Avoid Credential Stuffing with Stronger Passwords

In the vast world of data breaches and malware, the username and password you use for one of the sites you visit have a high likelihood of being leaked onto the internet in some dark web forum. If you reuse the same password and email on multiple sites, then you open yourself up to a technique called credential stuffing. 
 
Credential stuffing is when the username and password from one data breach are tried against many other sites' login pages, in the hope that the user reuses the same credentials on multiple sites. The best way to stop one data breach from affecting all your other accounts is to use a different password for every website. That makes them hard to remember, because each password should be genuinely unique rather than a small variation on the same one, such as putting the website name at the end of your usual password. Almost every website requires you to create an account to view anything. Solving this problem is easy: use a password manager, because then you only need to remember one strong password.

Checking your accounts for data breaches

A new data breach, whether a misconfigured database server or a malware data dump, seems to show up almost weekly, so it is a good idea to check whether any of your accounts were compromised. The best website to check this is Have I Been Pwned. You enter the email you want to check, and the site tells you whether it appears in any known data breaches and what information was leaked in each one. Usually, it is any personal information you entered on the site and the hashed password. If it says plain text passwords, then your actual password has been leaked.

Picking a good password

The password you use for your password manager should be unique and complex: 16 characters minimum, with a capital letter, a number and a symbol. An easy way to do this is to build it around an acronym, such as:

Congratulat!ons_Accurate_Troublesome_Stenograph!c_0319.

This password is long and has a simple acronym to remember (CATS); the symbols are where the 'i' would be, and the number could be your birth month and day. The symbol replacement is a common substitution, but the added complexity does make brute-forcing that much more difficult. You can think of anything you want: the more random and unique, the better.


The password I just created has 157 bits of entropy and would take 5.79e28 years to break, according to the entropy report from KeePassXC, a free and open-source password manager. KeePassXC tells its users they need not worry about a hacker cracking a hashed password, which for a password manager is an essential feature. However, when a website suffers a data breach, the hash is what bad actors attempt to break, and they can guess at over 10,000,000,000 hashes per second with readily available hardware.
 
The goal is to create a password that is unrealistic to break. Password managers make this a realistic goal and ensure that you don't always have to click the dreaded forgot password button. Create a single, highly complex master password and then have the password manager generate the others. I usually set the character limit to 32, and the password manager generates additional, unique passwords using lower and upper case letters, numbers and symbols. This results in passwords with 150 or more bits of entropy, which means all your accounts are highly protected from being cracked.
 
Misspelling words can increase password entropy levels as they aren’t found in dictionaries. 
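To make the entropy and crack-time figures above concrete, here is an added example (not from the article or from KeePassXC) that computes the entropy of a uniformly random password over the 94 printable ASCII characters, the worst-case years to exhaust the keyspace at the 10,000,000,000 guesses per second quoted above, and generates such a password with Python's `secrets` module. It assumes truly random generation, which is what a password manager does; a human-chosen pattern like the acronym above has less entropy than its length suggests.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 10_000_000_000   # cracking rate the article quotes for readily available hardware
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII characters

def entropy_bits(alphabet_size, length):
    """Entropy of a password drawn uniformly at random: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case years to try the entire keyspace at `rate` guesses per second."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR

def generate_password(length=32, alphabet=ALPHABET):
    """Generate a password with the CSPRNG in `secrets`, as a password manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def compare_lengths(lengths=(8, 12, 16, 32)):
    """(length, bits, years) for uniformly random passwords over ALPHABET."""
    return [(n, round(entropy_bits(len(ALPHABET), n), 1), years_to_exhaust(entropy_bits(len(ALPHABET), n)))
            for n in lengths]

if __name__ == "__main__":
    for n, bits, years in compare_lengths():
        print(f"{n:2d} chars: {bits:6.1f} bits, {years:.2e} years to exhaust at 1e10 guesses/s")
    pw = generate_password()
    print("generated:", pw, "->", round(entropy_bits(len(ALPHABET), len(pw)), 1), "bits")
```

An 8-character random password over this alphabet (about 52 bits) falls in under a year at that rate, while 16 characters (about 105 bits) and 32 characters (about 210 bits) are far beyond it.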

 

Picking a good password manager

There are many password managers available. Here are some recommendations based on personal experience: Lastpass, Dashlane, Bitwarden, and KeePassXC.

Bitwarden is an open-source password manager that works great and supports organizations and password sharing. The open-source aspect is crucial because you can run your own server and have complete control over your data. The browser extension is simple, intuitive, and has varied customization options. One of the best features of Bitwarden is how it handles multiple logins for the same website: simply select the login you want from the drop-down in the right-click menu. This is an excellent option for users interested in complete control, though it requires significant set-up time and an understanding of servers to implement correctly.
 
Lastpass is the best free enterprise-level password manager. It integrates smoothly with all major web browsers, and users rarely have any issues. It has everything you would need, syncs between devices, and helps you fill in forms. If you’re looking for a simple and effective password manager, I suggest Lastpass. 
 
Dashlane is the most expensive at over $50 CAD a year. There is a free version available, but it only works for one device. While there are benefits to paying for this password manager, I believe them to be limited. It is essential for users of this program to remember their master password. Without that critical piece of information, users and support will have no way of decrypting their data. 

 

KeePassXC is a desktop password manager. It does not sync, but it lets the user choose a different password hashing algorithm, such as Argon2 (which won the Password Hashing Competition in 2015). You can store the database in Dropbox or on a USB drive so you can access it anywhere, but that is not as convenient as the other options. One of our developers uses it as a secure local backup of all their passwords and sensitive notes, such as payment information and recovery keys.

 

In terms of security, all the above password managers use standard, well-tested encryption. In addition, KeePassXC lets you choose the algorithm used for its encryption. Although the other password managers do not offer this feature, it is a minor issue, because you should have a strong master password for your password manager in any case. A strong master password ensures that break-ins are virtually impossible.
 
Not all website security measures are made equally. Some websites have extraordinary security requirements, while for others, it’s a much lower priority. Whenever you give a website any personal data, it needs to be protected with a strong password. This is especially true for any website where you enter any payment information. 
 
Memorizing an excess of highly complex passwords is awful and leads to many people forgetting their passwords. Password managers are the best way to protect yourself and ensure that you only have to memorize one password.