If you are a developer that is passionate about security or even a security expert, chances are that you know a thing or two about passwords – if you find yourself with a couple of online accounts as well, you probably know how important it is to secure them.
However, what does password security mean to you? Character count? The variety of characters you use in the passwords themselves? Their entropy? What is it exactly? What is the thing that makes your passwords “stronger” than the passwords of the people around you? Have you ever thought about that?
As far as password security is concerned, various security experts would probably tell you different things – however, one thing they would all agree with is that there are no safer password than a generated one.
Neglect to generate one or some of your passwords and you will:
- Raise the possibility that you will forget them.
- Think of passwords that are easily rememberable which is not a good practice due to the fact that what’s easily rememberable can easily be broken into as well. We mean, think about how many seconds it would take for an attacker to think of a password in the space of “space177” (which is similar to something that most people think of, let’s be honest.) How many? Five? Ten? Neither of those guarantee a good outcome.
- Be apart of the 45 percent of Americans who think of passwords that are easy for attackers to crack (source: security.org)
- Will probably reuse your password and raise your ability to be a target of identity theft attacks.
- Worsen your overall security posture.
- Do we need to go on?
You see, thinking of passwords like most people do isn’t exactly ideal for a couple of reasons – one, your password will probably be very, very easy for attackers to guess (or “crack” as attackers call it – “cracking” essentially refers to the action of a computer guessing every possible password combination (attackers have specific text files with lists of millions of possible passwords that you may use), second, you might forget it quite often (how often have you used the “Forgot Password?” link underneath a login form? Be honest.) Third, you find yourself at an increased risk of the aforementioned identity theft attacks – reuse a password here, reuse a password there, and while it might get pretty convenient to live this way, it’s very dangerous. One password compromised and your identity is cactus. Not so great, is it?
So, what do you do to better your password strength? The answer is plain and simple – you generate them.
Passwords that most people think of generally look something along these lines: “spaceship1712”, etc.
However, most passwords generated by password managers would generally look like so:
Do you notice the difference? It should be pretty apparent. Generated passwords are usually better than passwords thought of by people on the spot because they contain much higher amounts of entropy (in other words, a measurement of how strong your password is – the higher amount of entropy, the stronger and vice versa), so they cannot be guessed or attacked (“cracked”) by nefarious parties. Here’s where password managers come in – they are a part of the solution letting you generate (and store) all of your securely generated passwords as well. The majority of password managers are also able to store “secure notes” (essentially anything in text you might want to keep safe from prying eyes), and credit card data for easy and intuitive access of yours as well.
Now we might hear you screaming – “why should I entrust all of my passwords to a password manager? What if someone breaches it? After all, you guys over at BreachDirectory deal with data breaches every day, right?”
And hey, partly you’re right – we do. However, trust us – you can trust password managers. Here’s why:
- Password managers are looked after by the world’s best security experts.
- Password managers work in your browser (yes, you now know that as well), but only if that browser has been signed by a verified security expert or a developer.
- Everything in your password manager is always encrypted – that means that nobody can access the secrets you store in your password manager.
- Most password managers use one password – a “master password” – to protect your data. Each master password is only residing locally and is secured with the widely known “PBKDF2” (Password-Based Key Derivation Function 2) which essentially is a function that makes it extremely hard for sophisticated computers and attackers having access to sophisticated resources to crack your password. It’s extremely costly on the money side too – for example, a password having 10 characters (that’s below the medium length for one master password) would cost around 800,000$ to crack for an attacker. Chances are that attackers don’t have that kind of money and even if they do, they are not going to spend it to gain access to the data of one person. It’s simply not worth it!
- Password managers regularly remove things you have copied from them and clears your clipboard if you elect to copy-paste your passwords somewhere, so you can make sure you are safe on that front as well.
- Password manager security is regularly audited by the world’s leading security companies and if any security issues are found – big or small – the password manager team will immediately let you know that they are plugged and you can make sure those security issues do not affect your data either – your data is encrypted locally, remember?
- If an attacker would want to access all of the passwords stored inside of your password manager, he or she would have to have the file containing all of your encrypted data on your computer located and acquired, then he or she would have to guess your master password (a master password is the password that protects all of your data.) Remember the weird combination of words and the number – we mean PBKDF2? Make your password contain an uppercase letter, a lowercase letter, and a digit, and the cost to crack it for an attacker skyrockets to around 200,000,000$ (source of both calculations: a popular password manager 1Password.)
With that being said, allow this blog to state one more thing – while having all of your passwords (or accounts) available to an attacker is terrible, the risk of that happening is almost none compared to the risks of getting it taken over by the means of a data breach. How many data breaches do you hear about in the news day in and day out? Let us guess – hundreds. How many data breaches do you hear about that involve password managers? Zero. Part of the reason is one or more of the reasons above, another part of the reason is the security of password managers themselves – refer to the 1Password’s security documentation. Still think that the passwords you think of are more secure than the ones generated by password managers? You probably do not. And if you do not, congratulations: make sure to try a popular password manager – NordPass – to try things out yourself. You will enjoy it!
With that being said, password security doesn’t begin and end with password managers themselves – data breach search engines like BreachDirectory can also help you not become a victim of identity theft. Hey, BreachDirectory also has an API at its disposal – that means you can even integrate the system into your own website as well! Can it get better? Make sure to try BreachDirectory out today and secure yourself with a password manager as well, and once you do, stick around the BreachDirectory blog – we have a lot more content prepared for you to see.