How to Create a Password System You Can Live With
You could lose your life savings by being sloppy with passwords. So maybe it is worth some effort to improve your security?
Start by improving upon your own current practices, and keep doing so over time. You can make things a billion times better with little effort—literally.
The simplest advice I can give is this: think of a password not as a word but as multiple words or a phrase, hence the term passphrase. That alone tends to generate far superior passwords; if nothing else, they are longer. A simple example is "tomatoes-are-not-a-vegetable".
Below is an outstanding article, albeit too long for many to deal with all at once. Accordingly, parts of it are quoted here with some of the best ideas called out.
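To put numbers on "longer is better", here is an added Python example (not code from the original post) that draws a random passphrase or a gibberish password from the operating system's random source and estimates the entropy of each scheme. The 16-word sample list, the 7776-word size assumed for a real diceware-style list, and the guess rate of ten billion per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the example runs offline. A real
# diceware-style list (the EFF long list, for instance) has 7776 words;
# the strength table below uses that real size where it says "diceware".
SAMPLE_WORDS = [
    "tomato", "vegetable", "lantern", "orbit", "copper", "meadow",
    "quartz", "velvet", "harbor", "pencil", "cactus", "thunder",
    "walrus", "saddle", "glacier", "pepper",
]
DICEWARE_LIST_SIZE = 7776  # assumed size of a real word list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Gibberish password from the OS CSPRNG: meant for a password manager, not for memory."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Passphrase of n_words words chosen uniformly at random and joined by sep.
    Only uniform random choice earns the entropy figures below; a grammatical
    sentence such as "tomatoes-are-not-a-vegetable" is far more guessable than
    five random words, because word order and meaning constrain the choices."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate at the given rate (the attacker's worst case;
    the expected time to hit the right one is half of this)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def strength_table(guesses_per_second: float = 1e10) -> dict:
    """Map scheme label -> (entropy bits, years to exhaust) for a few schemes.
    1e10 guesses/s is an assumed offline-cracking rate, not a measurement."""
    schemes = {
        "8 lowercase letters": entropy_bits(26, 8),
        "12 printable ASCII chars": entropy_bits(len(PRINTABLE), 12),
        "4 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "4 words from the 16-word sample": entropy_bits(len(SAMPLE_WORDS), 4),
    }
    return {
        label: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
        for label, bits in schemes.items()
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(5))
    print("gibberish :", generate_random_password(20))
    for label, (bits, years) in strength_table().items():
        print(f"{label:32s} {bits:6.1f} bits  {years:12.3g} years")
```

The last row of the table is the reason the sample list is only a demonstration: four words from sixteen is 16 bits, which any guess rate clears instantly, while four words from a real 7776-word list is about 52 bits and six words is about 78 bits, on par with twelve random printable characters.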
The world's BEST password advice
By Michael Horowitz.
...We all need hundreds of passwords that need to be created, stored and retrieved. When creating them, they need to be reasonably long and reasonably unique...
...Long passwords (12 characters is probably a minimum length, the exact number is debatable) defeat brute force guessing attacks...
PAPER HAS ITS PLACE... keep your most important passwords away from any type of computing device.
... a password formula is a great solution. It solves three problems: it makes retrieving passwords easy and it helps create reasonably long and reasonably unique passwords.... consider a password as a two-part thing.
One part never changes; it's something meaningful to you that you will never forget. The other part does change but can be very simple and also meaningful to you. That's it. A constant and a variable. This should help you create dozens of unique, yet easily remembered, passwords.
...speaking as a computer nerd, I cannot stress enough how important it is to not re-use passwords...
...ARGUING AGAINST PASSWORD MANAGER SOFTWARE: the knee-jerk reaction of techies is typically to use a password manager. I think a formula is often a better option...
...The best way to deal with security questions was to treat them like a second password. When asked the name of a person, give the name of a place. When asked the name of a place, use the name of a person instead...
...LIE TO YOUR PASSWORD MANAGER...
...PASSWORDS CAN BE TOO SECURE...
...BEWARE OF BROWSER EXTENSIONS...They see everything on every web page...
MPG: note the first comment “We all need hundreds of passwords...”. I’d bet that most people have fewer than 5 passwords, heavily re-using them.
I do use a password manager, but I agree it is largely for techies and has a significant learning curve for ordinary users to master, even setting aside the other issues with one, which demand additional techie knowledge because of the “all eggs in one basket” approach. For such users, paper passwords using a password formula approach may be the best idea.
I hadn’t realized how incompetent some password managers are, like LastPass. I worked in security (encryption, Pretty Good Privacy aka PGP) for years and it sure looks like 1Password does things right.
If you use paper for passwords, do append a prefix and/or suffix to all of them, but do NOT write that down. Then even if your paper is obtained, they won’t work without that additional prefix/suffix.
I also incorporate a formula approach along with extra rules. And I use gibberish passwords intentionally for some sites, so that even *I* cannot remember them—perfect for a password manager. I mix various rules to suit, depending on the importance of the login. And I use 2FA (two factor authentication) in some cases (password plus a one-time-use code).
Anti-security web-site design
Most web sites force us to use an email address to log in. Not only does this mean it has to be an active email (which might later go dead), it defeats security in a big way, since the user login name is now known in advance. This hugely simplifies the job of hackers breaking into accounts across services, particularly those that re-use the same password! Stupid beyond belief, but that’s how sites are designed these days—by morons. These same morons often prohibit various characters in passwords and/or limit their length—unbelievable. These same morons make you provide answers to fixed security questions—terrible idea.
Apple iOS makes it such a pain in the ass to enter a complex password, that most users (including me) choose mediocre passwords. It’s a total fail in every way. Shame on Apple for making it so hard.
For example, I cannot use a complex password because I often mis-type it, which I cannot see, because Apple hides the typed text from me as I type it! Then if I get it wrong more than a few times, some sites lock me out. You cannot win with such a stupid design. Accordingly, I just do not use my phone or iPad for things that require a password—I refuse the two shitty choices of poor security or difficult-to-use.
See also: Why Passkeys Will Be Simpler and More Secure Than Passwords.
Reader Christopher C writes:
After noting that LastPass had been hacked, I was curious as to whether 1Password (which I have used for years, and see that you do too) had a blog post that mentioned it. They do, and it has a very interesting section about the advantages of optimizing the security of passwords by maximizing randomness — something I hadn’t thought through previously.
MPG: I hadn’t realized how incompetent some password managers are, like LastPass. I worked in security (encryption, Pretty Good Privacy aka PGP) for years so I consider myself competent in evaluating the general security approach of a product, and it sure looks like 1Password does things right.
Reader Tait S writes:
I had been a theoretical believer until I checked this website: https://haveibeenpwned.com/
Now I have password religion!
MPG: that's a good site to check. It has some connection to the 1Password password manager, which I use and which, as far as I know, has proven secure over the years—so far so good. But you can never really know how good code is; assurances are worth little because the programmers themselves, by definition, are unaware of the security flaws they do not know about.
For years I got "pay us bitcoin" emails and still do because of one incompetent web site that stored unencrypted passwords in their database.
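The haveibeenpwned check Tait mentions can be done without ever sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every breached-hash suffix sharing that prefix, so the match is made locally. Here is an added Python example (not code from the post, nor from the haveibeenpwned project) implementing that client side. The response text is constructed for offline use, and its counts are made up, although the SHA-1 of "password" is real.

```python
import hashlib
import urllib.request

# Constructed stand-in for what the range endpoint returns for prefix 5BAA6.
# Each line is <35-hex-char suffix>:<breach count>. The middle suffix really is
# the remainder of SHA-1("password"); the other two lines and all three counts
# are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
00000000000000000000000000000000AAA:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBBB:1
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """(5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, response_text: str) -> int:
    """Scan a range response for our suffix; 0 means not found in any breach."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count_offline(password: str, response_text: str) -> int:
    """Breach count for `password` against an already-fetched range response."""
    _, suffix = split_hash(password)
    return count_in_range(suffix, response_text)


def pwned_count_online(password: str, timeout: float = 10.0) -> int:
    """Same check against the live service; only the 5-char prefix leaves the machine.
    Add-Padding asks the service to pad the response so its size reveals nothing."""
    prefix, suffix = split_hash(password)
    request = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "passphrase-check-example"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        body = response.read().decode("utf-8")
    return count_in_range(suffix, body)


if __name__ == "__main__":
    for candidate in ("password", "tomatoes-are-not-a-vegetable"):
        n = pwned_count_offline(candidate, SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {n} times in breaches" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Padded responses contain extra lines with a count of 0, which the scan above treats the same as any other non-matching line; a count above zero for a password you use anywhere means that password should be retired, however strong it looks.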