Crucial Importance of Passwords and Credentials

Good signup and login credentials are of the utmost importance for privacy and security.

According to NordPass, the most common passwords in 2022 were:

  • password
  • 123456
  • 123456789
  • guest
  • qwerty

Many people use the names of family members or a pet.  Perhaps they spice it up a bit with some l33t replacement of letters with numbers.  Maybe they are even ‘clever’ enough to use ROT13 encryption.  All such passwords, and many more, can be cracked by a reasonably competent hacker in minutes.

One of the reasons people take such approaches is that they do not use a password manager effectively; a good one makes using very strong passwords easy.

Another common bad practice is using the same email and password on multiple online sites and services.  There are two serious problems.  If the reused credentials are leaked, stolen or cracked anywhere, then a hacker's first bet for breaking into other accounts of yours is to try the same credentials.  This is especially bad if the same credentials are used for really important sites such as financial ones.

The second serious problem grows out of using the same email in too many places.  When this is done it serves as a single unique identifier for the person.  Everything the person does online with the same email in their credentials is easily tied together.  Having multiple emails, aliases and temporary emails is part of how we break out of the data gathering matrix we find ourselves in.  Many of these alternate emails can also be obtained and used in ways that do not connect the email to your true name, further diluting the amount of information gathered on you.  Subsequent posts will go into the details of how these things can be done without too much effort.

Some sign up forms may also ask for a phone number and even your physical address.  Most people will just give out their primary cellular number here.  This should not be done except for some government and financial sites that will not accept anything else.  Your phone number is another unique identifier, and in the case of a cellular number it is directly tied (unless you take measures) to your true name.  So it is important not to give it out too easily.

There are a few cases to consider for the phone number:

  • Site uses the phone # for one-time verification.  In this case a VOIP phone # works as well, or even a temporary phone number that accepts only one SMS for the verification.
  • Site will use the phone # for 2FA (two factor authentication) on a repeated basis.  Here you need a phone # that will remain your own, but a VOIP # is much more private and secure than giving out your cellular number.
  • Site doesn’t use the phone for anything but is just using a form that asks for it and may store it, perhaps not securely.  In this case, if the form won’t work without it, make something up, such as all 9s.

Some registration sites also ask for a home address. One should be very careful about giving a home address out to random sites.  If the site is not shipping anything to you then there is no reason to give them your real home address.  Make one up, or use a mailing service address that will inform you when it receives packages and forward them to your address if you wish.  If using a false address, make sure the postal code matches the address, as some sites do have automatic checks for that.

The goal

Every site that has a password should have a unique, very strong password. This is easy to do with a good password manager and cumbersome without one.

Characteristics of good Password Management

  • ability to generate strong passwords with various constraints, such as use of letters, numbers and special characters and minimum requirements on each. It is also convenient if passphrases can be generated.
  • ability to store title, username (or email), password and notes relevant to the site.
  • end to end encryption, with zero knowledge on the vendor's side of how to decrypt the data.
  • independently audited and vetted, preferably open source software
  • a bonus is being able to run it on your own computer or server.
  • support for mobile use
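As an added illustration of the first characteristic (this is example code written for this post, not code from any password manager), a small generator that produces random passwords satisfying per-class minimum counts and passphrases from a word list. The character classes and the short word list are constructed assumptions.

```python
import secrets
import string

# Character classes a site might require a minimum number of (assumption:
# typical site rules, not any particular password manager's option set).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}

def generate_password(length=20, minimums=None):
    """Random password of `length` chars drawn from all classes, with at
    least minimums[name] chars from each named class, e.g. {"digit": 2}."""
    minimums = dict(minimums or {})
    if sum(minimums.values()) > length:
        raise ValueError("class minimums exceed requested length")
    chars = []
    # Satisfy every minimum first, drawing only from that class.
    for name, count in minimums.items():
        chars.extend(secrets.choice(CLASSES[name]) for _ in range(count))
    # Fill the remainder from the union of all classes.
    alphabet = "".join(CLASSES.values())
    chars.extend(secrets.choice(alphabet) for _ in range(length - len(chars)))
    # Shuffle with the OS CSPRNG so required chars are not clustered up front.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def meets_minimums(password, minimums):
    """True if `password` has at least the required count of each class."""
    return all(sum(ch in CLASSES[name] for ch in password) >= count
               for name, count in minimums.items())

# Constructed short word list; a real manager ships thousands of words
# (e.g. a diceware list) so that five words give ample entropy.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet",
                "cactus", "lantern", "meadow", "pixel", "quartz", "ripple"]

def generate_passphrase(words=5, wordlist=SAMPLE_WORDS, sep="-"):
    """Random passphrase of `words` dictionary words joined by `sep`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))
```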

Inferior password storage alternatives

Paper notebook of passwords

This is only as secure and dependable as the notebook itself. With physical paper it is doubtful one has a backup. Also this gives no way to generate the strong passwords that should be used everywhere.

Paper satisfies almost none of the ideal requirements.

Use of spreadsheet

This is one level superior to paper in that it is easier to secure the spreadsheet file and back it up. Of course, it would not be good practice to trust Google with a spreadsheet of all your credentials!

This method meets almost none of the other criteria, apart from storing the recommended minimum fields. One could encrypt the spreadsheet file, however.

Use of browser password storage

While some browsers seem to do a fair job on encryption, there are several problems.

  • this is a sideline for a browser; they are not specialists in securing such data
  • the passwords are only usable in that browser unless there is synchronization, and then the synchronization mechanism is a possible security weakness
  • the passwords are wide open to anyone with access to your computer while the browser is open
  • browser password managers rarely provide password generation or store additional information on the sites one has credentials for
  • browsers from heavy data gathering Big Tech companies may be extra problematic.

Recommended Password Managers

Bitwarden

Bitwarden has never been hacked, unlike its competitor LastPass. Bitwarden is open source and heavily vetted by independent audit and scrutiny of its code.

Being open source, Bitwarden can be run on your own server, eliminating any remaining worry about depending on their apparently very secure hosted storage.
Bitwarden works well on desktop and mobile.

It includes password generation, notes, and directly handles TOTP 2FA eliminating the need for a separate application for this purpose.

KeePassXC

KeePass is designed around a highly secure encrypted file as its database. It has no centralized web app to be concerned about. Its encryption has been widely vetted and it is of course open source. It also supports password generation, notes, even better TOTP support than Bitwarden, and other features.

There are browser extensions to enable automatic filling of passwords in the browser.

Its weak point is that it takes a bit more technical sophistication, though not terribly much. And while mobile apps exist, you must decide how to synchronize the password file yourself. Since the file is well encrypted it is possible to do this with file sharing applications. Or one can simply schedule updating the file on mobile periodically.

Getting to the goal

Clean up old passwords

Remove no longer used sites and services

Most of us have lots of sites that we signed up for at one time, or that were part of a past business connection, that are no longer of use. Remove these first.

Find weak passwords and replace them with strong passwords

Many password managers (PMs) will show you which of your passwords are weakest.
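As an added example (written for this post, not code from any password manager), the kind of check such a report performs on an exported vault: it flags short passwords, passwords that are common or only a l33t/ROT13 disguise of a common word (the cases described near the top of the post), passwords containing the username, and passwords reused across sites. The common-password list and the sample vault are constructed for the example.

```python
import codecs
from collections import Counter

# Constructed stand-in for a breached/common password list (it includes the
# NordPass entries quoted above); a real audit would load a full list.
COMMON = {"password", "123456", "123456789", "guest", "qwerty",
          "letmein", "welcome", "dragon", "monkey", "fluffy"}

# Undo the usual l33t substitutions so "p@ssw0rd" compares as "password".
L33T = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(pw):
    """Base forms a cracking rule set would try: lowercased, trailing
    digits stripped, l33t undone, ROT13 reversed."""
    low = pw.lower()
    bases = {low, low.rstrip("0123456789")}
    forms = set(bases)
    for b in bases:
        forms.add(b.translate(L33T))
        forms.add(codecs.decode(b, "rot13"))
    return forms

def audit_vault(entries, min_len=12):
    """entries: (site, username, password) tuples, e.g. from a PM export.
    Returns {site: [findings]} for entries that need attention."""
    uses = Counter(pw for _, _, pw in entries)
    findings = {}
    for site, user, pw in entries:
        forms = normalize(pw)
        issues = []
        if len(pw) < min_len:
            issues.append("shorter than %d characters" % min_len)
        if forms & COMMON:
            issues.append("common password or a trivial disguise of one")
        if user and any(user.lower() in f for f in forms):
            issues.append("contains the username")
        if uses[pw] > 1:
            issues.append("reused on %d sites" % uses[pw])
        if issues:
            findings[site] = issues
    return findings

# Constructed sample vault (not real credentials).
SAMPLE_VAULT = [
    ("bank.example", "alice", "P@ssw0rd1"),      # l33t "password" + digit
    ("shop.example", "alice", "cnffjbeq"),       # ROT13 of "password"
    ("forum.example", "bob", "P@ssw0rd1"),       # same as bank.example
    ("mail.example", "carol", "xq7#Lm2!vRz9pT4w"),
]
```

Running `audit_vault(SAMPLE_VAULT)` reports the first three entries and leaves the long random one alone, which is exactly the triage a PM's weak-password view gives you.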

Fixing them will require visiting each site and following its procedure for changing the password.

NOTE: Take your time. You don’t have to do all of them in one sitting. Perhaps do a few more in odd moments when you have some slack time.

Helpful hints
  • When on the site's password change page, open the site's entry in the password manager (PM). Many PMs will recognize the site and open the entry automatically.
  • Go into edit mode in the PM.
  • Copy the old password temporarily to the notes field in case the new password doesn’t take on the site.
  • Click the button on the password field in the PM to generate a strong password.
  • Save in the PM to be sure a slip of the finger doesn’t lose the new password.
  • Copy the password in the PM, paste it into the site's password change form and submit that form.
  • Log out of the site and log back in to test the new password.

For new sites

  • create a new entry in the PM
  • record username / email and a title for easy lookup, and have the PM generate a password
  • record the site's main URL in the URL field if it is not automatically picked up
  • save the new entry to avoid mishap
  • copy the email/username and password from the PM and paste them into the site registration form
  • submit the form
  • log out and log in with the PM credentials

Avoid Big Tech OAuth Credential Use

This is that oh so convenient “sign up with Google/Facebook/Apple/etc.” button.

Note that this is a variant of the same-credentials-on-multiple-sites problem. While OAuth is harder to crack, if you are unfortunate enough to lose control of your Big Tech provided account then all of your sites using that OAuth login are compromised, and every part of your digital identity associated with that account is stolen. Why risk it?

Lastly, these Big Tech companies get a lot more information about you and your online activities across multiple sites through this practice. The sites themselves also get access to parts of your information managed by the Big Tech provider.
