Security 101: Passwords

Android Lock Screen (Image credit: Android Central)

With so much of our lives online, secure p@$$w0rdz are a must

Android Central University — Security

Show of virtual hands — how many of us use the same password for everything and everywhere? I hope everyone said no, but I'm sure not everyone did. It's high time we talk about passwords, and why a smart and secure routine is in your best interests.

While for many of us this is common sense, and for the more advanced users it's nothing new, a lot of us can use a little guidance here. There are so many options (both good and bad) and if you've ever had someone get and use one of your passwords, you know how important all of this can be.

Don't wait until that happens. Take control of your online security today, starting with your passwords.

The basics

Android password security

Before we go any deeper, let's go over the basics of good password management. Unless you follow a few simple rules, nothing else you do matters much. We're doing this so we can stay as safe as possible from identity theft and financial loss, but it's also important for things as routine as forum passwords. You don't want someone else impersonating you, ever. Anywhere. Ever.

  • Use unique passwords. Resist the temptation of using the same password for all your logins, because one day that will come back to bite you, no matter how strong that password is. Websites and web services can and do get hacked. If the bad guy gets your login credentials from a website, you can bet he (or she) will try it anywhere and everywhere. Like PayPal. Or your bank.
  • Never use unique identifying numbers or words for your password. Your date of birth, Social Security number or mother's maiden name make horrible passwords. All this information is available elsewhere, and it's tied to you.
  • Use something that isn't likely to be guessed or cracked. P@$$W0RD or ABC123 is not the way to go here. Make your password at least eight characters long, and include special characters, numbers, and a mix of upper and lower case letters. Any password string can be cracked over time, but making it hard on the bastards trying to crack it usually means they will move along to an easier mark. Thieves are lazy. Some people say you're best off using password generators, but remember that random doesn't always mean random. When I want something to be as strong as possible, I generate a password, then add a character between each and every existing character. I end up with passwords that are impossible to remember, but we'll address that in a bit.
  • Never, ever keep your passwords in a plain text file on any electronic device. If someone gets into your phone — or your computer — a file named passwords.txt is like the Alaska Gold Rush. Even if your phone or computer storage is encrypted, encrypt any record of your passwords with its own unique password.

There are endless small things we can do that will help, but always be sure to follow these basics each and every time you need to create a password.
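
The following script is an added example, not code from the article or from Android Central. It shows the basics above in working form: a check for the minimum rules (eight or more characters, all four character classes, and not one of the obviously guessable strings the article names), a generator that draws from the operating system's cryptographic random source rather than an ordinary random-number generator (the "random doesn't always mean random" point), and the author's trick of inserting an extra random character between every character of a generated password. The denylist of weak strings is constructed for the example.

```python
import math
import secrets
import string

# Character classes the article asks for: upper, lower, digits, specials.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"
ALL_CHARS = UPPER + LOWER + DIGITS + SPECIALS  # 86 characters

# Constructed denylist: the kind of "clever" strings the article calls out.
WEAK_EXAMPLES = {"p@$$w0rd", "abc123", "password", "12345678"}


def meets_basics(password: str) -> bool:
    """Apply the article's minimum rules: 8+ chars, all four classes, not a known-bad string."""
    if len(password) < 8:
        return False
    if password.lower() in WEAK_EXAMPLES:
        return False
    return (any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIALS for c in password))


def generate_password(length: int = 16) -> str:
    """Generate a password from the OS CSPRNG (secrets), guaranteeing one char per class.

    The stdlib `random` module is a Mersenne Twister seeded from little entropy and
    is predictable; `secrets` reads from the OS entropy source instead.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    # One guaranteed character from each class, the rest from the full set.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIALS)]
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - 4)]
    # Shuffle with a CSPRNG-backed shuffle so the guaranteed characters
    # don't sit in fixed positions (secrets.SystemRandom uses os.urandom).
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def interleave(password: str) -> str:
    """The author's trick: insert a fresh random character between every existing character."""
    out = []
    for i, c in enumerate(password):
        out.append(c)
        if i < len(password) - 1:
            out.append(secrets.choice(ALL_CHARS))
    return "".join(out)


def entropy_bits(length: int, alphabet_size: int = len(ALL_CHARS)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw, "ok:", meets_basics(pw), "bits:", round(entropy_bits(16), 1))
    longer = interleave(pw)
    print("interleaved:", longer, "bits:", round(entropy_bits(len(longer)), 1))
```

Note that the interleaved password is stronger only because it is longer and every inserted character is itself random; interleaving a fixed filler character adds nothing a cracker can't account for.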

The managed approach

Android password managers

When you get down to the nitty gritty, there are two basic ways to keep track of secure passwords — use a password manager, or keep your own list. Either way can be very effective if done correctly, but for most people — normal folks who aren't total computer nerds — a password manager is probably the best way to keep track of everything.

There are a lot of options when it comes to password managers, both on your phone and your computer. If you're already using one, stick with it unless there's something that is forcing you to change. The single most important thing here is to use it religiously. Don't get lazy at a website and just type something in for a password without adding it to your password manager's database. This way you can use one of those strong, yet impossible to remember, passwords we talked about earlier.

Rather than offer up a suggestion of which one you should pick if you're looking for a password manager, let's talk about what to look for in a good one. Most password managers work the same way. The program is a front-end to a database that securely stores login information, and by signing into the password manager you can retrieve this information when you need it. This way you're only required to remember one strong password, and you can use it to get individual passwords for all your accounts. There are other worthy options that a good password manager will include, and they will be what you use to decide which is best for you.

  • Multiple device support. Make sure your password manager can support more than one device adding to and reading the password database. This way you can use the same software on your phone and your computer. Trust us, this is a must have.
  • Secure storage of the database files. Chances are, your password manager is going to store its sensitive information somewhere that all connected devices can reach. Make sure you trust where things are getting stored. This is where reviews and word-of-mouth can help. If you were to wander into the Android Central forums and ask five different people which password manager is the best (and you should), there's a good chance you'll get five different answers. There are plenty of good options, so be sure to ask the people using them.
  • Secure handling of data while the app is open. If you have a password manager app open on your phone and send it to the background, you want it to freeze completely. Ideally, you don't even want to see any data on the thumbnail in the task switcher. If the database is not locked to ALL users (even root) while the app isn't active, look at a different app. This is extremely important if you've rooted your phone. Install the app you're thinking of using, look in the settings to see how and when you can lock the app, then test it yourself.
  • It needs to be convenient to use. If a password manager is cumbersome to use, you won't use it. Look for things like copying obscured (when things look like this: *******) passwords to the clipboard, or even a built-in way to launch web pages within the app with your login information pre-filled.

The good news is that most of the top-rated password managers in Google Play fit these criteria. I still want you to try them for yourself, but here at the AC office we like mSecure and LastPass. But others, like Dashwire or KeePass, are great, too. Our criteria may be different from yours, so just try them until you find the one that's perfect for you.

Doing it yourself

Encrypted files

While it's a bit more to manage when you do it yourself, this is also an effective way to store and retrieve login information if you're dedicated. Usually, this means a secure place to store a "master" file of passwords that meets your security standards, and a second copy of that list on your device or in a private cloud where you (and only you) can get to it when you need it.

You'll want to pay special attention to file encryption here, because you're doing it manually. Through the day, you can open the encrypted file on your device and retrieve any information you need, or add any new information to it. When you are able, copy this file to the "master" location so that you always have a full and complete backup.

This is a lot of work, and you need to be very security conscious about the files themselves and the places you're storing them, but it does fix one issue that many don't like about using a password manager — the cloud. Companies like LastPass or oneSafe take security very seriously, and aren't likely to get hacked. But as we all know, stuff happens. If one of these companies gets compromised, it's very possible that someone will have access to all your strong passwords and the login data that goes with them. Chances are, this will never happen. Those guys are way better at this than most of us will ever be. But for some people, even the slimmest chance is too much of a chance. We won't judge.

If you go this way, you'll need to secure more than your list of passwords. It's also a lot of work that you can't forget to do. But it does give you complete control over all of your data.

What do we use?

mSecure for Android

We all use a password manager here at AC. We may use different software, but we depend on the people who write this stuff for a living to keep everything safe for us. Because we have different needs and preferences, no one solution fits us all. For example, Phil likes LastPass because of the excellent desktop browser integration. I like mSecure because it allows me to bypass the cloud and sync with a computer on my local network. Andrew uses LastPass because of how well it works across all the browsers and devices he uses — and it's dead simple. Richard uses mSecure because it's cross platform and has an attractive price-point. In addition we all use two-factor authentication on everything Mobile Nations. We need our stuff to stay as safe as it can.

This means we may have to spend a little money on expensive software or subscription services, but when you work online, passwords are part of your livelihood. You may need a specific feature set, or support for something we don't need. What we all have in common, no matter what we do for a living or what we do on the Internet, is a need to keep our information and accounts out of reach of the bad guy.

You need to consider how you want to manage your passwords, choose what's best for you, and use it all of the time, every time.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.