The Only Effective Password Is One You Can’t Remember
Having effective passwords for the myriad of sites that need them is getting harder. The best passwords are long, not dictionary words, without any pattern, and include numbers, symbols and capital letters. We shouldn’t use the same one, or similar ones, twice, in case one gets compromised. And we should change them often.
Password cracking is getting easier all the time. This Ars Technica article, entitled Why passwords have never been weaker—and crackers have never been stronger, goes into great detail, but the essence of it is:
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
There are several reasons for this. For example, password breaches give hackers significant information about typical password patterns that help them create algorithms to crack other passwords.
My personal belief is that someday biometrics will be the answer to this – although there are huge issues to overcome before that can work effectively.
So what can we do? If a service offers two-factor verification, consider using it. But enabling it is not a licence to use a simple password.
Consider using password management software such as KeePass, LastPass, 1Password, or Password Safe. Opinions on the relative merits of the various products differ. Some are free, some are not. Some store the information locally, some in the cloud. Some are better than others at working across multiple devices (a necessity if, for example, you might access a particular service on your work desktop, home desktop, iPad, iPhone, Android phone, Microsoft phone, etc.).
Each one generates strong passwords, then stores and manages them. You do have to remember one strong password to use the manager – but only one.
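As an added illustration of what a password manager does on your behalf (example code written for this page, not taken from any of the products named above): it draws each password uniformly at random from a large character set, so its strength can be stated in bits, and it stretches the one master password you do remember with PBKDF2 so that every guess at it is expensive. Encrypting the stored entries with that derived key, which the real products do with an authenticated cipher, is outside this example; the dictionary and symbol counts in the pattern comparison are assumed values.

```python
import hashlib
import math
import os
import secrets
import string

# A manager draws from the full printable set: upper, lower, digits, symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Pick every character independently with the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def pattern_bits(dictionary_words: int, digit_suffix_len: int, symbol_choices: int) -> float:
    """Work for the 'word + digits + symbol' pattern that cracking rules target:
    the word is one of a dictionary, not one of 94**len arbitrary strings."""
    return math.log2(dictionary_words) + digit_suffix_len * math.log2(10) + math.log2(symbol_choices)


def derive_master_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the one remembered password into a 256-bit vault key (PBKDF2-HMAC-SHA256).
    The iteration count is what makes each guess at the master password costly."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def new_vault(master_password: str) -> dict:
    """Create an empty vault: a fresh random salt plus a verifier for the derived key.
    Neither the master password nor the key itself is ever written to the vault."""
    salt = os.urandom(16)
    key = derive_master_key(master_password, salt)
    return {"salt": salt, "verifier": hashlib.sha256(key).digest()}


def unlock(vault: dict, master_password: str) -> bool:
    """Re-derive the key from the candidate master password and compare in constant time."""
    key = derive_master_key(master_password, vault["salt"])
    return secrets.compare_digest(hashlib.sha256(key).digest(), vault["verifier"])


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(20, len(ALPHABET)), 1), "bits")  # ~131 bits
    print(round(pattern_bits(100_000, 2, 32), 1), "bits for word+2 digits+symbol")  # ~28 bits
```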
I just signed up for a car share service that required a lot of private information I wouldn’t usually post online. The system forced me to create a password I will never remember. But the online agreement I clicked through said I was not allowed to write the password down or store it electronically. I don’t know what to think – it is not as if I will be using this service frequently enough to remember the password. It might have been easier (and safer) to forget about using the service altogether.
I also recently signed up for Google’s 2-step verification, which is supposed to be a lot more secure than a regular password alone; however, it is certainly complicated to put in place, and has its own challenges. But perhaps that is getting closer to a solution?
Use the first or last of the words in a phrase you won’t forget and one “word” that you’ll always remember because the process of keying in the password is a sufficient hint.
No – I don’t follow my own advice. (g)
Biometrics intrigues me. Like having a chip implanted or giving a blood spot? Love it! Will probably live to see it. Thanks for a thought-provoking blog.
All you need for a strong password is a combination of upper and lower case letters, punctuation, and numbers. Creating a strong password that is easy to remember is fairly simple using words that are part of a phrase that is meaningful to you personally but otherwise hard to guess – separate the words with an underscore, for example, and add a number to the end. When the password expires, increase the number.
Biometrics seems like the only solution to this problem but what happens when they figure out how to hack that? It’s not like you can reset your fingerprint, face, etc. For now I will stick to complex passwords that I only write down offline.