One of the biggest distractions of modern life is passwords. Many web services and forums require that you set up a separate user name and password. You have to develop and maintain a system to remember it all. And you have to enter these user names and passwords many times per day.
Even the lightest of users may have a dozen or so online accounts and heavy users have hundreds. How do you keep track of all these passwords?
The Way Most People Manage Their Passwords Is Not Secure
The way most people manage their passwords is to use a 2 or 3 password system. A typical 3 word system is to use:
- The same short and simple password for unimportant accounts
- A better password for all moderately important accounts
- The best password for critical accounts such as online banking
While this makes passwords easy to remember, this is not a secure password system. Password thieves understand and increasingly exploit this common setup to compromise accounts and sometimes even take over identities. Having your e-mail or financial accounts compromised is a considerable distraction and having your identity stolen is even worse.
Typical Password Advice Is Unrealistic
Unfortunately, if you follow typical password advice you’ll suffer even more password distractions. Overwhelmingly long lists of password rules include using a mixture of upper, lower, number, and special characters, never storing passwords electronically, and changing your passwords every few months, just to name a few. Some of this password advice is unnecessary, yet how do you know which?
More importantly, how many people outside of the security industry have the time, patience, and motivation to manage passwords like this?
A Better Way to Manage Passwords—the Short Version
Here’s a much better way to manage passwords:
Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password.
Why does this work so well?
It’s convenient. Your password manager automatically stores and enters all user names and passwords for you and associates them with the correct web site. All you need to do is enter your master password once at the beginning of your computer session.
It’s much more secure. Because all your passwords are unique, random 15 character jumbles, your passwords are nearly impossible to crack by brute force. Even if one of your accounts gets compromised through no fault of your own, no other accounts will be compromised.
A Better Way to Manage Passwords—the Long Version
The rest of this post is a guided index to a series of posts I wrote on password management, set up so that you can learn as little or as much as you like.
If you’re new to password management and want to develop some intuition through extended metaphors, first read Password Management for the Average Joe. Then, to better understand why password managers are the best solution for typical users, read Why Use a Password Manager.
If you’re ready to choose the password manager that’s best for your situation, read Which Password Manager. For tips on how best to use your password manager, including master password selection, read Tips for Wise Use of Password Managers, Including Master Password Selection. You might also want to read Bad or Useless Advice About Password Managment.
You’ll be better able to defend yourself against password theft if you take the time to read and understand How Attackers Steal Passwords, and How Attackers Exploit the Usual Way Passwords Are Managed.
To improve password management without the use of a password manager, read A Base Phrase Approach to Password Management.
Here’s a list of Definitions For Common Password Security Terms.
Acknowledgements
It took me hundreds of hours of research to write this comprehensive set of posts on passwords, and I continue to spend more time maintaining this guide as new developments occur in the password security field. I received help from a few security experts along the way, some of whom provided feedback after carefully reading through my posts. These people are:
- Carl Hallberg, Information Security Engineer at Wells Fargo
- Mark Burnett, author of Perfect Passwords
- Ron Bowes, Skull Security, Security Research Engineer at Tenable Network Security
- Simon Davis of RoboForm
- Jeffrey Goldberg of Agile Web Solutions
One other person I would like to acknowledge is Karin Fisher-Golton, my wife. She uses her skills as a children’s book writer and former technical writer/editor to edit most of my posts. She went above and beyond the call of duty helping me refine this password management series.
A sincere thanks to all of you who helped make this guide useful, accurate, and comprehensive.
After reading your series about Password managers, and few months of procrastination, I finally started using KeePass. Well, my partner Jim kickstarted my use of it, too. I LOVE it! What a big help. It’s amazing how much I refer to it in my daily work.
Thanks for all the good information, FilterJoe…
Thanks for your comment, Esther. I’m always really happy to hear when my password series gets people started on the road to good password management, and yours is a common pattern: Read, agree, procrastinate, start (maybe a little rough for the first week), then love it (how did I ever live without a password manager?).
Feel free to spread the word (Facebook, Twitter, Etc.)!
Hi Joe
I want to endorse your work here, too. Good job!
I’ve recently moved to using a password manager myself. I chose a solution that caters to my needs with the help of your excellent advice.
I would still recommend my ‘One Ring’ idea — as an admittedly less secure, but arguably more convenient — alternative to a password manager to anyone who’s still using one password for everything (Very Bad Idea), or the ‘usual’ setup of three passwords (Bad Idea). As we’ve discussed before, it’s horses for courses.
Social engineering, and password resets, remain massive holes in even the best laid password schemes. See for example:
http://www.cbsnews.com/news/amazon-wish-list-is-gateway-to-epic-social-engineering-hack/ which used adding a credit card to Amazon as a gateway. Your email account is the gateway to all other accounts: and it’s also the account you want access to from the most places.
I agree, Bryce. It’s a good idea to avoid using your email address as a user name as much as possible – and do not allow password resets if given a choice. Google frequently prompts me to enter password reset info but I never give it to them because I don’t want anyone else to have the ability to reset my password. A password manager does help in the sense that I don’t need a password reset to ever occur, because I will never forget my password.