Passwords are a constant problem for users, and something that even experienced folks who ought to know better often get wrong. The IT world does a poor job of communicating good password practices to users and instead harps on what not to do. The result is users who know that long, complex passwords are good but still struggle to create them. They know they shouldn't reuse the same password on different sites and services, but do it anyway, because they also know they shouldn't write passwords down.
Security guru Bruce Schneier has a method to generate passwords that seems quite secure, but I would struggle to remember—and type!—passwords created with that method. So here is what you should do.
Step 1: Use A Password Manager
That's what most security experts do, what they recommend, and this article could almost stop there. Modern password managers will generate random passwords for you, store them in an encrypted file, and often fill them into web forms automatically. LastPass is a common, convenient cloud-based solution. KeePass is a free, open-source alternative for folks who wish to keep even an encrypted password file off the cloud and under their own control.
Step 2: Generate A Random Passphrase
Part of what I don’t like about Schneier’s method above is that it isn’t random. But my primary concern is that I often find myself using a computer I don’t own, or typing passwords into a mobile device. In those situations installing a password manager or typing a string of complex characters is problematic.
Diceware has a classic answer. Though their website will remind you of the 1990's, the math behind their method is sound. Plus, their linked support articles serve as a good primer on why passphrases beat passwords, and what really makes a good one. In short, length greatly trumps complexity. Their method involves rolling five dice, reading the result as a five-digit number, and looking that number up in their list of 7776 (6^5) words. Each word chosen this way adds about 12.9 bits of entropy, so a six-word passphrase carries roughly 77 bits, more than almost any password a person would memorize.
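To make the mechanics concrete, here is an added example (my own code, not Diceware's) that parses a word list in Diceware's "dice digits, then word" format, rolls dice with the operating system's CSPRNG, and computes the entropy of the result. The ten-line word list embedded below is a constructed stand-in so the code runs offline; drop in the real diceware.wordlist.asc for actual use.

```python
"""Diceware-style passphrase generation with an entropy estimate."""
import math
import secrets

# Constructed stand-in for Diceware's list, in its format: five dice digits,
# a tab, then the word. The real diceware.wordlist.asc has 6**5 = 7776 lines.
SAMPLE_WORDLIST = """\
# comment lines and blank lines are ignored
11111	abacus
11112	banjo
11113	cobalt
11114	dingo
11115	ember
11116	fjord
11121	gecko
11122	harbor
11123	igloo
11124	juniper
"""


def parse_wordlist(text):
    """Map each 5-digit dice key (digits 1-6 only) to its word; reject malformed lines."""
    words = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 5 or any(c not in "123456" for c in parts[0]):
            raise ValueError(f"line {lineno}: expected '<5 dice digits> <word>', got {raw!r}")
        key, word = parts
        if key in words:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        words[key] = word
    return words


def is_complete(words):
    """True only if every one of the 6**5 possible rolls has a word."""
    return len(words) == 6 ** 5


def roll_dice(n=5):
    """Roll n fair dice using the OS CSPRNG; returns a string such as '41263'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def generate_passphrase(words, n_words, roll=roll_dice):
    """Pick n_words by dice roll. `roll` is injectable so tests can be deterministic."""
    chosen = []
    for _ in range(n_words):
        key = roll()
        if key not in words:
            raise ValueError(f"roll {key} has no word; the list is incomplete")
        chosen.append(words[key])
    return " ".join(chosen)


def entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly from list_size words: n * log2(N)."""
    return n_words * math.log2(list_size)


def words_for_bits(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    # With the tiny sample most real rolls miss, so demonstrate with a fixed roll.
    print(generate_passphrase(words, 3, roll=lambda: "11113"))
    print(f"7776-word list, 6 words: {entropy_bits(7776, 6):.1f} bits")
    print(f"words needed for 80 bits: {words_for_bits(7776, 80)}")
```

The entropy figure assumes the roll is uniform and the list has no duplicates, which is why `parse_wordlist` rejects duplicate keys and `generate_passphrase` refuses a roll the list cannot answer rather than silently re-rolling.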
One online alternative is correcthorsebatterystaple.net, which will simply generate a phrase for you. I don’t trust online generators, however. How big is their list of words? How can I be sure they aren’t storing a copy of what they send me? Even if they don’t store a copy, I have no assurance that the results are safe from the NSA, my ISP, and God knows who else in between my computer and their web server. I would hope that they are generating the passphrase using code executing privately in my browser, but their method isn’t transparent to me, and I therefore only include them here as an example of an easy to use alternative for demonstration purposes.
Security guru Steve Gibson preaches using password padding as a way of adding that desired length without adding much complexity. It’s a very human-friendly method that retains ease-of-use even when typing with your phone’s keyboard.
Step 3 (optional): Test It
The aforementioned Steve Gibson maintains his "Haystack" password search space calculator at the password padding link above. It does not claim to measure resistance to a dictionary attack; what it reports is the size of an exhaustive brute-force search over the character classes it sees in your password. Keep that distinction in mind: a passphrase or a padded password can score an enormous brute-force search space while an attacker who guesses whole words or padding patterns faces a far smaller one.
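The following added example (my own code, not Gibson's calculator) shows the gap between those two numbers. It reproduces a Haystack-style calculation as I understand it, an assumption: the alphabet is the sum of the character classes present (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the search space counts every string up to the password's length. It then computes what a wordlist attacker faces against a passphrase of k words drawn from an N-word list. The 100-billion-guesses-per-second rate and the 2048-word list are constructed parameters for illustration.

```python
"""Brute-force search space (Haystack-style) versus a wordlist attack."""
import math
import string

# Assumed character classes; 33 symbols = ASCII punctuation plus space,
# giving the usual 95 printable characters when all four classes appear.
SYMBOLS = string.punctuation + " "
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (SYMBOLS, 33),
)


def alphabet_size(password):
    """Sum the sizes of the character classes present in the password."""
    if not password:
        raise ValueError("empty password")
    size = 0
    for chars, n in CLASSES:
        if any(c in chars for c in password):
            size += n
    if size == 0:
        raise ValueError("no recognised character class (non-ASCII input?)")
    return size


def brute_force_search_space(password):
    """All strings of length 1..len(password) over the inferred alphabet (exact int)."""
    a = alphabet_size(password)
    length = len(password)
    # Geometric series: a + a**2 + ... + a**length
    return (a ** (length + 1) - a) // (a - 1)


def wordlist_search_space(n_words, list_size):
    """Guesses for an attacker who knows the list and the word count: N**k."""
    return list_size ** n_words


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try the whole space at a given rate."""
    return space / guesses_per_second


def compare(passphrase, n_words, list_size):
    """Return log2 of both search spaces so the two metrics can be read side by side."""
    return {
        "brute_force_bits": math.log2(brute_force_search_space(passphrase)),
        "wordlist_bits": math.log2(wordlist_search_space(n_words, list_size)),
    }


if __name__ == "__main__":
    rate = 100e9  # constructed: 100 billion guesses/second, an offline attack
    phrase = "correcthorsebatterystaple"  # 4 words, lowercase only
    result = compare(phrase, n_words=4, list_size=2048)
    print(f"brute force: 2^{result['brute_force_bits']:.1f}, "
          f"{seconds_to_exhaust(brute_force_search_space(phrase), rate) / 3.15e7:.2e} years")
    print(f"wordlist:    2^{result['wordlist_bits']:.1f}, "
          f"{seconds_to_exhaust(wordlist_search_space(4, 2048), rate):.0f} seconds")
```

For that four-word lowercase passphrase the brute-force figure is about 2^117, but an attacker who guesses four words from a 2048-word list needs at most 2^44 guesses, which is a few minutes at the assumed rate. That is the number the Haystack page does not show you, and it is why word count and list size, not character length, are what to tune for a passphrase.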
A different calculation can be done at howsecureismypassword.net. That site is run by Dashlane, who wants to sell you their password manager. It will throw a different result at you than Steve Gibson’s Haystack Calculator, but is still useful for knowing how strong one password is versus another.
These test sites swear they don't send the passwords you type into them over the network. Still, I prefer not to take the chance. Don't type your actual password or passphrase into them; type in something like it instead, with the same length and the same mix of upper- and lower-case letters, numerals, and special characters. Because these calculators only look at length and character classes, the stand-in will score the same as the real thing.