Each year, “the worst passwords of the year” make it into the news. Passwords like “123456,” “111111,” “querty,” or “password” are always on these lists. If you look at leaked passwords, you quickly realize that passwords are short, non-random, and may have a trailing “!” as the special character. Companies try to get rid of weak passwords by enforcing password rules; however, users find creative ways to bypass these unpopular rules, again using weak passwords.
While countless websites flood the internet with tips to create the “perfect” password, many of them forget about two essentials: Defining a threat model, and keeping credential management as simple as possible.
Always stay in the loop!
Subscribe to our RSS/Atom feed.
- Use built-in functionality of your password manager to manage (not store) your passwords.
- Keep it simple: Encrypting your password database three times using three distinct passwords is overkill and might result in zero usability.
- Prefer multi-factor authentication over passwords.
The three types of factors in authentication
You may know the three factors used for authentication:
- Something you have or own.
- Something you are (either a unique behavioral aspect, or a unique physical characteristic).
- Something you know.
Let’s look at several examples:
Something you have or own
Something you have or own includes SIM cards, credit cards, and security tokens.
|Easy to use||Can be lost|
|Built-in cryptography||Can be stolen|
|May be cheap or for free||Backups and account recovery may be hard|
|Cloning may be impossible||May contain security vulnerabilities|
Something you are
Something you are includes unique behavioral aspects (keystroke dynamics, mouse usage characteristics) and unique physical characteristics (physical fingerprints and iris, vein patterns).
|Easy to use||Can be lost in rare cases|
|Literally “built-in”||May be easy to clone|
|For free||Backups and account recovery may be impossible|
|May be insecure on its own|
|Raises privacy concerns|
Something you know
Something you know includes PINs, passwords, and passphrases.
|Easy to create||Can be forgotten|
|Backups and account recovery may be easy||Does not scale (the more passwords, the harder to use)|
|For free||Backups and account recovery may be impossible|
Further problems of credential management
As you can see, no factor is “perfect” on its own. All factors come with benefits and drawbacks. Additional problems exist when talking about credential management:
- Expiration: Password expiration was considered best practice for years. However, more and more studies show humans bypass the annoying task of changing passwords over and over again. For instance, people set passwords like “s3cur3!maY2022,” and six months later, they change it to “s3cur3!novembeR2022.” This behavior is predictable and an easy-to-spot pattern. Security experts started to speak out against password expiration due to this unwanted user behavior.
- Recovery: You can forget passwords, lose security tokens, or your biometrics change due to injuries. Therefore, authentication needs a secure way for recovering accounts. Applications may allow weak mechanisms for recovery, like asking for personal information. Attackers may misuse such weak “backdoors” to access your accounts.
- Reuse: Reusing the same or similar password for multiple accounts is another common problem. If an attacker recovers the password for one account and identifies the pattern, all other accounts are in danger.
- Strength: You can measure the strength of passwords and keys in “bits of entropy.” The “least sufficient” strength depends on your threat model: A wannabe hacker with one device can’t recover your hashed password while a motivated government agency with thousands of GPUs and human assets will be able to do so. Hence, the discussion about the perfect strength is pointless without looking at potential attackers.
- Storage: What is the best way to store passwords? Some people swear by offline password managers like KeePass; others use online password managing services. As before, the “best” way depends on your threat model.
What is best? Changing passwords regularly, or keeping your password for years? What is the best length for your password? 8 digits? 10? 20? Does it need special characters? And how to store it? Online or offline? But isn’t your password database a single point of failure? We need to look at your threat model.
Threat modeling 101
“Best” factors for authentication don’t exist as long as you don’t define any threat model. Who is your enemy? What do you want to protect?
An example: Look at a medieval castle. A wooden defensive wall offers sufficient protection against random attacks by small groups. However, the same wooden wall fails to protect against a well-trained army with dozens of ladders. You build thick and high stone walls, the enemy’s ladders become inefficient. Then, the enemy brings trebuchets, reducing your stone walls to rubble. Even extremely strong fortifications, protecting against trebuchets, can become useless if the gates of your castle are vulnerable to battering rams.
On the other hand, you can’t spend countless resources to protect your castle against every possible threat on earth. You address the most likely threats by building appropriate defenses. What sounds like a round of Age of Empires 2 is the same in credential management: Spending 30 minutes each day to secure your credentials is overkill; using the same 8-digit password everywhere for years is underkill.
You need to think about your opponents. Consider four points:
- Time: How much time has the attacker to attack you?
- Money: How much money has the attacker to attack you?
- Motivation: How motivated is the attacker?
- Skills: How competent is the attacker?
A motivated, well-trained attacker with an unlimited amount of financial resources and time will always be able to get all your secrets.
A low-skilled attacker with no budget and an unlimited amount of time won’t be probably able to do any harm, even if you write down all your passwords and store them on your digital desktop.
Think about your threat model. Save your time and money. 100% security doesn’t exist, and you can’t even control every part of authentication.
Keep in mind authentication is much more than choosing the “right” password length. You must share your secrets with other parties in a secure way, allowing others to identify you in future. Even one-time password algorithms like OATH-TOTP rely on sharing secrets. As soon as authentication relies on a shared secret, all involved parties need to manage the secret securely. And this is out of your control. Credential management is a shared responsibility like most topics in information security.
Good practices for modern credential management
After talking about different factors, common problems, and your threat model, we look at activities regarding credential management.
The following activities show the basic lifecycle of credential management:
- Generate credentials
- Store credentials
- Back up credentials
- Use credentials
- Change credentials
- Delete credentials
“What to do” each time depends on the factor (as discussed at the beginning). Let’s look at good practices to manage the three factors accordingly.
Managing something you have or own
Something you have or own includes SIM cards, credit cards, and security tokens.
- Generate credentials: Generate your secrets on the device (e.g., security token, smart card) if possible. Security devices come with an isolated environment, keeping the secret secure.
- Store credentials: Store these devices according to your threat model (e.g., in a physical safe). Store digital keys (like OpenPGP keys, SSH keys, or certificates) on security tokens, and encrypt them according to your threat model.
- Back up credentials: Register multiple security tokens for backup purposes if possible. Clone digital keys (e.g., by printing them, see “Paperkey - an OpenPGP key archiver"). Consider using numerous physical locations for storing your backups.
- Use credentials: Keep your workflow as simple as possible. Connect your security token with your laptop, press the button, done.
- Change credentials: You can leak your digital keys, security tokens may contain security vulnerabilities, cryptographic algorithms can become weak over time. Regularly check if your devices are up-to-date. Update or replace them if necessary.
- Delete credentials: Dispose devices that you don’t need anymore. Physically destroy your security tokens and smart cards.
If needed, create a simple spreadsheet to keep track of your tokens, cards, and keys. Include the following columns:
- Unique ID, such as fingerprint or description (e.g., “My YubiKey 5C”).
- Cryptographic algorithm (e.g., “Curve25519”).
- Owner (e.g., “my partner”).
- Purpose (e.g., “used for accessing ABC”).
- Any linked accounts (e.g., “user account XYZ”).
- Current state (e.g., “in use”).
- Backup locations (e.g., “at my friend’s house”).
- Creation date (e.g., “2022-01-05”).
- Expiration date (e.g., “2024-01-05”).
Document what you need to know. If you don’t need an overview, skip it.
Managing something you are
Something you are includes unique behavioral aspects (keystroke dynamics, mouse usage characteristics) and unique physical characteristics (unique physical fingerprints and iris, vein patterns).
Managing “something you are” is easy and self-explanatory. However, you can’t “back up”, “change”, or “delete” yourself. Keep this in mind when relying on this factor for authentication.
You should at least write down where you use this factor for authentication. Identify how these credentials are processed and stored. For instance, if you use your fingerprint to unlock your smartphone, how does your smartphone process this? Does it process your fingerprint on the device or does it upload your fingerprint to a remote server? Could a third party get this information?
Falling back on the other two factors for authentication might be better in case of doubt.
Managing something you know
The final factor is about PINs, passwords, and passphrases.
- Generate credentials: Use a known and proven password manager to generate passwords. The length depends on your threat model.
- Store credentials: Use a known and proven password manager to store PINs, passwords, and passphrases. Use more than one password database to separate credentials if needed.
- Back up credentials: Use tools like Restic or Borg Backup to back up your password databases and configuration files.
- Use credentials: Use a known and proven password manager to fill in password fields automatically.
- Change credentials: Change your PINs, passwords, and passphrases according to your threat model. Use the expiration function of your password manager if helpful.
- Delete credentials: Delete PINs, passwords, and passphrases if you don’t need them anymore.
Use a password manager to manage your credentials. A password manager is much more than a “dumb” encrypted file, containing usernames and passwords.
Install a password manager, set up a new database, and create one entry per account to store the following information:
- Name of the website, service, or application where you use this entry.
- E-mail address used for registration and recovery.
- Unique password, PIN, or passphrase.
- Creation date.
- Expiration date if needed.
Use the “Notes” functionality of your password manager to add more information. We recommend to document which personal data you provide. For instance, if you enter your physical home address and your cell phone number when registering for an online shop, note this down. In case of a data leak, you can quickly estimate which of your personal data is at risk.
The rule of thumb for password strength: One digit longer is always better than one additional special character. A 21-digit password, allowing hexadecimal characters, is more secure than a 20-digit password, consisting of hexadecimal characters and an “!”.
Include metadata about your password databases in your spreadsheet:
- The name of the password database (e.g., the file itself).
- The owner (e.g., “my partner”).
- Storage location (e.g., “SSD of my laptop”).
- Backup locations (e.g., “encrypted online storage”).
- How to unlock it (e.g., “security token + password”).
As before, document things helping you to keep track of your factors. If you don’t need it, skip it.
Migrating to multi-factor authentication
We focused on the three factors on their own, looking at their benefits and drawbacks.
Combining distinct factors is called multi-factor authentication. You may compensate factor-specific drawbacks by combining them. Nowadays, using multiple factors for authentication is considered good practice.
Common standards for multi-factor authentication are:
- OATH-TOTP: When registering, the online service shows a secret key (e.g., as a QR code). The online service and your TOTP client application use this secret key to derive a 6-digit one-time password for authentication. Be aware the secret key is also stored by the online service. It is a shared secret.
- FIDO U2F: U2F security tokens contain a secret asymmetric key. You can’t clone this secret. This key is used to sign a challenge sent by the online service or offline applications. The server or application checks the response for a valid signature. This scheme relies on a secret key stored on your device. There is no shared secret.
- W3C WebAuthn: Web Authentication is a W3C recommendation for web applications. Web Authentication supports a wide range of authentication mechanisms, based on asymmetric keys. If used for single-factor authentication, WebAuthn clients need to store additional secrets (“Residential Credentials”). Otherwise, clients can be used for two-factor authentication—similar to U2F—without storing additional secrets.
We recommend to use multi-factor authentication if possible. Apart from online services, you may use multi-factor authentication for accessing your devices (e.g., laptop, smartphone, SSH server).
Many people write about credential management but it is still plagued by problems and unpopularity.
We recommend using a password manager that is easy-to-use for you and allows you to add notes to each entry. Instead of thinking about the perfect length of your passwords and encrypting your database several times, focus on usability and simplicity. Let your password manager manage your credentials, and migrate to multi-factor authentication if possible.
We republished this article in September 2021.
- FreeOTP Two-Factor Authentication (Android, iOS)external link
- YubiKeys (security tokens supporting OATH-TOTP, U2F, and WebAuthn)external link
- KeePass Password Safe (Windows)external link
- KeePassXC (Windows, Linux, MacOS)external link
- Paperkey - an OpenPGP key archiverexternal link