Cracking the Code: The Myths and Realities of Password Management

First, some quick housekeeping:

1. UBR Readers’ Program: This June, we’re teaming up with Hunter Bookstore. Manager Leticia has handpicked 21 timeless reads for Hong Kong. If you fancy donating some books, swing by Hunter Bookstore. And while you’re at it, admire the new decor – it’s worth the trip.

2. Drifting Classroom Recap: The previous last Thursday (2024.06.20), six readers showed up for our Drifting Classroom #1, a noodle gathering in disguise, a record turnout! We even got five newbies to set up DHK wallets. Last  Thursday (2024.06.27) from 6:00 PM to 8:00 PM, Drifting Classroom #2 happened at Mido Café in Yau Ma Tei, at one of the booth featured on the cover photo.

3. Book Club Reboot: After some well-deserved laziness, our book club was back on the first Monday of July (2024.07.01) from 7:00 PM to 8:00 PM (Taiwan/HK time). We’ve discussed four articles from the LikeCoin 3.0 Green Paper on Google Meet.

Now, let’s crack on.


When it comes to protecting your info, aside from 2FA (two-factor authentication), a password manager is another “low-hanging fruit”. 

If I had to choose just one security measure, I’d go with 2FA. But let’s not split hairs – both are crucial, and skipping either is like leaving your front door open because you locked the back.

The Three Superpowers of a Password Manager

Everyone knows a password manager stores passwords, but there’s more to the story. Here are its three main functions:

1. Storing Passwords;

2. Filling Passwords;

3. Generating Passwords.

Storing passwords is straightforward. Think of it as a digital Fort Knox for your credentials. Each entry typically includes.

– Service name (e.g., Spotify);

– URL or app ID (e.g., https://spotify.com or com.spotify.music);

– Username (e.g., [email protected]);

– Password (e.g., csN@^t8u(x0T>.6Gdj.R).

Password managers are mostly infallible, except for a few cases like OS logins or certain browser plugins. Once you’ve saved your login details, the manager will fill in your usernames and passwords for you. It’s not just convenient but also more secure. You won’t have to copy and paste passwords, avoiding the risk of some app sneakily peeking at your clipboard. For instance, TikTok was caught reading iOS clipboards every few seconds. Worse yet, Apple’s “universal copy-and-paste” means if you copy something on your iPhone, it can be read on your iPad or Mac signed into the same Apple ID. Only with iOS 14 did users start getting alerts about this, and TikTok had to drop this so-called “anti-spam” feature. Some apps might have excuses, but others, like malicious keyboard apps, can directly steal your passwords as you type. By having your password manager autofill, you avoid these traps.

If you encounter a URL like https://www.goog1e.com, most people wouldn’t notice it’s a phishing site (a “1” instead of an “l”). They’d happily enter their credentials. A password manager, however, won’t be fooled – it won’t autofill if the URL doesn’t match perfectly. This not only keeps your passwords safe from malware but also reduces the risk of falling for phishing scams.

Many overlook the password generation feature of their manager. I have a friend who, despite being convinced to use a password manager, only uses it to store and fill passwords, clinging to his “password creation wisdom” developed over years. He believes his method is uncrackable and unique to him. While I don’t agree, I didn’t argue. At least he’s taken the first step. Pushing him to change all his habits at once might backfire, making him abandon the password manager entirely.

Data Breaches: When You Get Hit Out of Nowhere

You’ve seen those TV drama clichés: Bob tries to hack Alice’s computer, fails a few times, then notices something on her desk that gives him the idea for the correct password. 

In reality, unless Alice’s password is something absurdly simple, Bob isn’t going to use “guesswork”. More likely, he’ll rely on a dictionary attack or a brute-force attack. The former uses words and combinations from dictionaries to guess passwords, while the latter is a brute-force attempt to try all possible combinations using powerful computing. 

When my friend imagines how hackers might crack passwords, he envisions a TV show scenario. In reality, it’s a very different picture, completely unrelated to any “secret formula” for generating passwords.

To avoid both scenarios, good cybersecurity habits are key: use a password manager to generate, store, and fill long, random, and complex passwords. Experts have various recommendations on password length, some suggesting at least 8 or 10 characters, others 12 or 16. While I’m not an expert, I suggest going as long as possible – 20, 30, or even 40 characters – since the password manager handles it all for you. The only hitch is some services, especially older institutions like banks and government agencies, love to remind you about security but restrict password length or disallow special characters. In these cases, you just have to set the best password possible within their limits.

Another way passwords get compromised is through data breaches at service providers, leaving users blindsided. While these situations are hard to prevent, adding 2FA to your accounts can stop unauthorized access. Also, using a password manager to create unique passwords for each service ensures that even if one password is compromised, it doesn’t affect other accounts. This underscores the importance of 2FA and password managers yet again.

Big Companies, Big Mistakes

Don’t be fooled by a sleek website or assume that big companies have airtight security. Data breaches happen all the time. Apple, Google, Microsoft – they’ve all been hit. Facebook alone has leaked user data at least seven times, exposing over 500 million users’ phone numbers, birth dates, and locations in 2019.

While data breaches don’t always include passwords, when they do, it’s often password hashes. Hashing is a mathematical function that converts your password into a fixed-length string of characters, which is typically one-way – you can’t reverse-engineer the hash to get the original password. For example, if [email protected] uses “apple” as a password and [email protected] uses “banana,” their hashed passwords might look like this:

“`

[email protected]   3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b

[email protected]    b493d48364afe44d11c0165cf470a4164d1e2609911ef998be868d46ade3de4e

“`

As users, understanding these basics is enough. Don’t worry, we won’t dive deeper into the technical weeds here. The key takeaway is that storing user passwords as hashes rather than plain text is a fundamental security practice. If a company is careless enough to store passwords in plain text, it’s a massive vulnerability. Facebook, the so-called champion of user privacy, made this rookie mistake in 2019, storing passwords in plain text affecting 200 million to 600 million Facebook and Instagram users. Their PR spun it as a minor oversight, with an announcement titled “Keeping Passwords Secure”, downplaying the severity and reminding users about security. You have to admire their nerve.

If even Facebook can be so sloppy, imagine the risks with lesser-known services. Data breaches, including those involving passwords, are quite common. If you’ve been on the internet for a while, you’ve probably been affected. Regularly check the website ‘;–have i been pwned?’ to see if your email has been involved in any breaches. If you’ve reused the same password across multiple sites, you can also check if it’s appeared in past breaches. As for me, my email and password have been exposed 24 times across various sites. How about you?

Unless you want to be an easy target, a password manager is essential. While I’m against being tied to any platform and wouldn’t recommend built-in password managers in operating systems or browsers, they’re still better than nothing. For more security, opt for a third-party manager like Proton Pass. I use it because it’s open-source, the company has a solid track record, and it offers end-to-end encryption. Plus, it has a “masked email” feature that generates unlimited email addresses for different services, further protecting your privacy. I believe in paying for quality services and Proton is no exception, though even their free version is quite robust.

Finally, securing the password manager itself requires a strong password. You can’t rely on the manager to store its own password. Create a strong, memorable password and let it expire frequently, so you get used to entering it often. This way, you’ll have one strong password ingrained in your memory to manage all your others.


P.S. In last week’s newsletter, I posed a question about whether my Substack account counts as two-factor authentication. My attempt to spark a discussion fell flat. This time, no more games – I’ve laid out the crucial points clearly.


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *