In our main post, we covered why password managers are more secure and more convenient than other solutions. Here we’ll go beyond the introductory level and discuss some more details that we didn’t have space for in the main post.
Let’s start with straightforward concepts and work toward the harder ones.
Security questions
A photo caption in the main post says to never give real answers to security questions. This is true for many people, and probably true for you if you’re reading this post. Security questions exist because most companies want a convenient way to authenticate users beyond the typical two-factor auth methods. That’s often because some people lose access to their usual login credentials and need a backup.
But security questions are also a vulnerability. Some of them are easy to answer through basic research on a person, or by knowing them even as an acquaintance. If you’re confident that you know how to maintain access to your passwords and two-factor auth, you should make up answers to all security questions and store them in your password manager. See the Bitwarden screenshot in the main post for an example.
Why not use the browser for passwords?
A lot of people store some or all of their passwords in their browser’s native password manager. Google Chrome must have the most widely used password manager in the world. Is that better than what most people would be doing otherwise? Yes, it’s way better. At least they’re generating long, random passwords by default.
There are some security drawbacks to using browser password managers. But I’d like to highlight that it’s far too easy to lose access to your whole digital life at once if you keep your passwords inside (say) your Google account in Chrome.
Loss of a device is one path to losing access. It could be due to destruction or theft, or the device might just suddenly die. Many people have never thought about what would happen to their accounts if they couldn’t access texts sent to their phone number. Or maybe they’re logged into their Google account on only one device. If they lost that device, in order to log in on a new device they would need the password to their Google account, which requires being logged into their Google account already … uh oh.
Even worse is if Google itself brings down the hammer. In 2022, The New York Times reported on a case in which Google shut down the account of a guy named Mark who used Google for everything. He lost more than a decade of contacts, emails, and photos. He even used Google Fi for his phone plan, so he had to get a new phone number. He couldn’t use his email or phone number for two-factor authentication, making it difficult or impossible to log into all his other accounts.
Why did that happen? Google scanned his photos and decided to terminate his account because they thought photos of his child, later sent to their pediatrician, were child pornography. Google reported him to law enforcement, and the police were able to access everything in his Google account during the investigation. According to Google’s transparency report, they restrict or disable hundreds of thousands of accounts each year. The report says that affected users “are given an opportunity to appeal.” But although the police investigation concluded that no crime occurred, Mark’s repeated appeals to restore his account didn’t work.
Think about what Google apps you rely on: Gmail, Calendar, Docs, Drive, Photos, Maps, and Home are common. Maybe your passwords are in Chrome too. A lot of people have gradually developed a heavy reliance on their account with a single company. You access your data — or don’t, ever again — at Google’s discretion.
I have personally stopped using every Google service except YouTube. I want to avoid concentration risk with a company that tries to spy on everything I do and applies fallible algorithms to cut user access without notice. Everyone has to make their own judgment about that. But I insist that, wherever you land, you should use a dedicated password manager instead of your browser. The experience is better and it’s a more robust solution in every way.
On a lighter note, using a dedicated password manager protects you from lock-in. If you want to try a different browser, you can switch instantly rather than feeling trapped by your current setup because it would take so much work to change.
Sharing passwords
What’s the best way to send sensitive info like passwords? Personally I use the disappearing message feature on Signal. Signal is the leading secure messaging app: the most popular messaging apps by big tech companies built their encrypted messaging partly with Signal’s protocol. Messaging on the Signal app is secure partly because Signal itself retains no data on its users, and there’s no backup feature for the messages. Unless you deliberately export your messages and store them elsewhere, they’re stored only on the devices involved in the chat.
The app has a feature that erases messages after an amount of time you select. You can turn it on for one message, then turn it off if you want. So even if you don’t use Signal for anything else, consider using it to send login credentials. Of course, there are other ways to do it, but sending over Signal is so simple and easy.
Why the obsession with long passwords?
We want to use our password manager to generate passwords that are virtually impossible to guess. So we should use a method with a possibility space far larger than any computer can search through. Let’s start from the bottom.
How many potential passwords are there if we use one character? There are 26 lowercase letters, 26 uppercase letters, ten digits (0-9), and about eight special characters that are accepted in every website’s password field. That’s a total of 70, so there are 70 distinct one-character passwords.
If we increase the length by one, how many potential passwords are there? 70×70 = 4,900. Notice that there aren’t twice as many possibilities: there are 70 times as many.
What about passwords with ten characters? 70 multiplied by itself ten times is 70^10 = 3×10^18. That number is incomprehensibly large, but let’s compare to a password length of 15 characters: 70^15 = 5×10^27.
The difference is nine orders of magnitude. In other words, the number of ways you can combine 15 characters is over a trillion times as large as the number of ways you can combine 10 characters. This is exponential growth: every character you add multiplies the number of possibilities by 70. Every five characters you add multiply the number by more than a trillion.
Without context, the exhortation to use long passwords might sound like over-cautious, pointless heavy breathing by cybersecurity nerds. The take-home message is that 20-character passwords aren’t twice as hard to guess as 10-character passwords. They aren’t ten or 100 times as hard to guess. 10 random characters are easy to guess, and 20 random characters are nearly impossible to guess. But with a password manager, they take the same amount of your time to use!
Misspell words!
We introduced the use of a passphrase in the main post. A passphrase is mainly composed of words rather than random characters. Because words are somewhat predictable sequences of letters, a passphrase is easier to guess than a password of equal length in which every character is randomly generated.
Non-randomness is the basis for a dictionary attack, which guesses the most common combinations of words and other characters rather than using pure computational brute force to guess a password. Most people create passwords with predictable patterns. If they include a number, for instance, it’s very likely to be at the end of the password. 1 is the most common number used by far, followed by 2, 3, and 12. Using a passphrase is much better than following simple patterns like that, but the point is that words are less random than strings of random characters.
How do we maintain the memorability of a passphrase, while making it a stronger password that’s harder to guess?[1] If you misspell a couple of words in your passphrase, the password strength jumps closer to that of a randomly generated password.
Imagine you want to use the word “castle” in your passphrase. How many ways are there to misspell “castle” by adding, removing, or replacing one letter? Assuming we stick to lowercase letters, there are 344 ways to do that.[2] By misspelling a word, we’ve radically expanded the space of potential passphrases. Replace “castle” with “cajtle”, for example. I try to make changes that make the word easier to type.
I’m not saying that a 30-character passphrase is weak. But it’s so much stronger if you make this tiny adjustment.
Usernames matter!
Before I started using a password manager, I used “rjwthree”, or a slight variation, as my username for every account. This isn’t the worst habit, but it does present a vulnerability in some cases.
For example, I once war-gamed what would happen if someone SIM swapped my phone number and used it to try to access my accounts. I tried changing the password for my Bank of America account by pretending I had forgotten it and didn’t have access to my email. They let me do it with only my phone number as authentication, as long as I could tell them one other personal data point. One of the options offered was … my username. It wouldn’t be hard to guess: it was the same as my Twitter handle at the time.
If you try to replicate this, I can’t guarantee it will go the same way. Maybe BoA has changed their login reset process. But this illustrates why it’s worth randomly generating a username in your password manager for each account, instead of using the same one for everything. At virtually no expense to you, it creates another obstacle for anyone trying to break into your accounts.
Salt
“Salt” and “pepper” are technical terms in cryptography. Here I’ll just describe how some people manually add “salt” to their passwords.
Under normal use, when you log in using a password manager, you autofill the username and password fields, and that’s it. But some people have a 3-6 character string that they manually append to each password. The incomplete passwords are different for each account, but the string at the end is always the same. That is the salt.
Let’s say your salt is “8feja”. After each incomplete password is filled in, you would type 8feja. This guards against a hacker accessing your password vault, because you wouldn’t store the entire password in the password manager.
Personally I don’t salt my passwords. The weakest link by far in keeping my password secure is the company whose account I’m logging into. And even if my password manager were hacked, and they managed to guess my master password — which is not feasible — they still wouldn’t pass two-factor authentication, which I’ve activated for every important account.
If you’re concerned enough to salt your passwords, you might consider using an offline password manager for some of your passwords, which we discuss below.
Encryption key settings
The password manager I use, Bitwarden, allows you to adjust encryption key settings for your vault (on the website only, navigate to Settings > Security > Keys). If you use a different password manager, it may have a similar feature.
As Bitwarden explains, changing these settings (in the right direction) would make guessing your master password more computationally intensive for a hacker who breached Bitwarden’s databases.
In the settings, you’ll see that the default KDF algorithm is PBKDF2 SHA-256. If you have a modern device that can handle it, change the algorithm to Argon2id. Any flagship smartphone less than five years old, and any computer less than ten years old, is definitely sufficient.
You can leave it there, and you’ve already made an improvement. To further increase the computation required to guess your password, you can gradually increase the KDF iterations and KDF memory. You can also decrease the KDF parallelism — some people get this wrong and assume you’re supposed to increase this number as well.
Make small changes to these settings, then try logging in with the master password — not with biometrics or a PIN — on your mobile and desktop apps. At some point, you’ll likely notice a lag when you enter your master password. You can keep cranking up the settings, but it becomes an inconvenience if you have to wait ten seconds to unlock your vault. It’s possible to make these settings so extreme that your device might no longer be able to log in, but that’s not a major concern if you have modern hardware and you’re not exceeding 10 for KDF iterations and 1024 for KDF memory. 1 is the natural minimum for parallelism.
These changes matter, but not nearly as much as creating a strong master password. That should be the first, second, and third priority before thinking about nuances like this.
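As an added illustration of why the iteration count matters (my code, not Bitwarden’s or its actual key derivation), the block below derives a key with PBKDF2-HMAC-SHA256, the default KDF named above, times one derivation, and turns that into how long an attacker would need to exhaust a password space. The master password, salt, candidate count and attacker speed-up are constructed placeholders; Argon2id is not shown because it needs a third-party library.

```python
import hashlib
import time

# Constructed sample inputs (placeholders, not a real account or Bitwarden's internals).
MASTER_PASSWORD = b"correct-horse-battery-stapl3"
SALT = b"constructed-salt-value"


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 256-bit output: the default KDF the section mentions.
    Every extra iteration is one more HMAC that both the legitimate user and an
    attacker testing master-password candidates must compute."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine, averaged over `repeats` runs.
    This is also the attacker's cost per candidate if they use the same hardware."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive_key(MASTER_PASSWORD, SALT, iterations)
    return (time.perf_counter() - start) / repeats


def years_to_exhaust(candidates: int, per_guess_seconds: float, attacker_speedup: float) -> float:
    """Years needed to try `candidates` master passwords when the attacker's hardware is
    `attacker_speedup` times faster per guess than the machine that measured `per_guess_seconds`.
    PBKDF2 work is linear in iterations, so this scales directly with the setting."""
    return candidates * per_guess_seconds / attacker_speedup / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed scenario: an attacker rig 1e6 times faster than this machine working
    # through the 70^10 ten-character passwords counted earlier in the post.
    for iters in (1_000, 100_000, 600_000):
        per_guess = seconds_per_guess(iters)
        print(f"{iters:>8} iterations: {per_guess * 1000:7.2f} ms per guess, "
              f"{years_to_exhaust(70 ** 10, per_guess, 1e6):.2e} years to exhaust 70^10")
```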
Other (better?) password managers
As I mentioned in the main post, my general password manager recommendations are Bitwarden and 1Password. Proton Pass is also a great option, especially for those who like the Proton ecosystem and use SimpleLogin email aliases. All three would work great for most people, and if you have specific preferences, then you’ll have to try them out yourself.
Here I want to distinguish the more popular password managers — like Bitwarden, 1Password, and Proton Pass — from managers that are designed to work locally with no online syncing.
These include options like KeePassXC for desktop, KeePassDX for Android, and KeePassium for iOS and macOS. They have similar names not because they’re made by the same organization, but because they derive from an open-source project called KeePass. I can’t make recommendations because I haven’t tried them, but Techlore has a continually updated list of recommended options.
You will sacrifice a degree of convenience if you choose an offline password manager. Some people who know how to self-host with a NAS device could sync between their own devices without using the internet. If that sounds like an interesting project for you, then maybe you’re the right type of person to try an offline password manager.
With offline software, you need to think a lot more about (a) keeping your vault synced between your devices when you add or change login credentials; and (b) preserving your vault in case of catastrophic events in which you lose all your devices, like theft or a fire.
You could take a moderate approach and split your vault: an online synced manager for most of your passwords, and an offline manager for the few most precious. These would be passwords to accounts without which you would literally die — perhaps your email account, financial accounts, and at least one among Google, Apple, and Microsoft. Just keep in mind the questions: What happens if one of my devices suddenly dies? What happens if a fire or flood destroys all my devices, or someone steals them?
I think a password manager that uses online syncing is perfect for nearly everyone. Done right, it’s an extremely secure system. I would consider using an offline password manager only if I were concerned about being targeted individually by extremely well-resourced actors, like national governments. Even then, I would take the moderate approach and continue to store the vast majority of passwords in my Bitwarden vault.
Further resources
Every Money IRL post is organized in The Omni-Post, and all vocab terms are here.
This interesting post describes the patterns in how people create their passwords.
The main post has a number of further resources.
—
We love comments here. Tell us what you like or dislike, agree or disagree with. Recall a long story barely related to this post. Ask a question!
Please send photos of your pets if you’d like to see them in future posts. Or suggest a new topic, or say hi! You can email or tap the message button. Stay safe out there.
Email: bright.tulip711@simplelogin.com
—
[1] The technical way of saying that would be “increasing entropy”.
[2] There are 7 positions to add a letter and 6 letters that could be replaced, each multiplied by 26 possible letters. There are six letters that could be deleted. 26(7+6) + 6 = 344. This is a little oversimplified, because some one-letter changes produce a different word, but we’re looking for non-words: deleting “l” from castle produces “caste”, so that one shouldn’t count.
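The count from the “Misspell words!” section and this footnote, worked as an added example (my code, not the author’s arithmetic): it enumerates every lowercase string one insertion, deletion or replacement away from a word, reproduces the 344 figure, shows how many of those strings are actually distinct, and drops real words using a constructed mini-dictionary (an assumption; a real check would load a full word list).

```python
import math
from typing import Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Constructed mini-dictionary: just enough real words to show the filter at work.
# A real check would load a full word list ("castled" is a word too, for instance).
SAMPLE_DICTIONARY = {"castle", "caste", "castles", "cattle"}


def naive_edit_count(word: str) -> int:
    """The footnote's arithmetic: 26 letters at each of the len+1 insertion points
    and each of the len replacement points, plus len deletions. 'castle' -> 344."""
    n = len(word)
    return len(ALPHABET) * ((n + 1) + n) + n


def single_edit_variants(word: str) -> Set[str]:
    """Every distinct lowercase string exactly one insertion, deletion or replacement
    away from `word`. The set removes double counting (inserting 'c' before or after
    the existing 'c' gives the same string), and the original word is dropped because
    replacing a letter with itself is not a misspelling."""
    variants = set()
    for i in range(len(word) + 1):
        for ch in ALPHABET:
            variants.add(word[:i] + ch + word[i:])  # insertion
    for i in range(len(word)):
        variants.add(word[:i] + word[i + 1:])  # deletion
        for ch in ALPHABET:
            variants.add(word[:i] + ch + word[i + 1:])  # replacement
    variants.discard(word)
    return variants


def misspellings(word: str, dictionary: Set[str]) -> Set[str]:
    """Variants that are not real words: the footnote's point that 'caste' should not count."""
    return {v for v in single_edit_variants(word) if v not in dictionary}


def extra_entropy_bits(word: str, dictionary: Set[str]) -> float:
    """How much harder the word gets to guess if the attacker knows you may have misspelled
    it (or left it alone: the +1) but not how. Footnote 1 calls this 'increasing entropy'."""
    return math.log2(len(misspellings(word, dictionary)) + 1)


if __name__ == "__main__":
    word = "castle"
    print(naive_edit_count(word))                      # 344, as in the footnote
    print(len(single_edit_variants(word)))             # 332 distinct strings
    print(len(misspellings(word, SAMPLE_DICTIONARY)))  # 329 after dropping real words
    print(f"{extra_entropy_bits(word, SAMPLE_DICTIONARY):.2f} bits")
```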