One of the biggest distractions of modern life is passwords. Many web services and forums require that you set up a separate user name and password. You have to develop and maintain a system to remember it all. And you have to enter these user names and passwords many times per day.
Even the lightest of users may have a dozen or so online accounts and heavy users have hundreds. How do you keep track of all these passwords?
The Way Most People Manage Their Passwords Is Not Secure
The way most people manage their passwords is to use a 2 or 3 password system. A typical 3 password system is to use:
- The same short and simple password for unimportant accounts
- A better password for all moderately important accounts
- The best password for critical accounts such as online banking
While this makes passwords easy to remember, this is not a secure password system. Password thieves understand and increasingly exploit this common setup to compromise accounts and sometimes even take over identities. Having your e-mail or financial accounts compromised is a considerable distraction and having your identity stolen is even worse.
Typical Password Advice Is Unrealistic
Unfortunately, if you follow typical password advice you’ll suffer even more password distractions. Overwhelmingly long lists of password rules include using a mixture of uppercase, lowercase, numeric, and special characters, never storing passwords electronically, and changing your passwords every few months, just to name a few. Some of this password advice is unnecessary, yet how do you know which?
More importantly, how many people outside of the security industry have the time, patience, and motivation to manage passwords like this?
A Better Way to Manage Passwords—the Short Version
Here’s a much better way to manage passwords:
Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password.
Why does this work so well?
It’s convenient. Your password manager automatically stores and enters all user names and passwords for you and associates them with the correct web site. All you need to do is enter your master password once at the beginning of your computer session.
It’s much more secure. Because all your passwords are unique, random 15 character jumbles, your passwords are nearly impossible to crack by brute force. Even if one of your accounts gets compromised through no fault of your own, no other accounts will be compromised.
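As an added illustration (this is not code from the original post), the following Python generates a password of the kind recommended above with the operating system's cryptographic random source and puts a number on the brute-force claim. The 94-symbol character set and the attacker's guess rate are assumptions, not figures from the post.

```python
import math
import secrets
import string

# Assumed character set (the post does not specify one): letters, digits
# and ASCII punctuation, 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 15, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password of the given length.

    secrets.choice draws from the OS CSPRNG; random.choice must not be used
    here because its Mersenne Twister output is predictable.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def expected_crack_years(length: int, guesses_per_second: float,
                         alphabet_size: int = len(ALPHABET)) -> float:
    """Expected brute-force time in years.

    On average an attacker must try half the keyspace before hitting the
    right value, so the expectation is keyspace / 2 / guess rate.
    """
    keyspace = alphabet_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("sample password:", generate_password())
    print(f"entropy: {entropy_bits(15):.1f} bits")
    # Assumed attacker speed: 1e11 guesses/s against a fast unsalted hash.
    print(f"expected brute-force time: {expected_crack_years(15, 1e11):.2e} years")
```

The same functions show why the reused short password of the 3 password system is the weak point: a 15-character password drawn from this alphabet carries about 98 bits of entropy, while an 8-character one carries about 52 bits and falls to the same attacker in hours.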
A Better Way to Manage Passwords—the Long Version
The rest of this post is a guided index to a series of posts I wrote on password management, set up so that you can learn as little or as much as you like.
If you’re new to password management and want to develop some intuition through extended metaphors, first read Password Management for the Average Joe. Then, to better understand why password managers are the best solution for typical users, read Why Use a Password Manager.
If you’re ready to choose the password manager that’s best for your situation, read Which Password Manager. For tips on how best to use your password manager, including master password selection, read Tips for Wise Use of Password Managers, Including Master Password Selection. You might also want to read Bad or Useless Advice About Password Management.
You’ll be better able to defend yourself against password theft if you take the time to read and understand How Attackers Steal Passwords, and How Attackers Exploit the Usual Way Passwords Are Managed.
To improve password management without the use of a password manager, read A Base Phrase Approach to Password Management.
Here’s a list of Definitions For Common Password Security Terms.
It took me hundreds of hours of research to write this comprehensive set of posts on passwords, and I continue to spend more time maintaining this guide as new developments occur in the password security field. I received help from a few security experts along the way, some of whom provided feedback after carefully reading through my posts. These people are:
- Carl Hallberg, Information Security Engineer at Wells Fargo
- Mark Burnett, author of Perfect Passwords
- Ron Bowes, Skull Security, Security Research Engineer at Tenable Network Security
- Simon Davis of RoboForm
- Jeffrey Goldberg of Agile Web Solutions
One other person I would like to acknowledge is Karin Fisher-Golton, my wife. She uses her skills as a children’s book writer and former technical writer/editor to edit most of my posts. She went above and beyond the call of duty helping me refine this password management series.
A sincere thanks to all of you who helped make this guide useful, accurate, and comprehensive.