This is something I have written for a project I am currently writing. Any corrections/suggestions gratefully received.
Advice on setting and managing passwords
This is a selection of advice on setting and managing passwords when signing up to a site on the internet. The idea is that anyone who doesn't have a lot of experience with the world wide web isn't just thrown in at the deep end.
If you just want the short version: use a password manager and take advantage of not having to remember all your passwords to set a different complex password on every site. Also take especially good care of your email account password.
Password Managers
If you take nothing else away from reading this, then I hope you start using a password manager. You may have heard that they are a risk. Yes, they are: like all software, it is incredibly difficult to ensure they are entirely free of errors. However, I subscribe to the view that password managers don't have to be perfect, they just have to be better than not having one[1]. There are three main options for you:
3rd party password managers
When people talk about password managers, they invariably mean 3rd party software that you use to store your passwords. The full run down on how to pick one and why that one will be the right one for you would take a very long article in itself, but there are three main questions to ask yourself.
- Are you signing into lots of websites and apps across several computers/devices?
  - If this is the case you'll need to look at the options for sharing the passwords across devices. This may come as standard or as a paid upgrade. Some managers use your existing storage (Dropbox, Google Drive, OneDrive etc.) to do this; in that case you need to make very sure that you don't put anything that can be used to guess your master password in that storage.
- Are you good at remembering passwords?
  - It might seem silly to ask this when talking about finding a service designed to remember passwords for you, but you still have to remember one very important one: the one that gets you into your password manager. As a general principle, those password managers that are a web based service themselves are more likely to have account recovery tools, but do make sure to double check.
- Will you want to share passwords with other people?
  - This is easy in some managers, although you may need to pay extra for it, while in others you can't do it without sharing the whole set of passwords and giving the other person your master password.
A few that you might want to look into are: LastPass, 1Password, Bitwarden, Enpass, KeePass.
Browser built-ins
If you use the same web browser whenever you use the internet then you can just use that to store passwords (it is probably nagging you to do this already). This can even work across multiple computers/devices if you are signed into the browser and it is syncing your data. All the major browsers offer this, although it can run into issues if you don't use the same brand of devices as your main computer. These built-in password managers offer encrypted storage and complex password suggestions.
A diary
If you have ever worked in an office you have probably been told that writing passwords down is a terrible thing to do. And they will have been right when thinking about the risks that exist in an office, which are mainly other employees and those attempting to get private company information to sell to competitors[2]. In your home life the risks are very different: for most people they are online ne'er-do-wells trying to get your personal information and bank card numbers, and in that situation passwords written in a book and locked in a drawer are a sensible choice.
Creating a Password
Completely random strings
Now that you have been convinced to use a password manager, you can just use the “generate password” feature and away you go (although you may need to fiddle with the settings to deal with the different rules sites have about what needs to be in a password).
If you are not using a password manager, or yours doesn't come with a random password generator, try one of these ideas:
Three random words
Otherwise known as Correct Horse Battery Staple after a cartoon, Three Random Words or #thinkrandom is a way to generate passwords that are both strong and memorable. This is the method the “Generate Password” button uses. I would actually advise against using this function if you have to remember the password, as it will always be more memorable if you come up with the words yourself. However, if you need inspiration or are using a password manager to remember the password, go right ahead. If you are on a site that wants numbers or punctuation characters, you can add some at the end or swap out letters (i or l becomes 1, a becomes 4 and so on), or make up your own substitutions.
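The generator behind a "three random words" button is small enough to show in full. The following is an added example written for this page, not the project's own “Generate Password” code: it picks words with the operating system's cryptographic random source (plain `random.choice` is predictable and must not be used for passwords), applies the i/l to 1 and a to 4 swaps described above only where a site demands a digit, and reports how much guessing strength the result has if an attacker knows both the word list and the method. The word list is a constructed sixteen-word sample; a real generator would use a list of several thousand common words, and the strength calculation shows why the list size matters.

```python
import math
import secrets

# Constructed sample list. A real generator uses thousands of words; with only
# sixteen, three words give just 12 bits of strength (see entropy_bits below).
WORDS = [
    "correct", "horse", "battery", "staple", "window", "garden", "pencil",
    "silver", "rocket", "candle", "mirror", "forest", "anchor", "puzzle",
    "velvet", "copper",
]

# Letter swaps the article suggests for sites that insist on a number.
SWAPS = {"i": "1", "l": "1", "a": "4"}


def three_random_words(words=WORDS, count=3):
    """Pick `count` words uniformly at random from `words`.

    secrets.choice draws from the OS entropy source, which is what a
    password generator needs; random.choice is seeded predictably.
    """
    return [secrets.choice(words) for _ in range(count)]


def join_words(words, separator=""):
    """Join the words; a separator such as '-' keeps them readable and
    satisfies many 'must contain punctuation' rules."""
    return separator.join(words)


def add_digits(password, swaps=SWAPS, max_swaps=1):
    """Swap up to `max_swaps` letters for digits (i/l -> 1, a -> 4).

    Only a few letters are changed: the words are what make the password
    memorable, the swap is purely to satisfy a site's 'needs a number' rule.
    """
    out = []
    done = 0
    for ch in password:
        if done < max_swaps and ch in swaps:
            out.append(swaps[ch])
            done += 1
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(list_size, count=3):
    """Guessing strength in bits when the attacker knows the word list and
    that exactly `count` words were chosen: each word adds log2(list_size)."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    words = three_random_words()
    print(join_words(words, "-"))
    print(add_digits(join_words(words)))
    print(f"{entropy_bits(len(WORDS)):.1f} bits with a {len(WORDS)}-word list")
    print(f"{entropy_bits(7776):.1f} bits with a 7776-word (diceware-sized) list")
```

The digit swap is deliberately limited to one or two characters: swapping every matching letter makes the password harder to type from memory without adding meaningful strength, since an attacker who knows the trick simply tries the common substitutions too.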
I see a little silhouetto of a man, Scaramouche, Scaramouche, Will you do the Fandango?
Another way to create memorable passwords that are difficult for someone else to guess is to take a phrase, saying, quote, song lyric or similar and use the initials. So “I see a little silhouetto of a man, Scaramouche, Scaramouche, Will you do the Fandango?” becomes “IsalsoamSSWydtF?”. If the password rules require numbers or punctuation characters you can substitute them in, or just use a phrase that has them in to start with: “There are 106 miles to Chicago, we have a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses!”
Other considerations
But this page contradicts what I have been told by someone
For a start, different risks need different levels of protection: this advice is good enough for most websites but might not fly for systems containing large amounts of sensitive, personal or financial information. It also benefits from not having to line up with lots of external rules and regulations. If you want a good all-round read on passwords, try “Password policy: updating your approach”.
You've got mail
Most self-service password reset systems, even if they have other steps involved like security questions (don't forget you don't have to tell the truth for these; three random words works especially well for them if you might need to use them over the phone), rely on the idea that your email account is secure and you are the only person who has access to it (or at least you trust everyone who does implicitly). So use a strong and unique password for your email (and, if you can, think about turning on two-factor authentication).
What if my password is stolen
One of the reasons not to remember passwords yourself is that best practice is to use a different one for every login. Why? Because when someone gets hold of a stolen database of passwords, they will often try those passwords out on other sites, and if people have used the same details there then they can get in. This is especially a problem these days, when most sites don't ask you to set a separate user name but just use email addresses. There is a service called “Pwned Passwords” that will allow you to check if a password has appeared in one of the many databases that have been stolen and posted on the internet[3]. This is what we use to check your password before we will accept it. This functionality, or similar, is now being built into several password managers and similar products. If you are wondering about the name, then just understand that, like any group, nerds have their own jargon.
How worried should I be if my password is in the pwnedpasswords.com list
It depends. If your password is Fido2018 then it might not be your password but someone else's that is in the list, and they don't have the association with your email address. After all, how many hundreds of people will have got a dog in 2018 and called it Fido? You should probably still change it just in case it is your actual password (and in this case it is a very poor password anyway). On the other hand, if it is unlikely that anyone else has the same password and you have used it on multiple sites, then it is probably best if the first thing you do after getting your new password manager is spend an evening changing all your passwords.