Wednesday, March 23, 2022

Security: Choosing and Storing Passwords

Best: Password Manager
It's 2022. Everybody should be using a password manager to store and randomly generate a different complex password for each website they use. There are a lot of good options on this front. Even the simple password managers built into your browser work pretty well. For most people, using Google Chrome, Mozilla Firefox, or iCloud Keychain is sufficient.

If you want to use a third party for whatever reason, LastPass served me well, although the free tier only allows you to store passwords on one device: mobile or desktop. I am now using 1Password, which is almost perfection, although it costs $3 per month.

I could write a whole article about which password manager is best, but the important thing is to use one. They generate secure passwords instantly, obviate the need to remember more than one password, store your passwords in a secure location, seamlessly sync mobile and desktop (except LastPass free tier), and tell you how secure each password is. Many password managers have other features like reporting to you when a password was found in a breach, informing you of your reused passwords, and keeping a history of used passwords.

But if you must, I'll list some other options.

How Hackers Crack Passwords
Before we get into how to generate fancy hard-to-guess passwords, let's talk about why we're doing this and not just using "Password1!" for all your passwords.

The first way a hacker might get access to your account is to just guess your password. If it's just your name backwards, that's easy enough to guess. In fact, that was the password to my brother's electronic organizer in the 1990s (don't tell him I cracked it!). Similarly, hackers know to guess "password", "123456789", "qwerty" and other similar easy passwords.

Assuming the website you're using has good security (uses good hashes, with salt, etc.) another way a hacker might try to guess your password is to reuse one of your passwords from a website with bad security. For example, until a few months ago I still had an email account at excite.com, which had an insecure login page. That means anyone with basic hacking skills could steal my username and password for that site. Obviously, no one uses Excite for anything important anymore, but people do reuse passwords from site to site. If I reused my Excite password elsewhere, I'd be begging to be hacked at those other sites.

Lastly, a hacker might crack your password by simply trying all possibilities, aka brute force. If the website you're using doesn't have very good security, a hacker can try different passwords rapidly. In fact, hackers can try a billion different passwords per second. Here's a chart showing how the time needed to crack a password is related to password complexity.

[Chart from Hive Systems: time to crack a password by length and character types]

This is why many websites require a password of at least 8 characters that must comprise uppercase letters, lowercase letters, numbers and symbols.

Next Best: Hidden, Secured Password Documents
As we have shown in the previous section, passwords should not be guessable, should not be reused across different sites, should have at least 8 characters, and should be composed of different types of characters.

The next best option to using a password manager is to generate these passwords yourself and keep them in a secure location. There are plenty of password generators on the Internet (ahem). The question is: how will you store your passwords securely? Your passwords are surely too complex to remember. You should also have access from your computer as well as from your phone.

For a while, I stored all my passwords in a text document that I uploaded to a mobile app. I changed the extension on the text document so it wouldn't open in a word processor. The mobile app (IDrive) was secured with a password, so no one could open it without knowing one of my passwords.

This was a decent way to store my passwords, but was cumbersome and meant I had to manually sync my passwords by uploading my password file every time I changed or added a password. For those of you who don't like or trust password managers, this might work.

Perhaps Instead: Easy-to-Remember Passwords
There are several ideas for easy-to-remember passwords:

In an ideal world you could simply remember your passwords using these hacks.

Actually...
But you won't. Memorable passwords won't work. The average person has 100 passwords, and whether you use the password generator or something super memorable, it doesn't matter: you simply won't remember all of your passwords. Secured storage is key, and you can't get better storage than a password manager, as mentioned above. If you're very meticulous and organized, you might not need a password manager and could instead do something like I mentioned above with a hidden text file uploaded to the cloud.

But chances are you're not going to do that. You're going to have a Microsoft Word document or a physical notepad full of your passwords. And that's fine if no one will ever have physical access to your machine. But that won't fly at a professional workplace, on shared computers, or on a laptop owned by someone who travels a lot.

For most people in the modern world, a password manager is a necessity.