Hi. I recently read an article talking about password security now requiring at least a 12-digit password in random order, with the usual suggestions of no dictionary words, special characters, and a mixture of upper- and lowercase letters and numbers. Apparently, AI is being used to help crack passwords. While I had been using a system that made sense to me, the suggestion to use more digits has made the use of a password manager a need more than just a convenience. I have been using BitWarden for my less critical passwords. It got me thinking about a few questions:

1. Is it safer to have passwords in a password-locked file on a computer or in an online password manager like BitWarden? If anyone were to target the individual user, the former would seem more risky, but an online password manager seems to be more of a target. LastPass made me worried about every online solution, as there are endless attempts to break into these managers.

2. All the talk about password strength made me wonder: how does an account get compromised when a password is weak? If there are multiple attempts to get into an account, wouldn't business websites be aware of the multiple login attempts and lock the account for a certain time? I have been on that end of things when I have forgotten my passwords.

3. Do people who know security well use a password manager for critical passwords like bank accounts, credit cards, SSN, taxes, etc.?

Thanks for your thoughts.
Below is a guide that may help with questions 1 and 2. This is, of course, a fluid situation, but a 12-digit password is a good start. As for the composition of your password, that issue is a constant debate. Here is an old article that I believe still holds relevance today: https://www.grc.com/haystack.htm https://static.demilked.com/wp-content/uploads/2023/03/interesting-charts-data-is-beautiful-14.jpeg
A 12-digit randomized password made out of uppercase/lowercase letters, digits and symbols should be good enough; however, I myself use 18-digit passwords. More important than the length is the hashing algorithm used to randomize the password, so use something strong like SHA-512, Whirlpool, Argon2, etc., and the encryption method used to encrypt the password database: use AES, Twofish, Serpent, etc. I don't use online/cloud-based password managers and strongly recommend against them. I personally use KeePassXC, with a locally stored database that I manually sync between my PC and cell phone periodically. KeePassXC comes with a random password generator, and almost all of my passwords are generated through it. Hackers don't attack by trying different passwords on websites directly; most websites will only allow 3 or 5 wrong guesses before the account is locked. They usually steal the password database, decrypt/break the passwords offline, and then use the decrypted password to compromise someone's account. Hopefully this answered your concerns; let me know if you have more.
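The lockout behaviour the post above refers to (a few wrong guesses, then the account is locked for a while) is simple to implement on the server side and is also what makes online guessing impractical. The following is an added example, not code from anyone in this thread or from any named product: a sliding-window failed-login counter replayed over a constructed login log. The thresholds (5 failures in 15 minutes, 15-minute lock) and the log format are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    """Count failed logins per account inside a sliding window and lock the
    account once the threshold is reached. Thresholds are assumptions for
    this example, not any particular site's policy."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def _expire(self, account, now):
        # Drop failures that fell out of the sliding window.
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account, now, password_ok):
        """Decide one login attempt: 'locked', 'ok' or 'failed'."""
        if self.is_locked(account, now):
            return "locked"  # even a correct password is rejected while locked
        self._expire(account, now)
        if password_ok:
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            # Threshold reached: lock the account from this moment on.
            self.locked_until[account] = now + self.lockout
        return "failed"


# Constructed sample log: "<ISO timestamp> <account> <FAIL|OK>" per line.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice FAIL
2024-05-01T09:00:05 alice FAIL
2024-05-01T09:00:10 alice FAIL
2024-05-01T09:00:15 alice FAIL
2024-05-01T09:00:20 alice FAIL
2024-05-01T09:00:25 alice OK
2024-05-01T09:01:00 bob FAIL
2024-05-01T09:01:05 bob OK
2024-05-01T09:20:00 alice OK
"""


def replay(log_text, guard=None):
    """Feed each log line through the guard; return [(account, decision), ...]."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, result = line.split()
        decision = guard.attempt(account, datetime.fromisoformat(ts), result == "OK")
        decisions.append((account, decision))
    return decisions


if __name__ == "__main__":
    for account, decision in replay(SAMPLE_LOG):
        print(f"{account:6} {decision}")
```

In the sample log, alice's fifth failure triggers the lock, so her correct password five seconds later is still rejected, while bob's single typo followed by a correct login is accepted. The "locked" decisions are the events worth alerting on: a burst of them across many accounts is a password-spraying signature, which is exactly why attackers prefer to work on a stolen hash database offline instead.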
Thanks to both of your answers. That chart in the first response is what got me to start updating all my passwords. I have a 20-character password for most of my critical accounts. I had used KeePass in the past, but it was more difficult to use back in those days as it didn't have a mobile option. When I look in the Apple App Store, I'm not sure which app to choose. I see KeePassium and KeePass Touch, with the former having more favorable reviews (albeit it has a paid option, so I'm not sure how that affects the reviews).
I would not put too much stock into the above study, as the study's main purpose was to determine how much computational power has increased over the years, and not how many digits of password length are good enough. They do this every year and report on the computational power. Here is a link to the study: https://www.hivesystems.io/blog/are-your-passwords-in-the-green? When you read the study you will find that all the passwords were generated through the MD5 hashing algorithm. MD5 was developed in 1991, and as early as 1996 cryptography experts recommended against using it. It was replaced by SHA-1 by the late '90s. In 2008 it was completely broken. Even the replacement, SHA-1, has been broken. No serious person has used MD5 to generate passwords since the late '90s. MD5 is used nowadays only to compute hashes for files to check file integrity. See this Wikipedia article for more detail about MD5: https://en.wikipedia.org/wiki/MD5 The above study has unfortunately been quoted out of context by media to generate panic. A good randomized 12+ digit password made out of uppercase/lowercase letters, digits and symbols, randomized using strong hashing algorithms like SHA-512, Argon2, etc., is going to be very difficult to break. I however recommend an 18-digit password.
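Two points raised in the replies above deserve numbers: how large the search space of a truly random 12- or 18-character password is (the "haystack" idea from the linked GRC page), and why the hash function a site stores passwords with matters so much when the database is stolen and attacked offline (the MD5 versus SHA-512/Argon2 point). The block below is an added example, not code from this thread or from KeePassXC; it generates a random password the way a manager's generator does, computes the search space in bits, and shows how a slow, salted KDF (PBKDF2-SHA256 from Python's standard library, used here as a stand-in for Argon2) divides an attacker's guess rate. The guess rates in the demo are illustrative assumptions, not measurements.

```python
import hashlib
import hmac
import math
import secrets
import string

# Default alphabet similar to a manager's generator: letters, digits, symbols (94 symbols).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Draw every character uniformly with a CSPRNG, so no human pattern exists."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the average case is half of this."""
    return (alphabet_size ** length) / guesses_per_second / SECONDS_PER_YEAR


def effective_guess_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """A KDF running N hash iterations per guess divides the raw hash rate by N."""
    return raw_hashes_per_second / iterations


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store a password as salt + PBKDF2-SHA256 digest (never the password itself)."""
    salt = secrets.token_bytes(16)  # fresh per password, defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Illustrative assumption: a fast unsalted hash like MD5 at 1e11 guesses/s on GPUs.
    RAW_RATE = 1e11
    KDF_ITERATIONS = 600_000
    print(f"sample 18-char password: {generate_password(18)}")
    for length in (8, 12, 18):
        bits = search_space_bits(length, len(FULL_ALPHABET))
        fast = years_to_exhaust(length, len(FULL_ALPHABET), RAW_RATE)
        slow = years_to_exhaust(
            length, len(FULL_ALPHABET), effective_guess_rate(RAW_RATE, KDF_ITERATIONS)
        )
        print(f"{length:2} chars: {bits:6.1f} bits, "
              f"fast hash {fast:.3g} years, slow KDF {slow:.3g} years")
    record = hash_password("example-only passphrase")
    print("verify correct:", verify_password("example-only passphrase", record))
    print("verify wrong:  ", verify_password("not the passphrase", record))
```

Two things the output makes concrete: each extra character over a 94-symbol alphabet adds about 6.6 bits, so 12 characters is roughly 79 bits and 18 characters roughly 118 bits; and the storage hash changes the attacker's cost by the iteration count, not the user's. A 12-character random password is already far out of reach against any realistic guess rate, which is the sense in which length matters more than which symbols you pick, and the KDF is what protects users who chose badly.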
I saw the information from CNET. I wouldn't be able to figure out if things were taken out of context, which news media often does. In case your comment came after my edit: I had used KeePass in the past, but it was more difficult to use back in those days as it didn't have a mobile option. When I look in the Apple App Store, I'm not sure which app to choose. I see KeePassium and KeePass Touch, with the former having more favorable reviews (albeit it has a paid option, so I'm not sure how that affects the reviews). Additionally, do you also use the browser extensions? Does that have the same risks as online password managers like BitWarden?
KeePassXC is actually a fork of KeePass. I looked into both and switched to KeePassXC way back in 2017, as I found it to be slightly more secure and more user friendly. With KeePassXC you do not need to download any third-party plugins for browser integration, as it is officially supplied. The browser extension is used with the local password database only, so it is very secure. KeePassXC unfortunately is only available for Windows, Mac and Linux. I use Keepass2Android for my Android cell phone. It is an excellent app. I do not have an iPhone, so I have never done any research into which KeePass database compatible app is good on iOS. Maybe someone else here can recommend a good one.
For really important stuff I always use unique, 16+ character passwords. AI can't optimize brute forcing random passwords. AI can optimize breaking passwords made by humans, which may seem at first sight like random but are not. Not only AI; many password crackers have had human-made algorithms to do so for a long time.

1. As long as you are not the target of a nation-state attack (that can do MitM), encryption is done by a proven symmetric encryption algorithm and scheme, and you use long, strong passwords, they are essentially the same.

2. Usually a user has the same password for multiple accounts across many Internet services. The password (or its hash) from one service is leaked and bad guys try to use it to log in to other services. The hash can't be used directly, but when the password is weak it is doable to brute force it locally (offline). When the password is known there isn't a need to have multiple online attempts for each account. One could probably argue that using passwords that long may not make that much sense* if you are really using unique, independent passwords for each service. My take is that if you are using unique passwords then you probably use a password manager anyway, so there is no reason to have shorter passwords.

3. I don't know. I guess at least some of them do. This doesn't change the fact that 2FA, as a complementary mechanism, is an additional protection worth using.

* Of course encryption, including password manager encryption, is different. When you break the hash of a unique password, it may be essentially worthless or of limited use. When you break into important files, like a file with passwords, then you obtain credentials. For encryption purposes use 16+ long passwords here, please. Over the years various techniques were developed and deployed to prolong the cracking of medium-sized passwords (10-14 characters). I was sceptical and used 16+ characters anyway. Time proved me right.
I would never upload a critical password online. Passwords for email or 2FA apps can be used to recover any other password. I store them in a double-encrypted doc. I do not worry much about credit cards due to limits and instant notifications. As for banks, they require 2FA to be accessed, so again email/2FA has to be protected. Those tools are funny: for starters, they assume that the password will be found as the last tried password, and they generally test a single CPU, not GPUs or botnets of IoT devices. Second, no sane cracker will try passwords in a sequence like aaaa, aaab, etc. They will use an algorithm, like each character and number is used only once. My password:
Yeah, on average a random password will be cracked in half that time. You can be a pessimist and assume that your password will be cracked after 0.1% of that time. 0.1% of an astronomical time is still an astronomical time though...
I use a password manager for all of my passwords. I use KeePass (requires Mono on Linux). I normally generate passwords with at least 20 characters. In addition to being stored locally, my password database file is in the cloud for ease of access from other devices. A key file is required in addition to the password to open this file. Obviously I do not store the key file with the database file. The best feature of KeePass is its Password Profile feature. I have several sites I need to access that have very specific password generation requirements (including length). These sites also require frequent password changes. One site requires a change every 150 days. I can save these requirements in a profile for the site. So when I have to or want to change the password for that site, I can select the profile for that site to generate a new password that fits the site's requirements. I use Keepass2Android Password Safe for my cell phone. One caveat regarding using a key file: have a backup of the key file stored in safe places (preferably more than one). Losing that key file will render your password database useless, with no chance of recovery. (Been there, done that.)
Thanks for everyone's responses. I have adopted a hybrid of online and locally stored password managers. Any account considered necessary for daily life, identity, or financials has been updated to a much longer randomized password. It's interesting to see how some accounts that I would consider very critical are not as critical to others, given that there are limitations to the damage done in the event of a breach (credit card). What other kinds of accounts do people consider critical? Email isn't as critical to me (but I still placed a stronger password on every account), given that I usually don't have personal identifying information coming through email.
Many services allow a password reset via email… Therefore, I consider email very critical (to protect).
Ah, very true. Most services allow changes to email address if needed, but some services use the email as the user name and can't easily be changed (resulting in the need to create a new account).