Account security

Passwords and password management

The most important things about passwords you need to know are: Every password

  • should only be used for one service, and
  • should be strong enough to survive a password cracking attempt.

It is difficult to remember one or multiple strong passwords (see below). We highly recommend that you use a password manager that remembers your passwords for you, and protect it with a randomly generated passphrase.

Such a passphrase looks like "encircle approve candy glorifier unknowing cross" and is easier to remember than the equally secure password "hctmenzqrefaacbmhhpe".

Don't worry, a passphrase is easier to remember than you think! The Electronic Frontier Foundation (EFF) provides a useful guide on how to create a secure passphrase, and we suggest that you follow it. You should choose a passphrase that has at least six words. If you are facing a state-level adversary, like your government or military, you should choose a passphrase that has seven words.

You also do not have to remember your passphrase by heart immediately. If you can keep a sheet of paper in a safe place, you may write it down. To do this, place the sheet on a hard table, so that the pen leaves no imprint on the surface underneath, and write your passphrase on it. Once you are sure that you will remember your passphrase, destroy the paper in a secure way, for example by burning it and destroying the ashes.

If you do not already use a password manager, we suggest the following steps:

  1. Install an open source password manager.
  2. Create a random passphrase, and write it on a piece of paper.
  3. Enter your account information and site-passwords.
  4. Make a backup of your password database.

After some time: destroy the piece of paper that contains your passphrase.


Details on password managers

A password manager is a software tool that stores passwords for you. Your passwords are encrypted and stored on your device in a password database. The encryption key is derived from one additional password or passphrase that is not stored anywhere and that you have to remember. So when someone takes your device away, they still need your passphrase in order to get access to your passwords.

When talking about password managers, the password or passphrase that is used to encrypt the password database is called the master password, while the passwords within the database are called site-passwords.

Though password managers are useful tools, you have to keep a few things in mind before you start using one:

  • You should regularly back up the data of your password manager.
  • When an attacker takes your device away, they may force you to tell them your master password.

Travelling with passwords:

When on the road it is best practice to only carry the passwords with you that you truly need. Some commercial password managers provide a special "travel mode" for this, but you can use any free password manager and create a second password database manually.

Some free and open source password management systems are KeePassXC, Bitwarden and Password Safe.

When not to use a password manager:

You should not use a password manager when you suspect that your device is infected with malware or with software that logs your keystrokes.

Warning about state-less password managers:

Some password managers do not need a database. They are sometimes called state-less password managers, sometimes password generators. Instead of a password database, they calculate a site-password from a master password.

While state-less password managers can, in theory, be used safely, you should only use them when you know exactly what you are doing! In general, we do not recommend the use of a state-less password manager.

One open source state-less password manager is LessPass.

Notes about online password managers:

Online password managers store password databases encrypted in the cloud. You usually have to create an account for them. When you log in, your login password or passphrase is used to decrypt your password database. 

Online password managers have three main benefits:

  • You only need a Web Browser and do not have to install additional software on your computer.
  • Your password database is not stored on your device, and cannot be taken away with your devices.
  • The company providing the password manager can rate-limit login attempts and thus slow password cracking down.

Depending on your situation, the same benefits can however turn into disadvantages. If the company providing the password manager is cooperating with your government, they may hand over your password database. They may also capture your master password when you log in and hand that over as well. You are also vulnerable to phishing attacks, and a successful phishing attack will reveal all your passwords at once.

Some open source online password managers are Clipperz and Passbolt.


Details on secure passwords

A password is only strong enough when it is sufficiently unpredictable. Unfortunately, such a strong password

  • has to be randomly generated by a computer,
  • should be at least 13 characters long,
  • and should contain lower- and upper-case letters as well as numbers.

If, and only if, your password is randomly generated, the impact of numbers and upper-case characters on its strength is rather small. The following table shows password lengths that achieve a normal security level, as well as a security level when you face a state-level adversary. Note that these lengths are only secure if the password in question was randomly generated.

Technical details: we consider a normal password to be secure when it has at least 75 bits of entropy, and require 90 bits for a state-level adversary. We consider the English alphabet a-z with 26 characters, as well as A-Z with 26 characters, and the 10 digits 0-9. For example: one character selected uniformly at random from the set of all lower-case characters has about 4.7 bits of entropy. The entropy of a lower-case password of length 16 is calculated as 16 * log2(26), which is about 75.2 bits.

This calculation is of course only correct when the password has been randomly generated by a computer. For example, a password of length 13 that was generated by a human is most likely not secure.

  character set                       security level   minimum length
  lower-case only                     normal           16
  lower and upper-case                normal           14
  lower and upper-case, and numbers   normal           13
  lower-case only                     state-level      20
  lower and upper-case                state-level      16
  lower and upper-case, and numbers   state-level      16
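As an added worked example (not part of the original page), the following Python script carries the entropy formula above through all six rows of the table and applies the same thresholds to the six- and seven-word passphrase advice; it assumes, which the page does not state, that the EFF long wordlist has 7776 entries, and it uses the secrets module to draw a password of the computed minimum length.

```python
import math
import secrets
import string

# Security targets stated on the page: 75 bits for a normal password,
# 90 bits when facing a state-level adversary.
TARGETS = {"normal": 75, "state-level": 90}

# The three character sets from the page's table.
CHARSETS = {
    "lower-case only": string.ascii_lowercase,
    "lower and upper-case": string.ascii_letters,
    "lower and upper-case, and numbers": string.ascii_letters + string.digits,
}

# Assumption (not on the page): the EFF long wordlist has 7776 entries,
# so one uniformly chosen word carries log2(7776), about 12.9 bits.
EFF_LONG_WORDLIST_SIZE = 7776


def entropy_bits(symbol_count, length):
    """Entropy of `length` symbols drawn uniformly from `symbol_count` symbols."""
    return length * math.log2(symbol_count)


def minimum_length(symbol_count, target_bits):
    """Smallest length whose entropy reaches target_bits (rounded up)."""
    return math.ceil(target_bits / math.log2(symbol_count))


def length_table():
    """Rebuild the page's table as {(charset name, level): minimum length}."""
    return {
        (name, level): minimum_length(len(chars), bits)
        for name, chars in CHARSETS.items()
        for level, bits in TARGETS.items()
    }


def random_password(charset, target_bits):
    """Draw a password of the minimum length for target_bits with a CSPRNG."""
    n = minimum_length(len(charset), target_bits)
    return "".join(secrets.choice(charset) for _ in range(n))


if __name__ == "__main__":
    for (name, level), n in length_table().items():
        print(f"{name:35s} {level:12s} {n}")
    for words in (6, 7):
        print(words, "words:", round(entropy_bits(EFF_LONG_WORDLIST_SIZE, words), 1), "bits")
    print(random_password(CHARSETS["lower-case only"], TARGETS["normal"]))
```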