On the occasion of the International Safe Internet Day celebrated today, we return to the well-known issue of passwords, good practices to follow, recommended tools and others to offer you an informative guide to help you do things right, but also to understand why you have to do them in a certain way, and not in another.
And it is that until some new technology does not replace the current one (there are several in progress, of which the WebAuthn standard is one of the most promising), the passwords are a constant criticism of the Internet with which we have to deal with yes or yes . So pay attention to what follows, because you should put it into practice.
Pay attention to the basic recommendations
The basic recommendations for dealing with passwords have not changed in recent years and most of them are pure common sense: keep the keys safe, do not share them, etc. But there are two especially delicate ones, because of not complying with a third requirement, they are useless:
- Use strong passwords (long sequences of letters, numbers and random symbols).
- Do not reuse The same password in different places.
And one more that usually costs to apply rigorously:
- Change them frequently, and not only when you find the news that this service you use has suffered an attack. Among other things, because in the time between the attack, the people in charge of the service discover it and communicate it to the public, everything can happen.
Why it is important to follow these recommendations does not deserve much explanation, but just in case:
- Strong passwords are more difficult to violate by brute force attacks, and although most services you use have protections against such attacks (usually the number of identification attempts is limited), prevention is better than cure .
- Reusing passwords multiplies the risk exponentially, since anyone who managed to access a site with your credentials, will try them on more.
Also, do not forget the additional requirement to change passwords frequently, which is nothing more than a proactive measure with which to anticipate the events, but not for that reason it is not advisable to do so.
In summary: use strong passwords, don't reuse them and change them from time to time. Simple, right? It is, as long as you use a password manager.
Use a password manager
Unless you use more advanced methods, in which case you will not be reading this because you do not need it, you will only be able to apply the aforementioned requirements scrupulously using a password manager, the cornerstone of this whole issue that you cannot deny, otherwise It is impossible for you to do things accordingly.
In case you have not been clear, I repeat it with other words: your head is not a password manager. The sooner you assume it, the better. But don't hurry. Although "password manager" sounds like an advanced user application, it is not. All you have to take into account will still need to remember a password
The most common use case in basic users is the web browser, so if all your passwords are linked to websites and you use a single browser, the services of data synchronization They offer Firefox, Chrome or others, as well as very comfortable, they are very safe.
Don't you trust your browser to store your passwords? Use a master key so that synchronized passwords are encrypted in the application itself, before being sent to the server. This function has the main browsers and is reliable within what fits. However it is much safer if you only identify yourself on personal devices that are encrypted.
Just worry about getting a good password generator, which you will easily find in the form of extension. With two honorable exceptions Chrome and Firefox, which have already been incorporated. If you use one of these two browsers you are interested to know, in addition, that:
Dedicated Password Managers
If you use more than one browser and applications and services that go beyond the browser itself, a dedicated password manager is the best option, something that we have discussed in depth in MC for example in this article: What is a password manager, what is it for and how it is used. However, it differentiates between what is a password manager in the cloud and another in local.
Password managers in the cloud work similarly to web browsers, with the advantage of not being tied to any of them. The most common is to create an account in the service in question and install extensions for web browsers or mobile applications. Two tips when choosing an application of this type:
- It is essential that you have client side encryption, so that only you have access to your passwords.
- Put open solutions based on open source, because they are more transparent in relation to their operation.
With both premises in mind, my current recommendation would be Bitwarden, a kind of free clone of the popular LastPass that makes it very easy.
The safest password managers, however, are also the most uncomfortable to manage, the local ones: applications that only work on your computer and whose data base you can save wherever you want. A good option is KeePassXC, also free and available software for Linux, Mac and Windows.
KeePassXC has the advantage that its development is very active, in addition to offering an extension for web browsers that simplifies the task of identifying quickly, comfortably and surely on any website, with the addition that the format of your database is compatible With mobile applications.
In the mobile, therefore, you can use applications such as KeePassDroid or KeePass DX. Now, between the mobile and the PC, how do you do it? This is one of the handicaps of this kind of solutions: you are in charge of administering and protecting the database with your passwords, which means looking for life to make the difficult easy.
In the case that concerns us the difficulty is in making the use and management of your passwords accessible regardless of the device you are in, and there are only two ways to do it: by hand or by synchronization; and while doing it by hand will always be safer, it is also much more annoying and the more difficult you put into the process, the more it will cost you to carry it out.
Using some type of automated synchronization is the most accessible way and understanding that the database of your password manager is not more than a single encrypted file, in principle there would be no problem in synchronizing it using services such as Dropbox or similar, but … Isn't that better to directly use a password manager in the cloud? The truth is that it rides so much.
As an extra, here is a utility that solves the issue, providing encrypted synchronization to lime and edge, but without going through any external server: Syncthing, a very particular open source project that I recommend you take a look at.
About password managers
To finish this section, it is important that you understand several basic concepts about password managers, and that is to apply a successful, effective and accessible strategy. crucial to avoid rejection or misuse of these tools, which is more common than it seems (PDF):
- Password managers will make you forget all your passwords, except one: the one that opens the manager itself. With respect to the most secure, those that implement encryption on the client side, is vital not to forget or lose it, because that will mean losing access to all your passwords. How to address this point? Now, your head may be the solution, but keep in mind the following …
- Password managers use the key you assign to encrypt the database, so the stronger it is, the better (there are alternative methods to enhance that encryption, such as the use of digital signatures with GPG, but they add layers of difficulty to the process).
And of course…:
You can always add something else on this topic, so there are three more tips, beyond the password managers.
Additional security measures
Password managers are not the only measure you should consider to improve the security of your credentials and data. Technologies like double authentication or hardware authentication keys They are equally recommended options to improve the protection of your life online. Apply them whenever you can. And encrypt the storage of all your devices.
Not all passwords are worth the same
Anyone understands this: the password of your email or your bank is not the same as that of a cooking forum where you have signed up to ask something. It is because of that you should not treat all your passwords in the same way, and so adopting a two-level strategy, even complicating the matter a bit, may be a good idea. For example, keeping the most sensitive credentials apart.
Not everything depends on you
He said a little higher that "in the world of software and the Internet, there is nothing 100 percent secure," which includes everything: you may apply exquisite security practices and still see yourself in some trouble because the cases of bad practices are the order of the day, and it turns out that you do everything right, but that service or application you use does not. But that is precisely why you should do everything on your part to minimize the risks.
Assuming all of the above, that you have to take care of passwords and that the best way to implement it is to use a password manager, among other things, it is each one's decision how to do it. The concrete recommendations on tools in this article do not have to be taken to the letter; They are just examples.
The complicated thing is not to find the right applications, but the balance between security and accessibility that best suits our requirements, since otherwise it is easy to get discouraged and, worth the redundancy, throw the easiest way, which is usually not the safest.
This is just a beginning guide, not an end in itself, and does not cover everything that it could.