are extremely secure, but sometimes cumbersome to set up or use frequently, and overkill for most people.

Fixing the problems

The best way to fix your online security is to combine 2FA and strong password usage to manage your risk.

Strategy 1: Security Tiers for 2FA

We use a variety of sites that have different levels of impact if people were to get into them.

For example:

  1. The “I don’t care” tier: May contain things like Netflix, Hulu or other passwords you actively share with friends and family
  2. The “I care” tier: Facebook, Twitter, Instagram. If somebody gets into these, you’re going to be upset, but you should be able to recover from it
  3. The “I’m never going to financially recover from this” tier: Bank, Email, Amazon. If somebody gets your email, they can generally get access to any other website. If somebody gets into your bank, they can steal your money

By dividing up your sites into tiers, you can add security to the ones that need it and have the highest risk. For example, for your most secure sites, it is a good idea to set up 2FA using an Authenticator App. It is probably a good idea to do this for your “I care” tier while you’re at it.

Strategy 2: Different Passwords for each site

There are multiple ways to use different passwords for every site, but there’s one clear thing that’s not an option: making up and remembering a totally unique password for each site.

A simple option is to take a few base passwords and modify them based on the websites you’re accessing.

Let’s say one of your base passwords is “Password1”. To modify it, you could decide to use the 2nd letter and the length of the website’s name and insert them into your password. For Amazon, you would add “m6” to form “Passm6word1”, and for Facebook “a8” to form “Passa8word1”. You could do more complicated things, as long as you can remember how it works. You are, in effect, salting your own passwords. The weakness is that the scheme is only as secret as its outputs: if two of these leak in plain text or get cracked, a human looking at the leaked list can see the pattern and reconstruct your password for any other site.

The better approach is to use a password manager: an app (usually with a companion website and browser extension) that keeps all of your other passwords in a vault encrypted with a key derived from one master password. You can create completely random, long passwords for every site and let it remember and fill them. The trade-off is that you have to be extremely careful with that master password: make it long, never reuse it anywhere, and protect the manager itself with 2FA, because somebody who gets into it gets everything.

Some well known password managers:

  1. 1Password (I use this one!): $3 a month
  2. LastPass: Free option, $3 a month for slightly better plan
  3. DashLane: $5 a month plan includes VPN
  4. NordPass: Free option, $2.50 a month for slightly better plan

When evaluating Password managers, you should consider the following:

  1. Do they support all of the devices you use?
  2. Do they have a good track record of security? (Look up the company!)
  3. Does it support 2FA to secure the password manager?
  4. Price?
  5. Other services?

Applying the strategies

Once you have selected a password strategy and decided on your 2FA tiers, you can begin the process.

If you’re using a password manager, I suggest you expect to sit down for at least an hour or two to get the process started. Your goal should be to secure all of your high risk websites, maybe all of your social media, and a couple of low risk sites within the first sitting so you are comfortable with your new tools.

Print your Recovery Kit

Most password managers have some sort of “Recovery Kit” or “Emergency Kit”. Your first step should be to print it and secure the paper. With a good password manager, the company cannot decrypt your vault, so if you lose your recovery kit and forget your master password, nobody can get your passwords back.

Do not proceed until you have exported this kit in some way, ideally by printing it.

Set up Password Manager 2FA

Your password manager likely has 2FA using some mechanism. Given how high risk a password manager can be, I suggest using an authenticator app for this. If you have a physical security key, this is a great place to add it, but be mindful that logging in with it on a phone can be awkward.

Start simple

Try to just change one of your low risk websites. This will give you an understanding of how the process and the tools work. If you do it wrong, you can always “reset password” and get it back through your email.

Do this once or multiple times until you’re comfortable. Try to access this website on your phone and tablet to make sure you understand it.

Bulk Import

Before I started using 1Password, I was using Google Password manager to auto-populate all my passwords in Google Chrome. Scarily enough, it offers an easy bulk export option where you can export all of your passwords to a file.

If you have the same, this is a good time to bulk import all of the passwords into your password manager. Here is a guide from 1Password. Try logging into websites and when you’re comfortable that you have all of the passwords in your manager, this is a great time to delete them from the not-very-secure Google Password Manager and disable that functionality. Here is a guide from 1Password.

High Risk Sites

Now that you are totally within your password manager’s ecosystem, it is a good time to reset passwords for your high risk websites and add 2FA.

Since every site is different, you will have to log in and look around for yourself. The options should be under “Settings” or “Security” or something like that.

Change the passwords and add 2FA. Many password managers offer a built-in authenticator, so the site’s password and its 2FA codes can both live in the manager. That is convenient and means an attacker would need access to your password manager to get into the site. It’s great and I highly suggest it; just remember that both factors are now in one place, which is one more reason to protect the manager itself with a strong master password and its own 2FA.

Also, this is a good time to use the “sign out of all sessions” (sometimes “force log out”) option on your high risk accounts. This ensures that any device or browser you previously logged in from, including ones you’ve forgotten about, can no longer get into your account.

Don’t try to do it all at once

If you have a lot of passwords, it can be daunting to try to do it all in one sitting. Don’t push yourself. Once you have all of your high risk sites secured, take a break. Come back to it in a few weeks. You’re taking the right steps, so you don’t need to push yourself.

Video Streaming sites

Many of us share access to video streaming sites. Also, video streaming sites are often logged into on smart TVs.

Most of the time you should use random passwords, but this is an exception. Because these accounts are typed in with TV remotes or game console controllers and shared around, it’s best to use a human-readable, memorable password. It is still a good idea to have a separate password for each streaming service.

Did you get hacked and not know it?

Confession time: When I went through this process, I found 2 separate accounts that had been compromised for months and I had no idea: Hulu and Twitch. For me, I was locked out of resetting my own password on these two sites for various reasons. Shoutout to whoever got into my Hulu and made their own profile so as not to mess with anybody’s recommendations!

You may find this has happened to you. You may have to reach out to customer support. Explain to them how you are changing to use a password manager and you may have to tell them which email you were using on the account. They should hopefully be able to reset it to that specific email.
