In 2021, data breaches are more common than they have ever been, and the data exposed can include not only passwords but more personal information: addresses, social security numbers, bank account numbers, and PINs.
According to CyberNews.com, some of the most common passwords include:
123456
123456789
qwerty
password
12345
qwerty123
1q2w3e
12345678
11111111
1234567890
In the same article, CyberNews noticed a trend of passwords built around a year, such as the person's birth year, the year in which the password was created, or a "special year" that had significance to them.
There are a number of tools and methods that make password cracking less likely. One way to generate passwords offline, using nothing but dice, is Diceware.
Diceware
Diceware works by rolling a die five times (or five dice once) and writing the digits down as a five-digit number; since each digit is 1 through 6, there are 6^5 = 7,776 possible numbers, and each one indexes an entry in a word list. The word list, which also contains some numbers and symbols, then makes up your password (or rather, "passphrase"). For example:
41511 manic
16422 cheat
42245 meyers
In between the words, you can space them out with punctuation, like underscores or periods, to increase their complexity. Additionally, the Diceware method has an option for generating individual characters and symbols, although it takes longer to accomplish.
Roll a die three times or roll three dice for each character and then select one of the tables below:
As the instructions mention, the process is tedious, but passphrases made this way, especially longer ones, are far harder to crack than the common passwords above: each word drawn uniformly from a 7,776-entry list adds about 12.9 bits of entropy, so a six-word passphrase has roughly 77 bits, which is out of reach of offline brute force even when the attacker knows both the list and the method (the security comes from the dice, not from the list being secret). Because the original list contains many short, obscure, and hard-to-spell words, the Electronic Frontier Foundation (EFF) published a new list in 2016 whose words are longer but easier to remember and type. The EFF list contains words like:
53134 saturate
24535 ebay
14314 bucktooth
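As an added, runnable illustration of the Diceware procedure described above (this is example code, not from the Diceware or EFF pages): it parses a word list in the standard "NNNNN word" format, rolls the dice with Python's secrets module rather than the non-cryptographic random module, and computes the entropy of the result. The embedded list is a constructed sample of a few entries taken from the two lists quoted above; a real list has 7,776.

```python
import math
import secrets

# Constructed sample in the Diceware list format ("<five dice digits> <word>").
# A real list (the original Diceware list or the EFF long list) has 6**5 = 7776
# entries; only a handful are embedded here so the example runs offline.
SAMPLE_WORDLIST = """\
11111 abacus
11112 abdomen
41511 manic
16422 cheat
42245 meyers
53134 saturate
24535 ebay
14314 bucktooth
"""


def parse_wordlist(text):
    """Parse 'NNNNN word' lines into a dict keyed by the five-digit dice key.

    Rejects keys that are not exactly five digits in 1..6, which catches a
    corrupted or wrong-format list before it is used for generation.
    """
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        key, _, word = line.partition(" ")
        if len(key) != 5 or any(c not in "123456" for c in key) or not word:
            raise ValueError(f"line {lineno}: bad diceware entry {line!r}")
        table[key] = word.strip()
    return table


def roll_key(rng=secrets):
    """Roll five dice with a CSPRNG and return the key as a string like '41511'."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(table, n_words=6, separator="-", rng=secrets):
    """Generate an n-word passphrase by rolling dice and looking words up.

    With a complete 7776-entry list every roll hits. With a partial table
    (like the constructed sample above) a roll may miss; re-rolling keeps the
    choice uniform over the words that are present.
    """
    words = []
    while len(words) < n_words:
        key = roll_key(rng)
        if key in table:
            words.append(table[key])
    return separator.join(words)


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of an n-word passphrase chosen uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    print(diceware_passphrase(words))
    print(f"six words from a full list: {passphrase_entropy_bits(7776, 6):.1f} bits")
```

The entropy function shows why six words is the usual recommendation: 6 x log2(7776) is about 77.5 bits, and a separator between the words adds nothing to that figure, it only keeps the word boundaries unambiguous.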
A password manager removes the need to remember most passwords at all while keeping them encrypted, and Diceware can be used in conjunction with one: a dice-generated passphrase is a good choice for the master password, which is the one password you still have to remember. As with any type of software, there are numerous password managers, and choosing one depends on personal preference as well as security.
Bitwarden
Bitwarden is a “freemium” password manager, i.e. it has both free and paid versions. Still, the free version has plenty of features. It protects passwords with end-to-end encryption, is open source, and is available in 40 different languages.
Storing a password in Bitwarden is simple. First, set up an account, then install the app on your device or the extension in your browser. Once it is set up, you can start adding passwords to your "vault." As with most password managers, Bitwarden requires a "master password" that grants access to all the other passwords; it is the one password that most needs to be strong.
The “generator” feature enables you to generate strong random passwords for each account you put into the vault without having to remember them. You can choose to make either a traditional password or a passphrase, similar to Diceware.
It also supports two-factor authentication (2FA) to help keep unauthorized users from logging in to your vault; for instance, you can require a code from an authenticator app, or a code sent to your email, at each login. It can also be set to lock the vault when you close your browser. Note that 2FA protects the login to Bitwarden's servers, not the vault data itself: anyone who obtains a copy of the encrypted vault still only has to guess the master password, which is another reason that password must be strong.
Plus, Bitwarden is available on many different platforms: Windows, Mac, and Linux, as well as browser plugins for Chrome, Firefox, Safari, and Tor Browser (to name a few).
KeePass
KeePass is widely regarded in security circles as one of the best password managers all around. Like Bitwarden, it can generate random passwords and protects its database with a master password. It also lets you add a key file as a second factor for unlocking the database, with one caveat: if you lose the key file, you lose access to all of your passwords, so it must be backed up separately from the database. The version discussed below is KeePassXC, a cross-platform fork of the original that is quite similar.
KeePass also has a number of additional features. As in Bitwarden, you can sort your usernames and passwords into groups, like "Work," "Games," etc., and you can set an expiry date and time on each entry. Expiry is most useful as a reminder to rotate credentials that have been shared or that belong to a service that has had a breach; current NIST guidance (SP 800-63B) advises against forcing routine periodic changes of otherwise strong, unique passwords, since that tends to produce weaker, predictable variations.
One feature KeePass has that Bitwarden does not is "Auto-Type," which types your username and password into any application by simulating keystrokes; Bitwarden's browser extension can autofill web forms, and both let you copy passwords out of the database. Because Auto-Type works by sending keystrokes, it does not by itself defeat a keystroke logger. KeePass offers Two-Channel Auto-Type Obfuscation (TCATO), which sends part of the text through the clipboard instead, to make simple keyloggers less effective, but a logger that also reads the clipboard still captures the password.
Also, KeePass's password generator has the option to include "extended ASCII" symbols, characters beyond the printable ASCII set that are not found on a standard keyboard. For example, such a password may look something like: Zt#ßé_`1%\H÷µâZ:NçuÐ.
A cracking program configured only for the standard set of symbols would never try these characters at all. The caveat is that they are hard to type on some keyboards, may be encoded differently by different applications, and are rejected by some sites; a long random password from the standard printable set (about 6.6 bits per character, so 20 characters gives roughly 130 bits) is already beyond brute force. Plus, like Diceware, KeePass can generate passphrases from sets of random words, like "concur exodus omega passover ditzy winner legwork."
If configured to do so, KeePass will also lock the database after a period of inactivity, require the master password to be repeated when it is entered in clear text, and apply other measures to prevent unauthorized access.
Dashlane
Dashlane is a freemium service that, in addition to managing passwords, offers breach monitoring and sign-in across platforms. On its main page, when you first register, it asks for an estimate of how many passwords you have.
Most regular internet users these days probably have somewhere between 10 and 50 passwords, if not more, once financial, social media, and streaming services are counted, to name a few. While it may not have all the security features of a program like KeePass, it does seem very user-friendly.
When you first register, it shows a list of popular social media sites and services like Facebook, Netflix, and LinkedIn. If you click one of the buttons, it will then take you to that site. When you type in your login information on the site, it will now offer to save it for you.
Bitwarden has a similar feature (asking to save new passwords), as do quite a few of the other popular password managers. One helpful security feature that Dashlane offers, on the other hand, is "Password Health," which tells you if any of your passwords are too weak or have appeared in a known data breach. For instance, if one of your passwords is "12345," it will consider it weak and offer to generate a new one.
In addition, its premium version has a "Dark Web Monitoring" feature (which a lot of security companies offer these days). Services implement this in different ways, but typically they check sites where leaked data is known to be shared, as well as credential dumps from .onion sites that have made their way to the clearnet.
Such features are only partially effective, since no service can crawl every "dark web site." Most of them watch popular forums, markets, and paste sites on both the dark web and the clearnet, and alert you when an email address or password in a dump matches what you have registered. A match means that credential should be changed immediately; the absence of an alert does not mean the credential has never leaked.
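As an added example (not Dashlane's code, and not connected to any real service), the following shows how a "Password Health" check like the one described above can be built, including the k-anonymity range lookup that breach-checking services such as Have I Been Pwned's Pwned Passwords expose: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix under that prefix with its breach count, and does the comparison locally. The network call is replaced by a constructed in-memory table so the code runs offline; the breach counts and the second suffix in that table are made up (the first suffix is the real SHA-1 of "password" minus its prefix), and the 12-character length floor is an assumption of this example, not a Dashlane rule.

```python
import hashlib

# Passwords from the CyberNews top-ten list quoted at the top of the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345",
    "qwerty123", "1q2w3e", "12345678", "11111111", "1234567890",
}

# Constructed stand-in for the k-anonymity "range" API used by breach-checking
# services (the design of Have I Been Pwned's Pwned Passwords). The client
# sends only the first five hex digits of SHA-1(password) and receives every
# known 35-character suffix under that prefix with its breach count, one
# "SUFFIX:COUNT" pair per line. The counts below are made up; the first suffix
# is the real SHA-1 of "password" with its 5BAA6 prefix removed, the second is
# a fabricated entry to show that a prefix covers many unrelated passwords.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1D2E1E1C2A0F6B5C0D9E7F8A9B0C1D2E3F4:2\r\n"
    ),
}

# Assumed minimum length for a password to count as not weak (this example's
# choice, not a rule taken from Dashlane or any other product).
MIN_LENGTH = 12


def constructed_fetch_range(prefix):
    """Offline replacement for the HTTPS range request; '' for unknown prefixes."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password, fetch_range=constructed_fetch_range):
    """Return how many times the password appears in the breach corpus.

    Only the 5-character prefix leaves the client; the suffix comparison
    happens locally, so the service never learns the full hash or the password.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_health(password, fetch_range=constructed_fetch_range):
    """Classify a stored password the way a 'Password Health' feature would.

    A breach hit outranks everything else: a long password that has leaked is
    still compromised. Otherwise, membership in the common-password list or
    a short length makes it weak.
    """
    if pwned_count(password, fetch_range) > 0:
        return "compromised"
    if password in COMMON_PASSWORDS or len(password) < MIN_LENGTH:
        return "weak"
    return "ok"


if __name__ == "__main__":
    for candidate in ("password", "12345", "concur-exodus-omega-passover"):
        print(f"{candidate!r}: {password_health(candidate)}")
```

The point to take from the exchange is that the service never sees the password or its full hash, only a prefix shared by hundreds of unrelated hashes. A "no match" result, however, only means the password is absent from that particular corpus, not that it is safe, which is why the length and common-list checks still run afterwards.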
Even though its premium features require a paid account, Dashlane at least gives you the opportunity to try some of these features for free initially, to see if you like them. A premium trial with Dashlane lasts for 29 days before you have to pay.
Other Password Managers
There are numerous other password managers in addition to the three above, such as LastPass, NordPass, LogMeOnce, and RoboForm. Some of these share features, like the password generators, and syncing passwords across devices. If you want to go in-depth, test out the different options until you find one that suits you.
Bonus: Randomly Generating Usernames
As with passwords, some of the methods above also work for generating usernames (Diceware in particular). Roll the dice in the same way that you would for a password, and then use that, or a combination of words, as your username.
An alternative is to use a nonsense word generator or username generator; many are available for free without signing up for a service. For instance, the Soybomb nonsense word generator produces lists of nonsense words that also make good usernames.
Spinxo.com has a similar generator that you can steer by entering hobbies or personality traits. Part of the reason to use a tool like this is that, just as with reused passwords, an attacker can link different accounts of yours that share the same or similar usernames. For example, if you always use the name "BikerGuy," someone can search for all the variations of that username and tie the accounts to you; if you also reuse passwords across those sites, one leaked credential then opens several of your accounts.
While none of this is required, using some combination of any or all of the above tools can help you be a less likely target than someone who uses weak passwords or reuses the same passwords constantly, or doesn’t store their passwords securely. So, it can’t hurt, right?