Overview

Passwords. Everyone in the digital world has to use them, generate them, store them, remember them, and ensure they are secure. However, picking good passwords is hard, and there are many common pitfalls in the secure use of passwords. Some platforms are moving towards a passwordless future, where applications use other means of authentication - MFA apps, hardware security keys, and other methods. For the most part though, services still use passwords, and it's critical that users manage them securely. Preventing account compromise, in most cases, starts with password management.

Password Management Tips

Password Picking

Setting up a solid password involves multiple factors, but the core technical factor needed is entropy, or randomness. In simple terms, the more random a password is, the better. 

Randomness makes it difficult for an attacker to guess your password. Hackers might try to guess your password right on a website, entering it into the password field directly. More likely though, they have a password hash from a data breach - a scrambled version of the password run through a cryptographically secure one-way function. They must try to guess your password until they get a matching hash, and can then use that password to log into your accounts.

But how random is random? You might think that something "goofy" is random enough - the password "sillypotato", for example. But in terms of real entropy, two silly words aren't really that random. An attacker with a powerful computer could guess this simple 11-character, two-word password in seconds to minutes. It turns out humans are really bad at generating randomness on our own.

A better way to create secure passwords is to use a tool like a password manager to generate truly random passwords, consisting of random characters selected by the computer's cryptographically secure RNG. A truly random 20-character password might look like this - "u8XqHp6jVp7eFutm9nzz". If you have to type or easily remember a password, you can use a form of random generation called diceware, which turns the underlying entropy into a series of English (or another language's) words. For example - "PokeParkLikeQuickHappy". This diceware phrase is generated from 13 bits of entropy per word and ends up with 22 characters. Lastly, if you must make up the password yourself, choose a long phrase over one or two words. A long sentence that has meaning to you is better; for example, "HarryPotterAndTheLongStrongAccountPassphrase" is stronger than "HarryPotter".

You'll notice that these random passwords aren't only random; they're also longer than our example "sillypotato" password. Length is another important component of strong passwords, and ties in with the concept of entropy. The longer a password is, the more possible combinations exist. With every character added to a password, the number of possible passwords an attacker has to guess grows exponentially. Practically speaking, an attacker with an off-the-shelf laptop can guess all possible 8-character passwords in minutes. It doesn't matter how random an 8-character password is, because an attacker can try all of the possible combinations quickly.
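The following Python is an added illustration, not code from the article: it puts numbers on the entropy and length argument above by generating passwords with the OS CSPRNG, computing bits of entropy for random-character passwords and diceware phrases, and estimating worst-case search time at an assumed rate of 10^11 guesses per second (a constructed figure for a fast unsalted hash). The small word list is constructed and stands in for a real 7776-word diceware list.

```python
import math
import secrets
import string

# Constructed stand-in for a real diceware list, which has 7776 words
# (6^5 outcomes of five dice), i.e. log2(7776) ~= 12.9 bits per word.
SAMPLE_WORDS = ["poke", "park", "like", "quick", "happy", "river", "stone", "cloud"]
DICEWARE_LIST_SIZE = 7776
ALNUM = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def random_password(length: int, alphabet: str = ALNUM) -> str:
    """Draw each character from the OS CSPRNG via secrets (never random.random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words uniformly at random; capitalising only aids readability."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(words))


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace (on average half of it)."""
    return 2 ** bits / guesses_per_second


def compare(guesses_per_second: float = 1e11) -> dict:
    """Entropy and full-search time for the three password styles in the article.

    The default guess rate is an assumed, constructed figure."""
    styles = {
        "8-char random alnum": entropy_bits(len(ALNUM), 8),
        "20-char random alnum": entropy_bits(len(ALNUM), 20),
        "5-word diceware": entropy_bits(DICEWARE_LIST_SIZE, 5),
    }
    return {name: (round(bits, 1), crack_seconds(bits, guesses_per_second))
            for name, bits in styles.items()}


if __name__ == "__main__":
    print(random_password(20), diceware_passphrase(5))
    for name, (bits, seconds) in compare().items():
        print(f"{name}: {bits} bits, full search {seconds / 86400:.3g} days")
```

An 8-character alphanumeric password (about 47.6 bits) falls in under an hour at the assumed rate, while the 20-character random password (about 119 bits) and the five-word diceware phrase (about 64.6 bits) are out of reach of a brute-force search.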

Password Management

There's another layer to password security beyond the strength of one individual password. Password reuse is a danger that must be avoided. We discussed the possibility of an attacker guessing a password via password cracking. If you reuse that password across multiple services (Coinbase, Google, Facebook, banking, etc.), the attacker has now compromised all of those services. It's critical to generate unique, strong passphrases for each of the accounts you use, so that if one is compromised, the others remain safe.

Generating strong, random passphrases is important for resisting attacks, but it also comes with a practical cost: how does one remember all these hard-to-guess passwords? It is impractical, if not impossible, for a person to remember hundreds of passwords for different accounts.

Enter a piece of security software called a password manager. Password managers are programs designed specifically to generate, store, and even autofill secrets - your passwords! The software encrypts all of your passwords, 2FA notes, and payment cards in a vault, using a key derived from your master passphrase. Users only have to remember one very long, strong, random master passphrase to decrypt the secrets stored in the manager. To access your other accounts, the manager can autofill websites' login fields or let you copy and paste your passwords.

Password managers are particularly useful because they prevent password reuse, and allow you to generate and store much stronger passphrases than you can remember on your own. It's critical that you choose a well-vetted, reputable password manager and generate a long, strong master passphrase for encryption. 

Password Power

There's a lot that goes into day-to-day password security, but two components matter most for the average user. The first is the strength of their passwords - in other words, their resistance to password cracking attacks. Strength comes from overall entropy - the randomness and length of the password. Choose long passwords of 20 or more characters, and randomly generate them if you can. If a password must be memorable, diceware is a useful tool. If it must be self-generated, make your passphrase a long sentence of words rather than one or two words.

Second, password management must consider password reuse and avoid it as much as possible. A secure password manager can help by generating, storing, and autofilling a unique password for each service. It's important to choose a long, strong, random master passphrase to encrypt your password manager vault.

Password hygiene is a challenge, but understanding these basic tips will help clean up your password game and build your security skills!

This article was written by our CryptoCurrency Essentials (CCE) Committee, with special thanks to committee member Josh McIntyre.

Disclaimer

The information presented in this article is for educational and informational purposes only. It does not constitute financial advice, investment recommendations, or any form of endorsement. 

The views and opinions expressed by individuals in this article are solely those of the speakers and do not necessarily represent those of C4 or any other organizations with which they are affiliated.

The mention or inclusion of any individuals, companies, or specific cryptocurrency projects in this video should not be considered as an endorsement or promotion.

Regulations and legal frameworks around cryptocurrencies may vary in different jurisdictions. It is your responsibility to comply with the applicable laws and regulations of your country or region. 
