March 18, 2022

How to Stop Using Passwords

I've been softly recommending people start using 1Password for the past 5-10 years. I'm no longer going to be soft about it, you have to stop using passwords, they are horrible. 1Password is a password manager. The idea behind password managers is you have it generate a different password for every single website and service you use. It remembers them puts them in a "vault", fills them in, works on your phone, and you remember 1 password to unlock the vault.

Because you can only remember a few passwords, so you'll end up reusing passwords, and those passwords are already public. The technical term is "credential stuffing" that is using publicly leaked passwords to log into other accounts. It's being done to everybody and it's used to steal money, to run extortion schemes, and to get personal data often for identity theft.

My password

It's so bad, that I'll just strait up tell you my old password because it's already public;

219necaol

This was my first memorable password, I kept adding things to the end of it. Sometimes I'd add something different for each site, sometimes I'd add a ! or a number to the end so it would pass validation. I can firmly say that today I don't have any accounts that I'm aware of that use that password. (And after writing this I'm sure someone will find an old forum I used to use and login and make fun of me.)

You don't need to read this blog post to get my password however.

  • If you search for 219necaol you find it on the web. It's in a wordlist offered for use to crack wifi passwords.
  • If you search my email, it's in my spam folder too. I get emails once a week saying someone has hacked my accounts and have videos of me that I'd be ashamed of that they'll send to my work unless I pay them. You might get them too, they're spam and don't worry about them.

Needless to say it's burned, and should never be used again. And in fact it's been breached for years. At least one (and probably many more) of the websites I used that password with was hacked and the data was publicly dumped, sold, or traded. Probably many times.

And google isn't showing you the whole picture. They know bad data is public, so they hide it. If they really showed everything they've found you'd see a lot more results.

Your password

So how do you know if your password is public? The easiest place to go is haveibeenpowned.com this service started by researcher Troy Hunt lets you know which hacks specifically that he's aware of that have included your email and password. It's not an exhaustive list but if you're not in there yet you will be soon. If we were to guess that 5% of all websites get hacked (and even fewer realize it). Do you have more than 25 accounts? One of them has been compromised.

There exists other websites less reputable, that let you search these database dumps for anyone and get the password results. If your email is in haveibeenpowned then your password is on these other sites. It's an automated task to take those passwords and try them against your bank, your facebook, your email, etc. etc.

How to stop using passwords

There are many ways to do this. OS X's keychain with Safari has gotten pretty good. Chrome and Firefox has password managers that sync and are ok. But as I stated before I think the best one today is 1Password. It works best on OSX (windows support is good, but confusing if you're new to password managers). They have long since moved to a subscription model that backs up your passwords and helps you sync between computers and mobile devices.

Depending on your use case, check out their marketing materials to learn more.

If all this sounds simple to you, then you didn't need to read this blog post. It's not for you and that's alright. But a lot of people I know will find this useful and I welcome feedback to improving this document.

Roborooter.com © 2022.
Powered by NextJS and Vercel.