Password Manager

Password managers - unfortunately still much underused «data securers»

Short, trivial passwords and their insecure use are very often the cause of cybercriminals gaining access to personal accounts, both private and corporate. Theoretically, we are all aware that we should use many different passwords and that they should not be obvious at all. In practice, however, things are unfortunately usually different, because nowadays you need so many passwords that no human being can remember them all, especially not if they are long and complicated. A password manager would often be the solution to this problem. Why isn't it used more often yet? Let's take a look at the current password situation:

 

The recommendations of the experts

At first glance, the recommendations for choosing secure passwords sound simple: for each website and service, use a unique password that is complex, contains numbers, letters and other characters, and is not easy to guess. But nowadays, this can very quickly involve 100 different websites, apps and services once you count every app and website you use. How is this supposed to work?

Let's take a look at the problem first!

 

No. 1: the reuse of passwords

Anyone who reuses passwords for different websites makes it unnecessarily easy for attackers. There are several reasons for this:

There are some big websites and services for which almost every Internet user has an account. According to «Similarweb, July 2023», the following 5 services and websites were the most popular:

Rank  Website
1     google.com
2     youtube.com
3     facebook.com
4     instagram.com
5     twitter.com

In addition, there are other services for which almost every user has an account, such as Microsoft, Apple (everyone with an iPhone), Android (everyone with an Android smartphone), Samsung (everyone with a Samsung smartphone) or Amazon, Netflix and LinkedIn.

Now, if a third party gets hold of one of the passwords used for these websites and services, it is easy to simply try this password elsewhere for one of the popular services. And already, instead of one account, 2 or more accounts have been hacked.

 

No. 2: Long passwords

Why passwords should be «complex» is quickly explained: The shorter a password, the easier it is to «crack». In the simplest case, an attacker simply tries all possible combinations of letters and numbers until he guesses the right password. A good computer program on fast hardware can do this within seconds. However, each additional character in the password considerably increases the complexity and thus the time needed to find the password - an example:

Let's assume that a password may consist of a-z, A-Z and 0-9. This means that there are 62 possibilities for each character, namely: 26 + 26 + 10 = 62

Example:

  • If we now choose a four-character password, this results in 62 * 62 * 62 * 62 possibilities, i.e. 14'776'336, approx. 15 million possibilities
  • If we add only one more character and use a five-character password, it is already 62 * 62 * 62 * 62 * 62 possibilities, i.e. 916'132'832, about 920 million possibilities

  • A computer that can try out 500,000 passwords per second needs about one minute to calculate 15 million possibilities, but for 920 million already about 30 minutes! Choosing a long password can therefore make cracking the password much more difficult, or make the process very long.

 

No. 3: Complex passwords

Now you could get the idea to just choose a long word and maybe add 2-3 numbers to make it more complex, but so that you can still remember the password. So for example a combination like «Password123456».

According to the above calculation, this is a 14-character password with 12'401'769'434'657'526'912'139'264 possibilities; exactly how many this is does not really matter here. Unfortunately, the attackers have another trick up their sleeve that significantly reduces the security value of this 14-character password: They carry out so-called «dictionary attacks». They do not simply try all letter and number combinations, but also dictionary entries or frequently used words. These word lists often contain frequently used passwords (like our example above). In this way, the programs again only need seconds to determine the correct password.

You can find an example of such a list here.

 

No. 4: Spare yourself the trouble of exchanging and swapping letters

By the way: Swapping letters, e.g. a to @ or o to 0 (zero) and the like, is also not necessary, because the attackers know this trick, too. Most of the time, the word lists they use already contain the corresponding word variants with the possible swaps.
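The following Python check is an added example, not part of the original article: it screens a new password the way a sign-up form could, and shows why «Password123456» and swapped variants fail even though their length suggests a huge number of combinations. The word list and swap table are small constructed samples, and the function names are hypothetical.

```python
import re
from typing import Optional

# Constructed sample; a real check would load a large list of known passwords.
COMMON_WORDS = {"password", "welcome", "summer", "qwerty", "letmein", "dragon"}

# Swaps that word lists already cover (a -> @, o -> 0, ...); constructed sample.
UNSWAP = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                        "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})

ALPHABET = 62  # a-z, A-Z, 0-9, as in the article's calculation


def brute_force_keyspace(password: str) -> int:
    """Combinations of the same length over a-z, A-Z, 0-9."""
    return ALPHABET ** len(password)


def dictionary_base(password: str) -> Optional[str]:
    """Return the common word a password is built on, or None if none found.

    Tries the password as typed and with leading/trailing digits and
    symbols removed, ignoring case and undoing the usual character swaps.
    """
    trimmed = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    for candidate in (password, trimmed):
        word = candidate.lower().translate(UNSWAP)
        if word in COMMON_WORDS:
            return word
    return None


def audit(password: str) -> str:
    """One-line verdict for a password policy check."""
    base = dictionary_base(password)
    if base:
        return (f"reject: built on common word '{base}' (length alone would "
                f"suggest {brute_force_keyspace(password):,} combinations)")
    return "ok: not derived from a listed word"


if __name__ == "__main__":
    for pw in ("Password123456", "P@ssw0rd", "oq9izQ3JHGH7ZN*evy.."):
        print(f"{pw!r}: {audit(pw)}")
```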

 

But what does a good, secure password look like?

Well, unfortunately, preferably like these examples:

  • oq9izQ3JHGH7ZN*evy..
  • 74ApCKC-4egKHTY_Dws@
  • sYpx9ApY3HDt.gJaZ*Ln

If you now say that you can never remember these passwords, then you are right. But you don't have to, because that's exactly what the password manager is for. It stores all the passwords you use for you and you only have to remember one password. You will learn how this works in the next chapter.

 

The password manager as a savior in times of need

You can think of a password manager as a secure notebook, with the difference that you won't lose it and that only you can read it. Now, in this secret notebook, you simply store all your long and complex passwords. The slightly less good news: you also need a very good password for the password manager, but at least only one.

And there are good methods for remembering it. For example, think of a phrase or sequence of words that only you can come up with, e.g. DoctorGlassThumbNeedleSuture (and think of a story to help you remember the phrase).

This is how you create your «master password». In the near future, you will only need to remember this single password. Important: Do not use the password (not even in parts) in any other place and for any other purpose!

 

How to set up a password manager

After you have selected a password manager and set it up with your master password, the first step we recommend is to save all your logins (as they are) to the password manager and familiarize yourself with it.

Give yourself a week and simply save every password that you «stumble upon» in everyday life in the password manager. Use this time to install the apps for the password manager on all your devices.

 

Password change

Now that you have «collected» your passwords for a week, sit down and go through your passwords. Replace all passwords with new, strong passwords. The best way to do this is to use a password generator, which is integrated in most password managers and with which you can create strong passwords and save them immediately in the password manager.
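What such a password generator does internally can be sketched in a few lines of Python. This is an added example, not the code of any particular password manager; the symbol set and function names are assumptions, and the guessing rate of 500,000 per second is the one used earlier in the article.

```python
import math
import secrets
import string

# Letters, digits and a few symbols like those in the article's sample
# passwords (the exact symbol set is an assumption).
SYMBOLS = "*-_.@"
POOL = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG until every class is present."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        # secrets uses the operating system's cryptographic random source;
        # the random module is predictable and must not be used here.
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, pool_size: int = len(POOL)) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(length: int, pool_size: int = len(POOL),
                       guesses_per_second: int = 500_000) -> float:
    """Worst-case time to try every combination at the given rate."""
    return pool_size ** length / guesses_per_second


if __name__ == "__main__":
    print("generated:", generate_password())
    print(f"entropy: {entropy_bits(20):.0f} bits")
    print(f"5 chars, 62 symbols: {seconds_to_exhaust(5, 62) / 60:.1f} minutes")
    years = seconds_to_exhaust(20) / (365 * 24 * 3600)
    print(f"20 chars, {len(POOL)} symbols: {years:.2e} years")
```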

 

What else you can do

Another very useful measure to protect your accounts is the use of so-called multi-factor authentication (MFA) or 2-factor authentication (2FA), which you can use to secure your accounts (read our article on the topic).

In addition, as always, if you have any questions or uncertainties on the subject, please feel free to contact our IT support on +41 61 500 16 30 or support@primetrack.ch. Of course, we can also recommend a particularly user-friendly password manager if you are looking for one.

Marius Dubach, IT Security Consultant

+41 61 500 16 15
marius.dubach@primetrack.ch
