We’ve previously discussed what not to do when constructing passwords. I put a stake in the ground at 14 printable ASCII characters for offline systems and 20 for systems accessible over the internet. (Remember that those are minimum numbers. I tend to default to 32 characters whenever possible). Couple this with a “no repeat” recommendation and most people’s brains are about to explode!
What to do?
Get a password manager! A password manager stores and encrypts all of your passwords and provides access to them based on one master password. (We’ll talk about how to come up with a good one later.)
When choosing a password manager, be realistic about how much you want to invest in maintaining it. This will determine whether you go with an online system or a locally stored database. For most users, online systems are recommended. The setup portion is always the longest, but once you have it up and running, everything else becomes simple. It is the easiest option to create new passwords and keep track of them.
With a simple copy and paste (or autofill, as some browser plug-ins allow) you will never again need to type out the bulk of your passwords. And when services such as Twitter are hacked, you simply generate a new password in your manager and copy it over to Twitter. You can make these passwords 32-character ASCII soup because you don’t need to memorize them.
What do you do with the passwords that can’t easily be stored in a password manager? These are usually passwords to devices (laptop, phone, domain-joined workstation, etc.) as well as the master password to your password manager. How do we make these better?
To start, let’s move away from using “passwords” to using “passphrases.” You can use (1) lyrics from a song or poem or (2) an acronym of the above.
Example for 1:
Twenty5orSix^Four (a 17-character mixed password). This is obviously a song by Chicago. It would be better to pick a more obscure song that wouldn’t be the first guess (like this one may be).
Example for 2:
Dnggitgn,Oasbaracod;Rratdotl (a 30-character mixed password). If you’re a fan of Dylan Thomas or have seen the movie Interstellar, you might recognize this as an acronym of “do not go gentle into that good night.”
Passphrases take longer to type out initially, but after some time they get easier and I think they’re easier to remember. But don’t reuse these examples as they are no longer secret (reference No. 1 and No. 3 from my previous post).
Now, most of your passwords are safely stored in your password manager — should you write down the master passphrase that gets you into the password manager? Security expert Bruce Schneier recommends writing down passwords on a piece of paper and keeping it in your wallet. Treat that piece of paper like a credit card — it comes out of the wallet to be used and then goes right back in the wallet.
With a password manager, you don’t have any reason to succumb to the pitfalls discussed in my previous post. My online banking password is 32 characters randomly generated from the full printable ASCII table. Can you be that boldly secure?
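As an added example (not code from the original post), here is a short Python script covering both techniques above: it builds an acronym-style passphrase (technique 2) from a quote, generates the kind of 32-character random printable-ASCII password meant to live in the manager, and checks both against the 14/20-character minimums. The `acronym_passphrase` function keeps every punctuation mark, so its output differs slightly from the hand-made version in the post; the function names are my own.

```python
import math
import secrets
import string

# Minimum lengths stated in the post: 14 printable ASCII characters for
# offline systems, 20 for systems reachable over the internet.
MIN_LEN_OFFLINE = 14
MIN_LEN_ONLINE = 20
# The "full printable ASCII table" minus the space character: 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def acronym_passphrase(text: str) -> str:
    """Technique (2) from the post: keep the first letter of every word plus
    any punctuation glued to the end of that word (commas, semicolons, ...).
    The punctuation is what gives the result mixed character classes.
    Strength here comes from the obscurity of the quote, not from length."""
    parts = []
    for token in text.split():
        word = token.rstrip(string.punctuation)
        trailing = token[len(word):]
        parts.append((word[:1] + trailing) if word else trailing)
    return "".join(parts)


def random_password(length: int = 32, alphabet: str = PRINTABLE) -> str:
    """A password-manager entry: uniformly random printable ASCII, drawn from
    the OS CSPRNG via `secrets` (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_minimum(password: str, internet_facing: bool) -> bool:
    """Apply the post's minimum-length rule and require printable ASCII only,
    so the password can be typed on any keyboard or pasted into any form."""
    floor = MIN_LEN_ONLINE if internet_facing else MIN_LEN_OFFLINE
    return len(password) >= floor and all(c in PRINTABLE for c in password)


if __name__ == "__main__":
    quote = ("Do not go gentle into that good night, Old age should burn and "
             "rave at close of day; Rage, rage against the dying of the light.")
    phrase = acronym_passphrase(quote)
    print(phrase, len(phrase), meets_minimum(phrase, internet_facing=True))
    pw = random_password()
    print(pw, round(entropy_bits(len(pw), len(PRINTABLE)), 1), "bits")
```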