Basic Internet Security for Authors – Strong Passwords
Long passwords are strong passwords. Even better when you put in special characters and numbers that are not the birthday of a loved one or something like that.
Please read this article to the end first. Think of it like a craft how-to, a knitting pattern or a recipe: there may be information along the way that spares you time and work, depending on which solutions you choose.
How Long is Long Enough?
16 characters or more. If you use a password manager this is absolutely no problem. Just set a decent default and you’ll never have to worry about that again. I usually have 30-37 characters. It’s my password manager’s default and I seldom have problems. Sometimes the platform where I want to open an account doesn’t support 30+ characters, so I a) know that they are using very old settings or don’t care and b) just set my password manager to the maximum the platform allows and let it generate a new password.
Upside of good, strong passwords: you don’t need to exchange them every three months or so. Only if you think that someone could somehow have stolen it, then, of course, you should exchange it.
Is a Password Manager Safe?
Yes.
Reason 1: We humans are really bad at choosing secure passwords, and a password manager can generate truly random combinations, which our brain is not built for. We all have favourite numbers and combinations, favourite words etc.
Reason 2: The bad news: We are neither as special individually as we like to believe nor so clever that a simple computer script can’t beat us. If we think that incrementing a number at the end makes a completely new password every time, we’re unfortunately wrong. Trying consecutive numbers at the beginning or the end is a single line of code.
Reason 3: The good news: Computers are painfully dumb, but pretty good with random numbers. They can generate really good passwords, so the best idea is to let a computer do that task for us.
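What “long and random” buys you, and why an incremented number at the end does not count as a new password, as an added example (not code from any password manager named on this page): a generator like the one a password manager uses, the entropy a given length gives you, and a check that flags a “new” password that is just the old one with different digits tacked on.

```python
import math
import re
import secrets
import string

# The 94 printable ASCII characters, the set a password manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32) -> str:
    """Generate a password the way a password manager does: from a CSPRNG, no human bias."""
    if length < 16:
        raise ValueError("use 16 characters or more")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Keep the page's advice: at least one digit and one special character.
        if any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password: log2(alphabet_size ** length).
    16 characters from 94 symbols give about 105 bits, 32 characters about 210."""
    return length * math.log2(alphabet_size)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with digits or symbols changed, added or removed at either
    end (e.g. "Summer2023!" -> "Summer2024!"). Such a change adds a few bits at best,
    which is exactly what a script trying consecutive numbers walks through."""
    core = lambda s: re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s).lower()
    return core(old) == core(new)
```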
Reason 4: A password manager creates a special vault for your passwords that is encrypted and stored on your device. There are also some that create the vaults on the provider’s cloud storage, but I’d be careful with those. Everything that’s only in a cloud and not in your possession, just think of those things as non-existent (in the best case, and public for everyone in the worst). The encryption on the vault file on your computer is state-of-the-art, and even if someone stole your computer there would be several other barriers to overcome first: the hard drive encryption and the password of your user account. The password to your password vault would be the third barrier to overcome.
Reason 5: It is, of course, better than a plain text file or spreadsheet, which lies openly on your desktop.
Reason 6: A password manager adds an entire layer of security for all your online logins. Because computers are stupid, they only do what they are told. So when you give it the URL of the login page of a service, it will only offer to log you in automatically on this specific site. Not on any other one, even if the URL looks the same at first glance. But criminals are, unfortunately, quite clever in luring us humans into traps by using different characters that look quite similar. A capital i looks pretty much like a lower case L: I <-> l or Il. Or they use an i with an accent rather than a dot above: i <-> ì etc. Especially mean are the two types of a: a <-> α because we know both versions from different fonts and our brains just see: It’s a letter a. So what our brains filter out as „looks close enough to the real thing“ or maybe „there’s a bit of dirt on the screen“, a computer, and in this case your password manager, will recognise for you. So it comes with protection against phishing sites.
How Does a Password Manager Work?
It’s a piece of software that securely stores all your passwords, software licence data, credit card information and more.
You can enter a username, additional mail address (if applicable), the login URL (very good idea to do so!) and let it generate a password for you (30-37 characters). It can also manage things like two-factor-authentication for every entry.
It integrates neatly with your operating system, and every time you click on a login field, your operating system will offer to fill in the information from the password manager. On desktop systems like MacOS, Windows or Linux you can – and I encourage you to – install the accompanying browser add-on. (Btw: Firefox is currently still your best option.) This will transform your online experience so much. I never want to be without a password manager ever again. It just does everything for you, and you can be sure that if it offers to log you in, you really are on the real site and not a phishing replica.
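The site check described in Reason 6 and again here, as an added example (not code from KeepassXC or any other password manager): the saved login is offered only when the current page’s origin matches the stored one byte for byte. Hostnames are converted to their IDNA (punycode) form first, so an accented ì or a Greek α can never collide with the plain letter. The domain is a constructed placeholder.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def canonical_origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Reduce a URL to (scheme, ASCII host, port). A host with non-ASCII letters becomes
    its IDNA/punycode form ("xn--..."), so look-alike letters cannot pass as the originals."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        host = parts.hostname.encode("idna").decode("ascii")  # hostname is already lowercased
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except (UnicodeError, ValueError):
        return None
    return (parts.scheme, host, port)


def may_autofill(stored_url: str, current_url: str) -> bool:
    """A password manager's decision: offer the saved login only when the page's origin
    equals the stored one exactly. Your eyes compare glyphs; this compares bytes."""
    stored = canonical_origin(stored_url)
    return stored is not None and stored == canonical_origin(current_url)


# Constructed example entry; the domain is a placeholder, not a real site.
STORED = "https://example-bank.test/login"
```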
What About Apple Keychain?
Apple offers its own Keychain and now also a Passwords app. Thing is, the vault is in the iCloud then. So it’s on US servers, and after the UK government forced Apple to stop encrypting iCloud data, it’s no longer secure. … A dedicated password manager with a vault file on your own local machine is a much better idea.
And Google / Samsung / Xiaomi …
Any pre-installed thing that comes from Big Tech companies, be it in China, Korea or the US, which probably even stores all your passwords in a cloud … Well, I’d rather not.
How to Start Using a Password Manager
Download and install a decent password manager on your device. I usually recommend KeepassXC. It’s a modern password manager which can do everything we need to protect our passwords and also features two-factor-authentication and passkeys. We’ll come to both a bit later. It can also sort your passwords neatly in folders, which helps with staying on top of things.
-> Download KeepassXC for desktop (Mac, Linux, Windows)
If you use a mobile device and no laptop/desktop computer, there are also password managers for mobile devices which use the same vault files as KeepassXC. You can use them if you use a desktop system as well as mobile devices and want to synchronise a vault file between them. Or just use them if you only have a mobile device.
-> Keepassium (iOS, MacOS)
-> Strongbox (iOS)
-> Keepass2Android (Android)
-> KeepassDX (Android)
First Start and Your Only Password
On the first start your new best friend – I mean your newly installed password manager – will ask you to make a new vault. This will need a password. This password will be the one you’ll be entering a lot, since this will unlock all your logins and transactions.
Use a sentence you like. Maybe something from a song or poem, something encouraging and „up-beat“. You’ll enter this password a lot. So make sure you really like the message and it’s a positive one. If I give workshops for women’s health organisations I’m especially keen on the positive-thinking-effect. Rather than „Iwillmakehimsufferforthat3TIMES!!“ I’d recommend things like „iLIKEmyselfandiamSOOOmuchbetterthanhim.“ or something like that.
It’s okay if you write down this master password on a piece of paper for the first two or three weeks until you get used to using it. You don’t need to exchange it every three months or so, if it’s a good long password.
Filling Your Password Manager
Your most important password is the one of your mail account. Exchange this one first for a good long password generated by your password manager. Save the new password in your password manager. Celebrate for a moment.
You don’t have to exchange all your passwords in one day – unless, of course, your password was leaked and some criminal is actively using your accounts! Then you really should exchange all of them as soon as possible!
For the next days and maybe weeks, every time you log into an account, exchange the password for a generated one, saving the new one in your vault. If it’s a rainy day, do 5 or 10 in a row.
Two-Factor-Authentication (2FA)
Many platforms offer two-factor-authentication. This means that you have an additional factor next to your password to authenticate. So you would enter your username, your password (factor 1) and an additional token (factor 2).
There are two major varieties of second factors. Some still use four to six numbers sent via SMS. But this costs the platforms money for each login. Also, SMS are not secure. It’s better than not having a second factor, but there’s a better option.
The other is the so-called one-time password, OTP or TOTP. The latter stands for time-based one-time password: your phone app and the platform share a secret, and both derive a short code from it and the current time, so the code changes every 30 seconds or so.
Hardware Tokens
Another form of 2FA are hardware tokens, so-called FIDO keys. FIDO is short for „Fast IDentity Online“. There’s the FIDO Alliance, which develops the security standards, and software as well as hardware manufacturers can build hardware tokens for 2FA to those standards.
These are, basically, special USB keys, but not with a storage chip inside. Instead they contain a chip that’s specialised in a modern form of encryption and features unique secure identification. So when you want to log in or release a transaction, you plug the USB key into your device, and instead of a second form field, the second factor request activates the USB key and looks on it for the identification, and you have to touch the conductive field to confirm that a human is actually using it at this moment.
The best-known ones are maybe Yubikeys. But there are other manufacturers like Nitrokey, for example. I’m currently quite happy with a GoTrust Idem Key FIDO2, which is one of those supported by the official digital signature recognised by the Austrian state. Make sure to use the newer versions which support the FIDO2 standard, so you’re future-proof for a while.
Tip: Set up two keys with your computer and the logins you wish to use with it. Use one, put the other in your bank deposit box (or somewhere else where it’s safe).
Passkeys
The FIDO-Alliance went another step further and developed a new standard for logins, called passkeys. A passkey is something like password and 2FA in one piece, but actually working securely. Generally they are a good idea. Just make sure you can store them securely in your password manager and your device doesn’t „insist“ on storing them in the manufacturer’s cloud. This had been the biggest problem for the last few months, but by now most password safes support passkeys.
There are already a lot of sites which support passkeys. Just have a look and maybe the next time you want to exchange a password, it’s already for a passkey then.
Sync Between Desktop/Laptop and Mobile
If you use a laptop/desktop computer and mobile devices, it’s possible you want to take some of your passwords with you on the go.
You can sync your vault file at home via your own WiFi or a cable with your phone. If you use an Android device, have a look if it’s possible to NOT store it on the SD-card. The SD-card is the shared storage, which every app can read. That’s maybe not the best place.
It’s probably safe to say that you won’t need all of your logins, banking data etc. on your mobile device(s). So you can also make a second vault with KeepassXC on your laptop/desktop system and copy the handful of logins you really need on the go into that second vault. Then push only this second, mobile vault onto your mobile device(s).
If you have a little home server or NAS (network-attached storage), you can also store your vault file(s) there and sync to your devices.
If you’re in the EU, it’s an option to use your own NextCloud (instead of Dropbox or another Big Tech cloud provider); whether self-hosted or managed doesn’t matter. There are providers for your own cloud solutions that are trustworthy, like Manitu, Windcloud, Hetzner, green Webspace or Uberspace.