Sane Passwords

Yes, I know. For a lot of you, "password" is quite the trigger word. But it's possible to live a digital life where sign-up pages no longer send a shiver down your spine. You won't hesitate for a second when you encounter a login page for an obscure site you signed up for ten years ago while high as a kite at 2am. Gone are the days of needing to send a password reset email each time you've been logged out somewhere.

The Dangers

If you come across any sign-up pages these days, you'll likely see a recommendation to use a strong, unique, and secret password. They're absolutely right, but how can this be pulled off once you've created accounts for hundreds of services? Or even just ten? We'll figure this out soon enough, but first let's go through why passwords need these properties to sufficiently protect your account in the first place.

Unique

This is arguably the most important property a password should have. The most common way for someone to take over your account, aside from phishing (which will be addressed in a later post), is to use a technique called credential stuffing. Let's say you signed up for a Neopets account back in 2010, and you signed up using the same password as your email account. With credential stuffing, a malicious actor will take the passwords found in Neopets' 2016 database breach and try them against your email, your bank's site, or other services you might be on, until they finally get into one of your accounts that uses that same Neopets password. You can see for yourself how many data breaches you've been found in via cybersecurity expert Troy Hunt's Have I Been Pwned website.
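The pattern described above, seen from the side of the site being attacked: one source tries a leaked username/password list against many different accounts, and nearly every attempt fails. The following is an added example (not code from the original post) of a minimal detector for that pattern in Node.js. The log format, usernames and IP addresses are constructed for this example (the addresses come from the RFC 5737 documentation ranges); the thresholds are assumptions to tune against real traffic.

```javascript
// Added example, not from the original post: flag the credential-stuffing
// pattern in an authentication log (one source, many usernames, mostly FAIL).
// Log lines below are constructed for this example.
const SAMPLE_AUTH_LOG = [
  // A real person mistyping their password twice, then getting in.
  '2023-05-01T02:14:07Z ip=198.51.100.7 user=alice result=FAIL',
  '2023-05-01T02:14:21Z ip=198.51.100.7 user=alice result=FAIL',
  '2023-05-01T02:14:40Z ip=198.51.100.7 user=alice result=OK',
  // One source working through a leaked username/password list.
  '2023-05-01T02:15:01Z ip=203.0.113.5 user=bob result=FAIL',
  '2023-05-01T02:15:02Z ip=203.0.113.5 user=carol result=FAIL',
  '2023-05-01T02:15:02Z ip=203.0.113.5 user=dave result=FAIL',
  '2023-05-01T02:15:03Z ip=203.0.113.5 user=erin result=FAIL',
  '2023-05-01T02:15:04Z ip=203.0.113.5 user=frank result=FAIL',
  '2023-05-01T02:15:05Z ip=203.0.113.5 user=grace result=OK',
  'this line is not an auth event and is skipped',
];

const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$/;

// Parse one log line into an event, or null if it is not an auth event.
function parseAuthLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], ip: m[2], user: m[3], ok: m[4] === 'OK' };
}

// Aggregate attempts, failures and distinct usernames per source IP.
function summarizeByIp(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseAuthLine(line);
    if (!ev) continue;
    let s = byIp.get(ev.ip);
    if (!s) {
      s = { attempts: 0, failures: 0, users: new Set() };
      byIp.set(ev.ip, s);
    }
    s.attempts += 1;
    if (!ev.ok) s.failures += 1;
    s.users.add(ev.user);
  }
  return byIp;
}

// Flag sources that tried at least `minUsers` different usernames with a
// failure rate of at least `minFailRatio`. Both thresholds are assumptions.
function flagCredentialStuffing(lines, { minUsers = 5, minFailRatio = 0.8 } = {}) {
  const flagged = [];
  for (const [ip, s] of summarizeByIp(lines)) {
    const failRatio = s.failures / s.attempts;
    if (s.users.size >= minUsers && failRatio >= minFailRatio) {
      flagged.push({ ip, attempts: s.attempts, distinctUsers: s.users.size, failRatio });
    }
  }
  return flagged;
}

console.log(flagCredentialStuffing(SAMPLE_AUTH_LOG));
```

The single OK for user grace inside the flagged burst is exactly the takeover the paragraph above describes: a reused password that happened to match. Note the limitation of counting per source IP: an attacker spreading attempts across many addresses will stay under `minUsers` at each one, so a production detector also watches the overall failure rate and the number of distinct sources per username.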

Secret

This may be the most obvious, but to this day I still see people sending passwords to friends and family in texts, emails, and Facebook Messenger. Storage has become very cheap, so those passwords you sent over will remain available for years to come, just waiting to be found. And if you're running a WordPress site or something similar, it's easy to misconfigure it in a way that leaves your admin and database credentials, along with other sensitive information, easy to find online. If you need to send a password to a friend or coworker, I'm currently building a service that lets you send it to them without either of you needing to create a new account.

Strong

All passwords can be guessed; it's just a matter of time. Using a "strong" password simply makes it much harder for the guesser. Password requirements that tell you to use at least 1 digit, 1 lowercase letter, 1 uppercase letter, and 1 symbol are simply trying to ensure that attackers will also need to include those characters while guessing, which exponentially increases how many guesses they'd need to make before they finally guess the correct combination. Trying every possible password combination until the correct one is found is called brute-forcing.

In the real world, it's highly unlikely anyone is trying to get into your account specifically this way. Instead, whenever a database is breached and the passwords are protected by hashing, people dedicate their time and computing resources to "crack" the hashes and reveal the actual passwords, which can then be uploaded to sites for other people to find. The weaker the password, the quicker its hash is cracked. They can now access your account thanks to your weak, easily guessable password, and can pivot to credential stuffing to take over more of your accounts that may be using the same password.

The Solutions

Now that you know the ways bad password hygiene can be your downfall, it's time to see how you can have strong, unique, and secret passwords for every service you sign up for without breaking a sweat.

Password Managers

I'm not sure what surveillance capitalism knows about you, but it's very likely you've come across ads for these services. I usually direct people to 1Password or Bitwarden. Essentially, these are apps you can install on all of your devices/browsers that will keep track of each password for you. You only need to remember one password, which then gives you access to all of your passwords.

There's initially a good bit of friction when you first start using a password manager. You likely have already signed up on hundreds of websites, and you'll need to gradually add those credentials to your password manager one by one. Their browser extensions usually make this very easy, akin to using Chrome/Firefox's own built-in Save Password functionality. You'll log in, then accept the prompt to save it to 1Password/Bitwarden, and from then on they'll be able to autofill your username and password the next time you need to log in.

Once you start signing up for new sites, you can let the password manager generate a strong password on your behalf, and save it for that site. You won't need to remember it, and it can be as long and complex a password as necessary. Password managers are also very useful for security questions and storing other information that will help with account recovery. If you need two-factor authentication for a site, you can add the backup codes to that site's entry in case you lose the phone that has your authenticator app.

Password managers are the solution. But there are a few other alternatives I'd like to go over that either show promise, or never fulfilled their promise.

Passwordless Future

Passwords won't be going away any time soon, but there's been a lot of work in recent years to implement a way for users to sign up for a service without needing a password. It's called WebAuthn, and Google, Apple, and Microsoft are all on board. In particular, they're working on an implementation of what's called device attestation and assertion. Instead of using a password, a secure part of your phone/computer will send a certificate to the website, and all subsequent logins will provide a proof that you're using the device which generated that certificate, granting entry if this "assertion" is correct.

Again, this protocol is still in the works. And even once it becomes ubiquitous in usage, passwords will still take a long time to be phased out, if ever. And if my explanation of WebAuthn was confusing, don't worry: it's not necessary to know how it works, and the nuts and bolts of the protocol are difficult even for me to understand.

Social Login

Of course, I'll need to touch on social logins given how common they are. They're the "Login with Google/Facebook/Apple" buttons you see everywhere. When these first started to appear, I was a bit hopeful that they could be the "password killer". But my hopes were pretty quickly crushed, as I've found they cause more trouble than they're worth.

Social logins still require you to know the password for the social service you're using. They also require you to remember which social service you signed up with for each site. If you choose the wrong one, you'll mistakenly create a new account instead of logging in with your existing account. This can be partially rectified by always choosing the same social service, but not every site will support logging in with the service you chose. And if the social service goes down, or you decide to delete your account, you'll no longer be able to log in to the sites you signed up for with it. At the end of the day, social logins were simply a way to let site owners quickly access your personal information, and for the social services to further track you across the web.

Sanity Restored

Hopefully by now I've convinced you to use a password manager, or at the very least explained the reasoning in an entertaining way. It only gets harder to adopt a password manager as time goes on and your list of accounts grows. We're now seeing over 1000 data breaches per year, and it's only a matter of time before one reused password results in identity theft or a drained bank account.

Chart: Annual number of data compromises and individuals impacted in the United States from 2005 to first half 2022 (source: Statista)

Those stats are a bit grim. But on the bright side, there's safety in numbers. Like a lion picking off a gazelle from its herd, it will likely take some time before a thief singles you out. And if every one of your accounts is using a strong and unique password, the damage a thief can do will be drastically reduced.