Password Manager & 2FA — How to properly set up your password
Passwords! The key to almost everyone’s privacy. We are all wary and paranoid about how we handle our passwords, yet most of us don’t know how to implement and safeguard them the right way. Because remembering passwords is a pain, most of us use a single password, or two, for almost every service we use. Do we have to store passwords in our brains? Do we have to remember each password? Why not store them the way we store contacts on our phone (but more securely)? Besides, the brain is the last place to keep anything secure. All an adversary needs is a wrench and an isolated environment to torture the password out of us. (Just kidding, it is not that serious.)
Before we get into how to set up a password properly, let us refresh our memory by discussing what passwords are for. A password grants admission or access, but it does not authenticate us: it does not verify that the person typing it is the authorized user. Because a password does not validate identity, it is easy to share one when we want others to access a service we are authorized to use. That ease of sharing is also a vulnerability: an adversary who obtains our password can use it without authorization.
Using a complex password that looks like Egyptian hieroglyphs is certainly better than using a plain one like “12345” or “password,” but that alone does not make it safe. The only thing complexity does is make the password harder to brute force. (Brute forcing is the act of guessing passwords until you get the right one.)
Let us say we use the same login credentials (password/email) for Netflix and Facebook. By sharing our Netflix credentials, we have indirectly given access to our Facebook. The likelihood of someone exploiting this type of vulnerability is low unless we are a target. However, it is not safe, and it is considered bad practice. It is like leaving our door open in a safe neighborhood. Chances are no one is going to walk into our house, but are we going to take that risk? After all, we all know the Internet is not a safe place.
Now that we understand we have been setting up our passwords wrong, how do we fix it? First, we must ensure that our passwords achieve their purpose: that they do not merely give us access but also help validate who we are.
2FA — Two Factor Authentication
To add more security, we have to implement two-factor authentication, sometimes called 2FA or 2fac. 2FA means using any two of the three recognized factors of authentication:
- Something we are (fingerprint, retinal scan, etc.)
- Something we have (ID, token, phone, etc.)
- Something we know (passphrase, birthday, etc.)
When we use an ATM card, we are achieving 2FA, because we have the card (something we have) and we know the PIN (something we know). When we pass through airport security, we are also using 2FA: we have to be there in person (something we are), and we have to present our passport (something we have). When our banks give us a token or send us a code in a text message, we are also using 2FA, because we have to use the token or texted code (something we have) along with our password (something we know). These features are part of what makes ATMs, traveling, and online banking safe on our side.
Almost all sites that handle personal information offer some form of 2FA: Facebook, Instagram, Twitter, Gmail, banks, etc. Some use text messages; some use authenticator apps like Google Authenticator. Websites like https://twofactorauth.org/ help us check which sites support 2FA.
For services that don’t support 2FA, setting a complicated, unduplicated password of 25 bits or more is encouraged. Using a Password Manager is often recommended because complex passwords are hard to remember, especially when they are different for each service. With a Password Manager, we don’t even have to remember our passwords anymore.
Password Manager
Password managers are our password wallets; they help us generate and store secure, complex passwords. No more guessing our passwords every time. No more guessing whether the first character of our password is upper- or lowercase. All we have to remember is one password: the password to our Password Manager.
Recommendation
Every Internet user should create strong passwords using a Password Manager and then enable 2FA. There is no single best option among the different Password Managers and Authenticators. Most of the major ones provide some free service, which is sufficient for an average user. The major Password Managers are safe because the stored passwords are encrypted, meaning no one but the user can access them. Not even the Password Manager providers.
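To illustrate why the provider cannot read the vault, here is an added example (not LastPass’s or any vendor’s code) of the split-key design many managers use: the master password is stretched with PBKDF2 into a vault key that stays on the device, and only a further one-way hash of that key is sent to the provider for login. The iteration count and salt size are assumed parameters for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for this illustration, not any vendor's settings: a high PBKDF2
# iteration count makes offline guessing of a stolen login hash slow.
ITERATIONS = 200_000
KEY_LEN = 32

def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client side only: the key that encrypts the vault. It is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)

def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way PBKDF2 round over the vault key gives the value sent at login.
    Holding this hash does not let the provider recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)

def enroll(master_password: str, iterations: int = ITERATIONS) -> Tuple[Dict[str, bytes], bytes]:
    """Runs on the client at sign-up. Returns (server_record, vault_key): the provider stores
    only server_record (salt + login hash); vault_key stays on the device."""
    salt = os.urandom(16)                                   # per-user, random, not secret
    vault_key = derive_vault_key(master_password, salt, iterations)
    record = {"salt": salt, "login_hash": derive_login_hash(vault_key, master_password)}
    return record, vault_key

def server_check(record: Dict[str, bytes], submitted_login_hash: bytes) -> bool:
    """Runs on the provider: constant-time comparison against the stored login hash."""
    return hmac.compare_digest(record["login_hash"], submitted_login_hash)

def login(record: Dict[str, bytes], master_password: str, iterations: int = ITERATIONS) -> Optional[bytes]:
    """Client re-derives the vault key and login hash from the typed master password, sends only
    the login hash, and on success keeps the vault key to decrypt the vault locally."""
    vault_key = derive_vault_key(master_password, record["salt"], iterations)
    if not server_check(record, derive_login_hash(vault_key, master_password)):
        return None
    return vault_key
```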
What I use
I use LastPass as my Password Manager and Google Authenticator for 2FA. I use a different password for each service I use. For each service, I generated a password more than 35 bits long that looks like cuneiform. I don’t even want to know my passwords. The headache is too much. I only know one password: my master password (the password to LastPass). And my master password is not some date or name; it is a movie quote. With over 100K movies in the world, good luck guessing that.
If someone were ever to get my LastPass master password, I have LastPass’ 2FA enabled, so they would have to steal my phone, and if they were to take my phone, how would they get into it without my thumb or six-digit code? Unless my code is something uniform like 111111 or 000000, it should ideally take more than ten tries to brute force it. Well, I have set my phone to lock itself after ten attempts. Before the timer resets, hopefully I will realize my phone is missing so I can deauthorize LastPass on my phone remotely or, better, wipe the phone.
All this might seem a bit hectic to implement, but it is really not that hard. The best thing to do is to look up how to enable 2FA for everything you use (Facebook, Twitter, etc.), then google how to use LastPass and how to use Google Authenticator. I find YouTube videos to be the best guide. Everything should take about 30 minutes to set up, but it pays off eventually. Not only does it provide more security, but it also saves time. The LastPass browser extension provides an auto-fill option, so you don’t even have to copy and paste. As for the mobile apps (iOS & Android), it is quicker to copy and paste from LastPass into another app than to type the passwords.