Intro

Welcome to my first post. Originally it was going to be much longer, but that would defeat the purpose, so I’ve tried to keep it as concise as possible. I’ll also make it a series, #passwordsec, to cover all the info in depth. There is some particularly colourful language written here, so I would politely encourage you not to proceed if you don’t like seeing the word FUCK written with exuberance.

The Problem with Passwords

It’s 2022, and if you aren’t using a password manager, it is my sincere opinion that you like getting fucked, hard, and not in the good, sweaty way but in the you-lost-all-your-fucking-money kind of way.

Security breaches happen every day, some detected, some not. You must assume any password can be compromised, and you, being a twat who uses the same password for everything, make it easy for (READER INSERT NAME OF: current hated cyber group/country or lazy/stupid/racist stereotype HERE) to have their grubby paws all over your unmentionables.

To mitigate this risk, you need to: Never reuse a password.

Doing that prevents any leaked credentials from being used to access/molest your other accounts, and generally stops people fucking yo shit up.

How do you accomplish that? Use a password manager.

We’ve been using weak passwords for as long as we can remember, then there’s mishandling passwords (writing them on post-its) and reusing the one(s) we like. Not exactly shocking news, we’re dumbasses. So, how did we get here, and what can we do about it? What self-respecting blog/rant on cyber security would this be if I did not reference xkcd, whose comic ‘Password Strength’ put it clear as crystal: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

[Image: xkcd ‘Password Strength’ comic]

Why you should use a Password Manager

Using a password manager is like putting your passwords in a safe that only you have the key to. You don’t have to memorize all your passwords anymore. You only need to remember the master password that unlocks your password vault. And if you opt for a cloud-based password manager, you can access your password vault anywhere, from any device.

  • They can auto-generate highly secure passwords for you. Password managers will typically ask you if you’d like to use an auto-generated password whenever you create a new account with a website or application. (something else that thinks for you, saving all that precious brain power for the IG thirst traps)

  • They can alert you to a phishing site. Here’s a quick gloss on phishing scams. Spam emails are spoofed or faked to look like they’re coming from a legitimate sender, like a friend, family member, co-worker, or organization you do business with. Links contained within the email direct to similarly spoofed malicious websites designed to harvest login credentials. If you’re using a browser-based password manager, it will not auto-complete the username and password fields since it doesn’t recognize the website as the one tied to the password.

  • Password managers save time. Beyond just storing passwords for you, many password managers also auto-fill credentials for faster access to online accounts. In addition, some can store and auto-fill name, address, email, phone number, and credit card info. This can be a huge timesaver when subbing to OnlyFans, as an example.

  • Many password managers sync across different platforms. If you’re a Windows user at work and a Mac user at home, jump on your Android for the side piece and turn to iOS for your schemes, you’ll be able to quickly access your passwords. Same for all the most popular web browsers; i.e., Chrome and its inbred offspring, Firefox, Edge (because it’s pure), Opera and yeah…. Safari (audibly sighs).

  • They help protect your identity. In a roundabout way, password managers help protect against identity theft, and here’s why. By using a unique password for every site, you’re essentially segmenting your data across each website and application you use. If a criminal hacks one of your accounts, they won’t necessarily be able to get into any of the others. It’s not foolproof, but it’s an additional layer of security that you’ll certainly appreciate in the aftermath of a data breach and subsequent cyber coitus.

Okay, so do I have you not wanting to be a cyber-idiot? Not yet? Cool, read on a bit to where I tell you that you only need to remember ONE, Yes ONE fucking password for the rest of your life!

Basic Usage and TL;DR

When you set up a password manager, you create a ‘master password’ that you use when you log in. Once you have all your online account details stored in the password manager, the master password is the only one you have to remember. The password manager will do the rest for you. You don’t have to try to remember a load of different passwords, or risk using the same one over and over. Just make sure of the following:

Your master password must be completely unique. It can’t be related to anything else. There can be no chance of it leaking because it can only live in your head. It can’t be easy for someone to figure out. It can’t be birthdays, it can’t be pet names, it can’t be family names.

One thing to note: passwords made up of words and phrases can actually be stronger than some passwords with common numbers or symbols. Have you heard of “correct horse battery staple”?

Always generate passwords with as much randomness as possible.

Every website MUST get its own unique password. The more complicated it looks, the better. You’re not going to remember it, your password manager is!

You’ll often find certain websites, like government, medical, and finance websites, that can’t support a wide range of characters for the password or can’t support a long password. That’s shitty (compliance and regulation lags behind actual best practices/common effing sense), but a password manager will help you make the best of a shitty situation.
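As an added illustration (my own example, not from the original post), the snippet below generates a master passphrase in the “Serrated-Starry-Stuffing-Resend-Flaxseed9” shape, a per-site random password that can be squeezed into a site’s character rules, and reports the entropy of each, which is the number the xkcd comic is really about. The word list is a tiny constructed stand-in; a real generator would load a large published list such as the EFF one.

```python
import math
import re
import secrets
import string

# Constructed demo word list (hypothetical). A real generator should load a large
# published list such as the 7776-word EFF list: entropy per word is log2(list size).
DEMO_WORDS = ["serrated", "starry", "stuffing", "resend", "flaxseed", "correct",
              "horse", "battery", "staple", "otter", "velvet", "gravel"]

def entropy_bits(num_symbols: int, alphabet_size: int) -> float:
    """Entropy of num_symbols picked uniformly and independently from alphabet_size choices."""
    return num_symbols * math.log2(alphabet_size)

def generate_passphrase(words=DEMO_WORDS, count=5, sep="-", digits=1):
    """Master-password style passphrase: Capitalised words joined by sep plus trailing digits.
    Returns (passphrase, entropy_bits). Uses secrets, not random, so picks are unpredictable."""
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    bits = entropy_bits(count, len(words)) + entropy_bits(digits, len(string.digits))
    return sep.join(chosen) + suffix, bits

def generate_site_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Per-site random password. Narrow alphabet/length to fit a site's rules; the
    returned entropy figure shows exactly how much that restriction costs you."""
    pwd = "".join(secrets.choice(alphabet) for _ in range(length))
    return pwd, entropy_bits(length, len(alphabet))

def passphrase_matches_format(phrase: str, count: int = 5, digits: int = 1) -> bool:
    """Sanity check that a generated phrase has the Word-Word-...-WordN shape."""
    pattern = rf"^([A-Z][a-z]+-){{{count - 1}}}[A-Z][a-z]+\d{{{digits}}}$"
    return re.fullmatch(pattern, phrase) is not None

if __name__ == "__main__":
    phrase, bits = generate_passphrase()
    print(f"master passphrase: {phrase}  (~{bits:.1f} bits with the tiny demo list)")
    # xkcd's four common words from a 2048-word list: 4 * 11 = 44 bits
    print(f"4 words from a 2048-word list: {entropy_bits(4, 2048):.0f} bits")
    # a site that only allows 8 digits caps you at PIN strength no matter what you do
    pwd, bits = generate_site_password(length=8, alphabet=string.digits)
    print(f"digits-only site password: {pwd}  (~{bits:.1f} bits)")
```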

Password Managers I Recommend

The password managers on the list below are ones I’ve actually used. Some things that needed to be considered when making a recommendation are:

  • It should be easy to use! Once again, this is not aimed at cyber sec pros but at persons who just need a bit of guidance, in the hope of maybe getting one person to stop doing stupid shit online.
  • It should be free (whenever possible).
  • It should be open source (whenever possible), because when you trust someone with info as sensitive as passwords you should be able to see what’s running in their source code.
  • Available for every operating system. If not every one, then at least for Android, iOS, Windows, Mac and Linux, or accessible online in most of the popular browsers across those platforms.
  • Should be privacy-respecting. That means it shouldn’t track you, sell your data to third parties for profit or get involved in any other fucked-up activities, and it MUST be updated by its developers regularly, which means they can address not just security issues but privacy and compliance as well.
  • Most importantly you should be able to sync your data across devices.

Bitwarden — Best choice

Bitwarden is a good choice for both geeks and amateurs. It is easy to use and has a nice interface. You can easily sync your passwords across all your devices for FREE. It can also create secure passwords for you. It has a self-hosted option and a really cool lightweight Rust version; I self-host it because I like to sprinkle some paranoia/over-engineering in for good measure. I’ve used Bitwarden for several years now and strongly recommend it, to the point that it’s foisted on anyone wanting to “borrow” a Netflix password.

Dashlane — If you have some extra cash lying around

Most password managers on my list are free and open source, but Dashlane is a closed-source proprietary password manager. Gasp… but it’s the password manager I used for a long while before moving to Bitwarden. For free you get the decent features you expect from a password manager, but to unleash its real power you have to purchase a premium plan. Dashlane also has a VPN for extra security… because Vodafone, Flow and Digicel…. can suck an egg!

KeePass – Keeping it ole skool

For most average users KeePass has all the features they will ever use. If you are switching from any other password manager, like LastPass, you will have no problem using it as it is easy to use. One thing I would like to point out is that, unlike Bitwarden, which is available for almost every platform, KeePass is officially available only for Windows. But there are a ton of unofficial KeePass variants available for literally every OS, from Android and iOS to even Palm OS and Sailfish OS.

Basic Hygiene

  • Don’t reuse passwords. Even with a password manager. Instead, create unique passwords for every site and let your password manager do what it’s designed to do.

  • Create complex passwords. Many password managers helpfully auto-suggest strong passwords whenever you create an account for a new site.

  • Use a passphrase. When it comes to creating your master password (the one that unlocks your other passwords), try using a passphrase; i.e., a series of words that are easy to remember, but hard to guess. Something familiar with a strange twist, for example: “Serrated-Starry-Stuffing-Resend-Flaxseed9”

  • Enable two-factor (2FA) or multi-factor authentication (MFA). One of the best ways to secure any account, password manager or not, is to enable MFA. You’ll be required to verify your identity using two or more authentication factors, which include something you know, something you possess, and something you are.

  • Shit happens! So you need to be notified when your passwords have leaked online. First, go to https://haveibeenpwned.com/ to check your different email addresses, and then sign up for their email alerts. Check for any compromised passwords and change them. I repeat, change them! And one more time for the people in the back: CHANGE THE FUCKING COMPROMISED PASSWORDS! Good password manager apps will have this functionality built in.

  • Don’t answer security questions truthfully. Security questions are bad. Do you know how easy it is for someone to figure out your birthday, your mom’s maiden name, and/or your pet’s name? Considering most of you got to this page from Instagram, you post those fucking things constantly.

  • Get an app everywhere you need it. It seems important to say this. If you’re setting up a password manager properly, you’re no longer going to know any passwords except your master password.
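The “check for compromised passwords” step above is what a password manager’s built-in breach check does under the hood. As an added example (my code, not the original post’s and not Have I Been Pwned’s), this is the k-anonymity lookup against the documented Pwned Passwords range API: only the first 5 hex characters of the password’s SHA-1 leave your machine, and the match is done locally. The sample range response and its counts are constructed so the demo runs offline.

```python
import hashlib
import urllib.request
from typing import Optional

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Parse the range endpoint's 'SUFFIX:COUNT' lines into {suffix: count},
    skipping blank or malformed lines instead of crashing on them."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (needs network access)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "passwordsec-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, range_body: Optional[str] = None) -> int:
    """How many times the password appears in HIBP; 0 means not found.
    range_body lets you supply a response offline (used by the demo below)."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)

# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The counts and the other suffixes are made up for the demo.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E4DD4D5C5C7C8D21F1D1EBD17A7B5D32DF:2
not-a-valid-line
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    n = breach_count("password", SAMPLE_RANGE_5BAA6)  # offline: uses the sample
    print(f"sent to HIBP: prefix {prefix} only; 'password' seen {n} times -> CHANGE IT")
```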

Quick Mention: Single sign-on (SSO).

Unlike a password manager that stores unique passwords for every application you use, SSO allows you to use one password for every application. Think of SSO as your digital passport. When entering a foreign country, a passport tells the officials at customs and immigration that your country of citizenship vouches for you and that you should be allowed to enter with minimal hassle. Likewise, when using SSO to log into an application, you aren’t required to verify your identity to that application itself. Instead, the SSO provider vouches for your identity.

Social Login

An example of this is Sign in with Google or Login with Facebook, but frankly speaking, do you trust Marky Z with even more insight into your private life? (The nudes you post on WhatsApp don’t count…. That’s between you, your partner and the reviewers at…. Meta…. barfs.)

In Closing

I am aware that there is not a great deal of detail, and that is by design: the target audience are not persons in my usual sphere but persons who could do with some basic advice, and the more persons who practise basic hygiene, the more time we have to focus on the baddies.

So thanks for reading, and I would say feel free to leave a comment, but I don’t give an iota of a fuck about your opinion, and also I haven’t implemented a commenting system yet… but it’s mostly the first one.