I don’t have a nice intro to this post. Just use password managers.

They are integral to your internet safety. Imagine you had one PIN in real life for all of your credit/debit cards, house lock (assuming you have electric PIN lock), car, garage, literally anything. It’s easy to image how if one of those vectors is leaked all goes to shit. Same with online accounts. If you use just one password to all services you are registered to, no matter how strong, one hack or leak and all is f*****d.

So how do password managers help?

They let you store and retrieve all of your passwords securely, generate unique and strong passowords for each service, and (depending on your threat model and paranoia) autofill login fields.

But my web browser already does it

Yes it does, but all of your passwords are very easy to access when your machine is compromised for some reason, also personally I’d never trust Google or any other massive corpo with my passwords.

Ok, then what should I use?

Depends on your threat model. If you don’t really care about some other company hosting your passwords on their servers (the files being E2EE ofc) then Bitwarden or Proton Pass can be solid. Between the two I’d recommend Bitwarden unless you are already subscribed to some Proton services.

If you are a schizo freak then KeePassXC is probably your best option. Great password manager, fully offline. Just remeber you are fully in charge in keeping your passwords safe and backed up.

What is a good password?

Password strength

(Password cracking speed equal to 632GH/s achievable by AWS p3.16xlarge server costing 25$/hr. Read more here)

Long one. Complexity is almost irrelevant when it comes to passowrd strength. To a machine there is no real difference between superdog123 and xjaosldf924. Focus on generating long, easy to type passwords. Include as many character sets as possible: small characters, capital characters, numbers, special symbols. Bitwarden allows you to generate a passphrase instead of a password, imo it’s way simpler to use w/o any real drop in security. Generate AT LEAST 4-word, capitalised passphrase with a word separator of your choice, and a number somewhere in it.

Good enough password: Cloud#River#Mountain#Leaf#Sky9

Yes, technically you can lower the pool of all password possibilities as a hacker by assuming that the first letter is always a capital letter, last is either lower letter or number, and more, but this change is so minor I will just ignore it (also we can easily overpower it by making the password just a tiny bit longer).

IF YOU JUST WANT JUST THE SURFACE KNOWLEDGE, YOU ARE GOOD TO STOP HERE. TO GEEK OUT, CONTINUE READING.

How to know if a passoword is good enough?

Entropy. I won’t pretend as if I am competent in chaos theory. There are far smarter people than me researching this field. All you need to know it that the password entropy is equal to:

$$\text{Entropy (in bits)} = log_2\text{(Total no of Passwords)}$$

One issue is that getting the total no. of password is different for passwords and passphrases. There are also an assumption that a password uses all lower and upper case letters, numbers, and special characters printable in base ACII. This yields:

$$\text{Total no of passwords(L)} = (C)^L$$

Where \(C =\) total number of possible characters, and \(L =\) length of the password. The total number of supported characters varies based on which characters the service supports, we will asume a scenario where all base ACII characters are supported (being 33 unique characters). This yields:

$$\text{Total no of passwords(L)} = 94^L$$

For passphrases it gets a bit more complicated. Assuming:

  • using a common word dictionary (diceware) containing 7776 words,
  • there is a number included at the end of some word,
  • any ASCII printable special character as separator. we get a scary looking:
$$\text{Total no of passphrases(N)} = (\prod_{i=1}^N(7776-i+1))*32*10N$$

where \(N=\text{number of words}\).

A strong enough password, according to Proton, is one that has at least 75 bits of entropy.

We will assume a worse scenario where the hacker knows whether we used capitalized words or not, just because it makes a math a bit easier.

Now to calculate the entropy of the password we use the equation mentioned above. We will check the entropy for 16 length password and 5-words passphrase.

$$ \text{Entropy} = log_2(94^{16}) = 104.87 $$$$ \text{Entropy} = log_2(\prod_{i=1}^5(7776-i+1)*32*10*5) = 75.28 $$

As you can see, the password is stronger than the passphrase but I want to argue that the passphrase is good enough and is much MUCH easier to type in scenarios where you can’t just copy your password from your password manager. It’s for you to decide which is easier to type:

  • G#f8Lp2@Zx1!Qv5N
  • Cloud#River#Mountain#Leaf#Sky9

Moreover, to get a similar entropy from a random password we can calculate that:

$$ \text{Entropy per character}=log_2(94)=6.55 $$

so to get the entropy of 75.28

$$ \frac{75.28}{6.55} = 11.49 $$

If we check the image above, given perfect info, our passphrase would take somewhere in between of 50k and 8m years to crack (equivalent of 11.5 character password). Which is good enough if you ask me.

Remember, this assumes that the hacker has the perfect information that you’re specifically using:

  • a passphrase made out of 5 words
  • each word is capitalized
  • word dictionary is diceware
  • there is just one random number at the end of randomly selected word
  • there is just one random word separator being one of ASCII printable special characters

As you can see this is quite a high ask and basically the worst case scenario apart from a hacker just knowing your passhprase out right. Now let’s calculate the strength of your passphrase as if it was just a password, let us assume each word is on average 5 letters long, 5 words have 4 separators and there is 1 number, making it a 30 characters password:

$$ \text{Entropy} = log_2(94^{30})=196 $$

196 bits of entropy is effectively unhackable by anyone in existence, even Europol and NSA with unlimited resources.

My argument is that a 5-word passphrase, given the perfect information, is good enough and is more that you would even need given no information, while being much, and I REALLY mean much easier to input manually than a shorter password.

Not to mention 6-word passphrases which, for the time being, are more than good enough for the forseeable future.

We can go one step further

Pepper your passwords. Salt and pepper are the same, salt is done by the service, pepper by you. It is an addition to the password/passphrase that you do not store anywhere but your brain. It can (and for convenience probably should) be the same for all passwords. An example of a pepper would be gT3$ at the end. So the passphrase changes to Cloud#River#Mountain#Leaf#Sky9gT3$. BUT REMEMBER TO STORE ONLY Cloud#River#Mountain#Leaf#Sky9 in a password manager. Ok but why? Because now out passphrase uses more than just diceware, not all words are capitalized, a separator is missing, basically we are violating every assuption that drops down the entropy from 196 to 75.28. You can insert the pepper anywhere you want, start, tenth character, end, just keep it consistent.

Is it enough?

In most cases, yes. If you want to go one step further you can start using 2FA via TOTP codes. Do not use 2FA via SMS or Email, these protocols are insecure by design. Standalone TOTP apps like Authy are good. Bitwarden Premium offers integrated TOTP codes in their app, but I would not recommend it unless you’ve secured your Bitwarden account with a hardware key (and if you did, you know more than this post can teach you anyway). One way you could go about using Bitwarden Premium (being priced at only $10/YEAR) w/o a hardware key is to set up 2FA for your Bitwarden account on Authy, store the TOTP Key somewhere secure as the backup and then use Bitwarden’s TOTP for all other serivces, your choice.

All of the stuff mentioned above applies the same to Proton Pass and KeePassXC

Edit: 2024 Nov 6

Cloud#River#Mountain#Leaf#Sky9gT3$ might be a bit too much. If you decide on peppering your passphrase I think it is safe to drop it to 4 words. Your are still safe from dictionary attacks and 4-word passphrase will be more than enough entropy-wise when treated as a random password. One drawback of using a pepper is that when one passowrd gets compromised, all other passwords are then back at passphrase level so they are again ‘weak’ to dictionary attacks (also your separator got compromised). I’m not saying all of the sudden to not use passphrases, I still preffer them. But I wanted to make sure I mention this drawback.