Table of contents

• Intro
• Passwords history
• Data breaches
• How to check my accounts
• Most common passwords
• Consider a password manager
• Critical to know by heart
• World Password Day
• Useful links

Intro

Did you hear something about security breaches, importance of keeping your passwords strong enough and using Multi-Factor Authentication?

Well, of course you did, and I have no doubts you already follow these practices when you sign up on a new website, in a new app or once a service asks you to update your password. In this blog post I will try to explain you everything I learnt about passwords history and give some advices on how to handle them nowadays.

You can read more about entropy as a measure of password strength on wikipedia. Overall quality is calculated using zxcvbn utility from Dropbox team. It can be considered as a realistic¹ strength estimator.

Passwords history

Passwords have been used in computer systems since their earliest days, and more concrete since 1961² when they were used in CSTT operating system from MIT, that was the first computing system to implement password login. Today, after more than half of a century later, we still use passwords as a go-to way to protect our data and privacy, although there are other ways of doing this. But those are more complex and require user to be more tech-savvy.

The problem is that computers became insanely performant and guessing a password is not that hard anymore, especially if that password is easy to guess. There is a possibility that it was used by someone on a service that experienced a data breach in the past, and if that service wasn't smart enough to hash, salt or encrypt all the passwords of its users, we can end up seeing our password in a so-called Rainbow Tables³.

Data breaches

Last years many companies announce data leaks one after another, no mater how big and secure is the company.

Some noticeable incidents:

• Instagram, TikTok, YouTube in 2020 (235M user profiles)
• Facebook announced 3 data leaks in 2019 (540M or 146GB of members data)
• Uber in 2017 (57M user profiles, 600K driver profiles)

If even such a tech giants cannot protect themselves and their users, what to say about small and medium-sized companies that cannot afford to have a department of security engineers and to spend massive amount of money on security needs.

In some countries fines and punishment for data leaks are so small that it's way more profitable to pay them instead of having a whole security department, paying salaries, taxes and spending money for penetration tests.

For example, in Russia the max fine for leaking users personal data is 100 000 rubbles.

How to check my accounts

The most popular services that aggregate leaked data and allow users to check their Email addresses against potential presence in various data leaks are haveibeenpwned.com and monitor.firefox.com.

If you trust the company behind this service, just enter your Email address to see if it was noticed in former breaches. Mine was for sure.

If you found yourself on one of these services, it's time to check and update your credentials. By the way, they provide a subscription feature and may inform once a new leak will occur.

Most common passwords

You may be surprised, but in 2022 people still tend to use unimaginably weak and trivial strings in their passwords, ignoring all the advices they receive and constraints defined by particular services.

Just have a look at these lists:

• NordPass: Top 200 most common passwords of 2021
• National Cyber Security Center: Top 20 most common passwords of 2019
• SplashData: Top 100 passwords of 2017
• 10k-most-common.txt on GitHub

It's funny that most compromised SSH password is root⁴ of course.

If you don't want to follow those links above, here's a list of top 10 passwords according to NordPass report as of 2021:

Consider a password manager

Good passwords must contain both lower- and uppercase letters, numbers, special characters and have enough entropy (be long). In addition to this, they must be unique and not be reused across many apps. Such a constraints make it close to impossible to keep them all in one head. I would even say managing them in an analogue or digital storage is not an easy task. Imagine having and notebook with 100 credentials (service address, login/email, password, etc.) and updating all of them several times a year.

Thanks to humanity we solved this problem by inventing password managers. Basically, these are tools to help to store, organize keep track, update and protect sets of credentials.

There are 2 sorts of Password Managers: Open Sourced and Proprietary.

Well, it's debatable for sure, but proprietary PMs have exact same downsides as any other app: they store your data, and they are vulnerable to data breaches. Plus they all are paid of course.

Open Source password managers:

• KeePassXC
• Bitwarden
• Strongbox
• KeeWeb

Some popular proprietary password managers:

• LastPass
• 1Password
• NordPass
• Keeper

I prefer KeePassXC, just because it is cross-platform, and I can use it on both Mac and Windows machines. KeePassXC can be installed using brew. Give it a try:

brew install --cask keepassxc

For terminal lovers there are many impressive tools that use GPG encrypted files as a storage. Canonical one is pass. More robust one that looks promising is gopass.

Critical to know by heart

I don't memorize 99% of my passwords, however some of them are very critical to remember, like the one from your password manager or one that you use to log in into your operating system. Basically, those are passwords that should be used without having access to PM.

Usually we think about passwords as random strings of predefined characters. It's true, but not always. There is another technique, called passphrase and such passwords are way easier to remember.

Source: xkcd Password Strength comics

Let's take a look at this passphrase and classic random password I have generated in KeePassXC: CONSENSUS GONE TRIAL BACKHAND PAYEE and aZa%aj@w5L&X. Even though visually they differ hugely, and you might think the second one is more secure, it's not.

It's obvious that passphrases are easier to remember by creating mnemonics similar to one shown in the comics above. How safe they are? Well, let's calculate the possible number of combinations.

Having a wordlist provided⁵ by EFF, and using a diceware method for passphrase generation, we have the following numbers:

const wordsCount = 7776; // words count in the EFF list
const passphraseLength = 6; // assuming we generate a 6-words passphrase

const combinationsCount = wordsCount ** passphraseLength;
const powerOf2 = Math.floor(Math.log2(combinationsCount));

console.info(`Combinations: ${combinationsCount} or 2^${powerOf2}`);

//→ Combinations: 2.2107391972073336e+23 or 2^77

Learn more: EFF Dice-Generated Passphrases

World Password Day

Taking into account that in average user has around 100 passwords for different websites and apps, updating all of them can become a real pain. Some say it's a good practice to update all your passwords every several months or once per quoter. Others suggest updating even more often.

It's all up to you when to update your entire wallet or credentials for particular service, but there's one rule of thumb that everyone should follow: World Password Day.

Introduced by Intel⁶, it has place yearly on the first Thursday of May. And although it's not an official and widely accepted date, we use it as a reminder of the important role that passwords play in our digital lives.

So don't hesitate, save the date to your calendar and update all of your passwords at least once per year. I follow this way, though I update many of my credentials more frequently.

Useful links

• OWASP Authentication Cheat Sheet