EDIT (20 JAN 2015): The worst passwords of 2013 list has now been compiled and released. This just further proves my point that your passwords (probably) suck.
I know what you’re thinking, “I don’t have the time or energy…or even the knowledge…to change and manage dozens or hundreds of passwords for all my accounts.” Guess what. I don’t either…and I promise that I have to keep track of WAY more passwords than you do.
Let’s talk for a second about what makes a good password. Passwords should be horribly long and ridiculously complicated. Something like this would be a good password:
That password is 30 characters long with both upper and lower case letters, numbers, and special characters. It does not use any dictionary words and is completely nonsensical to any human in any language. It’s also just about impossible to remember. If you had a few dozen passwords or more like this to keep in your brain? Forget about it…
Another good choice might be something like this:
This is a pass phrase with most of the same characteristics of the nonsensical password listed above–32 characters, both upper and lower case letters, numbers, and special characters. The difference here is that this password does use dictionary words to allow the user to create an image in their mind’s eye which will ultimately aid remembering that password.
Still, it might be difficult for all but the most diligent users to remember a few dozen passwords in that format. This becomes increasingly difficult if the password has to change every so often, as many corporate passwords do.
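As an added example (not code from the original post), the Python below generates passwords with the properties just described and vets a candidate against them; the word list is a small constructed stand-in for a real dictionary, and the passphrase style (deliberate dictionary words) is intentionally outside what this checker accepts.

```python
# Added example, not from the original post: generate and vet "nonsensical" passwords
# with the properties described above: long, all four character classes, no dictionary words.
import math
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 86 symbols

# Constructed stand-in for a dictionary; a real check would load a full word list.
DICTIONARY = {"password", "rotting", "tomatoes", "summer", "welcome", "admin", "letmein", "monkey"}


def meets_criteria(pw: str, min_len: int = 30) -> bool:
    """True when pw is at least min_len characters, contains at least one character
    from each of the four classes, and contains no dictionary word as a substring."""
    if len(pw) < min_len:
        return False
    for cls in (UPPER, LOWER, DIGITS, SPECIAL):
        if not any(c in cls for c in pw):
            return False
    lowered = pw.lower()
    return not any(word in lowered for word in DICTIONARY)


def generate_password(length: int = 30) -> str:
    """Return a password drawn from a CSPRNG (secrets) that satisfies meets_criteria().
    Rejection sampling keeps the result uniform over the accepted strings."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_criteria(pw, length):
            return pw


def entropy_bits(pw: str) -> float:
    """Guessing entropy of a uniformly random string of this length over ALPHABET.
    This is an upper bound: it only holds if every character really was chosen at random."""
    return len(pw) * math.log2(len(ALPHABET))


if __name__ == "__main__":
    candidate = generate_password(30)
    print(candidate, f"({entropy_bits(candidate):.1f} bits)")
```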
The best way to have your cake and eat it too–that is to have ultra secure passwords and still be able to remember them–is to use a password manager to generate and keep track of all passwords for all of your websites. You can generate one complicated pass phrase (such as my “rotting tomatoes” example) to access the password manager and then the password manager keeps track of all the nonsensical passwords needed to login to various services. I’ve been using password managers for at least 10 years and it has made my life incredibly easy. Well, incredibly easy in terms of remembering passwords, at least.
I recommend two different password managers for different reasons and budgets. First, KeePassX is a free password manager that we use in our office and it does a great job. There are desktop clients for Mac, Windows, and Linux and there are also mobile clients for both iOS and Android (perhaps Windows Mobile too, but I’m not sure). You can create a single password database that can be read and written by any of the desktop or mobile clients and, if you store that database in a Dropbox (or similar) account, you can keep your passwords synced across all of your devices and have your most current passwords wherever you are.
The downside to KeePassX is that only one user can update the database at one time, so if you leave the database open on your home computer and need to add a password while you’re out at the bank (for example) you cannot do that because the first user is still editing the file. (Long and complicated explanations of file locking and so forth here.) Also, there is no browser integration, so you’ll be cutting-and-pasting usernames and passwords all the time. That’s not such a big deal; I did it for years.
The second password manager I recommend is 1Password, which is the one I use at home for myself and my family. It has all of the features I described for KeePassX as well as native Dropbox syncing, multi-user simultaneous access and editing, and browser integration so you have no cut-and-paste work to do. It’s a wonderful product and I’m very happy with it. The only downside is that it does cost money to purchase the desktop app as well as the mobile apps, which are all sold separately. In my opinion, however, it is worth every penny.
Some people use and love LastPass as well. I have used this software and I have no problem recommending it. Personally, however, I prefer to use an app on my computer or phone and LastPass is only browser-based so you must have an internet connection to use it.
EDIT (20 JAN 2015): Supposedly, LastPass just introduced a Mac-only desktop application as a companion to their browser plugins. At the time of this writing, I have been unable to find an exact link to download the software but rumors say it’s coming. Watch their website and blog for updates.
In the end, no password is 100% secure. An evildoer who is really interested in accessing your accounts will do it regardless of the precautions you take. Your job is to make their job as hard as possible. In all likelihood, that evildoer will move on in search of easier prey–like someone who hasn’t read my article.
…and just to be very clear about things… Now that I’ve published this article I strongly recommend that you do not use any of the passwords I’ve listed here. 😉
If you have a favorite password manager or method of keeping your digital life secure, I’d love to hear about it! Hit me up in the comments!