Originally written for F-Secured – Your complete guide to online security in 2023.
Republished here with permission.

On a weekly basis you’re likely using around 10 different accounts, but did you know that on average each of us already has close to 100 online accounts? Most of us can’t even name all the sites we’ve been creating accounts for – think about all the webstores you’ve made a single purchase from, or perhaps those mobile apps that force an account creation in order to function. Now, if we don’t even remember all the services we’ve signed up for, how could we remember all the required passwords?

Multiple weak passwords

To solve this, people tend to do one or both of the following: they either reuse a handful of passwords (or just one) across all services, or they make some slight but obvious alteration to their common password (like ‘P@sswordFB’ for Facebook, Every month millions of people have their passwords stolen. Here we explain how to keep your passwords secure. Master your passwords ‘P@sswordIG’ for Instagram, and so forth), resulting in multiple weak passwords.

The issue with both is the same: credential stuffing. In a nutshel, it’s likely that your login details have leaked through at least one data breach, and now criminals are trying that one leaked email address + password combination to access a wide range of online services. So, as the name implies, they’re ‘stuffing’ your credentials in many different locks and hoping that they open as many as possible. This is a very popular technique, because it simply works due to reused and weak passwords. By accessing just one of your passwords through a data breach, criminals can now take over several of your accounts. Similarly, if, for example, Facebook login credentials have been leaked, it doesn’t take a criminal mastermind to look for all mentions of ‘FB’ in passwords, and automatically replace them with ‘IG’, and then test those credentials in Instagram.

To combat the impossible task of remembering all passwords, many people have begun to store their credentials in their web browsers. In fact, in a recent survey 75% of respondents said they save at least some of their passwords in their web browser. This is a step in the right direction, but, unfortunately, cyber criminals have noticed this as well. In 2022, the ‘infostealer’ malware type gained popularity among cyber criminals, and it was often specifically used to steal login credentials stored in browsers. For example, in December 2022 alone, F-Secure saw 23 million credentials stolen with malware such as RedLine Stealer, Raccoon Stealer and Vidar Stealer.

Password no-nos

Sometimes passphrases have been suggested as a replacement for traditional passwords. Often passphrases consist of 3-4 random words written together, forming a password that’s relatively easy to remember and almost always longer than its traditional counterparts. And when it comes to passwords, bigger is better. However, when there are hundreds of passphrases to memorize, the system becomes impossible for people to remember and keep track of.

Passphrases gained their 15 minutes of fame several years ago when a popular webcomic XKCD illustrated how the passphrase ‘correct horse battery staple’ is superior to the password ‘Tr0ub4dor&3’. While this is technically correct, we’re willing to bet that a lot of people started using ‘correcthorsebatterystaple’ as their password, which brings us into another big password no-no: common passwords. Using massive lists of common passwords, criminals try them one by one to gain access to accounts. This technique is referred to as a ‘dictionary attack’, as it often can include a literal dictionary’s worth of words that the automated attack goes through to see if one of them has been used as the password for the account the criminal is trying to access.

So, let’s summarize: we all have a hundred or more online accounts. For each of them we should have a password that is strong, and—most importantly—unique, meaning “And this is where password managers come into play.” we only use each password to log in to a single service. Some people even advise that: ‘a good password is one you can’t remember’. Which poses quite a conundrum.

However, modern problems require modern solutions, and this is where password managers come into play. A password manager is an application that not only generates strong and long passwords for you, but it also stores them securely. To access your vault of passwords, you only need to remember one ‘master password’. This, of course, needs to be strong and unique as well, but we’re all much better equipped to remember just one perfect password than a hundred or more of them.

*** This is a Security Bloggers Network syndicated blog from Privacy & Security – Joel Latto authored by Joel Latto. Read the original post at: https://joellatto.com/2023/10/17/master-your-passwords/