Passwords and 2FA

It’s hard to overstate how important online security is. Unfortunately, it is easy to make mistakes, due to lack of knowledge or laziness. This post is my guide to a simple and secure approach that will be good enough for the vast majority of people. I make no claim to be a security expert, but I have spent some time looking into this and thought I would share what I’ve learned.

My advice boils down to these rules:

  1. Use two-factor or multi-factor authentication.
  2. Use a password manager service.
  3. Use a Diceware password for your password manager.

In this post I’ll explain each of these rules and why I think they are important.

Rule 1: Use two-factor or multi-factor authentication

I’ve put this first because it can have the biggest impact on how secure your accounts are. Microsoft have reported that based on their studies “your account is more than 99.9% less likely to be compromised if you use MFA.” That’s huge.

If you aren’t sure what two-factor authentication (2FA) and multi-factor authentication (MFA) are, the good news is that the idea is pretty simple - and you’ve almost certainly used one or the other already. Let’s start with single-factor authentication, which means that to unlock your account you need something that only you should know - i.e. a password or PIN. With 2FA, you also need something only you have - a physical device. Often this is a mobile phone, but it could be a card (like your credit card) or something else entirely. Credit/debit cards with chip & PIN are an example of 2FA - you need both the card itself and the PIN. Multi-factor authentication adds in a third element - something only you are. This means using biometrics, like a fingerprint scan or a face scan.

Not all sites offer 2FA, but I recommend enabling it wherever you can. When you enable 2FA/MFA for a site, you may be presented with some different options. In particular, for 2FA some sites will let you choose between the option to use text messages or use an authenticator app, or a special 2FA hardware device like a Yubikey. Text messages are the weakest form of protection here, and 2FA hardware devices are usually the strongest, but I’m going to say that for most people it doesn’t matter which you choose. The reason that 2FA and MFA are more secure is that anyone wanting to hack into your account needs to bypass all of the factors. Even if each factor is imperfect, this still increases the challenge significantly. Unless you are being specifically targeted, hackers will just move on to other accounts which only have single-factor authentication.

The drawback of 2FA and MFA is that they can make things a little less convenient, but the added security is well worth it in my opinion. You should certainly enable it for your password manager (more on these below) and your primary email account.

If your email provider doesn’t offer 2FA, you should really consider switching. The reason is that most websites offer a “forgot password” feature, where they will typically email you a temporary password or a reset password link. This means that if a hacker gets access to your email account, they can just gain access to your accounts on other sites by using the “forgot password” feature. Your email account is a single point of failure for your accounts with many different services, so it is worth making sure it is secure.

Rule 2: Use a password manager service

A password manager service is pretty much what it sounds like - it lets you store and manage your passwords. The key idea is that rather than having to remember different passwords for different sites you only have to remember one password - for the password manager. (You shouldn’t use the same password across different sites, see Rule 2a below.) Most services include browser plugins that can fill in usernames and passwords for you when needed, and also offer extra features like telling you how “strong” your passwords are, generating passwords for you, letting you change passwords automatically for some sites, or warning you when you are using the same password across multiple sites. If any of this sounds confusing, don’t worry - I’ll explain in more detail below.

Giving all your passwords to one service may sound a lot like putting all your eggs into one basket, and it kind of is. The thing is, these are very well constructed baskets. For the companies that run password manager services, security is the whole reason their business exists in the first place so they value it very highly. This means they will do a much better job of keeping your data secure than other websites, and unless you are a security expert they will do a much better job than you.

Personally I’ve been using LastPass for the past few years. It’s fine, but not amazing and I am currently shopping around for an alternative. There are plenty of options out there - e.g 1Password, Dashlane, NordPass. I would tend to stick with one of the more popular options.

Rule 2a: Use different passwords for different sites

If you haven’t been using a password manager for a while, you almost certainly use the same password across a few different websites. This is a problem because if hackers get hold of your password for one site, they will try the same username and password combination on other sites. You can slightly vary the password you use for each site - e.g. by including the site name or some letters of it in the password - but if the system is easy for you to remember, then hackers will likely use tools that try these sorts of patterns automatically.

Many password managers will warn you if you are using the same password on multiple sites.

Rule 2b: Use auto-generated passwords where you can

When people talk about “good” or “strong” passwords, what they are really talking about is how hard it would be to guess. Security types refer to this as entropy, and you can think of it as the amount of randomness involved in the password. Although I say “guess”, don’t imagine someone will sit there typing in one guess after another - they would use a tool to do it for them, and this means they can potentially try thousands or millions of passwords every second. (The actual number would vary depending on a lot of factors, but the point is it’s a LOT.)

Words are easy to remember, but have pretty poor entropy - the average native English speaker knows about 20,000 - 30,000 words, so using an actual word for your password makes it pretty weak. If you throw in names, foreign words, misspellings, uppercase and lowercase letters, or add a couple of random numbers or symbols it makes it harder to guess but it also makes it harder to remember.

If you’re following Rule 2 and using a password manager, it will have a feature which will generate a random¹ password for you. Use it! The longer the password, and the more different characters you let it use, the higher the entropy and the stronger the password.

Rule 3: Use a Diceware password for your password manager

Even if you store all the passwords you possibly can using your password manager, you’re going to need to remember at least one password - the password for the password manager! Since you’re going to be storing a lot of valuable data in there, it’s worth having a strong password, so something like “password123” or “P4ssword$$” is out. The thing is, you also need to be able to remember it so something like “uB28@f2#X6%f7w” won’t do either. Our brains aren’t good at remembering random strings of letters and symbols, but they are better at remembering words, as we can easily tie them to images and stories. A few years ago the author of a web comic called XKCD noticed this and proposed a system using four common words selected at random:

XKCD: Password strength

When people took a closer look at this system it turned out not to be quite as strong as the comic claims, but the basic idea is sound. I recommend a system known as Diceware. The idea is the same - your password is a series of randomly selected words - but you use dice to select the words (ensuring they are sufficiently “random”) and you use more of them. Five or six words can take a little while to stick, but you’ll get it soon enough. It helps to make it into a little story or mental image in your head.
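The entropy arithmetic behind Rule 2b and the dice-based word selection of Rule 3, as an added example that is not from the original post. It stands in a constructed placeholder for the real 7,776-word Diceware list, and the 30,000-word vocabulary and 94-character printable set used in the comparison are assumptions.

```python
import itertools
import math
import secrets

# Constructed stand-in for the Diceware word list. The real list has one
# word for every five-dice roll, "11111" through "66666" (6**5 = 7776 words);
# here each key maps to a placeholder so the example runs offline.
SAMPLE_WORDLIST = {
    "".join(roll): f"word{i}"
    for i, roll in enumerate(itertools.product("123456", repeat=5))
}


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def roll_key(dice: int = 5) -> str:
    """Roll `dice` fair dice using the OS random source (secrets, not random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def diceware_passphrase(wordlist: dict, words: int = 6) -> str:
    """Pick `words` entries by dice roll; the dice, not the words, supply the randomness."""
    return " ".join(wordlist[roll_key()] for _ in range(words))


def compare_schemes() -> dict:
    """Bits of entropy for the password styles discussed in the post (assumed pool sizes)."""
    return {
        "one English word (30,000-word vocabulary)": entropy_bits(30_000, 1),
        "XKCD: 4 words from 2,048": entropy_bits(2_048, 4),
        "Diceware: 5 words from 7,776": entropy_bits(7_776, 5),
        "Diceware: 6 words from 7,776": entropy_bits(7_776, 6),
        "generated: 14 chars from 94 printable": entropy_bits(94, 14),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {scheme}")
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDLIST))
```

Each extra Diceware word adds about 12.9 bits, which is why six words comfortably beats the four-word comic while staying memorable.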

Conclusion

As I said at the outset, online security is hugely important but can be dishearteningly hard to understand. By following the rules I’ve outlined here, you will have a pretty secure setup that should put you beyond the reaches of all but the most determined and targeted hacking attempts. Even if you decide not to follow my rules, hopefully you will at least understand some of the tradeoffs you are making a little better, and be wary of some common pitfalls.

Stay safe out there! If you found this guide useful or have any suggestions on how I can improve it, I’d love to hear from you.

  1. Technically computers actually generate pseudo-random passwords, but for our purposes it means pretty much the same thing. 
