Password Security

Password security is important because, without 2FA, a password is the only factor stopping an attacker from gaining access to your beloved accounts. This page serves as a basic guide to password security. For setting password policies in applications, follow NIST SP800-63-4 and/or the NCSC’s advice.

TL;DR

  • Use passkeys instead of passwords where possible.
  • If you can’t use a passkey, use a passphrase consisting of at least three words, separated by some symbol. Add numbers randomly. Capitalise if you want. Optionally, change this every so often so your passwords use different formats.
  • Store your passphrase in a password manager. Use a longer passphrase and 2FA to log into your password manager.
  • Use 2FA everywhere you possibly can.

This can all be done with VaultTub for societies:

  1. Log in to https://vault.bathcs.com/.
  2. On the sidebar, go to Tools > Generator.
  3. At the top, press Passphrase.
  4. Set:
    • The number of words to something greater than or equal to three.
    • The word separator to a random valid symbol of your choice.
    • Optionally, change the above two options every so often so your passwords use different formats.
  5. Copy the password and use it for whatever account.
  6. Save the login in VaultTub or your own password manager.

Attacks

When considering password security, it is important to consider what you are up against. Here is a non-exhaustive list of common attacks:

  • Phishing: tricking someone into revealing their password by some means (usually a fake website login from a dodgy email).
  • Leaked Passwords: using passwords from data breaches. This is commonly associated with credential stuffing, where an attacker will attempt to reuse leaked credentials from one service on other services.
  • Password Spraying: where an attacker tries many common passwords against a large number of accounts on a single service.
  • Brute Force: the adversary tries a load of different passwords against a single account on a service. There are a few sub-types:
    • Simple: try all possible passwords by incrementally cycling through all combinations.
    • Dictionary: use a “wordlist” of common passwords found in breaches. The most well-known is rockyou, though it is pretty small with only a few million passwords. Some lists are in the billions.
    • Hybrid: a sort of combination between dictionary and simple brute force attacks. Modifies words in a wordlist with common changes people make to passwords; for example, if “password” is in a wordlist, the attack might also check “Password123”.
    • Rainbow Table: an offline brute force attack, meaning the adversary needs the hash of your password, which they often don’t have unless a breach has occurred. Essentially they precompute a lookup table of common passwords and their hashes so that leaked hashes can be cracked quickly.
  • Shoulder Surfing: where an attacker either watches or records you typing in your password.
  • Insecure Storage: passwords left in unsecured locations. For example, on a sticky note under a keyboard.
  • Keyloggers: if a device has been infected with spyware, a keylogger can see what keys have been pressed and the attacker can see your password.

Mitigations

Considering everything in the attacks section, what can we do to protect ourselves?

  • Phishing:
    • Use a password manager. A good password manager would not auto-fill on an incorrect domain name.
    • Ideally, use a passkey as they will not work on an invalid domain.
  • Leaked Passwords:
    • Regularly check for your accounts in breaches. Some password managers have functionality built in to check all of your stored accounts against known breaches. Otherwise, there is HIBP. If an account has been found in a breach, rotate it. Otherwise, it is fine to leave it alone (see §8.1.2.1 of SP800-63B).
    • Use a password manager. With a password manager you don’t need to re-use the same password or variations across many accounts. You use one long password and 2FA to access your password manager, then you can make all your other passwords completely unique, therefore mitigating credential stuffing.
    • Use passkeys. A passkey will almost certainly be unique[1] to the breached site, therefore mitigating credential stuffing.
  • Password Spraying:
    • Use a password manager. With a password manager, you can make your passwords ridiculously long without ever having to memorise them all. Spraying attacks only really target common passwords.
    • Use passkeys. There is no concept of “passkey spraying” as passkeys are all unique[1].
  • Brute Force:
    • Use a password manager. Password managers should have built in password/passphrase generators. The NCSC recommends passphrases with 3 or more words. We would also recommend changing the settings of your passphrase generation every so often. If one of your passwords shows up in a breach and the attacker knows the wordlist you use for your passphrases and the format you use (i.e. word separators, capitalisation, number of words), this might speed up brute force efforts for other accounts.
    • Use passkeys. Brute-forcing a passkey can only really be done with a simple brute force attack against the private key, which is infeasible with current hardware against current cryptography.
  • Shoulder surfing:
    • Use a password manager and 2FA. For logging into accounts, your password manager should be able to auto-fill, so an adversary can’t see you type your password. The one exception to this is the password to your password manager. If you enable 2FA, this is less of an issue because the attacker would still need to get past the second factor.
    • Use passkeys. Can’t shoulder surf something you don’t type.
    • Privacy screens. While not perfect, these can block shoulder surfers from seeing what you’re doing on your computer or phone, therefore making it a bit harder to grab your credentials if you type them in.
  • Insecure Storage:
    • Use a password manager. Password managers are meant to be secure storage for passwords.
    • Use passkeys. Passkeys are pretty much always stored securely somewhere, whether that is within a secure enclave on your device, on your password manager’s infrastructure, or on a physical security key.
  • Keyloggers:
    • Stay up-to-date. Make sure you consistently update your devices and software to help prevent malware.
    • Anti-malware. Use anti-malware software. Yes, Linux has anti-malware software too. No, using Linux does not mean you are secure.
    • Sandboxing and mandatory access control. You should probably sandbox applications and apply mandatory access control. This will depend on your OS.
    • Don’t download dodgy stuff. Pretty self explanatory really.

Following the common themes: you should use passkeys instead of passwords where possible. Where it isn’t possible, use a password manager. Wherever possible, use 2FA.

Use Passkeys

Passkeys are a more secure alternative to passwords. You don’t need to remember them as they are created and stored safely by software on your device (or hardware with a security key). Passkeys are also a lot faster to use.

How Do They Work?

They essentially replace your password with public-key cryptography[2]. You securely store a private key for each account and give the server a public key. The private key is something only you should have access to, whereas anyone can see your public key. To log in, the server sends a challenge which can only be answered with the private key, and checks the answer against your public key. Since you should be the only person with the private key, the server knows it must be you.

In the event of a breach, the public key being leaked doesn’t matter because it is public by design. This is another advantage over passwords[3].
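As an added illustration of this challenge-response flow (example code added here, not from the original page), a simplified Go model using Ed25519. The origin https://example.com and the “origin|challenge” message layout are constructed for the demonstration; this is not the real WebAuthn protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator stands in for the device or security key in a simplified model
// of passkey login (per-site key pair, server challenge, origin-bound signature);
// it is not the real WebAuthn protocol. It never hands out a private key.
type Authenticator map[string]ed25519.PrivateKey

// Register makes a fresh key pair and returns only the public key for the server.
func (a Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	a[origin] = priv
	return pub
}

// Sign answers a challenge for the origin the browser actually observed. A lookalike
// domain has no credential here, and the origin is bound into the signed message.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...)), true
}

// NewChallenge is the server's fresh random nonce; reusing one would allow replay.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not return errors on supported platforms
	return c
}

// VerifyLogin needs only the stored public key, so a breach that leaks the
// server's copy does not let anyone log in.
func VerifyLogin(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(origin+"|"), challenge...), sig)
}

func main() {
	auth := Authenticator{}
	pub := auth.Register("https://example.com") // constructed origin
	ch := NewChallenge()
	sig, _ := auth.Sign("https://example.com", ch)
	fmt.Println("genuine login verified:", VerifyLogin(pub, "https://example.com", ch, sig))
}
```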

Usage

To use passkeys, we’d recommend either installing an extension for your password manager (if the password manager supports passkeys), or, if you have money to spend, buy a security key and use that instead (YubiKeys are pretty common).

If your browser is up to date, that’s all you really need to do. Whenever you sign up for a new account, navigate to whatever security settings that service has and add a passkey. Make sure it uses your password manager extension to do so. Unfortunately, adoption has been slow, so many accounts will still require a password. It is therefore important to use a password manager effectively.

Use a Password Manager

Our general guidance for effective use of a password manager is as follows:

  • For the master password, use a long passphrase consisting of five or so words, with special character word separators, and added numbers. This is something you will memorise, so make sure it is memorable, but avoid using personal information (such as birthday, your pets’ names, etc.).
  • Enable 2FA. For a 2FA app, use something sensible. We’d recommend you find an open source one such as ente auth. For more information on 2FA see the 2FA Wiki page.
  • Use the browser extension and app for your password manager. This should give you stuff like auto-fill, password generation, and should make saving new accounts easier.
  • If using VaultTub or Bitwarden, follow the recommended settings on the VaultTub Wiki page.
  • When generating passphrases:
    • Set the number of words to something greater than or equal to three. Optionally, change this every so often.
    • Enable adding a number.
    • Optionally, cycle through word separators every so often.
    • Optionally, cycle between using and not using capitalisation every so often.
    • Save them to your password manager immediately after generation. This will save you from making an account, realising you didn’t save the passphrase, and then having to immediately reset your password.
  • You don’t need to bother with rotating your master passphrase unless you have suspicion of a breach.
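Added here as an example (not code from the original page or from VaultTub), a Go passphrase generator that follows the settings above, with an entropy estimate that also shows the “attacker knows your format” case from the Brute Force section. The six-word sample list is constructed; the 7776 figure is the size of the EFF long wordlist, and the eight-symbol separator set is an assumption.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strconv"
	"strings"
)

// Constructed sample wordlist; a real generator uses a large list such as the
// EFF long wordlist, whose 7776 words the entropy figures in main assume.
var sampleWords = []string{"cactus", "harbour", "lantern", "pebble", "quartz", "velvet"}

// randInt returns a uniform integer in [0, n) from the OS CSPRNG.
func randInt(n int) int {
	v, _ := rand.Int(rand.Reader, big.NewInt(int64(n))) // rand.Reader does not fail
	return int(v.Int64())
}

// GeneratePassphrase picks n words from list, joins them with sep and, if addNumber, appends one digit to a random word.
func GeneratePassphrase(list []string, n int, sep string, addNumber bool) string {
	words := make([]string, n)
	for i := range words {
		words[i] = list[randInt(len(list))]
	}
	if addNumber {
		words[randInt(n)] += strconv.Itoa(randInt(10))
	}
	return strings.Join(words, sep)
}

// EntropyBits estimates the guessing entropy of such a passphrase. knownFormat models
// an attacker who already knows the separator and digit placement (the Brute Force
// concern above), so only the word choices count; otherwise they add a few bits.
func EntropyBits(listSize, n, sepChoices int, addNumber, knownFormat bool) float64 {
	bits := float64(n) * math.Log2(float64(listSize))
	if knownFormat {
		return bits
	}
	bits += math.Log2(float64(sepChoices))
	if addNumber {
		bits += math.Log2(10 * float64(n))
	}
	return bits
}

func main() {
	fmt.Println(GeneratePassphrase(sampleWords, 3, "-", true))
	fmt.Printf("3 words, format known: %.1f bits\n", EntropyBits(7776, 3, 8, true, true))
	fmt.Printf("5 words, format unknown: %.1f bits\n", EntropyBits(7776, 5, 8, true, false))
}
```

The same word count is worth far more when the attacker cannot guess the separator or where the digit went, which is why the format-cycling advice above helps.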

External Resources


Footnotes

  1. except in the extremely unlikely event a collision occurs.

  2. this is a very simple explanation that misses out on a lot of detail. For a nicer explanation, see this Computerphile video. For a more in-depth explanation, see this conference talk, or this goto; conference talk.

  3. unless a PAKE is in use.