Online security and privacy for friends - Password

Friday, March 5, 2021

TL;DR: Use a password manager. Use a long passphrase that is easy for you to remember. Avoid sharing passwords as much as possible

Let's talk about passwords. If you have an account anywhere, most likely you will need to know your password to login. You may think it is like a key to get into your property. So it may be good.

But passwords are bad. You have to remember them and this creates most of the issues. I use a singular form "password" here because many people only use one password for almost every account. Why? Because they cannot remember many different passwords. Yes, it makes total sense to have differently passwords for different accounts, just like different keys for different locks you can open. So now, what do you think if the same key is used for all of your locks?

What do you think if that key can be stolen? And you do not even know that it was stolen. For example, I am not sure if any of you are aware of VNG database leak, but I have no idea until I check my email on Firefox Monitor and they told me my account was in that leak and showed me my password in plaintext. I have not used that account and password for a very long time. But you know what, Zalo of VNG is definitely a big thing in Vietnam. So, I used that leaked account with that plain password to log in into Zalo. And I was in. With all my friends who are actively using Zalo. I really don't know why VNG let it be that way. Leaked passwords are bad, even worse if you do not know that.

Even if there might be nothing wrong with your password, every once in a while, a website or your IT team will ask you to change your password because it is too old. Then you have to create and remember a new password, which often has to be different from the old password. Just like every once in a while, your mom will change the key and ask you to keep a new key and the old keys.

To make it worse, more and more places requires stronger passwords, like longer, more numbers, more weird characters. It is already hard for you to remember easy passwords, and now you have complex passwords to remember. Good luck with that.

And none of those issues is your fault. It is the failure of the engineering system. And the good thing is people have been trying to fix it, with mixed results. For example, if you are using a good smartphone, it can be a good example because instead of typing your passcode, you can just touch your finger to a button or just look at your phone and it will open. It works most of the time and can fall back to using passcode if it fails. One day it will work like that or better everywhere. But right now, we still live with passwords.

For passwords, my first advice for you (if you have not done it yet) is to use a password manager. A password manager is essentially a software that stores passwords for you so that you do not have to remember many passwords. You ideally only need to remember one password that opens the password manager. This password is often called the master password. So, you can generate a complex password for each website, save it in the password manager, and forget it. When you need that password to log in into the site, open the password manager with your master password, copy the complex password for the site, and log in. I am using BitWarden now but there are many other options and most popular web browsers also have this password manager feature. With a good password manager, you do not have to remember many passwords. And this would solve most of the problems. You can use different passwords for different websites, worry less if a data breach contains for your password, simply change password if your IT team asks, and use much longer and/or more complex passwords with ease. So, use a password manager.

No matter whether you use a password manager or not (although you should), use a long passphrase rather than a sU03&_C(0)iiiPL3x password. I think the requirement for such super complex passwords with weird characters is ridiculous. It is much easier to remember a long phase that is familiar for you than that super complex password. It is also often much faster to type. It is also more secure from all technical, social, and human interaction perspectives.

One more thing, avoid sharing passwords as much as possible. This includes not sharing the same password for multiple accounts and also not sharing passwords with other people. If you have to share it, change it later. In other cases, like if you need to use/share a password with a team, no problem. You will also see that in that case, using a password manager to share a password with a team is even more convenient and secure. But if it is your personal account, avoid sharing passwords as much as possible.