Android password security

With so much of our lives online, secure p@$$w0rdz are a must

Show of virtual hands — how many of us use the same password for everything and everywhere? I hope everyone said no, but I'm sure not everyone did. It's high time we talk about passwords, and why a smart and secure routine is in your best interests.

While for many of us this is common sense, and for the more advanced users it's nothing new, a lot of us can use a little guidance here. There are so many options (both good and bad) and if you've ever had someone get and use one of your passwords, you know how important all of this can be.

Don't wait until that happens. Take control of your online security today, starting with your passwords.

The basics


Before we go any deeper, let's go over the basics of good password management. Unless you follow a few simple rules, nothing else you do matters much. We're doing this so we can stay as safe as possible from identity theft and financial loss, but it's also important for things as routine as forum passwords. You don't want someone else impersonating you, ever. Anywhere. Ever.

  • Use unique passwords. Resist the temptation of using the same password for all your logins, because one day that will come back to bite you, no matter how strong that password is. Websites and web services can and do get hacked. If the bad guy gets your login credentials from a website, you can bet he (or she) will try them anywhere and everywhere. Like PayPal. Or your bank.
  • Never use unique identifying numbers or words for your password. Your date of birth, Social Security number or mother's maiden name make horrible passwords. All this information is available elsewhere, and it's tied to you.
  • Use something that isn't likely to be guessed or cracked. P@$$W0RD or ABC123 is not the way to go here. Make your password at least eight characters long, and include special characters, numbers, and a mix of upper and lower case letters. Any password string can be cracked over time, but making it hard on the bastards trying to crack it usually means they will move along to an easier mark. Thieves are lazy. Some people say you're best off using password generators, but remember that random doesn't always mean random. When I want something to be as strong as possible, I generate a password, then add a character between each and every existing character. I end up with passwords that are impossible to remember, but we'll address that in a bit.
  • Never, ever keep your passwords in a plain text file on any electronic device. If someone gets into your phone — or your computer — a file named passwords.txt is like the Alaska gold rush. Even if your phone or computer storage is encrypted, encrypt any record of your passwords with its own unique password.
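As an added example (not code from the article), here is a small Python checker for the four rules above, plus the author's trick of inserting a character between every character of a generated password. The weak-word list and the sample identifiers (a birth date, a Social Security number, a surname) are constructed for the demo.

```python
import re
import secrets
import string
from math import log2

# Undo common letter-for-symbol swaps before looking for dictionary words,
# so that "P@$$W0RD" is recognised as plain "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

# Constructed, deliberately tiny list for the demo; a real checker would use
# a breached-password corpus.
WEAK_WORDS = {"password", "abc123", "qwerty", "letmein", "welcome"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def _info_tokens(info):
    """Forms of one identifying value (birth date, SSN, surname) that people
    embed in passwords: the bare value and, for an 8-digit date, also the
    year alone and the six-digit form without the century."""
    flat = re.sub(r"[^a-z0-9]", "", info.lower())
    tokens = {flat}
    if flat.isdigit() and len(flat) == 8:
        tokens.update({flat[:4], flat[2:]})
    return {t for t in tokens if len(t) >= 4}


def password_issues(password, personal_info=()):
    """Return the list of rules from the article that `password` breaks;
    an empty list means it clears the basics."""
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        issues.append("needs both upper and lower case")
    if not any(c.isdigit() for c in password):
        issues.append("needs a number")
    if not any(c in string.punctuation for c in password):
        issues.append("needs a special character")

    lowered = password.lower()
    normalised = lowered.translate(LEET)
    candidates = {lowered, normalised, re.sub(r"[^a-z0-9]", "", normalised)}
    if candidates & WEAK_WORDS:
        issues.append("is a well-known weak word with letters swapped for symbols")

    # Search both the raw lowercase password and its de-leeted form.
    haystack = lowered + " " + re.sub(r"[^a-z0-9]", "", normalised)
    for info in personal_info:
        if any(tok in haystack for tok in _info_tokens(info)):
            issues.append(f"contains personal information ({info})")
    return issues


def generate(length=8, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (`secrets`, not `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def harden(generated, alphabet=ALPHABET):
    """The author's trick: keep the generated password and insert one fresh
    random character between every pair of its characters (2n-1 chars)."""
    if not generated:
        return ""
    out = [generated[0]]
    for ch in generated[1:]:
        out.append(secrets.choice(alphabet))
        out.append(ch)
    return "".join(out)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password of this length."""
    return length * log2(alphabet_size)


if __name__ == "__main__":
    info = ["1984-07-21", "123-45-6789", "Kowalski"]  # constructed identifiers
    for pw in ["P@$$W0RD", "ABC123", "Kowalski84!", "Summer19840721!", "xT7#pq2&Lm9v"]:
        print(f"{pw:16} -> {password_issues(pw, info) or 'clears the basics'}")
    base = generate(8)
    strong = harden(base)
    print(f"{base} ({entropy_bits(len(base)):.0f} bits) -> "
          f"{strong} ({entropy_bits(len(strong)):.0f} bits)")
```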

There are endless small things we can do that will help, but always be sure to follow these basics each and every time you need to create a password.

The managed approach

Android password managers

When you get down to the nitty gritty, there are two basic ways to keep track of secure passwords — use a password manager, or keep your own list. Either way can be very effective if done correctly, but for most people — normal folks who aren't total computer nerds — a password manager is probably the best way to keep track of everything.

There are a lot of options when it comes to password managers, both on your phone and your computer. If you're already using one, stick with it unless there's something that is forcing you to change. The single most important thing here is to use it religiously. Don't get lazy at a website and just type something in for a password without adding it to your password manager's database. This way you can use one of those strong, yet impossible to remember, passwords we talked about earlier.

Rather than offer up a suggestion of which one you should pick if you're looking for a password manager, let's talk about what to look for in a good one. Most password managers work the same way. The program is a front-end to a database that securely stores login information, and by signing into the password manager you can retrieve this information when you need it. This way you're only required to remember one strong password, and you can use it to get individual passwords for all your accounts. There are other worthy options that a good password manager will include, and they will be what you use to decide which is best for you.

  • Multiple device support. Make sure your password manager can support more than one device adding to and reading the password database. This way you can use the same software on your phone and your computer. Trust us, this is a must have.
  • Secure storage of the database files. Chances are, your password manager is going to store its sensitive information somewhere that all connected devices can reach. Make sure you trust where things are getting stored. This is where reviews and word-of-mouth can help. If you were to wander into the Android Central forums and ask five different people which password manager is the best (and you should), there's a good chance you'll get five different answers. There are plenty of good options, so be sure to ask the people using them.
  • Secure handling of data while the app is open. If you have a password manager app open on your phone and send it to the background, you want it to freeze completely. Ideally, you don't even want to see any data on the thumbnail in the task switcher. If the database is not locked to ALL users (even root) while the app isn't active, look at a different app. This is extremely important if you've rooted your phone. Install the app you're thinking of using, look in the settings to see how and when you can lock the app, then test it yourself.
  • It needs to be convenient to use. If a password manager is cumbersome to use, you won't use it. Look for things like copying obscured (when they look like this: *******) passwords to the clipboard, or even a built-in way to launch web pages within the app with your login information pre-filled.

The good news is that most of the top-rated password managers in Google Play fit these criteria. I still want you to try them for yourself, but here at the AC office we like mSecure and LastPass. But others, like Dashwire or KeePass, are great, too. Our criteria may be different from yours, so just try them until you find the one that's perfect for you.

Doing it yourself

Encrypted files

While it's a bit more to manage when you do it yourself, this is also an effective way to store and retrieve login information if you're dedicated. Usually, this means a secure place to store a "master" file of passwords that meets your security standards, and a second copy of that list on your device or in a private cloud where you (and only you) can get to it when you need it.

You'll want to pay special attention to file encryption here, because you're doing it manually. Through the day, you can open the encrypted file on your device and retrieve any information you need, or add any new information to it. When you are able, copy this file to the "master" location so that you always have a full and complete backup.

This is a lot of work, and you need to be very security conscious about the files themselves and the places you're storing them, but it does fix one issue that many don't like about using a password manager — the cloud. Companies like LastPass or oneSafe take security very seriously, and aren't likely to get hacked. But as we all know, stuff happens. If one of these companies gets compromised, it's very possible that someone will have access to all your strong passwords and the login data that goes with them. Chances are, this will never happen. Those guys are way better at this than most of us will ever be. But for some people, even the slimmest chance is too much of a chance. We won't judge.

If you go this way, you'll need to secure more than your list of passwords. It's also a lot of work that you can't forget to do. But it does give you complete control over all of your data.

What do we use?

mSecure for Android

We all use a password manager here at AC. We may use different software, but we depend on the people who write this stuff for a living to keep everything safe for us. Because we have different needs and preferences, no one solution fits us all. For example, Phil likes LastPass because of the excellent desktop browser integration. I like mSecure because it allows me to bypass the cloud and sync with a computer on my local network. Andrew uses LastPass because of how well it works across all the browsers and devices he uses — and it's dead simple. Richard uses mSecure because it's cross platform and has an attractive price-point. In addition we all use two-factor authentication on everything Mobile Nations. We need our stuff to stay as safe as it can.

This means we may have to spend a little money on expensive software or subscription services, but when you work online, passwords are part of your livelihood. You may need a specific feature set, or support for something we don't need. What we all have in common, no matter what we do for a living or what we do on the Internet, is a need to keep our information and accounts out of reach of the bad guy.

You need to consider how you want to manage your passwords, choose what's best for you, and use it all of the time, every time.


Reader comments

Security 101: Passwords


Personally,
I have a method to it.
I have all my important sites categorised folder-wise in my bookmarks toolbar.
Each folder has a name, so for example all my banking sites are under the folder "Finance".
For each password for each site I use a pattern which is: aaA@abcd1234
where aaA is the first three letters of the folder name, and one of these letters is a capital letter,
abcd is the first four letters of the website and 1234 is a unique 4-digit PIN which is the same for all my bookmarked sites.
So for each site I get a unique password which I don't even need to remember, as I can simply see the category it is in on my bookmarks toolbar, the name of the website and my 4-digit PIN which is easy to memorise. :D

Anything with a pattern puts everything at risk, no matter how clever the pattern.

What happens when you lose your bookmarks and the folder names?

You can easily create a pattern that isn't reliant on anything but your own mind, I use a slightly similar system where I have two or three base passwords that I select depending on the type of site/service and then I alter those same passwords with something from the site/service I'm using it on so that each one is unique... As long as you perform the same alteration it's a very easy system to remember.

I posted an example of how to do this in one of the comments below... You can argue that if someone saw two such passwords side by side they could figure out the system, but the chances of that happening are possibly even slimmer than the chances of a manager service getting hacked wide open... Though each approach has its merits, managers are obviously easier to use, but also more cumbersome if the service goes down or you need to figure out the password while not online etc.

I use a system much like the one you describe. The biggest impediment, I've found, is that many sites have bizarre restrictions on passwords that both make them less secure and throw a monkey wrench into my system. Ironically enough, financial websites (where you'd want the security to be the highest) tend to be the worst at this. I have several accounts where I'm specifically NOT allowed to use special characters in my passwords. In other cases, password length has an absurdly low MAXIMUM length (like 12-16 characters). Now I have to remember which sites have these stupid restrictions and how I modified my password algorithm to fit their requirements.

Yeah, that's the only stumbling block to making it a really seamless system... I defaulted to NOT including symbols in my base password (opting instead to add a period when needed) since symbols seem to not be accepted more often than they're required.

My base passwords do include numbers and length has rarely been an issue for me (they're between 6-9 characters before the site/service specific modification), probably got lucky there. Capitalization has been my biggest obstacle, though I think that's easily avoided.

I don't capitalize anything by default and it has been the most common requirement for me after just having letters/numbers, but you could easily have a base password with capitalized letters as services that don't require it probably just default everything to lower case.

Changing everything if I decided to switch the base passwords (reason why it's a good idea to have a couple) or alteration system is my biggest worry, but it'd probably be just as much of a hassle with a password manager (just less typing).

If everything used two factor authentication, passwords would matter a lot less!

@distorted loop:
The chances of me losing my bookmarks are much smaller than my passwords getting exposed online. As long as any secure data is stored online, it is always at risk. My bookmarks are synced to my Firefox account so even if I lose them, I still have them online, but not the actual password itself. Unless someone sees me typing my password or uses keyloggers (the risk of which is non-existent for me as I use only very few, personal and trusted devices to be online), it's pretty safe. None of my information is stored online except my bookmarks, and my 4-digit PIN is in my head only.

I have to say LastPass is excellent, and it's free unless you want the premium version which does full Android integration; you can access the free version through a mobile web browser but it is inconvenient.

I use the same password for everything. But it's not a word or phrase. It's a randomly generated string of numbers, letters and symbols that I made myself memorize.

Posted via the Android Central App

You'll still have the trouble of changing your passwords everywhere if someone manages to retrieve it (keylogger, bad websites that could store passwords in plaintext, etc).

That's very true but I'd rather not worry about having 20 different passwords to store or memorize. Even if that's the smarter thing to do, and I agree that it is.

Posted via the Android Central App

The least you can do is modify it slightly for each use in an obscure (to anyone but you) yet consistent way, thus you end up with a unique password for each case.

It's pretty simple to do, let's say your super tough password is 12345 (for simplicity's sake, that's obviously a terrible one). Now let's say you wanna use it on Facebook, maybe you take the service's first three letters and you attach them at the end (12345fac), but maybe you don't wanna be so obvious so you do it backwards (i.e. 12345caf). Maybe you get fancy and you intertwine them instead (c1a2f345), it's only really obvious to you.

The key is to be consistent, so when you wanna use it for your Google account you replicate the process... If you did 12345caf then you do 12345oog, easy peasy.

That's the thing. I don't care. I don't have anything worth stealing. I've destroyed my own credit to the point that I can't even get signed up for any form of credit card or anything like that and I don't have a bank account.

Posted via the Android Central App

So your excuse for making poor life decisions is that you have made poor life decisions?

oh well, seems to be working for you...

My method:

Set up a .doc with headings; Website - Password - Email Address

Then once I've added or removed a password, I save it to a .pdf and then upload it to my cloud storage, which has two-factor authentication.

Horrible Horrible Horrible! This means that there is a plaintext copy of all of your websites, passwords, and email addresses contained on your computer. And it's stored in plaintext on the web, two factor or otherwise. And I would NEVER trust my passwords to the cloud, no matter what security it may have.

Who would want my info? I have no credit history, no money in the bank, and no social networks. I would be honored if someone thought I was worthy of being hacked, lol.

Posted via Android Central App

I own a PC (Windows 8.1), an Android phone (Nexus 4).

I use KeePass to manage my passwords. I store my database file on Google Drive, so it is accessible and synchronized on both my PC and smartphone. KeePass2Android keeps a cached copy of my database file, so even without a data connection I still have access to my passwords.

I also use Two-Factor Authentication (Google Authenticator) to access my most important accounts (Google, Facebook, Microsoft). I also have my most important 2FA codes locally stored on my Pebble smartwatch, so I won't be screwed if my phone battery died.

To make the experience a bit more convenient, I use ChromeIPass to integrate my KeePass database with Google Chrome. It will prompt to unlock the database when it needs to input a password, so my passwords are only accessed with my explicit consent.

All of this is free.

I am an iPhone user, and I used the same 5 passwords, just mixed around. I currently use iCloud Keychain to help me manage and create stronger passwords where I can though. I am highly thinking about looking into LastPass or 1 Password though. With some of the extension abilities of iOS 8, it will make it that much easier to enter and create secure passwords.

Regardless of platform or device, password security is an important part of the growing digital age. Great article Jerry!

Pass

Fact: fingerprint reader passwords are 100% insecure and gimmicky. Fact: you cannot change your fingerprint/password. Fact: you leave your "password" on EVERYTHING you touch. No wonder Sony dropped this gimmick years before Apple "invented" it.

Posted via Android Central App

I use password box. You can use full functionality completely free across all devices for up to 25 accounts, so you can easily give it a try. Works great for me since I use it across my laptop, my iPad and S5.

Check it out: http://j.pbox.io/6RUe3iIV

Posted via Android Central App - Verizon S5

Funny you wrote this article... As soon as I finished reading it, I went onto Facebook and they notified me that someone tried to access my account from China... Just changed my password, needless to say!

Posted via Android Central App

I hope you changed it from Facebook actual, not a site linked from an email or instant message.

Posted via Android Central App on my HP TouchPad (Schizoid PAC-ROM 4.2.2)

I use a password-protected Microsoft Office 2013 Word/Excel file with strong encryption and the OfficeSuite Pro Android app to store/access my secure data in a password-protected encrypted file. The beauty is you can open this file on any device from ANYWHERE in the world with MS Word/Excel or an Android equivalent and internet access. Both support Office 2007+ super strong 128-bit encryption/password.

I like the free-flow format and the open standard of an MS Word/Excel file vs. a "mom and pop" password app. I don't like relying on some mom and pop locked black box proprietary closed format that could lose support or trap my data or go out of business. And MS Word/Excel and OfficeSuite Pro/Documents To Go is free if you already have it.

I then use Dropbox and simply dump this Word/Excel file in my Dropbox so it is available to me from any device anywhere in the world and it is always updated and in sync - and it is encrypted and password protected.

I use this Excel method for my parents and relatives, because it's dead simple.
Myself, I use Keepass synced to OneDrive; I take comfort that it's open source, has been around and maintained for 10+ years, and convenient with its Android app.

Useless. Never been hacked. Who would even think to hack me?
And even if they do, what would they get? Nothing.
No credit cards no nothing, they can only log in to my facebook and post "I'm gay lulz!"
Same password that has a meaning and 321 at the end (not because I want it but because a lot of sites ask for that ish).
Never got hacked, and probably never will, because this isn't a Hollywood movie.
I change that password from time to time when I get bored, but that's the main reason, I get bored of typing one same thing too many times.
Also, about those password generators/keepers and such. Waste of time (for me at least). It generates a pseudo-random password that is bad for multiple reasons.
First, I always have to check the app first. IDK if it requires an internet connection, but if it does then it's terrible.
Then I need to type in that mess of nonsense, and make sure I typed it right. You can't just "feel it" like you can with normal passwords.
Also, every time I change my pass or register on another website or IDK what, I have to visit the god damn app again and type it all in.

But hey, that's just me; if you people feel insecure, and this helps you with it, go ahead, knock yourself out!
Just my 2 cents.

Lol. I do agree though, everyone thinks they are worthy of being hacked.

Posted via Android Central App

In the span of two months last year, I had my Visa card and login information compromised (thanks, Target) twice (thanks, Adobe). Nobody wants to hack me — I'm just a random middle class dude who can't afford a new boat but still looks at them at Bass Pro Shops.

They just got me when they got thousands and thousands of other users.

I think isolated incidents are bound to happen, but a lot of credit card companies and banks have fail safes, so I wouldn't even worry, but I tend to not worry about things like that when other issues are more prominent in day to day life.

Posted via Android Central App

I used to think that way till my Google account got hacked and I lost all my numbers and emails. That sucked.

Posted via Android Central App

I use "Safe In The Cloud", multi platform compatible and sync with most cloud services (GDrive, Dropbox, etc). Has browser integration for desktop.

Posted via Android Central App

I think the basic security provided by the device is more than enough to secure our privacy. Once people see a password-protected device (even if we do not use a 53cUr3 P4$$w0Rd), they won't put so much effort into hacking our password protection. They would just leave the device alone or do a total factory reset. Maybe celebrities' smartphones need so much protection.

But it doesn't mean that protection is not important. We should give some basic protection to prevent unknown persons from directly accessing our phone, seeing messages, and taking private data from your phone's memory. We can simply use the security system provided by the device. To explore more about the default Android security system you can refer to this article: http://siraru.com/3-basic-ways-to-protect-your-smartphone-privacy-androi...

I kept holding off on doing this because password auto populate and sync was supposed to be in chrome but it barely ever works right.

Posted via Android Central App

Even I was one of those who never trusted any software or app for storing my passwords because of their confusing UI, low trust factor and monthly/yearly subscription charges, but after giving Enpass a try my opinion changed completely.
With Enpass I can create unique hard-to-guess passwords for every website and can access my data on all my devices through sync. Not only this, there is no backdoor entry from where anyone can steal my data because they don't store the master password. So it's like me and only me who can have access to my data. Along with it, the clean and simple UI simply increases the number of benefits it's offering.
From my side, thumbs up for Enpass. :)

I just use the "I forgot my password" feature. The security questions are much easier to remember than the password for each site. I can easily remember my mother's maiden name, my first pet's name, or the model of my first car, no problem.

While slightly more complex to get set up, I use KeePass and Dropbox to manage my passwords. I do it because 1) it's free 2) I get multi-platform support 3) I control the encryption without having any other outside company holding the 'key' to my encryption [I'm not *that* paranoid, but it is an additional benefit worth noting].

I have a KeePass database (my 'password vault' as I call it) with a very strong password. I then have that database file on Dropbox (and in fact, I have the entire KeePass application in Dropbox as well as a Portable app so I can have my configuration settings, etc. synced as well.) This covers syncing my passwords in a secure and encrypted way to my PCs.

Then, I use KeePassDroid on my Android devices. I use DropSync (which acts like the 2-way syncing of the desktop Dropbox app) to sync the 'password vault' to my device. Whenever I update a password and save the password database, it then gets synced to my other PCs and my Android devices. The database is there but encrypted so I just have to enter my strong password each time I need one and then I get access to all of my passwords. On some of my devices that I don't use as regularly for things where I'll need passwords, I just use the Dropbox app to open the password database on an as-needed basis.

One of the nice features of KeePass, which I'm pretty sure some of the others have as well, is the ability to generate a random password for me. I can specify how 'complex' I want it to be, etc and it makes it for me. This way I don't ever have to remember my password and it makes it nearly impossible to guess what the password actually is.

Like I said - a little more complex to get set up, but I'm very happy with the setup now that I've done the initial legwork.

I have always wondered - what if these password manager databases are hacked?

Posted via the Android Central App