Last Updated on January 21, 2022 at 8:46 pm
It goes without saying that the protection of online privacy and financial transactions is of utmost importance. This article discusses how we can protect our privacy with strong passwords and how to manage these passwords safely.
About the author: Rajavel is a Computer science Graduate from NIT Trichy. He currently works as a software engineer in a premier Investment bank. He is an avid reader of Freefincal. This time he wanted to give back to the Freefincal community by sharing his knowledge on this subject.
Contents
- Encryption & Hashing
- What happens when you sign up/sign in to a website?
- Unique passwords
- Strong Passwords
- Password managers
Disclaimer: I’m not associated with any of the websites/links/password managers mentioned in this article.
Encryption & Hashing
These are two basic concepts that you must understand first, before understanding how passwords work.
Encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext using a key (which is a secret text).
Let us try an example using AES-128 encryption (which uses a 16 character key; each character is 8 bits, so 16*8 = 128). If we encrypt the message “How are you?” using our secret key “ramaramaramarama”, the resulting ciphertext will look like this: “ZGYP4/sparcNYA9WBoF0zA==”.
- You can use this link to play around encrypting and decrypting using AES.
- How much time does it take to decrypt without knowing the key?
- Nobody wants to spend this much to decrypt your message.
Basically, the ciphertext can only be decrypted if we have the key that was used for encrypting.
Hashing is transforming a string of characters into a fixed-length value or key that represents the original string.
The md5 hash of message “Where are you?” is eccd993f47dec88b14a0c982b6948358
- Try to make the md5 hash for some common word.
- Now try to find if you can reverse the hash using this tool. Many precomputed hashes for common words/text are available on the internet.
- Why can't hashes be reversed? Because hashing is one way only.
So you cannot use hashing to STORE something secret: you cannot retrieve the original message after you hash it. Can two different inputs have the same hash value? Yes, but it is near impossible in practice because of the length of the hashes that modern hashing algorithms produce.
What happens when you sign up/sign in to a website?
When you sign up on a website, a hashing function is used to create a hash of the password you entered, stored on their server – the password itself is discarded. When you log in using your password, the password is sent over the network and hashed on the server using a copy of the same hashing function. The resulting hash is compared to the hash stored on the password server. Only if they match will the user be granted access.
Why are passwords stored as hashes? Because if the website gets hacked someday, only the hashes of the passwords will be revealed and not the actual passwords. When data breaches happen these days, the usernames and the corresponding password hashes are sold on the dark web. A lot of precomputed hashes are available on the internet. Basically, for simple passwords like password123, the hashes are well known, so when the hackers see that well-known hash, they can tell that your password is password123. But if the website salts the passwords before hashing, it becomes trickier to crack your password. More on hashing, how hashes are cracked and salts in hashing.
But on spooky random websites, where we created logins just to read articles, play games etc., we never know how they handle our passwords; they might store our passwords as plain text on their servers. Even if they properly store our passwords hashed, they can still see our password when we sign up, because they ultimately need your password in order to hash it and store it. In some cases, the password you enter is hashed in your browser and then sent to their servers, but you never know what changes, since we can't check the source code of every site we use every time. So never trust websites with your passwords.
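To make the point about precomputed hashes and salts concrete, here is an added example (not from the original article) contrasting an unsalted MD5 lookup table with per-user salted, slow hashing. The list of common passwords and the PBKDF2 iteration count are constructed demo values:

```python
import hashlib
import hmac
import os

# Constructed "dictionary" of common passwords; a real precomputed table holds
# billions of entries, but the lookup mechanism is exactly the same.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "rama123"]

def md5_hex(text: str) -> str:
    """Plain MD5 of the text as hex: what a careless site might store unsalted."""
    return hashlib.md5(text.encode()).hexdigest()

# Precomputed table hash -> password. Built once, it works against every
# unsalted hash that ever appears in a breach dump.
PRECOMPUTED = {md5_hex(p): p for p in COMMON_PASSWORDS}

def lookup_unsalted(stored_hash: str):
    """Return the password behind an unsalted MD5 hash if the table knows it, else None."""
    return PRECOMPUTED.get(stored_hash)

# Salted, deliberately slow hashing: what a well-run site should do instead.
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (demo value; tune to your hardware)

def store_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) to keep for a new user; the password itself is discarded."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the login attempt with the user's salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored hashes, so a single
    precomputed table cannot serve both: the work has to be redone per salt."""
    _, h1 = store_password(password)
    _, h2 = store_password(password)
    return h1 != h2

if __name__ == "__main__":
    leaked = md5_hex("password123")  # what shows up in a breach dump
    print("unsalted md5 recovered:", lookup_unsalted(leaked))
    salt, digest = store_password("password123")
    print("salted verify (right password):", verify_password("password123", salt, digest))
    print("salted verify (wrong password):", verify_password("password124", salt, digest))
```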
Okay now let’s assume some random website where you have a login, is compromised, and the hacker managed to find your password. Now it’s easy for him to log in to other websites using the same password or the common variants of it. If your Facebook password was ramaFB123 and was compromised, then ramaTW123 might be a good guess for your Twitter account. There are computer programs that do all this, at speeds of 1 Billion passwords per second. So such variations you create on passwords are not going to protect you. Watch some interesting live-action password cracking here.
Now let’s discuss how websites store our data. We often think all our data is encrypted on the servers behind Google Drive/Gmail/Facebook etc. Yes, all data is encrypted, BUT not with YOUR password as the key; the respective website owns the encryption key. If they had encrypted all your data with your key, even they would not be able to read your data. Yes, you are right, Google can read your emails.
“So where is my password used then?” Your password is only used to check your login in most cases. After verification, they generally give you some unique browser cookie which will hereafter be used to authenticate you. If all of Google Drive data were compromised one day, nobody would need YOUR password to decrypt YOUR files you stored in Google Drive. But these are privacy issues, which we will not cover in this article.
Unique passwords
What did we understand until now? If your password gets leaked out of some random website, then you are probably in danger.
The only solution is to have different passwords for every website we use. We all have signed in to 100s of websites, and it’s simply not possible to remember 100s of passwords. Before moving on to how we can handle 100 different passwords, let us discuss strong passwords.
Strong Passwords
Is Rama123@ a strong password? Try this to find out. It’s not strong, spend some time experimenting on the above website, with various passwords you can think of. If you play with such tools for some time, you will figure out that passwords with more length take more time to crack. Also at greater lengths like 15 characters, it does not matter much if you use Upper case, numbers, and symbols or not. So it’s the length that matters the most in passwords, the longer it is, the safer you are.
So let’s settle on long passwords, but it’s tough to remember 15 random characters. So we bring in the passphrase concept. A passphrase looks like this: “clever pants oxygen sharpener”. It’s 29 characters long, so it’s solid but straightforward to remember. Let us try to understand how.
Let’s try to find how many different PASSWORDS you can make with 29 characters.
Total available characters = 26(lower) + 26(upper) + 10(numbers) + 30(symbols) = 92
Password length = 29
Total No of passwords possible: 92^29 = 890,936,995,405,850,020,916,615,802,384,990,844,247,276,366,492,831,055,872
Wow! It is impossible to brute-force with this big search space (try all possible combinations) for the hacker.
So they would try brute-forcing passphrases instead (now they will try combining words instead of individual characters), but that is not easy either.
Let’s try to find how many different combinations you can make with English words for a 4 word passphrase (like “clever pants oxygen sharpener”).
No of English words available (a simple google search) = 1,71,146
No of Words in our passphrase = 4
Total No of passphrases possible: 1,71,146 ^ 4 = 857,959,946,160,091,395,856.
This is a big enough search space for our password. How much time will it take to crack this? At the rate of 1 Billion password guesses per second, it will take 27,205 years. Still want a tougher passphrase? Just add one more word (clever pants oxygen sharpener nuclear). This 5 word passphrase will take 46 MILLION CENTURIES to crack. You should be happy now!
So a 29 character 4 worded passphrase is almost equally secure as a 29 character random password. Also make sure not to use frequent words, which would make the search space smaller. You can also try some online passphrase generator.
If you introduce numbers, symbols or non-English words into the passphrase, the search space becomes much bigger, which might not be needed. It also adds the tension of remembering complex passwords. Don’t bring in combinations like kj7b)*4H anywhere: you will make the search space bigger (which might not be needed), but you might soon forget the password.
So good passphrases are easy to type, easy to remember, easy to write in some secure location, and hard to crack.
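The search-space and cracking-time arithmetic above, carried through in code as an added example (not part of the original article). It uses the article's own figures (92 symbols, 171,146 words, 1 billion guesses per second, 365-day years) and a constructed mini word list for the generator:

```python
import math
import secrets

ALPHABET_SIZE = 26 + 26 + 10 + 30   # lower + upper + digits + symbols = 92, as in the article
ENGLISH_WORDS = 171_146             # the article's dictionary size
GUESSES_PER_SECOND = 10**9          # the article's assumed cracking speed
SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day years reproduce the article's 27,205

def search_space(symbols: int, length: int) -> int:
    """Distinct passwords (or passphrases) of `length` symbols drawn from `symbols` choices."""
    return symbols ** length

def years_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> int:
    """Whole years to try every candidate at `rate` guesses/second (integer math, no float rounding)."""
    return (space // rate) // SECONDS_PER_YEAR

def entropy_bits(symbols: int, length: int) -> float:
    """Same search space expressed in bits: the usual way to compare password schemes."""
    return length * math.log2(symbols)

def passphrase_vs_password(words: int, chars: int) -> dict:
    """Side-by-side comparison the article makes: N words vs. a random string of `chars` characters."""
    phrase_space = search_space(ENGLISH_WORDS, words)
    random_space = search_space(ALPHABET_SIZE, chars)
    return {
        "passphrase_space": phrase_space,
        "password_space": random_space,
        "passphrase_years": years_to_exhaust(phrase_space),
        "password_years": years_to_exhaust(random_space),
        "passphrase_bits": round(entropy_bits(ENGLISH_WORDS, words), 1),
        "password_bits": round(entropy_bits(ALPHABET_SIZE, chars), 1),
    }

# Constructed mini word list for the demo. A real generator draws from a list of
# tens of thousands of words; the strength is len(word_list) ** n_words, so a tiny
# list like this one gives a weak passphrase no matter how it is chosen.
DEMO_WORDS = ["clever", "pants", "oxygen", "sharpener", "nuclear", "violet", "anchor", "marble"]

def generate_passphrase(n_words: int, word_list=DEMO_WORDS) -> str:
    """Pick words with the `secrets` module (a CSPRNG), never `random`, so the choice is unpredictable."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))

if __name__ == "__main__":
    for key, value in passphrase_vs_password(words=4, chars=29).items():
        print(f"{key:>18}: {value:,}" if isinstance(value, int) else f"{key:>18}: {value}")
    print("5 words, in centuries:", years_to_exhaust(search_space(ENGLISH_WORDS, 5)) // 100)
    print("demo passphrase:", generate_passphrase(4))
```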
Password managers
In the section ‘unique passwords’ we saw that it’s best to have unique passwords for every site we use. After learning about strong passwords we might want to use passphrases for all logins, but still, we cannot remember 100 passphrases.
Password managers come to the rescue, for this article let us assume to use Bitwarden, a famous open-source password manager.
Bitwarden will store all the passwords/passphrases you use for all websites in its vault. The vault will have a master password, which is the only one you will need to remember, preferably a strong passphrase. Before we even move on, stop me and ask me:
“It’s like putting all eggs in one basket, if my master password gets compromised, then all my passwords are compromised. Why would I do this?”
- It’s not possible to remember 100 different passwords.
- Even if we use a single ultra-strong password (or variants of the same password) for all the websites, there is a vulnerability that some weak website might get hacked and hackers get your password exposed. Or some spooky website you logged in might leak your password. Also, some creepy websites might still store your password in plaintext in their servers.
“Ok, why can’t Bitwarden be hacked or leak our passwords someday?”
Because Bitwarden does not have our master password stored. All our data is encrypted, and only we have the key (which is derived from our master password). So even Bitwarden cannot open and read our vault. After we log in, the encrypted vault is sent to us, and decrypting the vault happens on the client side (our computer). Also, our master password is never sent directly to the servers. Watch this video to understand how the authentication takes place in password managers.
“How are you so sure that they cannot do fishy stuff?” Bitwarden is open source, meaning anybody can see their source code. They are also frequently audited by third party agencies. Why should I trust Bitwarden?
“How do they make money then?” They have premium features paid, like family/enterprise options, vault to store files etc. Bitwarden blog answers most of such common questions.
Now let’s add more complexity. In an extreme case, a hacker might guess your master password, or install a key logger on your PC (through some malware) and find your master password. Ok, now we are doomed.
But there is a solution to protect ourselves from this: using 2-factor authentication for Bitwarden. You can configure applications like Google Authenticator or Authy (Google Authenticator vs Authy) with your Bitwarden account to enable 2-factor authentication. The authenticator app will generate a 6 digit number which changes every 60 seconds. Every time you log in to Bitwarden, you will have to enter the 6 digit authentication code. Even if the hacker knows your master password, he cannot find the authentication codes as they keep changing every minute. I’m not discussing 2-factor authentication in more detail here, as it’s a vast topic by itself.
Other major features of Bitwarden: it can suggest random strong passwords when you sign up for websites, it has browser plugins to autofill passwords when you sign in to websites, it has a mobile app, and you can also store other information like identities, credit cards or even secure notes.
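How those changing 6 digit codes are produced and checked, as an added example (not from the original article and not Bitwarden's code): a minimal RFC 6238 TOTP implementation, with the server-side verification that tolerates a little clock drift. The time step is configurable; the RFC default and most authenticator apps use 30 seconds. The secret below is the RFC's published test secret, not a real one:

```python
import base64
import hmac
import struct
import time

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated to `digits` digits."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    mac = hmac.new(secret, msg, "sha1").digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` neighbouring steps for clock drift.
    An old code (outside the window) is rejected, which is why a stolen code is useless minutes later."""
    for k in range(-window, window + 1):
        expected = totp(secret, unix_time + k * step, step, len(code))
        if hmac.compare_digest(expected, code):
            return True
    return False

def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (from the QR code); decode it to raw bytes."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real secret is
# random, generated per account, and shared only between the server and the app.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # the same secret as it appears in a QR code

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("code valid right now:", verify_totp(RFC_SECRET, code, now))
    print("same code 120 s later:", verify_totp(RFC_SECRET, code, now + 120))
```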
Conclusion
- Always use a password manager to store all your passwords.
- Have a strong master password like “clever pants oxygen sharpener.”
- Enable 2-factor authentication in password manager for more security.
Further reading
- Bitwarden vs Google Password Manager
- Many general discussions about passwords
- Join the Bitwarden community on Reddit. You can see a lot of discussions on concepts related to passwords in general, and you can also post your questions there
About The Author
Dr M. Pattabiraman (PhD) is the founder, managing editor and primary author of freefincal. He is an associate professor at the Indian Institute of Technology, Madras. He has over ten years of experience publishing news analysis, research and financial product development. Pattabiraman has co-authored three print books: (1) You can be rich too with goal-based investing (CNBC TV18) for DIY investors. (2) Gamechanger for young earners. (3) Chinchu Gets a Superpower! for kids. He has also written seven other free e-books on various money management topics. He is a patron and co-founder of “Fee-only India,” an organisation promoting unbiased, commission-free investment advice.