OSU Emeriti Association

Safe & Easy Password Management

January 2020

Why strong passwords

  • It isn’t an individual, or even a room full of individuals, who is trying to crack your password.
  • Rather, banks of computers are used to perform the task … and computers do not sleep, eat, take smoke breaks, demand workers’ rights, etc.
  • The top graphics cards (GPUs) used in PCs to meet the demands of today’s video games cost about $800 and can process data at a rate of more than 14 teraflops (trillion floating-point operations per second); the same cards are what password-cracking rigs are built from.
  • To put that in perspective, in the year 2000 the world’s fastest supercomputer, a cluster of linked machines costing $110 million, operated at slightly more than 7 teraflops.

Password length

  • Eight characters used to be good enough, but in recent years the minimum suggested password length has grown to at least 14-16 characters.
  • As the webcomic XKCD puts it, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” (https://xkcd.com/936)

Best Practices

  • It is better to choose a longer password that is easy to remember than a shorter password that is too complex to remember.
    • But the password must still be complex enough that it is hard to guess.
  • Instead of a password, we can create a passphrase by stringing together several random words, perhaps followed by a number or with special characters separating the words.
    • The LastPass website suggests that you “tell a story unique to you like Fidoate!my2woolsox.”

Passphrase generators

  • There are a number of websites that will generate passphrases for you.
  • For example, consider these passphrases generated by the Use a Passphrase website (https://www.useapassphrase.com), along with the website’s estimates of time to crack them:
    • tan crew prison mail (13K centuries)
    • incoming high binding review (33K centuries)
    • diet extreme flights of (280 centuries)

Password generators 

  • If you prefer passwords, there also are websites that provide you with strong, random passwords. For example:
    • http://strongpasswordgenerator.com
    • http://random.org/passwords
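Both kinds of generator rest on the same arithmetic: a random choice of `length` items from `choices` possibilities carries `length × log2(choices)` bits of entropy, and an attacker who knows the scheme needs on average half the keyspace divided by their guess rate. The example below is added here to show that arithmetic in working code; it is not taken from any of the websites above. It draws with Python’s `secrets` module (never the `random` module, which is predictable). The word list is a small constructed sample, whereas a real generator uses a list of several thousand words (the EFF long list has 7776), and the two guess rates in the demo are illustrative assumptions.

```python
import math
import secrets
import string

# Constructed sample list for the demo. A real generator draws from a list
# of several thousand words; the entropy formula uses whatever list size
# is passed in, so the figures printed below use 7776, not len(SAMPLE_WORDS).
SAMPLE_WORDS = [
    "tan", "crew", "prison", "mail", "incoming", "high", "binding", "review",
    "diet", "extreme", "flights", "anchor", "basket", "copper", "dusty", "ember",
    "fossil", "garden", "hollow", "ivory", "jigsaw", "kettle", "lantern", "marble",
    "nectar", "orbit", "pillow", "quartz", "ripple", "saddle", "timber", "velvet",
]

# 52 letters + 10 digits + 32 punctuation symbols = 94 printable choices
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(n_words, words=SAMPLE_WORDS, sep=" "):
    """Pick n_words uniformly at random (secrets, not random) and join them."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length, alphabet=PASSWORD_ALPHABET):
    """Random password of `length` characters drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, length):
    """Bits of entropy for `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an attacker who knows the scheme: half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


def describe(label, choices, length, guesses_per_second):
    """One-line summary: entropy and expected cracking time in years."""
    bits = entropy_bits(choices, length)
    years = expected_crack_seconds(bits, guesses_per_second) / (365.25 * 24 * 3600)
    return f"{label}: {bits:.1f} bits, ~{years:,.1f} years at {guesses_per_second:.0e} guesses/s"


if __name__ == "__main__":
    print(generate_passphrase(4))
    print(generate_password(16))
    # Assumed rates: a GPU rig against a fast, unsalted hash (1e10/s) versus
    # guessing through an online login form with lockouts (1e3/s).
    for rate in (1e10, 1e3):
        print(describe("4 words from a 7776-word list", 7776, 4, rate))
        print(describe("8 random printable characters", 94, 8, rate))
        print(describe("16 random printable characters", 94, 16, rate))
```

Two things the numbers make plain: four words from a 7776-word list (about 51.7 bits) are worth roughly the same as eight random printable characters (about 52.4 bits), but are far easier to remember; and the “centuries” figures quoted by passphrase websites depend entirely on the assumed guess rate. At ten billion guesses per second, which a GPU reaches against a fast hash, 51.7 bits falls in about two days, so against a leaked hash database a sixth word or a 16-character random password (about 105 bits) is what actually buys you time.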

Top 10 most common passwords of 2019 (https://wikipedia.org)

10. 123123
9. 111111
8. iloveyou
7. 12345
6. 12345678
5. 1234567
4. password
3. qwerty
2. 123456789
1. 123456

Should password be changed? 

  • Many experts believe that passwords should be changed on some periodic basis.
    • In this way, if an attacker has cracked a password, the change locks them out again.
  • Other experts believe that forcing users to change passwords on a regular basis does not help.
    • Many users simply rotate among a small pool of passwords, such as pass1, pass2, pass3 and pass4, which an attacker who knows one of them can guess immediately.

Same password, multiple accounts? 

  • Is it alright to use the same password for multiple sites or accounts?
    • After all, that makes the password easier to remember.

Best practices 

  • It is better for each site and account to have its own unique password.
    • Otherwise, when a hacker obtains one of your passwords (for example from a breach at one site), he or she can get into all of the sites/accounts that share it.

Keeping track of all those passwords? 

  • If you are going to have a different password for each site/account, you need a way to keep track of them.
  • Each of these has its strong and weak points:
    • Sticky notes or a notebook
    • Text files
    • Excel files
    • A text or Excel file kept inside an encrypted file (acceptable, since the contents stay protected if the file is copied or stolen)

Password managers 

  • A better alternative is to utilize a password manager.
  • All password managers basically work the same way: they store all of your account IDs and passwords in an encrypted file, controlled by a master password.
  • According to CNET (https://www.cnet.com/news/best-passwordmanagers-for-2020), the best password managers for 2020 are:
    • Best free password manager: LastPass (https://lastpass.com – a more full-featured version costs $36/year.)
    • Best subscription password manager: 1Password (https://1password.com – base price $36/year.)
    • Another worth considering: KeePass (https://keepass.info – free, open source.)
  • While fairly easy to use, KeePass requires the user to handle some things manually that are handled automatically by the other password managers.
    • For example, both LastPass and 1Password automatically store the encrypted password file in the cloud; a KeePass user must back up (and, if it is used on several devices, synchronize) the database file themselves.

What if I forget the master password? 

  • This is a common question that prevents many people from utilizing a password manager.
    • The solutions differ among the various password managers.
    • It should be noted that – for security purposes – your master password is not stored anywhere in a form that can be recovered by you or anyone else.
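What “controlled by a master password” and “not stored anywhere in a recoverable form” mean in practice: the manager never writes the master password down. It feeds it through a slow key-derivation function with a random salt and uses the resulting key to encrypt and authenticate the vault. A wrong master password produces a different key, so the authentication check fails and nothing decrypts; that is exactly why a forgotten master password cannot be reset by anyone. The example below is an added illustration written for this page, not the code of LastPass, 1Password or KeePass. It uses PBKDF2 from Python’s standard library and a textbook encrypt-then-MAC construction built from HMAC-SHA256 so that it runs without third-party packages; real products use AES-GCM or ChaCha20-Poly1305 and a tuned KDF (Argon2 or scrypt, or PBKDF2 with far more iterations). The iteration count and the vault layout are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

KDF_ITERATIONS = 100_000  # assumption for the demo; production settings are higher


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(enc_key, nonce || counter) blocks. A fresh nonce per save means it is never reused."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lock_vault(master_password: str, entries: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt and authenticate the entries. The returned file carries no trace of the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the reader will trust, including the KDF salt and nonce.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"iterations": iterations, "salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unlock_vault(master_password: str, vault: dict) -> Optional[dict]:
    """Return the entries, or None if the master password is wrong or the file was tampered with."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ciphertext"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, vault["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key: there is nothing here a vendor could "reset" or recover
    plaintext = xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    vault = lock_vault("correct horse battery staple", {"bank": "tan crew prison mail"})
    print(json.dumps(vault, indent=2))  # this is all that lands on disk or in the cloud
    print(unlock_vault("correct horse battery staple", vault))
    print(unlock_vault("correct horse battery stable", vault))  # None: one letter off, nothing decrypts
```

The biometric “safety nets” described in the next sections do not contradict this: the phone keeps a copy of the derived key (or the master password) in its hardware-backed keystore, released only after a fingerprint or face match. The vault file itself is still undecryptable without that key, which is why the recovery route disappears as soon as the phone does.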

Forgotten password: LastPass

  • Users who have downloaded and logged into the LastPass mobile app on Android or iOS can recover their accounts very easily using fingerprint or Face ID authentication. 
  • We encourage users to download the app because it’s very helpful to have all your passwords on the go – but it also acts as a safety net should you get locked out of your account.

Forgotten password: 1Password 

  • If you have 1Password on multiple devices, see if your Master Password works on the others. (If you have a 1Password account, don’t forget to try signing in on 1Password.com.)
  • If your Master Password works everywhere except one device, you should be able to start over on the device where it’s not working, and then sync your data from your other devices.
  • If you are using your family or team account, another family or team member may be able to recover your account.
    • This will let you choose a new Master Password.
    • If you use 1Password on an iOS device with Touch ID or Face ID, try to unlock the app using Touch ID or Face ID.

Forgotten password: KeePass 

  • If you forget [your] master password, all your other passwords in the database are lost…
    • There isn't any backdoor or a key which can open all databases. There is no way of recovering your passwords.
  • Personal observation: I use an Android app named KeePassDroid that permits me to unlock the password manager with my fingerprint.
  • Thus, I could use this to recover my passwords.

What should I do with my passwords? 

  • There is no risk-free solution.
    • Keep your passwords in a notebook or unencrypted file and take the chance that this is destroyed, deleted or stolen; or
    • Utilize a password manager and take the chance that you will forget/lose the master password.

What if I choose a password manager? 

  • Here are a couple of simple risk mitigation strategies for the master password:
    • Secure: Store a printed copy in your safe deposit box. 
    • Less secure: Store a printed copy at a trusted, off-site location.